Technical data

3. Base configuration
You may continue here forever...
3.10.7. DMZ Demilitarized Zone
fli4l may also serve to build a DMZ. As a DMZ is just another additional ruleset for the router's
packet filter, please refer to the wiki at https://ssl.nettworks.org/wiki for the time being.
3.10.8. Conntrack-Helpers
Using IP masquerading has the advantage that many machines in the LAN can be routed over
only one official IP address. However, there are also disadvantages that you have to take into
account.
A major problem, for example, is that no machine from outside can initiate a connection to the
machines in the LAN. This may be desired for security reasons, but certain protocols will no longer
work because they require a connection to be opened from outside.
A classic example is FTP. Besides the control channel used to exchange commands and replies,
a second channel (another IP port) is needed to transfer the actual data. fli4l uses special
conntrack helpers for this in order to open such ports on demand and redirect them to the
machine in question when needed. The conntrack helper "listens" to the control stream to
recognize when such an additional port is needed.
Typical applications for conntrack helpers are e.g. chat protocols and Internet games.
Conntrack helpers are activated via rules in two special arrays. The array PF_PREROUTING_CT_%
contains helper assignments for packets coming from outside the router; the array PF_OUTPUT_CT_%
contains helper assignments for packets generated on the router itself. Some practical examples
illustrate this.
Example 1: If active FTP from the LAN is to be allowed, this is, from the router's point of view,
a connection coming from outside the router, so an entry in PF_PREROUTING_CT_% has to be created:
PF_PREROUTING_CT_N='1'
PF_PREROUTING_CT_1='tmpl:ftp IP_NET_1 HELPER:ftp'
The ftp helper module will be loaded for all TCP connections from the local network
(IP_NET_1) to port 21 (the FTP port) of any other address. During such a connection the module
allows the FTP server to establish the data transfer connection back to the client by temporarily
opening a "hole" in the firewall.
Example 2: If you want to enable passive FTP for an FTP server in the LAN (here the data
connection is established from the outside to the inside, so a hole in the firewall must be
opened as well), this is also seen as a connection from outside by the router. The rule for
this looks like:
PF_PREROUTING_CT_N='1'
PF_PREROUTING_CT_1='tmpl:ftp any dynamic HELPER:ftp'
This rule states that all FTP connections to the dynamic address of the router are associated
with the FTP conntrack helper. dynamic was used here because it is assumed that the router
dials in to the Internet itself and thus has a dynamically assigned external IP address.
If the router performs dial-in via DSL, the rule can also be written as:
PF_PREROUTING_CT_N='1'
PF_PREROUTING_CT_1='tmpl:ftp if:pppoe:any HELPER:ftp'
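To make concrete what the ftp helper referenced by these rules does while it "listens" to the control stream, here is an added Python example that is not part of fli4l or this handbook. It parses a constructed FTP control exchange, extracts the data-connection endpoint announced by a PORT command (active mode, as in Example 1) and by the 227 reply to PASV (passive mode, as in Example 2), and models the check a helper should apply before opening a hole: the announced address must be the address of the peer that announced it, unless a permissive "loose" mode is enabled. The addresses, the exchange and the loose-mode behaviour are assumptions made for illustration, not values or code taken from fli4l.

```python
"""Model of what an FTP conntrack helper learns from the control channel.

Added example; not fli4l code. Addresses and the exchange below are constructed.
"""
import re

# Constructed FTP control-channel exchange (not a capture from a real system).
# Client 192.0.2.10 sits in the LAN (the IP_NET_1 side of Example 1),
# server 198.51.100.20 is the FTP server on the other side.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"
SAMPLE_EXCHANGE = [
    ("client", "USER anonymous\r\n"),
    ("server", "230 Login successful.\r\n"),
    # Active mode: client announces where the server must connect back to.
    # 195*256 + 80 = 50000
    ("client", "PORT 192,0,2,10,195,80\r\n"),
    ("server", "200 PORT command successful.\r\n"),
    # Passive mode: server announces where the client must connect to.
    # 39*256 + 17 = 10001
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (198,51,100,20,39,17).\r\n"),
    # Announcement for a third-party address; a strict helper must not open
    # a hole towards an address that is not the announcing peer.
    ("client", "PORT 203,0,113,5,0,80\r\n"),
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated numbers of PORT/227 into (ip, port)."""
    a, b, c, d, p_hi, p_lo = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def expectations(exchange, client_ip, server_ip, loose=False):
    """Return the data connections a helper would expect after reading the exchange.

    Each entry describes the temporary hole the helper would have to open
    (src -> dst:dport) or why it refused to open one.
    """
    result = []
    for sender, line in exchange:
        line = line.rstrip("\r\n")
        if sender == "client":
            m = PORT_RE.match(line)
            if not m:
                continue
            addr, port = decode_hostport(m.groups())
            # Active mode: the server connects back to the client's announced port.
            mode, announcer, src = "active", client_ip, server_ip
        else:
            m = PASV_RE.match(line)
            if not m:
                continue
            addr, port = decode_hostport(m.groups())
            # Passive mode: the client connects to the server's announced port.
            mode, announcer, src = "passive", server_ip, client_ip

        if not 1 <= port <= 65535:
            result.append({"mode": mode, "accepted": False, "reason": "port out of range"})
            continue
        # Strict check (assumed default): only open a hole towards the peer that
        # announced it, so a control channel cannot be used to expose a third host.
        if not loose and addr != announcer:
            result.append({"mode": mode, "accepted": False,
                           "reason": "announced address differs from announcing peer"})
            continue
        result.append({"mode": mode, "accepted": True, "src": src, "dst": addr, "dport": port})
    return result


if __name__ == "__main__":
    for entry in expectations(SAMPLE_EXCHANGE, CLIENT_IP, SERVER_IP):
        print(entry)
```

The first accepted entry is the hole Example 1 relies on (server to LAN client, port 50000); the second is the one Example 2 relies on (client to the server's announced port 10001); the third announcement is refused in strict mode and would only be honoured with `loose=True`.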