On 2/18/2012 4:15 AM, Togan Muftuoglu wrote:
On 02/17/2012 10:42 PM, Brian K. White wrote:
On 2/9/2012 5:57 PM, Brian K. White wrote:
On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
On 02/09/12 at 04:53pm, Brian K. White wrote:
Anyone really knowledgeable about susefirewall2 ?
Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? like unusual variables I can put the service definition file? and/or add a modprobe.d/foo.conf file?
Have a look at the TEMPLATE at /etc/sysconfig/SuSEfirewall2.d/services directory
Togan
Good grief, both related and modules options right in there, how did I miss that...
Ok I don't feel so bad. That file didn't even exist until 10.3, and didn't include those variables until 11.1 or 11.2.
Anyways thanks much.
I take back the feeling stupid.
It looks that simple, but it isn't actually working.
At least this isn't actually working:
/etc/sysconfig/SuSEfirewall2.d/services/hylafax+
it may not matter but SuSEfirewall2 is a bit weird with complicated names at least in my experience drop the + sign
## Name: HylaFAX+ Server
## Description: Opens ports for HylaFAX+ Server (hfaxd).
TCP="hylafax"
RELATED="0/0,tcp,hylafax"
MODULES="nf_conntrack_ftp"
and you have FW_CONFIGURATIONS_EXT="hylafax+"
If I shut off the firewall (on the client), or if I turn it on with FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", I can use the remote fax server.
That option is history according to /etc/sysconfig/SuSEfirewall2
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
Of course I know that's to be avoided, otherwise I would mention it or be spending all day and all night trying to avoid it.
If I turn on the firewall without highports, I can't.
What do the logs show?
On a much older opensuse 10.1 box that has the same (current) version of hylafax+ installed, I have it working fine, but the details of configuring the firewall are different on 10.1. So on the 10.1 box I have this:
/etc/modprobe.d/ip_conntrack_ftp:
options ip_conntrack_ftp ports=21,4559

/etc/sysconfig/SuSEfirewall2:
FW_SERVICES_EXT_TCP="... hylafax"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_LOAD_MODULES="ip_conntrack_ftp"
And it works.
Whether the firewall is on or off, I can use the remote fax server.
Oh, and no, neither box is using the passive option in hyla.conf and neither box nor the fax server are behind nat or other firewalls.
Even when I directly edit /etc/sysconfig/SuSEfirewall2 like on the 10.1 box:
FW_CONFIGURATIONS_EXT="... hylafax+"
FW_SERVICES_ACCEPT_RELATED_EXT="0.0.0.0/0,tcp,4559"
if using configuration file this is not needed
tcp 0 1 ...:4558 ...:54076 SYN_SENT
tcp 0 0 ...:4559 ...:51417 ESTABLISHED
So, from the client "faxstat -sdl" just hangs.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" on the client and it works fine.
see above why you should not use this parameter
So, I don't know, either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working.
iptables Susefirewall versions may be helpful
Togan
Well after a lot of testing and process of elimination I got it.

The + in the hylafax+ name for the service file and such isn't screwing anything up.

Basically, the service descriptor needs:
-----------
TCP="hylafax"
RELATED="0.0.0.0/0,tcp,4558 0.0.0.0/0,tcp,hylafax"
MODULES="nf_conntrack_ftp"
-----------
IE: it needs to include 4558 and 4559.

And the module must be loaded with option ports=<ports> where <ports> must include 4559.

In the case of opensuse most people can just create a new file:
/etc/modprobe.d/50-nf_conntrack_ftp.conf
With one (active) line in it:
-----------
# port 4559 for hylafax
# On older kernels the module name is ip_conntrack_ftp
options nf_conntrack_ftp ports=4559
-----------
It does not need 4558.

That's if the PassiveMode is not yes in /etc/hylafax+/hyla.conf. I didn't look at passive mode yet.

Now how to do this cleaner?

I can and do supply the service descriptor file in the rpm, so it's no problem to update that to look like above.

But I can't add that modprobe conf file in the rpm because I can't have the hylafax+ package walking all over the user's ftp/firewall/modules config, even though on opensuse it just happens to be that the stock ftp server doesn't use or need the ftp connection tracking module to deal with ftp PORT connections because vsftpd has another way to do it.

Meaning, practically no one is going to already have a modules.d/*.conf with options nf_conntrack_ftp ports=21 in it, but they might. certainly you can't just so you could just create one with nf_conntrack_ftp ports=4559 in it and not mess

I don't like the idea of writing a script to search all possible places the option might exist, update it in-place if it does exist, which means fully parsing the line just to make sure the 4559 isn't already in there, or create a file and write the desired line in it if it doesn't exist anywhere already. ...and have that all actually be reliable.
Nor do I like shipping a package that doesn't work as well as possible out of the box.

I guess it's not that big of a deal. Most people probably just don't do hylafax over the network.

I don't see anything in the regular hylafax package in the oss repo that would make this work either. They don't even have the service descriptor file.

--
bkw
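The thread ends on the open question of how to merge port 4559 into an existing "options nf_conntrack_ftp ports=..." line without clobbering what the admin already has. The following is an added example, not code from the thread or from the hylafax+ package: a POSIX sh/awk function that merges a port into that options line (or appends one when none exists), plus a check of which ports the loaded helper actually tracks via the module's sysfs parameter. The sample modprobe.d text is constructed, and the choice to keep port 21 when creating a new line is this example's own, because a ports= list replaces the module's built-in default rather than extending it.

```shell
#!/bin/sh
# Added example (not from the thread): keep the conntrack FTP helper's
# ports= list consistent with the HylaFAX port 4559 case discussed above.

# Read modprobe.d text on stdin and print it back with $1 added to the
# ports= list of the nf_conntrack_ftp / ip_conntrack_ftp options line.
# If no such line exists, one is appended. A ports= list replaces the
# module's built-in default (21), so a newly written line keeps 21.
merge_conntrack_ftp_port() {
    awk -v want="$1" '
    /^[ \t]*options[ \t]+(nf|ip)_conntrack_ftp([ \t]|$)/ {
        found = 1
        line = $0
        if (match(line, /ports=[0-9,]*/)) {
            ports = substr(line, RSTART + 6, RLENGTH - 6)
            n = split(ports, arr, ",")
            present = 0
            for (i = 1; i <= n; i++) if (arr[i] == want) present = 1
            if (!present) {
                if (ports == "") ports = want
                else ports = ports "," want
            }
            line = substr(line, 1, RSTART - 1) "ports=" ports substr(line, RSTART + RLENGTH)
        } else {
            # options line present but no ports=: default was 21, keep it
            line = line " ports=21," want
        }
        print line
        next
    }
    { print }
    END { if (!found) print "options nf_conntrack_ftp ports=21," want }
    '
}

# Report which ports the loaded helper is actually tracking. The
# parameter is mode 0400, so read it as root; prints "not loaded" if
# the module is absent.
loaded_conntrack_ftp_ports() {
    f=/sys/module/nf_conntrack_ftp/parameters/ports
    if [ -r "$f" ]; then cat "$f"; else echo "not loaded"; fi
}

# Constructed sample of an existing modprobe.d file.
sample='# local ftp helper settings
options nf_conntrack_ftp ports=21'
printf '%s\n' "$sample" | merge_conntrack_ftp_port 4559
```

Run merge_conntrack_ftp_port against the actual /etc/modprobe.d/*.conf contents and write the result to a new file only after reviewing it; then compare loaded_conntrack_ftp_ports after a module reload with what faxstat needs.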