Jeff,

If you posted this info before I apologise in advance for asking for it again.

1. Is your Hylafax server on the same machine as your netfilter firewall, or is it behind the firewall on the local network?

2. If it is behind the firewall, do you have a dedicated internet IP address for the Hylafax machine or are you using IPMASQ to get it to the outside world?

If the Hylafax server is running on the same machine as the netfilter firewall, then you could use the following...

    iptables -A INPUT -i eth0 -p tcp --syn -s 0.0.0.0/0 -d 64.2.3.4 --destination-port 4559 -j ACCEPT
    iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d 64.2.3.4 -m state --state ESTABLISHED,RELATED -j ACCEPT

... the first line allows connections to the Hylafax server; the second line allows any connections related to the first line to come through. You will have to substitute 'eth0' with the interface of your outside internet connection, and substitute the '64.2.3.4' with your real internet address on that interface.

If your server is behind the firewall, and you are using IPMASQ (as I am here), then it gets slightly more complex. In that case you would probably use something like the following...

    iptables -t nat -A PREROUTING -p tcp -d 64.2.3.4 --dport 4559 -j DNAT --to 192.168.0.x

... what this line does is tell netfilter to watch for any connections to port 4559 on the internet interface and redirect them to 192.168.0.x (the hylafax server). In addition to this line you should also have a line for your FORWARD filter as follows...

    iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

... this line tells the forward filter to allow any new or related connections seen on eth0 to be forwarded to eth1. Without this line, your packets will NOT be translated and forwarded to the Hylafax server properly.

Without knowing your exact network configuration it is very difficult to give you a precise answer to your query; however, I hope that these examples will guide you in the right direction. The real problem with the IPMASQ method is that the protocol works similarly to the FTP protocol. In netfilter there are modules (ip_nat_ftp and ip_conntrack_ftp) that monitor the ftp connections and keep things flowing smoothly for the protocol when IPMASQed. I have not seen a Hylafax module to do this yet, but I would imagine that it wouldn't be too hard to modify the ftp modules and create a hylafax module for netfilter.

----- Original Message -----
From: "Jeff Wiegley, Ph.D." <jeff@cyte.com>
To: <hylafax-users@hylafax.org>
Sent: Sunday, May 26, 2002 3:25 PM
Subject: [hylafax-users] hylafax and firewalls, this needs work...

> Well, I started this post with a big long rant against hylafax's
> ftp-like protocol. But I decided to drop that in favor of one simple
> request:
>
> Could somebody please send me all the necessary configuration lines
> that are needed to be added to a Netfilter/iptables setup in order to
> allow all aspects of hylafax to operate correctly.
>
> Cause I can't get cypheus to work and I see all sorts of firewall log
> complaints; none of which appear like they should be part of the hylafax
> protocol or should be allowed by a sane firewall.
>
> - Jeff
>
> ____________________ HylaFAX(tm) Users Mailing List _______________________
> To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
> On UNIX: mail -s unsubscribe hylafax-users-request@hylafax.org < /dev/null
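Added example, not from the original post or from the HylaFAX project: a small shell script that builds both rule sets the reply describes, with a dry-run default (rules are printed, not applied, unless IPT is set to a real iptables as root). Interface names and addresses are placeholders; only the hfaxd control port 4559, the one port the thread names, is handled, and the FORWARD rule is narrowed to the translated server and port instead of accepting any new connection from the outside interface.

```shell
#!/bin/sh
# Added example (not from the original post or the HylaFAX project).
# Builds the two iptables rule sets the reply describes. IPT defaults to
# "echo iptables", so running this only prints the rules for review;
# run with IPT=iptables as root to apply them. Only the hfaxd control
# port (4559, the one port the thread names) is handled here.
IPT="${IPT:-echo iptables}"
HYLAFAX_PORT=4559

# Case 1: Hylafax on the firewall host itself.
#   $1 outside interface, $2 its public address, $3 client network
#   allowed to reach the server (the reply used 0.0.0.0/0; a narrower
#   range limits who can talk to hfaxd at all).
hylafax_local_rules() {
    ext_if=$1; ext_ip=$2; clients=${3:-0.0.0.0/0}
    $IPT -A INPUT -i "$ext_if" -p tcp --syn -s "$clients" -d "$ext_ip" \
        --dport "$HYLAFAX_PORT" -j ACCEPT
    $IPT -A INPUT -i "$ext_if" -d "$ext_ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Case 2: Hylafax on the LAN behind a masquerading (IPMASQ) firewall.
#   $1 outside interface, $2 public address, $3 inside interface,
#   $4 server's LAN address (placeholders; none are from the post).
hylafax_dnat_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; server=$4
    # Redirect inbound port 4559 on the outside interface to the server.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
        --dport "$HYLAFAX_PORT" -j DNAT --to-destination "$server"
    # FORWARD rule limited to the translated destination and port. The
    # reply's version accepts any NEW connection from ext_if to int_if,
    # not only the ones DNAT'd to the fax server.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$server" \
        --dport "$HYLAFAX_PORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies from the server back towards the client.
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$server" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Demo with documentation addresses; set HYLAFAX_DEMO=1 to print both sets.
if [ "${HYLAFAX_DEMO:-0}" = 1 ]; then
    hylafax_local_rules eth0 203.0.113.10 198.51.100.0/24
    hylafax_dnat_rules  eth0 203.0.113.10 eth1 192.168.0.20
fi
```

Review the printed rules against your own interface names and addresses first; the FTP-like data connections the reply mentions are not covered by these rules.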