Topic: [SOLVED] - Firewall and passive ports

gdavidvlk

[SOLVED] - Firewall and passive ports
« on: April 22, 2009, 04:32:30 pm »
I'm really fanatical about eBox, but sometimes I have to fight with colleagues to put this tool in a real production environment.
One of these fights is about the FTP and Hylafax servers we have behind the eBox firewall.
The problem, obviously, is dealing with passive ports. In many FTP servers you can specify the passive port range, so you can limit your "hole" and open those ports in the eBox firewall. Not very elegant, but it works.
The real problem arises with the Hylafax server. The Hylafax daemon follows the actual RFC for FTP transactions, so in addition to a specified TCP port (you can set it) for communication, the server opens a second port for the data connection. This new port is (as the RFC says) a random one >1024.
Hylafax gives no way to limit the passive port range. The solution, as the developers say, is to implement the "RELATED" state for the firewall rule of the Hylafax communication port.
Now, the question to the eBox team or anyone who can help: how can I set up passive port forwarding in eBox? In other words, if I allow TCP port 4559 traffic, how can I tell the eBox firewall to let through the traffic on any other port related to transactions made on port 4559?

Any success story of an FTP server with passive port management behind eBox may help.
Many thanX to anyone who will put me in the right direction ...

g
« Last Edit: April 22, 2009, 08:10:44 pm by gdavidvlk »

javi

Re: Firewall and passive ports
« Reply #1 on: April 22, 2009, 05:07:50 pm »
It seems to be a common problem with iptables and Hylafax. I've googled a bit and I think the solution is this:

Make sure your eBox has the firewall enabled and in console run this:

Code:
sudo modprobe -r ip_nat_ftp
sudo modprobe ip_nat_ftp ports=21,4559

That should tell the FTP NAT helper module to mark data connections created on control port 4559 as RELATED. Without that, netfilter shouldn't know how to track them.

This is my guess after googling for a while. If you can give it a try and tell us if it works, that would be great.

gdavidvlk

Re: Firewall and passive ports
« Reply #2 on: April 22, 2009, 05:29:57 pm »
Thanks for the quick reply.
Yes, this is a good suggestion, and I had already found a similar hint, but it was for the ip_conntrack_ftp module. I looked at the output of my lsmod, but only found nf_conntrack_ftp. I tried nf_conntrack_ftp ports=21,4559 but with no success.
Your suggestion is to force another module, so now I'll try.
I'll get back to you with the result ...

gdavidvlk

Re: Firewall and passive ports
« Reply #3 on: April 22, 2009, 08:10:09 pm »
OK. It works by modifying the nf_conntrack_ftp options. It was a mistake of mine in passing the ports option.
Now the firewall is open only on port 4559 (no passive ports) and the related ports are opened as they occur.

Summarizing the steps for people who don't have time to spend:
- Access your eBox machine as root.
- Unload the nf_conntrack_ftp module by typing: 'modprobe -r nf_conntrack_ftp'
- Modify your /etc/modprobe.d/options file, adding the line: "options nf_conntrack_ftp ports=21,4559"
- Save the modified file.
- Reload the module by typing 'modprobe nf_conntrack_ftp' (now it will be loaded forcing ports 21 and 4559).

Enjoy your eBox Platform and Hylafax!
(ThanX so much to Javi for pointing me in, and keeping me on, the right direction)


g

javi

Re: [SOLVED] - Firewall and passive ports
« Reply #4 on: April 22, 2009, 08:16:21 pm »
Glad to hear it worked :)

Thanks!

cejack

Re: [SOLVED] - Firewall and passive ports
« Reply #5 on: February 18, 2012, 01:11:10 pm »
This syntax:

"options nf_conntrack_ftp ports=21,4559"

could also be something like:

"options nf_conntrack_ftp ports=21,4559-4759" if you wanted to allocate a range of ports, right?
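As an added example, not code from this thread, for the steps in Reply #3 and the range question in Reply #5: a POSIX sh sanity check of the nf_conntrack_ftp "ports=" line before the helper is reloaded. It assumes the kernel helper's ports parameter is a comma-separated array of at most 8 single port numbers (no ranges), so a value like 4559-4759 would be rejected at modprobe time.

```shell
# Added example, not from the thread: sanity-check an nf_conntrack_ftp
# "ports=" value before reloading the helper. Assumption, from the kernel
# helper's module_param_array: up to 8 single ports, comma separated, no
# ranges, so "4559-4759" would be rejected at modprobe time. (Modern kmod
# only reads /etc/modprobe.d/*.conf, so use e.g. nf_conntrack_ftp.conf.)

# valid_ports_param LIST -> 0 if LIST is 1..8 plain ports in 1..65535.
valid_ports_param() (
    n=0; IFS=,
    for p in $1; do
        n=$((n + 1))
        case $p in ''|*[!0-9]*) exit 1 ;; esac   # empty, range or junk
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] && [ "$n" -le 8 ] || exit 1
    done
    [ "$n" -ge 1 ]
)

# ports_in_param LIST PORT -> 0 if PORT is one of the listed control ports.
ports_in_param() (
    IFS=,
    for p in $1; do [ "$p" = "$2" ] && exit 0; done
    exit 1
)

# conf_ports FILE -> prints the ports= value from the last
# "options nf_conntrack_ftp ... ports=..." line of FILE (empty if none).
conf_ports() (
    val=""
    while IFS= read -r line; do
        case $line in
            options\ nf_conntrack_ftp\ *ports=*)
                val=${line##*ports=}; val=${val%% *} ;;
        esac
    done < "$1"
    printf '%s\n' "$val"
)

# check_conf FILE PORT -> 0 if FILE holds a valid list that includes PORT.
check_conf() (
    v=$(conf_ports "$1")
    valid_ports_param "$v" && ports_in_param "$v" "$2"
)

# Constructed sample fragment (not anyone's real config):
sample=$(mktemp)
printf 'options nf_conntrack_ftp ports=21,4559\n' > "$sample"
check_conf "$sample" 4559 && echo "4559 will be tracked by the FTP helper"
rm -f "$sample"
```

On the running box, the value the kernel actually loaded can be read as root from /sys/module/nf_conntrack_ftp/parameters/ports. On kernels from 4.7 onwards conntrack helpers are no longer assigned automatically by default, so an explicit CT helper rule for the control port is needed in addition to the module option.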