I'm really fanatic about eBox, but sometimes I have to fight with colleagues to put this tool in a real production environment.
One of these fights is about the FTP and Hylafax servers we have behind the eBox firewall.
The problem, obviously, is in dealing with passive ports. In many FTP servers you can specify a passive port range, so you can limit your "hole" and open those ports in the eBox firewall. Not very elegant, but it works.
The real problem arises when dealing with the Hylafax server. The Hylafax daemon follows the actual RFC for FTP transactions, so on a specified TCP port (you can set it) for communication, the server opens a second port for the data connection. This new port is (as the RFC says) a random one >1024.
Hylafax gives no way to limit the passive port range. The solution, as the developers say, is to implement the "Related" state for the firewall rule of the Hylafax communication port.
Now, the question to the eBox team or anyone who can help: how can I set up passive port forwarding in eBox? In other words, if I allow TCP port 4559 traffic, how can I tell the eBox firewall to let through the traffic on any other port related to transactions made on port 4559?
Any success story of an FTP server with passive port management behind eBox may help.
Many thanks to anyone who will put me in the right direction ...
g
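The following is an added example and is not part of the post above, nor code from the eBox or HylaFAX projects. It shows the two halves of the "Related" approach the post asks about: first, how a stateful helper derives the unpredictable data port from the control channel (it parses the FTP `227` passive reply, exactly the message that a static port-forward can never anticipate), including the check a careful helper makes that the advertised address really is the control-connection peer; second, the netfilter rule set that eBox would need underneath, which relies on the kernel `nf_conntrack_ftp` helper being attached to port 4559 as well as 21. The sample exchange, the addresses and the assumption that hfaxd's FTP-derived dialogue is parsed correctly by the FTP helper are mine; the rules are emitted as strings for review rather than executed.

```python
import re
from ipaddress import ip_address

# Constructed sample: a passive-mode exchange on the HylaFAX control port.
# The "227" reply is the only place the data port is announced.
SAMPLE_EXCHANGE = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,168,1,10,195,89)"),
]

# RFC 959 encodes host and port as six decimal octets: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    """Turn the six octets into ('a.b.c.d', port); None if any octet is invalid."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        return None
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Server side (passive mode): the server tells the client where to connect."""
    m = PASV_RE.match(line)
    return _decode(m.groups()) if m else None


def parse_port_command(line):
    """Client side (active mode): the client tells the server where to connect."""
    m = PORT_RE.match(line)
    return _decode(m.groups()) if m else None


def expected_data_connection(control_peer_ip, reply, loose=False):
    """What a conntrack helper would mark RELATED after seeing a 227 reply.

    Mirrors the nf_conntrack_ftp "loose" knob: with loose=False (the safer
    default) a reply that advertises an address other than the control
    connection's own peer is ignored, so the control channel cannot be used
    to open a RELATED hole towards a third host. Ports <= 1024 are refused
    because, as the post notes, the data port must be a random one above 1024.
    """
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if port <= 1024:
        return None
    if not loose and ip_address(ip) != ip_address(control_peer_ip):
        return None
    return ip, port


def stateful_rules(control_port=4559, helper_ports=(21,)):
    """Rules (as strings) for allowing a control port plus its RELATED data ports.

    Assumptions, not eBox's generated configuration: the nf_conntrack_ftp
    module accepts a 'ports=' list; on kernels where automatic helper
    assignment is off, the helper must be attached explicitly in the raw table
    (the module names the helper 'ftp' for port 21 and 'ftp-<port>' otherwise).
    """
    ports = sorted(set(helper_ports) | {control_port})
    helper = "ftp" if control_port == 21 else f"ftp-{control_port}"
    return [
        "modprobe nf_conntrack_ftp ports=" + ",".join(str(p) for p in ports),
        f"iptables -t raw -A PREROUTING -p tcp --dport {control_port} -j CT --helper {helper}",
        f"iptables -A FORWARD -p tcp --dport {control_port} -m conntrack --ctstate NEW -j ACCEPT",
        # This single line is the "Related" state the HylaFAX developers refer to.
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]


if __name__ == "__main__":
    server_ip = "192.168.1.10"  # constructed: the hfaxd host behind the firewall
    for side, line in SAMPLE_EXCHANGE:
        print(f"{side:>6}: {line}")
        if side == "server":
            print("   -> RELATED data connection expected to",
                  expected_data_connection(server_ip, line))
    print("\n".join(stateful_rules(4559)))
```

Run it as a script to see the sample exchange decoded (the reply above resolves to port 195*256+89 = 50009) followed by the rule set; the `loose=True` path exists only to show what is given up when the address check is disabled.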