directadmin + APF (main issue fsockopen)

schoonmoeder (Verified User, joined Oct 14, 2007, 34 messages, location: netherlands)
Hello,

We just went from Debian 4 to Debian 5 and we also wanted to change the firewall, so we went from firehol to APF.

After making some config changes for things like IMAP and FTP we still have one issue, and that one can maybe be eliminated soon with support from DA.

We run some functions where we use fsockopen in PHP, but it always gets a timeout, even if we try to connect to port 80, so HTTP. When I stop APF it works.

Why could DA help us? Well, if I do a DNS change on the server it changes it on the server but then hangs. I think it is because of our second DNS server that is connected to this DA server.

It will try to update it, but that doesn't work. Maybe someone knows what ports or whatever config I need to change in APF.

I'll post a list of ports and their use soon so there is also some useful info in here.
 
Check that you have UDP port 53 open inbound and outbound for DNS, and that you have TCP port 80 open outbound for fsockopen (or whichever other port the script uses).
I suggest also looking at the iptables logging, usually in /var/log/messages or /var/log/syslog.
 
Hello, thanks for the reply.

All ports that might be needed were set open, in TCP and UDP (basically 21, 53, 80 are placed everywhere). I even placed a range from 6000 to 7000 for passive mode of proFTPd.

If EGF in APF is set to 1 (so enabled) the server is totally unreachable.

APF config:
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,37,53,80,110,143,443,465,587,953,993,995,2222,3690,6000_7000"

# Common inbound (ingress) UDP ports
#IG_UDP_CPORTS=""
IG_UDP_CPORTS="20,21,22,25,53,80,465,873"

# Common ICMP inbound (ingress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
#IG_ICMP_TYPES="all"

# Outbound (egress) filtering
EGF="0"

# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21_25,53,80,443,110,143,6000_7000,2222"

# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,22,53,80"

# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

Any help is appreciated.
 
Okay, I just made a test file (PHP):
PHP:
<?php
foreach (array(80, 21, 110) as $port) {
    $fp = @fsockopen("gmail.com", $port, $errno, $errstr, 5);   // 5-second connect timeout
    echo $fp ? "$port: connected\n" : "$port: $errno $errstr\n"; // $errno/$errstr are only set on failure
    if ($fp) fclose($fp);
}

In my case all three of these give a timeout error.
Normally it could happen that 21 and 110 aren't available on the domain, but 80 is the website, so it should work.

I think this is also what happens when I change a DNS record in DA. It changes it, but then tries to change it on the other server and doesn't succeed.

Thanks in advance.
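The poster's test only shows "timeout", which is the one result that does not say where the packets die. The script below is an added example, not code from the thread: it separates name resolution from the TCP connect and classifies each fsockopen() failure, because a refused connection, a timed-out one and a failed lookup each point at a different APF rule (egress TCP, the stateful return-path rule, or UDP 53). It assumes Linux errno values (110 ETIMEDOUT, 111 ECONNREFUSED) and reuses gmail.com from the post as the target; it is written to run on the PHP 5 of that era as well as on current PHP.

```php
<?php
// Added diagnostic, not code from the thread: tells apart the ways fsockopen()
// can fail, because each points at a different firewall rule.
// errno values are Linux's (assumption): 110 ETIMEDOUT, 111 ECONNREFUSED.
define('ETIMEDOUT', 110);
define('ECONNREFUSED', 111);

// Resolve separately so a DNS failure is not mistaken for a TCP one.
function resolve_host($host) {
    $ip = gethostbyname($host);          // returns the name unchanged on failure
    return $ip === $host ? false : $ip;
}

// Returns a short classification of the connect attempt to $host:$port.
function probe($host, $port, $timeout = 5) {
    $errno = 0; $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($fp !== false) {
        fclose($fp);
        return 'open';
    }
    switch ($errno) {
        case ECONNREFUSED:
            // The SYN went out and a RST (or ICMP unreachable) came back:
            // egress and the return path work, the remote port is simply closed.
            return 'refused (egress OK, remote port closed)';
        case ETIMEDOUT:
            // No reply at all: either the SYN never left, or the SYN/ACK was
            // dropped on the way back, which is what a missing or non-loadable
            // ESTABLISHED,RELATED (state match) rule looks like.
            return 'timeout (packets dropped: check egress TCP and the stateful return-path rule)';
        case 0:
            // fsockopen reports name-resolution failures with errno 0.
            return "name lookup failed: $errstr (check UDP 53 out and its replies)";
        default:
            return "errno $errno: $errstr";
    }
}

$targets = array(array('gmail.com', 80), array('gmail.com', 21), array('gmail.com', 110));
foreach ($targets as $t) {
    list($host, $port) = $t;
    $ip = resolve_host($host);
    // Probe by IP when resolution worked, so the TCP result is independent of DNS.
    $result = probe($ip !== false ? $ip : $host, $port);
    printf("%-10s %-4d dns=%-16s tcp=%s\n", $host, $port, $ip !== false ? $ip : 'FAILED', $result);
}
```

Run it once with APF started and once with APF stopped; the pair of outputs tells you whether it is DNS (all three lines show dns=FAILED), egress filtering (all three time out by IP) or a single missing port (only one line changes). A "refused" on 21 or 110 with APF running is actually good news: it proves the firewall let the SYN out and the reply back in.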
 
Nothing special, it just loads the ports.
Some messages, but that shouldn't be bad:
iptables: No chain/target/match by that name

Maybe I should delete APF totally and retry. Is there a fast and easy way? There was quite some work to delete firehol (which was working okay).
 
Small update.

I got in contact with the makers of APF. The point is that my server doesn't have the module xt_state or ipt_state, and those are needed.

I would appreciate it if someone could tell me how to install that module on a Debian machine.

Thanks in advance.
 
If you were using linux-image-2.6 from Debian repositories, you would have that module. If you are compiling your own kernel, just use CONFIG_NETFILTER_XT_MATCH_STATE=m or =y.
 
Hello,

Well, I recompiled it with all netfilter options. No luck.
I added CONFIG_NETFILTER_XT_MATCH_STATE=m to the config. No luck.

More help is appreciated.
I found the .h and .c files somewhere.
 
Again some more curious info:

root@server:/# updatedb
root@server:/# locate xt_state
/lib/modules/2.6.18-5-686/kernel/net/netfilter/xt_state.ko
/lib/modules/2.6.18-6-686/kernel/net/netfilter/xt_state.ko
/usr/include/linux/netfilter/xt_state.h
/usr/src/linux-2.6.28.7/include/linux/netfilter/xt_state.h
/usr/src/linux-2.6.28.7/net/netfilter/xt_state.c
root@server:/# locate ipt_state
/lib/iptables/libipt_state.so
/usr/include/linux/netfilter_ipv4/ipt_state.h
/usr/src/linux-2.6.28.7/include/linux/netfilter_ipv4/ipt_state.h
 
If you added the CONFIG_NETFILTER_XT_MATCH_STATE=m line manually to the config, maybe there is another line containing CONFIG_NETFILTER_XT_MATCH_STATE=n that overwrites your choice... try to set it with "make menuconfig", "Networking support", "Networking options", "Network packet filtering framework (Netfilter)", "Core Netfilter Configuration" and set M on '"state" match support'. Then just "make modules" and "make modules_install".
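The locate output above finds xt_state.ko only under the 2.6.18-5-686 and 2.6.18-6-686 module trees, while the sources are linux-2.6.28.7; the check that matters is whether the module exists for the kernel that uname -r reports, and whether that kernel has actually registered the "state" match. The script below is an added example, not something from the thread, from Debian or from APF. It assumes Debian's layout (/boot/config-<version>, /lib/modules/<version>/kernel/net/netfilter/), that /proc/net/ip_tables_matches lists the registered match names one per line, and that the state match needs CONFIG_NF_CONNTRACK in addition to CONFIG_NETFILTER_XT_MATCH_STATE (it depends on it in the kernel's Kconfig).

```shell
#!/bin/sh
# Added example, not from the thread, Debian or APF: checks whether the running
# kernel can provide the "state" match that APF's stateful rules need.
# Assumed layout: /boot/config-<ver>, /lib/modules/<ver>/kernel/net/netfilter/.

# 1. Kernel build configuration. The state match depends on connection tracking,
#    so both symbols must be =y or =m. A disabled option appears as
#    "# CONFIG_... is not set", which these greps deliberately do not match.
config_has() {  # config_has <config-file> <CONFIG_SYMBOL>
    grep -Eq "^$2=(y|m)\$" "$1"
}
state_match_in_config() {  # state_match_in_config <config-file>
    config_has "$1" CONFIG_NF_CONNTRACK && config_has "$1" CONFIG_NETFILTER_XT_MATCH_STATE
}

# 2. Installed module for one specific kernel version under a modules root
#    (normally /lib/modules). A .ko under another version's tree does not help.
state_module_installed() {  # state_module_installed <modules-root> <kernel-version>
    [ -f "$1/$2/kernel/net/netfilter/xt_state.ko" ]
}

# 3. What the kernel has registered right now. /proc/net/ip_tables_matches lists
#    one match name per line; without "state" in it iptables answers
#    "No chain/target/match by that name" when APF loads its stateful rules.
state_match_registered() {  # state_match_registered [matches-file]
    grep -qx state "${1:-/proc/net/ip_tables_matches}"
}

# Ties the three checks together for the running kernel; returns non-zero if any fails.
check_running_kernel() {
    ver=$(uname -r)
    cfg=/boot/config-$ver
    ok=0
    if [ -r "$cfg" ]; then
        if state_match_in_config "$cfg"; then
            echo "config: state match enabled in $cfg"
        else
            echo "config: NF_CONNTRACK / XT_MATCH_STATE not enabled in $cfg"; ok=1
        fi
    else
        echo "config: $cfg not found, check the .config of the source tree you built $ver from"
    fi
    if state_module_installed /lib/modules "$ver"; then
        echo "module: xt_state.ko installed for $ver"
        modprobe xt_state 2>/dev/null || true   # a built-in (=y) match has no module to load
    else
        echo "module: no xt_state.ko for $ver (other versions' trees do not count)"; ok=1
    fi
    if state_match_registered; then
        echo "kernel: 'state' match registered, APF's stateful rules can load"
    else
        echo "kernel: 'state' match NOT registered"; ok=1
    fi
    return $ok
}

# "sh check_state_match.sh check" runs the summary; sourcing the file only defines the helpers.
case "${1:-}" in
    check) check_running_kernel ;;
esac
```

Run it on the server after "make modules_install" and a reboot into the new kernel (or "modprobe xt_state" on the current one). Unlike starting APF, the registered-match check reads /proc and inserts no rules, so it is safe on the live box; if the config step reports the symbols but no .ko turns up for uname -r, the build and the running kernel are not the same version.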
 
Again no luck.

Is it possible to copy it from an old kernel and activate it? It is on a live server, so the stuff I already did is freaking me out. If it goes down I need to head over to the datacenter again.
 
No, you can't just copy it from another kernel. It has to be compiled from the sources of your kernel.
I can help you, come to MSN or write me a GPG encrypted email with the access data.
 