On 2/9/2012 5:57 PM, Brian K. White wrote:
On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
On 02/09/12 at 04:53pm, Brian K. White wrote:
Anyone really knowledgeable about susefirewall2 ?
Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
Have a look at the TEMPLATE at /etc/sysconfig/SuSEfirewall2.d/services directory
Togan
Good grief both related and modules options right in there, how did I miss that...
Ok, I don't feel so bad. That file didn't even exist until 10.3, and didn't include those variables until 11.1 or 11.2.
Anyways thanks much.
I take back the feeling stupid. It looks that simple, but it isn't actually working. At least this isn't actually working:

/etc/sysconfig/SuSEfirewall2.d/services/hylafax+

    ## Name: HylaFAX+ Server
    ## Description: Opens ports for HylaFAX+ Server (hfaxd).
    TCP="hylafax"
    RELATED="0/0,tcp,hylafax"
    MODULES="nf_conntrack_ftp"

If I shut off the firewall (on the client), or if I turn it on with FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", I can use the remote fax server. If I turn on the firewall without highports, I can't.

On a much older openSUSE 10.1 box that has the same (current) version of hylafax+ installed, I have it working fine, but the details of configuring the firewall are different on 10.1. So on the 10.1 box I have this:

/etc/modprobe.d/ip_conntrack_ftp:

    options ip_conntrack_ftp ports=21,4559

/etc/sysconfig/SuSEfirewall2:

    FW_SERVICES_EXT_TCP="... hylafax"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_LOAD_MODULES="ip_conntrack_ftp"

And it works. Whether the firewall is on or off, I can use the remote fax server.

Oh, and no, neither box is using the passive option in hyla.conf, and neither box nor the fax server is behind NAT or other firewalls.

Even when I directly edit /etc/sysconfig/SuSEfirewall2 like on the 10.1 box:

    FW_CONFIGURATIONS_EXT="... hylafax+"
    FW_SERVICES_ACCEPT_RELATED_EXT="0.0.0.0/0,tcp,4559"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_LOAD_MODULES="nf_conntrack_ftp"

Still no go.

If I add /etc/modprobe.d/50-nf_conntrack_ftp.conf:

    options nf_conntrack_ftp ports=21,4559

    rcSuSEfirewall2 stop
    rmmod nf_conntrack_ftp
    rcSuSEfirewall2 start
    lsmod | grep ftp
    nf_conntrack_ftp       10826  0
    nf_conntrack           73918  6 nf_conntrack_ftp,nf_conntrack_ipv6,xt_NOTRACK,xt_state,nf_conntrack_netbios_ns,nf_conntrack_ipv4

Still no go.

If I manually

    rmmod nf_conntrack_ftp
    modprobe nf_conntrack_ftp ports=21,4559

Still no go.

iptables -L seems to include the expected rules:

    ACCEPT  tcp  --  anywhere  anywhere  tcp spt:hylafax state RELATED
    LOG     tcp  --  anywhere  anywhere  limit: avg 3/min burst 5 tcp dpt:hylafax flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:hylafax

Yet the only way I can use the remote fax server is with the firewall off, or with highports open.

By "use" or "access" I mean that the return data channel doesn't work. I can ping and ssh to the fax server, and even trying to use hylafax shows an incoming tcp session on the fax server, but the fax server cannot make the return connection, exactly the same problem as ftp PORT commands.

fax server:

    tcp  0  1  ...:4558  ...:54076  SYN_SENT
    tcp  0  0  ...:4559  ...:51417  ESTABLISHED

So, from the client "faxstat -sdl" just hangs. FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" on the client and it works fine.

So, I don't know, either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working.

-- 
bkw

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
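The thread ends with "either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working" and no way to tell which. The script below is an added diagnostic (not code from the thread, from SuSEfirewall2 or from HylaFAX) that separates the three possible causes: whether the loaded nf_conntrack_ftp actually has 4559 in its port list (the sysfs parameter file, which is what a modprobe.d options= line or a modprobe ports= argument ends up in), whether the firewall has the RELATED accept rule for source port 4559, and whether the kernel will attach the helper to the control connection at all. The function names, the optional file argument on each check and the --live flag are my own conventions; each check reads a file you pass (a captured or constructed dump) or, with no argument, the live system. The sysfs path and the iptables-save rule shape are standard, but which chain SuSEfirewall2 puts the rule in is not assumed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks the three things the thread
# could not tell apart: is nf_conntrack_ftp loaded with 4559 in its port
# list, does the firewall accept the RELATED data connection, and will the
# kernel attach the helper at all. Each check takes an optional file so it
# can be run against captured or constructed output; with no argument it
# reads the live system (root is needed for the sysfs parameter file).

HYLAFAX_PORT=4559   # hfaxd control port ("hylafax" in /etc/services)

# Return 0 if the comma-separated list in the parameter file ($1, default:
# the live sysfs file) contains port $2; 1 if not; 2 if the file is
# unreadable (module not loaded, or not running as root: it is mode 0400).
helper_tracks_port() {
    params_file="${1:-/sys/module/nf_conntrack_ftp/parameters/ports}"
    port="$2"
    [ -r "$params_file" ] || return 2
    # sysfs shows e.g. "21,4559"; match the port as a whole element only
    tr ',' '\n' < "$params_file" | tr -d ' \r' | grep -qx "$port"
}

# Return 0 if an iptables-save dump ($1, default: live iptables-save)
# accepts tcp from source port $2 in state RELATED, i.e. the rule that
# FW_SERVICES_ACCEPT_RELATED_EXT / RELATED= is supposed to produce.
related_rule_present() {
    dump_file="$1"
    port="$2"
    { if [ -n "$dump_file" ]; then cat "$dump_file"; else iptables-save; fi; } \
      | grep -E -- "-p tcp .*--sport ${port}( |$).*RELATED.*-j ACCEPT" >/dev/null
}

# Return 0 if the kernel will automatically attach conntrack helpers to
# matching connections. The sysctl ($1, default: the live /proc file)
# exists since Linux 3.5 and defaults to 0 since 4.7; when it is 0 the
# helper is only attached by an explicit "-t raw ... -j CT --helper ftp"
# rule. Kernels without the file (as in the thread) always auto-assign.
helper_autoassign_enabled() {
    sysctl_file="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    [ -r "$sysctl_file" ] || return 0
    [ "$(cat "$sysctl_file")" = "1" ]
}

# Run the checks against the live system and say which one failed.
diagnose() {
    rc=0
    helper_tracks_port "" "$HYLAFAX_PORT" || rc=$?
    case "$rc" in
        0) echo "ok:   nf_conntrack_ftp tracks port $HYLAFAX_PORT" ;;
        2) echo "FAIL: nf_conntrack_ftp not loaded (or run this as root)" ;;
        *) echo "FAIL: nf_conntrack_ftp loaded without port $HYLAFAX_PORT;" \
                "fix the modprobe.d options= line, then rmmod/modprobe it" ;;
    esac
    if related_rule_present "" "$HYLAFAX_PORT"; then
        echo "ok:   RELATED rule for source port $HYLAFAX_PORT present"
    else
        echo "FAIL: no ACCEPT ... --sport $HYLAFAX_PORT ... RELATED rule"
    fi
    if helper_autoassign_enabled; then
        echo "ok:   kernel auto-assigns conntrack helpers"
    else
        echo "FAIL: nf_conntrack_helper=0; add a CT --helper ftp rule" \
             "for dport $HYLAFAX_PORT in the raw table"
    fi
}

# Only touch the live system when asked: sh check-ftp-helper.sh --live
if [ "${1:-}" = "--live" ]; then
    diagnose
fi
```

Run it as root on the client with --live. The first check is the one the thread never made: if the sysfs file shows only 21 after a modprobe.d edit, the module was loaded before the file existed and needs rmmod/modprobe (or a reboot), which is what the SuSEfirewall2 start/stop cycle may not do for you. The third check does not apply to the 2012 kernels in the thread, but on any kernel from 4.7 on it is the usual reason an otherwise correct ftp-helper setup stops working. If all three pass and faxstat still hangs, the helper is loaded and allowed but not parsing the PORT command; the next step is conntrack -L while faxstat runs, looking for an expectation on port 4558, and a tcpdump of the control session.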