
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]

On 12/09/2004 Daniel Pittman wrote:
> No, firehol has an internal concept of "services", which are related to
> but not the same as entries in /etc/services.
> 
> Adding a new service is trivial, however:
> 
>     SERVER_<NAME>_PORTS="<proto>/<port>"
>     CLIENT_<NAME>_PORTS="default"
> 
> Substitute the '<NAME>', etc sections for relevant values for your newly
> defined service.  Also, you can have port numbers or ranges for the
> client ports, or the server ports.

Yeah, that's what I use for my personal ftp ports:

--- snip /etc/firehol/firehol.conf
server_myftp_ports="tcp/210 tcp/215 tcp/220 tcp/225 tcp/230"
client_myftp_ports="default"

[...]

interface eth0+ interface1
	[...]
	server ftp accept
	server myftp accept
--- snip ---

Anyway, this isn't enough for ftp connections, as ftp seems to be a
complex protocol. Therefore I now also have in the interface1 config
section:

--- snip /etc/firehol/firehol.conf ---
	# add the ftp module with configured ftp ports
	modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
	modprobe ipt_ULOG
	
	# add manual iptables rules for ftp ports
	iptables -A INPUT  -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
			-m multiport -p tcp --dports 210,215,220,225,230 \
			-d 62.75.128.98/31 -j ACCEPT
	iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
			-m multiport -p tcp --sports 210,215,220,225,230 \
			-s 62.75.128.98/31 -j ACCEPT
--- snip ---

> For more complex protocols there is a correspondingly more complex way
> to specify them to Firehol;  consulting the source for that would help.

Yes, I already read this in your excellent firehol documentation, but
after giving the rules_ftp() function in /lib/firehol/firehol a look, I
didn't feel like I understood what it does exactly. What I understood:
- client_ftp_ports are set to default
- for incoming connections, new and established are allowed
- for outgoing connections, established is allowed
- for passive ftp, the same is done again (???)
- the kernel module ip_conntrack_ftp is required
- the kernel module ip_nat_ftp is required in case we use NAT

As I don't use NAT, and RELATED data should also be allowed, I think
that my firehol configuration works quite well, and is rather more open
than the complex bash function you suggest in your documentation.
Am I wrong?

> The OP seems quite resistant to either talking to the upstream authors
> or reading the documentation supplied with Firehol, however, which is
> still encouraging this thread to become more full of things that are
> simply and clearly documented if he spent ten minutes reading...

Hey, sorry if I come across as incompetent, but I read your documentation
and I'm not resistant to talking to the upstream authors; I simply already
know that opening ports in firehol doesn't work out of the box, and I
also guess that my configuration does nearly the same as your
rules_ftp() function, so I didn't have any objections that would require
communication with upstream.

But in any case, here are two wishlist suggestions:
- firehol could support an easier way to configure complex services,
  to avoid those situations and to open this functionality also to
  people without much experience in bash.
- firehol could support a way to extend or change the port list of already
  configured services, to allow users with non-common ports to use the
  advantages of your services configuration.
  Many users may run httpd on 80, and on 81 for test purposes,
  or, like me, run several ftpds.

What do you think?

Bye,
 Jonas
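One practical hazard in the setup above is that the port list appears three times (the firehol service definition, the ip_conntrack_ftp "ports=" argument, and the two multiport rules), so a port added in one place but not the others silently loses RELATED data-connection tracking. The following script is an added example, not part of this thread and not firehol's own code: it derives the conntrack helper argument and the iptables rules from a single firehol-style list, de-duplicating entries (the posted config repeats tcp/215), rejecting non-tcp or out-of-range ports, and enforcing the 15-port limit of the multiport match. The interface name, address and the sample list are placeholders taken from the message; the script only prints the commands and never applies them.

```shell
#!/bin/sh
# Added example: build ip_conntrack_ftp and iptables multiport rules from one
# firehol-style port list so the helper and the accept rules cannot drift apart.
# Interface "eth0" and address 62.75.128.98/31 are placeholders from the thread.

# Normalise "tcp/210 tcp/215 tcp/215" into "210,215": only tcp/<port> entries,
# numeric 1..65535, sorted and de-duplicated. Returns non-zero on bad input.
ftp_port_list() {
    out=""
    for entry in $1; do
        case "$entry" in
            tcp/*) port=${entry#tcp/} ;;
            *) echo "only tcp/<port> entries are supported: $entry" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "port is not numeric: $entry" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        out="$out $port"
    done
    [ -n "$out" ] || { echo "empty port list" >&2; return 1; }
    # word-splitting of $out is intentional: one port per line for sort -n -u
    printf '%s\n' $out | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# Print the modprobe line and the INPUT/OUTPUT rules for a comma-separated
# port list ($1) on interface $2 for address/prefix $3. The control port 21
# is always passed to the helper so the stock "ftp" service keeps working.
ftp_rules() {
    ports=$1; iface=$2; addr=$3
    n=$(printf '%s\n' "$ports" | tr ',' '\n' | grep -c .)
    if [ "$n" -gt 15 ]; then
        echo "multiport accepts at most 15 ports, got $n" >&2; return 1
    fi
    helper_ports=$ports
    case ",$ports," in
        *,21,*) ;;
        *) helper_ports="21,$ports" ;;
    esac
    cat <<EOF
modprobe ip_conntrack_ftp ports=$helper_ports
iptables -A INPUT  -i $iface -m state --state NEW,ESTABLISHED,RELATED -m multiport -p tcp --dports $ports -d $addr -j ACCEPT
iptables -A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -m multiport -p tcp --sports $ports -s $addr -j ACCEPT
EOF
}

# Constructed sample input: the list from the message, including its duplicated tcp/215.
SAMPLE="tcp/210 tcp/215 tcp/215 tcp/220 tcp/225 tcp/230"
PORTS=$(ftp_port_list "$SAMPLE") || exit 1
ftp_rules "$PORTS" eth0 62.75.128.98/31
```

Run it as `sh ftp-rules.sh` to review the generated commands before pasting them into the interface section of firehol.conf; the same `$PORTS` value is what should appear (as tcp/<port> entries) in the server_myftp_ports line, so one list drives all three places.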
