On 02/17/2012 10:42 PM, Brian K. White wrote:
On 2/9/2012 5:57 PM, Brian K. White wrote:
On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
On 02/09/12 at 04:53pm, Brian K. White wrote:
Anyone really knowledgeable about susefirewall2?
Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
Have a look at the TEMPLATE in the /etc/sysconfig/SuSEfirewall2.d/services directory.
Togan
Good grief, both related and modules options right in there, how did I miss that...
OK, I don't feel so bad. That file didn't even exist until 10.3 and didn't include those variables until 11.1 or 11.2.
Anyways thanks much.
I take back the feeling stupid.
It looks that simple, but it isn't actually working.
At least this isn't actually working:
/etc/sysconfig/SuSEfirewall2.d/services/hylafax+
It may not matter, but SuSEfirewall2 is a bit weird with complicated names, at least in my experience. Drop the + sign.
## Name: HylaFAX+ Server
## Description: Opens ports for HylaFAX+ Server (hfaxd).
TCP="hylafax"
RELATED="0/0,tcp,hylafax"
MODULES="nf_conntrack_ftp"
And you have FW_CONFIGURATIONS_EXT="hylafax+"
If I shut off the firewall (on the client), or if I turn it on with FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", I can use the remote fax server.
That option is history according to /etc/sysconfig/SuSEfirewall2:
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
If I turn on the firewall without highports, I can't.
What do the logs show?
On a much older openSUSE 10.1 box that has the same (current) version of hylafax+ installed, I have it working fine, but the details of configuring the firewall are different on 10.1. So on the 10.1 box I have this:
/etc/modprobe.d/ip_conntrack_ftp:
options ip_conntrack_ftp ports=21,4559
/etc/sysconfig/SuSEfirewall2:
FW_SERVICES_EXT_TCP="... hylafax"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_LOAD_MODULES="ip_conntrack_ftp"
And it works.
Whether the firewall is on or off, I can use the remote fax server.
Oh, and no, neither box is using the passive option in hyla.conf, and neither box nor the fax server is behind NAT or other firewalls.
Even when I directly edit /etc/sysconfig/SuSEfirewall2 like on the 10.1 box:
FW_CONFIGURATIONS_EXT="... hylafax+"
FW_SERVICES_ACCEPT_RELATED_EXT="0.0.0.0/0,tcp,4559"
If using the configuration file, this is not needed.
tcp 0 1 ...:4558 ...:54076 SYN_SENT
tcp 0 0 ...:4559 ...:51417 ESTABLISHED
So, from the client "faxstat -sdl" just hangs.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" on the client and it works fine.
See above for why you should not use this parameter.
So, I don't know, either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working.
iptables and Susefirewall versions may be helpful.
Togan
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
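The thread's open question is whether nf_conntrack_ftp is actually tracking port 4559 once the MODULES line has loaded it. Below is an added sh audit (not code from the thread or from SuSEfirewall2) that reads the helper's loaded port list and prints the modprobe.d options line the 10.1 box used when 21 or 4559 is missing; it assumes the module parameter is exposed at /sys/module/nf_conntrack_ftp/parameters/ports (root-readable), and takes an alternative file path so it can be exercised against a constructed sample.

```shell
#!/bin/sh
# Added example: check which control ports the FTP conntrack helper tracks.
# Assumption: the kernel exposes the module's "ports" parameter at this path.
PORTS_FILE_DEFAULT=/sys/module/nf_conntrack_ftp/parameters/ports

# missing_helper_ports FILE PORT...
# Prints, one per line, the required ports that FILE (comma-separated list,
# as sysfs prints it) does not contain. An unreadable or absent FILE means
# the module is not loaded, so every required port is reported missing.
missing_helper_ports() {
    file=$1; shift
    if [ ! -r "$file" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    tracked=$(tr ',' '\n' < "$file" | tr -d ' ')
    for want in "$@"; do
        if ! printf '%s\n' "$tracked" | grep -qx "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# modprobe_options_line PORT...
# Renders the modprobe.d line that makes the helper track extra ports
# (same form as the 10.1 box's options line, module name updated).
modprobe_options_line() {
    list=$(printf '%s,' "$@")
    printf 'options nf_conntrack_ftp ports=%s\n' "${list%,}"
}

# audit_hylafax_conntrack [FILE]
# Returns 0 when both 21 and the HylaFAX control port 4559 are tracked,
# 1 otherwise, printing the remediation line for /etc/modprobe.d/.
audit_hylafax_conntrack() {
    missing=$(missing_helper_ports "${1:-$PORTS_FILE_DEFAULT}" 21 4559)
    if [ -z "$missing" ]; then
        echo "nf_conntrack_ftp tracks 21 and 4559"
        return 0
    fi
    echo "nf_conntrack_ftp not tracking: $(echo $missing | tr ' ' ',')"
    echo "put this in /etc/modprobe.d/nf_conntrack_ftp.conf and reload the module:"
    modprobe_options_line 21 4559
    return 1
}
```

Run `audit_hylafax_conntrack` as root on the client after SuSEfirewall2 has loaded the module; a MODULES= entry only loads nf_conntrack_ftp, so without the options line the helper still tracks only port 21.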