Re: [hylafax-users] Hylafax in DMZ
Jan Hugo Prins wrote on 15/08/05 05:58 PM:
Hi,
I've asked this question before and never really gotten a clear answer.
My case was just behind a firewall, not in a DMZ, but I think the basic
issue was the same.
I don't know exactly how to fix your problem, but I can tell you a bit
more about it.
It's all about the HylaFAX protocol being an extension of the File
Transfer Protocol (FTP). That uses one port (connection made from
client to server like most other protocols) for the control messages,
and another port (connection made from server back to client (I think
usually on an unpredictable high port number)) for data transfer. I
can't remember if that is the "active" or the "passive" version of FTP,
but whichever it is, if you can switch it to the OTHER one, that may be
a bit of progress for you. I also don't know if HylaFAX has any options
to control whether it uses active or passive. Or it may be up to the
client (with some flag or parameter) to request an active or passive
session, maybe the server accepts both, I really don't know.
I've also heard that you can turn on "connection tracking" (ip_conntrack
module if you're using a Linux machine as your router/firewall) so that
when the second data connection is attempted, it is allowed through the
firewall. Supposedly this ip_conntrack setup is "easy" in most of the
places I've read about how to do it, but it has yet to work for me.
Your router may or may not have some feature like that.
Hope that helps, and sorry I can't be more specific.
I have my Hylafax server running within the DMZ of my network and systems in
that DMZ are not able to connect into the private lan. When I try to send a
fax from my private lan through the Hylafax server the client is not able to
connect because the hfaxd tries to make a direct connection to the client
instead of using the connection that was made by the client.
I see the same problem when I do a faxstat from the client:
On the client I see the following error:
[jhp@zeus jhp]$ faxstat -h hercules -v
Trying hercules (10.0.0.1) at port 4559...
Connected to hercules.jhprins.org.
220 hercules server (HylaFAX (tm) Version 4.2.1) ready.
-> USER jhp
230 User jhp logged in.
-> PORT 192,168,1,5,143,9
200 PORT command successful.
-> LIST status
425 Cannot build data connection: Connection timed out.
In the logfiles of the firewall between the DMZ and the private lan I see the
Aug 16 00:02:13 cerberus kernel: RULE 16 -- DENY IN=eth0 OUT=br0 PHYSOUT=eth1
SRC=10.0.0.1 DST=192.168.1.5 LEN=60 TOS=0x08 PREC=0x00 TTL=62
ID=41767 DF PROTO=TCP SPT=4558 DPT=36617 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 16 00:03:01 cerberus kernel: RULE 16 -- DENY IN=eth0 OUT=br0 PHYSOUT=eth1
SRC=10.0.0.1 DST=192.168.1.5 LEN=60 TOS=0x08 PREC=0x00 TTL=63
ID=41768 DF PROTO=TCP SPT=4558 DPT=36617 WINDOW=5840 RES=0x00 SYN URGP=0
Any other daemon that is running in the DMZ uses the connection that is built
by the client and can connect back through the firewall that way. But
because the hfaxd is trying to make a connection by itself it fails.
Is there something in the configuration file that I can change so I don't have
to open up my firewall for the hfaxd?
b.t.w. I believe the "PORT 192,168,1,5,143,9" is a description of where
it is trying to make the connection back to, namely LAN IP address
192.168.1.5, port 2297. The 2297 is computed from the 143 (in the high
bytes) and 9 (in the low bytes): 143 * 16 + 9 = 2297.
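An added example (not code from this thread or from HylaFAX) that ties the faxstat session and the firewall log together: it decodes the PORT argument by the FTP rule (four host octets, then port = p1 * 256 + p2) and checks whether a netfilter DENY entry is the data connection hfaxd tried to open back to that address. It assumes the server's data connections originate from the control port minus one, the FTP convention, which is what the SPT=4558 in the log suggests for the 4559 control port.

```python
import re
from typing import NamedTuple


class Endpoint(NamedTuple):
    host: str
    port: int


def parse_port_command(line: str) -> Endpoint:
    """Decode an FTP-style 'PORT h1,h2,h3,h4,p1,p2' argument (RFC 959).
    p1 is the high byte and p2 the low byte of the port: port = p1 * 256 + p2."""
    m = re.search(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT fields must be 0..255")
    h1, h2, h3, h4, p1, p2 = fields
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_netfilter_log(line: str) -> dict:
    """Pull the KEY=VALUE fields out of a netfilter (iptables LOG) kernel message."""
    return dict(re.findall(r"(\b[A-Z]+)=(\S+)", line))


def blocked_data_connection(port_line: str, log_line: str, control_port: int = 4559) -> bool:
    """True when the denied TCP SYN in the firewall log is the server's active-mode
    data connection to the address/port the client announced in PORT.
    Assumption: the server connects from control_port - 1 (FTP convention)."""
    target = parse_port_command(port_line)
    f = parse_netfilter_log(log_line)
    return (f.get("PROTO") == "TCP"
            and f.get("DST") == target.host
            and int(f.get("DPT", -1)) == target.port
            and int(f.get("SPT", -1)) == control_port - 1)


# Sample lines taken from the faxstat session and firewall log quoted in the thread
# (the log entry is re-joined onto one line here).
PORT_LINE = "-> PORT 192,168,1,5,143,9"
DENY_LINE = ("Aug 16 00:02:13 cerberus kernel: RULE 16 -- DENY IN=eth0 OUT=br0 PHYSOUT=eth1 "
             "SRC=10.0.0.1 DST=192.168.1.5 LEN=60 TOS=0x08 PREC=0x00 TTL=62 "
             "ID=41767 DF PROTO=TCP SPT=4558 DPT=36617 WINDOW=5840 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    ep = parse_port_command(PORT_LINE)
    print(f"client asked hfaxd to connect back to {ep.host}:{ep.port}")
    print("firewall denied that data connection:", blocked_data_connection(PORT_LINE, DENY_LINE))
```

Log entries that pass this check are exactly the active-mode data connections the firewall is dropping, which is what a conntrack helper or a passive-mode option on the client side would have to take care of.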
____________________ HylaFAX(tm) Users Mailing List _______________________
To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx < /dev/null
*To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*