
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 12/09/2004 Mike Mestnik wrote:
> > > i still didn't get the point. you claim, that the module doesn't
> > > understand the -ports option?
> > > or do you mean that ip_conntrack_ftp has problems with handling more
> > > than one IP address, as i have 2?
> > 
> > Ohh wait, I could be wrong here.  I guess it's only for NATing that you
> > need to care about direction???  The problem as I see it is that the PORT
> > cmd is only expected to come from the client end.  It ONLY does.  However
> > when you're mangling you care whether it's inbound (DNAT) or
> > outbound (SNAT).  Would you care for the same reasons for an open port?
> 
> i don't use NAT by any meaning, as far as i know.
> so the only goal i want to achieve, is to open the ports for my ftp
> servers on ports 210, 215, 220, ... for _all_ traffic that could be
> produced by valid connections.
> 
> > Yes, I think you need to have code for each case.  You need to have code
> > for firewalling a client and then some other code for the server.  AFAICT
> > only clients are handled in the current code, not servers.
> 
> sorry, but why do i need to firewall a client. i'm talking about my ftp
> server, and this one has installed a firewall. i don't get the point.
> 
I'm not sure, but I'm fairly certain ONLY clients will be properly
handled with the current code.  It doesn't really matter that you want
server IF I'm right and only clients are supported.

I guess the question is, are the ports being opened correctly for pasv and
port based connections on your servers?

> > > sorry for confusion, in firehol services have some configuration, and
> > > thus you can only open/close configured services. simply using
> > > portranges doesn't work.
> > 
> > Looks like a wishlist bug to me.  I'd "dpkg --purge" it if I wasn't
> > able to open ports with it.
> 
> as firehol is very smart and the non-common ftp ports are the only
> exception, i'm quite happy with it.
> 
> bye
>  jonas
> 
> 
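The setup discussed in this thread (FTP servers on 210, 215 and 220 behind iptables, with the conntrack FTP helper tracking PASV and PORT data connections so no port range has to be opened), as an added example that is not from the list thread or from firehol. It assumes the ip_conntrack_ftp module of a 2.4/2.6 kernel (nf_conntrack_ftp on newer ones) and iptables with the multiport and state matches; with APPLY unset it only prints the commands.

```shell
#!/bin/sh
# Added example: firewall rules for FTP servers on non-standard control
# ports, relying on the kernel FTP helper instead of open port ranges.
# Assumption: ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) accepts
# the "ports=" parameter, and iptables has multiport and state matches.

FTP_PORTS="210,215,220"

# Print each command; execute it only when APPLY=1 (run as root then).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

ftp_server_rules() {
    # The helper only watches port 21 unless told about the other ports.
    run modprobe ip_conntrack_ftp ports="$FTP_PORTS"
    # Control connections to the listed FTP ports.
    run iptables -A INPUT -p tcp -m multiport --dports "$FTP_PORTS" \
        -m state --state NEW -j ACCEPT
    # Data connections the helper expects after a PASV reply (inbound) or a
    # PORT command (outbound) are RELATED; only that one socket is admitted.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # On kernels without automatic helper assignment, bind the helper in the
    # raw table instead:
    #   iptables -t raw -A PREROUTING -p tcp -m multiport \
    #       --dports "$FTP_PORTS" -j CT --helper ftp
}

ftp_server_rules
```

Check the result with `iptables -L -v -n` and, while a client transfers a file, `cat /proc/net/ip_conntrack` (or `conntrack -L`) should show the data connection tagged with the ftp helper.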





