Mailing List Archive

packet filtering vs. conserver
Hi,

Is there a way to make conserver listen on a limited number of ports
only (instead of opening random ports)?

The manual page talks about the 'secondaryport' option but this seems to
do nothing at all, and I'm not at all sure that it's the option I need
anyway.

The reason I'm asking is that I have to devise a set of iptables (packet
filter) rules to let users in, as a policy.

thanks

Andras
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: packet filtering vs. conserver
Normally, a "stateful" packet filter will allow the "return ports" for all
sessions opened from "inside" the firewall... In that case, Conserver
initiates the TCP session, suggesting the port it is listening on, and the
firewall should allow that returning communications.

Is this not possible for your firewall?

-Z-

On Wed, Aug 19, 2009 at 7:23 AM, <Andras.Horvath@cern.ch> wrote:

> Hi,
>
> Is there a way to make conserver listen on a limited number of ports
> only (instead of opening random ports)?
>
> The manual page talks about the 'secondaryport' option but this seems to
> do nothing at all, and I'm not at all sure that it's the option I need
> anyway.
>
> The reason I'm asking is that I have to devise a set of iptables (packet
> filter) rules to let users in, as a policy.
>
> thanks
>
> Andras
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users
>



--
ConsoleTeam - Support and training services for Conserver users.
www.conserver.com/consoles/
consoleteam.blogspot.com
Re: packet filtering vs. conserver
secondaryport is what you want. Something like:

config * {
secondaryport 9900;
}

tells conserver to start allocating from port 9900 for its secondary
ports. 'conserver -V' will show you both the primary port and secondary
port range. If you do something like:

config * {
primaryport 782;
secondaryport 783;
}

It would make the main port 782, and then start allocating from 783 for
the rest...up to the number of conserver processes forked off.

Or you could do:

config * {
primaryport conserver;
secondaryport conserver-child;
}

and put whatever values into /etc/services for those names.

The configure option --with-port sets primaryport and --with-base sets
secondaryport, to have them compiled in instead.

Bryan

On Wed, Aug 19, 2009 at 04:23:01PM +0200, Andras.Horvath@cern.ch wrote:
> Hi,
>
> Is there a way to make conserver listen on a limited number of ports
> only (instead of opening random ports)?
>
> The manual page talks about the 'secondaryport' option but this seems to
> do nothing at all, and I'm not at all sure that it's the option I need
> anyway.
>
> The reason I'm asking is that I have to devise a set of iptables (packet
> filter) rules to let users in, as a policy.
>
> thanks
>
> Andras
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users
Re: packet filtering vs. conserver
On Thu, Aug 20, 2009 at 06:22:00AM +0200, Bryan Stansell wrote:

> It would make the main port 782, and then start allocating from 783 for
> the rest...up to the number of conserver processes forked off.

Thanks, it seems to work. I've also found the '-m' switch, and the
combination of the two makes for predictable port usage.

Zonker: as I understand it, the client first contacts the server
(master) to determine which host/port to connect to for a given console,
then connects to said host/port (which may be the same host as the
master). These two connections are in no relation on the TCP/IP level,
and the second one's port is sort of random by default.

cheers,

Andras
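Bryan's primaryport/secondaryport settings and the '-m' switch Andras mentions together pin down every port the master and its child processes will listen on. The following helper, added here as an illustration and not code from the thread or from conserver itself, derives that port set and prints matching iptables rules. It assumes one child process per secondary port (as Bryan describes), that '-m' is conserver's per-process console limit, and that ADMIN_NET-style source networks are placeholders you replace.

```shell
#!/bin/sh
# Added example, not from the conserver project or the thread.
# Assumptions: each forked child listens on one secondary port, starting at
# secondaryport; children = ceil(consoles / per_process), where per_process
# is the value given to conserver's -m switch.

# Number of child processes conserver will fork for a given console count.
conserver_children() {
    consoles=$1; per_process=$2
    echo $(( (consoles + per_process - 1) / per_process ))
}

# Secondary port range in iptables "low:high" --dport syntax.
conserver_port_range() {
    secondaryport=$1; children=$2
    echo "${secondaryport}:$(( secondaryport + children - 1 ))"
}

# Print iptables rules that admit clients from $src to the master port and
# to the fixed secondary range only; everything else stays closed.
conserver_iptables_rules() {
    src=$1; primaryport=$2; secondaryport=$3; consoles=$4; per_process=$5
    children=$(conserver_children "$consoles" "$per_process")
    range=$(conserver_port_range "$secondaryport" "$children")
    echo "iptables -A INPUT -p tcp -s $src --dport $primaryport -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $src --dport $range -j ACCEPT"
}

# Example: primaryport 782, secondaryport 783, 40 consoles, -m 16
# (constructed values; 10.0.0.0/8 is a placeholder client network).
conserver_iptables_rules 10.0.0.0/8 782 783 40 16
```

Compare the computed range with the secondary port range that 'conserver -V' reports before loading the rules, and regenerate them whenever the console count or the '-m' value changes.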
Re: packet filtering vs. conserver
Got it. I had tunnel vision, and was only thinking of Conserver starting
up and connecting to console servers on other networks...

-Z-

On Thu, Aug 20, 2009 at 4:05 AM, <Andras.Horvath@cern.ch> wrote:

> On Thu, Aug 20, 2009 at 06:22:00AM +0200, Bryan Stansell wrote:
>
> > It would make the main port 782, and then start allocating from 783 for
> > the rest...up to the number of conserver processes forked off.
>
> Thanks, it seems to work. I've also found the '-m' switch, and the
> combination of the two makes for predictable port usage.
>
> Zonker: as I understand it, the client first contacts the server
> (master) to determine which host/port to connect to for a given console,
> then connects to said host/port (which may be the same host as the
> master). These two connections are in no relation on the TCP/IP level,
> and the second one's port is sort of random by default.
>
> cheers,
>
> Andras
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users
>