Koozali.org: home of the SME Server

deny port!

Smeily

deny port!
« on: October 19, 2004, 02:31:39 AM »
Hi all,
I have sme-denyport...rpm, which worked nicely on 5.6.
On 6.01 I can install it and add a port range, but it returns: Internal server error! When I return to the manager the port range has been added, but I wonder if it's working? It seems that the *.rpm is for 5.6 only - is there a newer one for 6.01, or how do you obtain port blocking on 6.01 (including ports below 1025)?
regards SMEily.

Muzo

deny port!
« Reply #1 on: October 19, 2004, 10:02:36 AM »
Hi,

sme6.0-masq-manager does this stuff.

Smeily

deny port...ftp.problem.
« Reply #2 on: November 04, 2004, 01:36:28 PM »
I've installed sme-mask-manager for 6.0.
Nice blocking from port 1025-65534!
But how to block, let's say, port 80?
When I block 1025-65534 and then try to let some ports through, e.g. 3889, it doesn't work!
Also, when I block a port or a range of ports the ftp access to the WAN is blocked - and when I remove the denied ports the ftp access works again!
Regards SMEily! :-(

Muzo

Re: deny port...ftp.problem.
« Reply #3 on: November 04, 2004, 01:54:50 PM »
Quote from: "Smeily"
But how to block, let's say, port 80?


Uh? Didn't I allow denying ports from 0 to 65554?
I must have a look at my code.


Quote from: "Smeily"
When I block 1025-65534 and then try to let some ports through, e.g. 3889, it doesn't work!
Also, when I block a port or a range of ports the ftp access to the WAN is blocked - and when I remove the denied ports the ftp access works again!
Regards SMEily! :-(


Warning: with this contrib you don't block ports, you deny access through these ports to people from your LAN (it's a one-way blocking).

So if you deny port 3889 and open it, it can't work.
It's like opening a door with a guardian, and you tell this guardian to block people who want to go outside, but allow people who come inside.

I hope I understand your problem.

Smeily

almost
« Reply #4 on: November 04, 2004, 04:42:25 PM »
Nice to have quick replies! :-)
I understand that the panel can't deny a range of ports, let's say from 1025 to 65534, and at the same time open a few of the ports within that range - I have to make 3 or 4 segments, e.g. 1025-3888 and 3890-6888 and 6890 if I want 3889 and 6889 through... right! This will work for me.
But what about the rules denying access through port 21/ftp...? If I enable a port deny my LAN users can't access ftp sites!? :lol:
Also looking forward to hearing if you can deny below 1025... :roll:
Regards SMEily.

Muzo

deny port!
« Reply #5 on: November 04, 2004, 08:05:34 PM »
Perhaps I said something wrong, but I remember this about ftp:
- ports 20 and 21 are used for authentication.
- When authentication is done they use ports over 1025 to communicate.

So if ports over 1025 are denied, ftp won't work.

(if I'm wrong please feel free to correct me! I'm a network noob)

Have you tried to force your ftp client (like FileZilla) to use only ports 21 and 20 and ports over 1025?

Smeily

ftp-ports.
« Reply #6 on: November 05, 2004, 04:45:38 PM »
Here's what I found:
The following chart should help admins remember how each FTP mode works:

 Active FTP :
     command : client >1024 -> server 21
     data    : client >1024 <- server 20

 Passive FTP :
     command : client >1024 -> server 21
     data    : client >1024 -> server >1024
(SlackSite.com)
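The two points the thread circles around, the range-segmenting trick from Reply #4 and the FTP port chart in Reply #6, fit together in a small simulation. This is an added example, not code from SME Server or the masq-manager contrib: it models a LAN-to-WAN egress filter as a first-match rule list (a common packet-filter convention, assumed here rather than taken from the contrib), evaluates which FTP mode survives a given policy using the port numbers from the chart above, and builds the segmented deny list by hand. The active-mode data connection (server port 20 back to the client) is inbound, so this egress-only model treats it as unaffected; whether a masquerading gateway actually admits it depends on its connection tracking, which is outside the model and is flagged as an assumption in the code.

```python
"""Egress-policy simulation for the FTP-vs-port-deny problem.

Added example, not SME Server / masq-manager code. Assumptions:
  * rules are evaluated first-match, unmatched traffic is allowed;
  * only LAN->WAN (egress) connections are filtered, matching the
    "one way blocking" described in the thread;
  * active-FTP data (server 20 -> client) is inbound and therefore
    not subject to this filter; a real NAT box still needs to track
    that connection, which this model does not cover.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    lo: int      # first destination port of the range
    hi: int      # last destination port of the range (inclusive)

    def matches(self, dport: int) -> bool:
        return self.lo <= dport <= self.hi


def egress_allowed(policy: List[Rule], dport: int) -> bool:
    """Return True if a LAN->WAN TCP connection to dport passes the policy.

    First matching rule wins; nothing matched means the connection is allowed.
    """
    for rule in policy:
        if rule.matches(dport):
            return rule.action == "allow"
    return True


def ftp_modes(policy: List[Rule], server_pasv_port: int = 40000) -> Dict[str, bool]:
    """Which FTP modes work from the LAN under this egress policy.

    Port numbers follow the chart quoted in the thread:
      active : command client>1024 -> server 21, data server 20 -> client>1024
      passive: command client>1024 -> server 21, data client>1024 -> server>1024
    server_pasv_port is an assumed high port the server hands out in PASV.
    """
    command_ok = egress_allowed(policy, 21)
    return {
        # active data is inbound, so only the command channel is filtered here
        "active": command_ok,
        # passive data is a second egress connection to a high port, so a
        # deny on 1025-65534 kills it even though the login on 21 succeeded
        "passive": command_ok and egress_allowed(policy, server_pasv_port),
    }


def carve_exceptions(lo: int, hi: int, allowed_ports: Iterable[int]) -> List[Rule]:
    """Split one deny range into deny segments around the ports to let through.

    This is the workaround from Reply #4 for a panel that only takes ranges
    and has no notion of an exception: deny 1025-3888, 3890-6888, 6890-65534
    instead of denying 1025-65534 and then trying to re-open 3889 and 6889.
    """
    segments: List[Rule] = []
    start = lo
    for port in sorted(set(allowed_ports)):
        if port < lo or port > hi:
            continue
        if port > start:
            segments.append(Rule("deny", start, port - 1))
        start = port + 1
    if start <= hi:
        segments.append(Rule("deny", start, hi))
    return segments


if __name__ == "__main__":
    blanket = [Rule("deny", 1025, 65534)]
    print("blanket deny 1025-65534:", ftp_modes(blanket))

    segmented = carve_exceptions(1025, 65534, [3889, 6889])
    for seg in segmented:
        print("deny", seg.lo, "-", seg.hi)
    print("3889 allowed:", egress_allowed(segmented, 3889))
    print("3890 allowed:", egress_allowed(segmented, 3890))

    # Under first-match semantics an allow placed after the deny never fires.
    wrong_order = [Rule("deny", 1025, 65534), Rule("allow", 3889, 3889)]
    print("allow after deny, 3889:", egress_allowed(wrong_order, 3889))
```

The useful takeaway from running it is the passive result: the login on port 21 succeeds, so the failure looks like an FTP problem rather than a firewall one, while in fact the second, high-port egress connection is what the range deny is dropping. Segmenting the range only helps if you know the server's passive port range in advance; otherwise the realistic choices are active mode (if the gateway tracks the inbound data connection) or leaving a known passive range open.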