--- Jonas Meurer <[EMAIL PROTECTED]> wrote:

> On 10/09/2004 Mike Mestnik wrote:
> > > anyway firehol doesn't allow to set user specific ports for service
> > > 'ftp', and therefore i have to open these ports manually.
> > 
> > ?user specific? You mean 20 (ftp-data) and not just 21 (ftp)? Connection
> > tracking FTP should handle this, but only for your clients and not for any
> > servers you could be running.
> 
> no, i have 5 ftp servers running on 5 different ports. all these ports
> need to be opened for ftp traffic.
> 
Right, does firehol even load ip_conntrack_ftp?  As you know better than
me, ports= is where you specify what ports are for FTP.  In
firehol you would just open those ports as if they were for ssh or http.

> > Turn this on with a 'modprobe ip_conntrack_ftp' and if you're doing nat
> > 'modprobe ip_nat_ftp'.  I add these into /etc/modules.
> 
> i have
> modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
> in /etc/firehol/firehol.conf, and that works quite well.
> 
It might be worth looking into whether conntrack_ftp supports servers, last
time I looked it only worked for SNATed clients.  It's only like 20 lines
of code to make it work for all four cases (SNAT|DNAT)ed_(clients|server).

If you get lucky I might submit a patch for it, though I wonder why it
wasn't set up that way from day 1?

> 
> > > so this means that i don't need to open udp ports for ftp ...
> > 
> > That depends, do you plan to use host names instead of IPs?  If yes then
> > you will need to let DNS(udp) through, firehol might do this for you.
> 
> the ftpserver run on ips, but these ips are also available through
> dnsnames, and clients are intended to use these dnsnames, but i guess
> you think dnsname based virtualhosts, what in my opinion doesn't work
> for ftp at all, as it doesn't have the relevant name headers, as http
> has.
> 
You're right.  However DNS(53/udp) is required for host names to work at
all.  firehol might by default set this up for you.

> bye
>  jonas