Re: [hylafax-users] Hylafax in DMZ

Jan Hugo Prins wrote on 15/08/05 05:58 PM:


I have my Hylafax server running within the DMZ of my network and systems in that DMZ are not able to connect into the private LAN. When I try to send a fax from my private LAN through the Hylafax server the client is not able to connect because the hfaxd tries to make a direct connection to the client instead of using the connection that was made by the client.

I see the same problem when I do a faxstat from the client:
On the client I see the following error:

[jhp@zeus jhp]$ faxstat -h hercules -v
Trying hercules ( at port 4559...
Connected to hercules.jhprins.org.
220 hercules server (HylaFAX (tm) Version 4.2.1) ready.
-> USER jhp
230 User jhp logged in.
-> PORT 192,168,1,5,143,9
200 PORT command successful.
-> LIST status
425 Cannot build data connection: Connection timed out.

In the logfiles of the firewall between the DMZ and the private lan I see the following errors:

Aug 16 00:02:13 cerberus kernel: RULE 16 -- DENY IN=eth0 OUT=br0 PHYSOUT=eth1 SRC= DST= LEN=60 TOS=0x08 PREC=0x00 TTL=62 ID=41767 DF PROTO=TCP SPT=4558 DPT=36617 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 16 00:03:01 cerberus kernel: RULE 16 -- DENY IN=eth0 OUT=br0 PHYSOUT=eth1 SRC= DST= LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=41768 DF PROTO=TCP SPT=4558 DPT=36617 WINDOW=5840 RES=0x00 SYN URGP=0

Any other daemon that is running in the DMZ uses the connection that is built by the client and can connect back through the firewall that way. But because the hfaxd is trying to make a connection by itself it fails.

Is there something in the configuration file that I can change so I don't have to open up my firewall for the hfaxd?

J.H. Prins

I've asked this question before and never really gotten a clear answer. My case was just behind a firewall, not in a DMZ, but I think the basic issue was the same.

I don't know exactly how to fix your problem, but I can tell you a bit more about it.

It's all about the HylaFAX protocol being an extension of the File Transfer Protocol (FTP). That uses one port (connection made from client to server like most other protocols) for the control messages, and another port (connection made from server back to client (I think usually on an unpredictable high port number)) for data transfer. I can't remember if that is the "active" or the "passive" version of FTP, but whichever it is, if you can switch it to the OTHER one, that may be a bit of progress for you. I also don't know if HylaFAX has any options to control whether it uses active or passive. Or it may be up to the client (with some flag or parameter) to request an active or passive session, maybe the server accepts both, I really don't know.

I've also heard that you can turn on "connection tracking" (ip_conntrack module if you're using a Linux machine as your router/firewall) so that when the second data connection is attempted, it is allowed through the firewall. Supposedly this ip_conntrack setup is "easy" in most of the places I've read about how to do it, but it has yet to work for me. Your router may or may not have some feature like that.

Hope that helps, and sorry I can't be more specific.


b.t.w. I believe the "PORT 192,168,1,5,143,9" is a description of where it is trying to make the connection back to, namely LAN IP address, port 2297. The 2297 is computed from the 143 (in the high bytes) and 9 (in the low bytes): 143 * 16 + 9 = 2297.
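As an added example (not part of this thread), the Python below decodes the PORT argument the way RFC 959 defines it (address octets, then p1*256 + p2) and checks a netfilter DENY line against it, so whoever runs the firewall can confirm that the dropped inbound SYN is hfaxd's active-mode data connection and not unrelated traffic. The sample lines are the ones quoted above, with the blank SRC/DST kept as posted.

```python
import re

# Constructed sample input: the PORT line from the faxstat trace and one
# netfilter DENY line from the thread (SRC/DST were blank in the posted log).
PORT_LINE = "-> PORT 192,168,1,5,143,9"
FIREWALL_LINE = ("Aug 16 00:02:13 cerberus kernel: RULE 16 -- DENY IN=eth0 OUT=br0 "
                 "PHYSOUT=eth1 SRC= DST= LEN=60 TOS=0x08 PREC=0x00 TTL=62 "
                 "ID=41767 DF PROTO=TCP SPT=4558 DPT=36617 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_port_command(line):
    """Decode an FTP/HylaFAX PORT argument (RFC 959): h1,h2,h3,h4,p1,p2.

    In active mode the client advertises the address and port it listens on,
    and the server opens the data connection *to* it; that inbound SYN is what
    a DMZ-to-LAN firewall rule will block.
    """
    m = re.search(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_netfilter_line(line):
    """Pull the key=value fields out of a netfilter LOG target line.

    Empty values (SRC=, DST=) are kept as empty strings; the bare SYN flag is
    recorded separately because it carries no '=' sign.
    """
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    fields["SYN"] = " SYN " in line
    return fields


def is_denied_data_connection(port_line, fw_line):
    """True when the denied inbound TCP SYN targets the port the client
    announced with PORT, i.e. it is the server's active-mode data connection."""
    _, data_port = parse_port_command(port_line)
    fw = parse_netfilter_line(fw_line)
    return (fw.get("PROTO") == "TCP" and fw["SYN"]
            and int(fw.get("DPT", -1)) == data_port)
```

The source port in the denied packet (SPT=4558) is one below the control port 4559, the same layout FTP uses with 20 and 21.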

