Hylafax Mailing List Archives


Re: [hylafax-users] Hylafax in DMZ



marthter wrote:

It's all about the HylaFAX protocol being an extension of the File Transfer Protocol (FTP). That uses one port (connection made from client to server like most other protocols) for the control messages, and another port (connection made from server back to client (I think usually on an unpredictable high port number)) for data transfer. I can't remember if that is the "active" or the "passive" version of FTP, but whichever it is, if you can switch it to the OTHER one, that may be a bit of progress for you. I also don't know if HylaFAX has any options to control whether it uses active or passive. Or it may be up to the client (with some flag or parameter) to request an active or passive session, maybe the server accepts both, I really don't know.

"passive" is the way to go, your client must have a setting to activate it: look in your client docu. The server can handle both. "passive" means the (FTP) server will wait passively for the client to establish the data connection, from client to server.


I've also heard that you can turn on "connection tracking" (ip_conntrack module if you're using a Linux machine as your router/firewall) so that when the second data connection is attempted, it is allowed through the firewall. Supposedly this ip_conntrack setup is "easy" in most of the places I've read about how to do it, but it has yet to work for me. Your router may or may not have some feature like that.

That should be another option with a stateful firewall which can handle FTP connections, especially passive ones.

Another thing to watch at the client side: if your client machine has more than one network card then make sure the right one is used. Otherwise the client machine might send packets over the NIC to the hylafax server but these packets have an IP address for the LAN of the other NIC: active mode will not work then, as this IP address is probably not routable from the server at all.

Bernd

Hope that helps, and sorry I can't be more specific.

Martin


b.t.w. I believe the "PORT 192,168,1,5,143,9" is a description of where it is trying to make the connection back to, namely LAN IP address 192.168.1.5, port 2297. The 2297 is computed from the 143 (in the high bytes) and 9 (in the low bytes): 143 * 16 + 9 = 2297.



____________________ HylaFAX(tm) Users Mailing List _______________________ To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx < /dev/null *To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*
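
Added example, not part of the original thread: a parser for the PORT argument quoted above that follows RFC 959 (port = p1 * 256 + p2) and flags the active-mode problems discussed in the replies, namely an advertised address that differs from the control connection's source or sits in private address space. The control-connection source 203.0.113.7 and all function names are assumptions constructed for illustration.

```python
import ipaddress


def parse_port_command(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' line (RFC 959) into (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("each PORT field is a single byte (0-255)")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_active_mode(line, control_peer_ip):
    """Return (ip, port, findings) for a PORT line seen on a control connection.

    control_peer_ip is the source address the server (or firewall) sees for
    the control connection; findings lists reasons the server's connect-back
    is likely to fail or should be refused.
    """
    ip, port = parse_port_command(line)
    findings = []
    if ip != ipaddress.IPv4Address(control_peer_ip):
        # NAT in front of the client, or the wrong NIC's address was advertised.
        findings.append("address-mismatch")
        if ip.is_private:
            # RFC 1918 address that the server cannot route back to.
            findings.append("private-address")
    if port < 1024:
        # Connect-back to a privileged port is a classic FTP bounce indicator.
        findings.append("privileged-port")
    return ip, port, findings


if __name__ == "__main__":
    # PORT line from the thread; peer address is a constructed sample.
    print(check_active_mode("PORT 192,168,1,5,143,9", "203.0.113.7"))
```

A stateful firewall helper for FTP performs the same parse on the control channel to open (and, behind NAT, rewrite) the data connection; passive mode avoids the connect-back entirely.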








