[opensuse] susefirewall2 ftp connection tracking for hylafax
Anyone really knowledgeable about susefirewall2? Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?

http://forum.zentyal.org/index.php?topic=1211.0

Basically how can I get this end result:

modprobe nf_conntrack_ftp ports=4559

I maintain a HylaFAX+ package and I already include a service definition file, but it only opens a single simple tcp port. hylafax+ does not have the port range limiting option that vsftpd has, so I can't handle this the way vsftpd does, by including a limited port range in the service definition file and specifying that same range in vsftpd.conf.

In /etc/sysconfig/SuSEfirewall2 there is FW_SERVICES_ACCEPT_RELATED_EXT and FW_LOAD_MODULES. These can be edited from yast, but only via the /etc/sysconfig editor; it's hardly better than hand editing the file, but it's an option. But then where can I put the module options?

Normally nf_conntrack_ftp is not loaded even when vsftpd is installed and enabled because, as mentioned above, it's not needed for vsftpd. But it might be in use for some other ftp server, so I can't just supply a /etc/modprobe.d/50-hylafax.conf that has the line

options nf_conntrack_ftp ports=4559

That's not technically correct. If it were to exist at all it should rightly be named /etc/modprobe.d/50-nf_conntrack_ftp.conf and it should contain nothing but comments, or

nf_conntrack_ftp ports=21
or
nf_conntrack_ftp ports=21,4559
or
nf_conntrack_ftp ports=4559

depending on what's installed and how they're configured. But I don't think any suse/init scripts automatically do anything like that.

Basically there are a number of ways I can get the final result. I could just put a couple modprobe and iptables commands in boot.local for instance.
But I can't see any CLEAN way to do it, and I don't know what to document in my package as the cleanest, shortest, least intrusive, least presumptive way to do it. -- bkw -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/09/12 at 04:53pm, Brian K. White wrote:
> Anyone really knowledgeable about susefirewall2?
> Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
Have a look at the TEMPLATE in the /etc/sysconfig/SuSEfirewall2.d/services directory.

Togan
On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
> On 02/09/12 at 04:53pm, Brian K. White wrote:
>> Anyone really knowledgeable about susefirewall2?
>> Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
> Have a look at the TEMPLATE in the /etc/sysconfig/SuSEfirewall2.d/services directory.
> Togan
Good grief, both related and modules options right in there, how did I miss that...

Ok I don't feel so bad. That file didn't even exist until 10.3 and didn't include those variables until 11.1 or 11.2.

Anyways thanks much.

-- bkw
On 2/9/2012 5:57 PM, Brian K. White wrote:
> On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
>> On 02/09/12 at 04:53pm, Brian K. White wrote:
>>> Anyone really knowledgeable about susefirewall2?
>>> Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
>> Have a look at the TEMPLATE in the /etc/sysconfig/SuSEfirewall2.d/services directory.
>> Togan
> Good grief, both related and modules options right in there, how did I miss that...
> Ok I don't feel so bad. That file didn't even exist until 10.3 and didn't include those variables until 11.1 or 11.2.
> Anyways thanks much.
I take back the feeling stupid. It looks that simple, but it isn't actually working. At least this isn't actually working:

/etc/sysconfig/SuSEfirewall2.d/services/hylafax+

## Name: HylaFAX+ Server
## Description: Opens ports for HylaFAX+ Server (hfaxd).
TCP="hylafax"
RELATED="0/0,tcp,hylafax"
MODULES="nf_conntrack_ftp"

If I shut off the firewall (on the client), or if I turn it on with FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", I can use the remote fax server. If I turn on the firewall without highports, I can't.

On a much older opensuse 10.1 box that has the same (current) version of hylafax+ installed, I have it working fine, but the details of configuring the firewall are different on 10.1. So on the 10.1 box I have this:

/etc/modprobe.d/ip_conntrack_ftp:
options ip_conntrack_ftp ports=21,4559

/etc/sysconfig/SuSEfirewall2:
FW_SERVICES_EXT_TCP="... hylafax"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_LOAD_MODULES="ip_conntrack_ftp"

And it works. Whether the firewall is on or off, I can use the remote fax server.

Oh and no, neither box is using the passive option in hyla.conf, and neither box nor the fax server is behind nat or other firewalls.

Even when I directly edit /etc/sysconfig/SuSEfirewall2 like on the 10.1 box:

FW_CONFIGURATIONS_EXT="... hylafax+"
FW_SERVICES_ACCEPT_RELATED_EXT="0.0.0.0/0,tcp,4559"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_LOAD_MODULES="nf_conntrack_ftp"

Still no go.

If I add /etc/modprobe.d/50-nf_conntrack_ftp.conf:
options nf_conntrack_ftp ports=21,4559

rcSuSEfirewall2 stop
rmmod nf_conntrack_ftp
rcSuSEfirewall2 start
lsmod |grep ftp
nf_conntrack_ftp 10826 0
nf_conntrack 73918 6 nf_conntrack_ftp,nf_conntrack_ipv6,xt_NOTRACK,xt_state,nf_conntrack_netbios_ns,nf_conntrack_ipv4

Still no go.

If I manually
rmmod nf_conntrack_ftp
modprobe nf_conntrack_ftp ports=21,4559

Still no go.

iptables -L seems to include the expected rules:

ACCEPT tcp -- anywhere anywhere tcp spt:hylafax state RELATED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:hylafax flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:hylafax

Yet the only way I can use the remote fax server is with the firewall off, or with highports open.

By "use" or "access" I mean that the return data channel doesn't work. I can ping and ssh to the fax server, and even trying to use hylafax shows an incoming tcp session on the fax server, but the fax server can not make the return connection, exactly the same problem as ftp PORT commands.

fax server:
tcp 0 1 ...:4558 ...:54076 SYN_SENT
tcp 0 0 ...:4559 ...:51417 ESTABLISHED

So, from the client "faxstat -sdl" just hangs. FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" on the client and it works fine.

So, I don't know, either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working.

-- bkw
On 02/17/2012 10:42 PM, Brian K. White wrote:
> On 2/9/2012 5:57 PM, Brian K. White wrote:
>> On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
>>> On 02/09/12 at 04:53pm, Brian K. White wrote:
>>>> Anyone really knowledgeable about susefirewall2?
>>>> Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
>>> Have a look at the TEMPLATE in the /etc/sysconfig/SuSEfirewall2.d/services directory.
>>> Togan
>> Good grief, both related and modules options right in there, how did I miss that...
>> Ok I don't feel so bad. That file didn't even exist until 10.3 and didn't include those variables until 11.1 or 11.2.
>> Anyways thanks much.
> I take back the feeling stupid.
> It looks that simple, but it isn't actually working.
> At least this isn't actually working:
> /etc/sysconfig/SuSEfirewall2.d/services/hylafax+
It may not matter, but SuSEfirewall2 is a bit weird with complicated names, at least in my experience. Drop the + sign.
> ## Name: HylaFAX+ Server
> ## Description: Opens ports for HylaFAX+ Server (hfaxd).
> TCP="hylafax"
> RELATED="0/0,tcp,hylafax"
> MODULES="nf_conntrack_ftp"
and you have FW_CONFIGURATIONS_EXT="hylafax+"
> If I shut off the firewall (on the client), or if I turn it on with FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", I can use the remote fax server.
That option is history according to /etc/sysconfig/SuSEfirewall2:

# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
> If I turn on the firewall without highports, I can't.
What do the logs show?
> On a much older opensuse 10.1 box that has the same (current) version of hylafax+ installed, I have it working fine, but the details of configuring the firewall are different on 10.1. So on the 10.1 box I have this:
> /etc/modprobe.d/ip_conntrack_ftp:
> options ip_conntrack_ftp ports=21,4559
> /etc/sysconfig/SuSEfirewall2:
> FW_SERVICES_EXT_TCP="... hylafax"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
> FW_LOAD_MODULES="ip_conntrack_ftp"
> And it works.
> Whether the firewall is on or off, I can use the remote fax server.
> Oh and no, neither box is using the passive option in hyla.conf, and neither box nor the fax server is behind nat or other firewalls.
> Even when I directly edit /etc/sysconfig/SuSEfirewall2 like on the 10.1 box:
> FW_CONFIGURATIONS_EXT="... hylafax+"
> FW_SERVICES_ACCEPT_RELATED_EXT="0.0.0.0/0,tcp,4559"
If using the configuration file, this is not needed.
> tcp 0 1 ...:4558 ...:54076 SYN_SENT
> tcp 0 0 ...:4559 ...:51417 ESTABLISHED
> So, from the client "faxstat -sdl" just hangs.
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" on the client and it works fine.
See above for why you should not use this parameter.
> So, I don't know, either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working.
iptables and Susefirewall versions may be helpful.

Togan
# zypper up
...
Retrieving repository 'Updates for openSUSE 12.1 12.1-1.4' metadata [/]
File 'repomd.xml' from repository 'Updates for openSUSE 12.1 12.1-1.4' is unsigned, continue? [yes/no] (no): no
Retrieving repository 'Updates for openSUSE 12.1 12.1-1.4' metadata [error]
Repository 'Updates for openSUSE 12.1 12.1-1.4' is invalid. [|] Valid metadata not found at specified URL(s)
Please check if the URIs defined for this repository are pointing to a valid repository.
Warning: Disabling repository 'Updates for openSUSE 12.1 12.1-1.4' because of the above error.
...

Huh?

Met vriendelijk groet / Best regards,
Wilfred van Velzen
--
SERCOM Regeltechniek B.V.
On Sat, Feb 18, 2012 at 10:46:36AM +0100, Wilfred van Velzen wrote:
> # zypper up
> ...
> Retrieving repository 'Updates for openSUSE 12.1 12.1-1.4' metadata [/]
> File 'repomd.xml' from repository 'Updates for openSUSE 12.1 12.1-1.4' is unsigned, continue? [yes/no] (no): no
> Retrieving repository 'Updates for openSUSE 12.1 12.1-1.4' metadata [error]
> Repository 'Updates for openSUSE 12.1 12.1-1.4' is invalid. [|] Valid metadata not found at specified URL(s)
> Please check if the URIs defined for this repository are pointing to a valid repository.
> Warning: Disabling repository 'Updates for openSUSE 12.1 12.1-1.4' because of the above error.
> ...
> Huh?
Unclear why this happens, but the problem is on our servers ... I mailed the responsible folks.

Ciao, Marcus
On 2/18/2012 4:15 AM, Togan Muftuoglu wrote:
> On 02/17/2012 10:42 PM, Brian K. White wrote:
>> On 2/9/2012 5:57 PM, Brian K. White wrote:
>>> On 2/9/2012 5:00 PM, Togan Muftuoglu wrote:
>>>> On 02/09/12 at 04:53pm, Brian K. White wrote:
>>>>> Anyone really knowledgeable about susefirewall2?
>>>>> Is there a way to get ftp connection tracking for hylafax's port 4559 just by supplying files with the package? Like unusual variables I can put in the service definition file? And/or add a modprobe.d/foo.conf file?
>>>> Have a look at the TEMPLATE in the /etc/sysconfig/SuSEfirewall2.d/services directory.
>>>> Togan
>>> Good grief, both related and modules options right in there, how did I miss that...
>>> Ok I don't feel so bad. That file didn't even exist until 10.3 and didn't include those variables until 11.1 or 11.2.
>>> Anyways thanks much.
>> I take back the feeling stupid.
>> It looks that simple, but it isn't actually working.
>> At least this isn't actually working:
>> /etc/sysconfig/SuSEfirewall2.d/services/hylafax+
> It may not matter, but SuSEfirewall2 is a bit weird with complicated names, at least in my experience. Drop the + sign.
>> ## Name: HylaFAX+ Server
>> ## Description: Opens ports for HylaFAX+ Server (hfaxd).
>> TCP="hylafax"
>> RELATED="0/0,tcp,hylafax"
>> MODULES="nf_conntrack_ftp"
> and you have FW_CONFIGURATIONS_EXT="hylafax+"
>> If I shut off the firewall (on the client), or if I turn it on with FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", I can use the remote fax server.
> That option is history according to /etc/sysconfig/SuSEfirewall2:
> # Note: Use of this variable is deprecated and it will likely be
> # removed in the future. If you think it should be kept please
> # report your use case at
> # http://forge.novell.com/modules/xfmod/project/?susefirewall2
Of course I know that's to be avoided, otherwise I would mention it or be spending all day and all night trying to avoid it.
>> If I turn on the firewall without highports, I can't.
> What do the logs show?
>> On a much older opensuse 10.1 box that has the same (current) version of hylafax+ installed, I have it working fine, but the details of configuring the firewall are different on 10.1. So on the 10.1 box I have this:
>> /etc/modprobe.d/ip_conntrack_ftp:
>> options ip_conntrack_ftp ports=21,4559
>> /etc/sysconfig/SuSEfirewall2:
>> FW_SERVICES_EXT_TCP="... hylafax"
>> FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
>> FW_LOAD_MODULES="ip_conntrack_ftp"
>> And it works.
>> Whether the firewall is on or off, I can use the remote fax server.
>> Oh and no, neither box is using the passive option in hyla.conf, and neither box nor the fax server is behind nat or other firewalls.
>> Even when I directly edit /etc/sysconfig/SuSEfirewall2 like on the 10.1 box:
>> FW_CONFIGURATIONS_EXT="... hylafax+"
>> FW_SERVICES_ACCEPT_RELATED_EXT="0.0.0.0/0,tcp,4559"
> If using the configuration file, this is not needed.
>> tcp 0 1 ...:4558 ...:54076 SYN_SENT
>> tcp 0 0 ...:4559 ...:51417 ESTABLISHED
>> So, from the client "faxstat -sdl" just hangs.
>> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" on the client and it works fine.
> See above for why you should not use this parameter.
>> So, I don't know, either the iptables are not actually good, or that nf_conntrack_ftp kernel module isn't working.
> iptables and Susefirewall versions may be helpful.
> Togan
Well after a lot of testing and process of elimination I got it.

The + in the hylafax+ name for the service file and such isn't screwing anything up.

Basically, the service descriptor needs:
-----------
TCP="hylafax"
RELATED="0.0.0.0/0,tcp,4558 0.0.0.0/0,tcp,hylafax"
MODULES="nf_conntrack_ftp"
-----------
IE: it needs to include 4558 and 4559.

And the module must be loaded with option ports=<ports> where <ports> must include 4559. In the case of opensuse most people can just create a new file:

/etc/modprobe.d/50-nf_conntrack_ftp.conf

With one (active) line in it:
-----------
# port 4559 for hylafax
# On older kernels the module name is ip_conntrack_ftp
options nf_conntrack_ftp ports=4559
-----------
It does not need 4558.

That's if PassiveMode is not yes in /etc/hylafax+/hyla.conf. I didn't look at passive mode yet.

Now how to do this cleaner?

I can and do supply the service descriptor file in the rpm, so it's no problem to update that to look like above. But I can't add that modprobe conf file in the rpm because I can't have the hylafax+ package walking all over the user's ftp/firewall/modules config, even though on opensuse it just happens to be that the stock ftp server doesn't use or need the ftp connection tracking module to deal with ftp PORT connections, because vsftpd has another way to do it. Meaning, practically no one is going to already have a modules.d/*.conf with options nf_conntrack_ftp ports=21 in it, but they might. certainly you can't just so you could just create one with nf_conntrack_ftp ports=4559 in it and not mess

I don't like the idea of writing a script to search all possible places the option might exist, update it in-place if it does exist, which means fully parsing the line just to make sure the 4559 isn't already in there, or create a file and write the desired line in it if it doesn't exist anywhere already. ...and have that all actually be reliable.

Nor do I like shipping a package that doesn't work as well as possible out of the box.

I guess it's not that big of a deal. Most people probably just don't do hylafax over the network. I don't see anything in the regular hylafax package in the oss repo that would make this work either. They don't even have the service descriptor file.

-- bkw
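An added example, not code from this thread or from the HylaFAX+ package: the idempotent merge Brian describes above, written as a small Python helper an rpm scriptlet could call. It takes the modprobe.d directory as a dict of file name to text (a constructed stand-in for reading /etc/modprobe.d), adds 4559 to an existing `options nf_conntrack_ftp` line in place while keeping unrelated parameters such as loose=0, and otherwise creates 50-nf_conntrack_ftp.conf; the MAX_PORTS limit of 8 is the size of the ports[] array in the kernel's nf_conntrack_ftp.c, not something stated in the thread.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

MODULE = "nf_conntrack_ftp"            # ip_conntrack_ftp on the old 10.1 kernel
DEFAULT_FILE = "50-nf_conntrack_ftp.conf"  # file name the thread settles on
MAX_PORTS = 8                          # ports[] array size in nf_conntrack_ftp.c
OPTIONS_RE = re.compile(r"^\s*options\s+" + MODULE + r"\s+(.*?)\s*$")

Params = List[Tuple[str, str, str]]    # (key, '=' or '', value) per token


def parse_options_line(line: str) -> Optional[Tuple[Params, Set[int]]]:
    """Return (params, ports) for an 'options nf_conntrack_ftp ...' line, else None.

    params keeps every token in order so unrelated parameters survive a
    rewrite; ports collects the values of every ports= token on the line.
    """
    m = OPTIONS_RE.match(line)
    if not m:
        return None
    params = [tok.partition("=") for tok in m.group(1).split()]
    ports: Set[int] = set()
    for key, _, val in params:
        if key == "ports":
            ports.update(int(p) for p in val.split(",") if p)
    return params, ports


def build_options_line(params: Params, ports: Set[int]) -> str:
    """Re-emit the line with one sorted ports= list and all other params kept."""
    if len(ports) > MAX_PORTS:
        raise ValueError(f"{MODULE} takes at most {MAX_PORTS} ports, got {sorted(ports)}")
    kept = [f"{k}={v}" if sep else k for k, sep, v in params if k != "ports"]
    kept.append("ports=" + ",".join(str(p) for p in sorted(ports)))
    return f"options {MODULE} " + " ".join(kept)


def ensure_ports(files: Dict[str, str], wanted=(4559,)) -> Tuple[Dict[str, str], Optional[str]]:
    """Make sure the module's ports= list contains every port in `wanted`.

    `files` maps modprobe.d file names to their text.  The first existing
    options line for the module is updated in place; if none exists,
    DEFAULT_FILE is created.  Returns (new_files, changed_name); changed_name
    is None when nothing had to change, which makes repeated calls harmless.
    """
    wanted_set = set(wanted)
    for name in sorted(files):
        lines = files[name].splitlines()
        for i, line in enumerate(lines):
            parsed = parse_options_line(line)
            if parsed is None:
                continue
            params, ports = parsed
            if wanted_set <= ports:
                return files, None                 # already configured
            lines[i] = build_options_line(params, ports | wanted_set)
            return {**files, name: "\n".join(lines) + "\n"}, name
    new_text = ("# port 4559 is hfaxd (HylaFAX); its data channel needs FTP-style tracking\n"
                + build_options_line([], wanted_set) + "\n")
    return {**files, DEFAULT_FILE: new_text}, DEFAULT_FILE
```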
participants (4): Brian K. White, Marcus Meissner, Togan Muftuoglu, Wilfred van Velzen