Archive for the tag 'Connection'

Configure Connection to the RHN RPM Repositories

The first step in configuring a system for updates is to register with the Red Hat Network (RHN). For most systems, this is done during the initial installation. Successfully registered systems will appear on the RHN web site. If the system is not listed, run the Red Hat Network Registration tool, which can be found in the Applications menu under System Tools or on the command line:

# rhn_register

Follow the prompts on the screen. If successful, the system will appear on the RHN web site and be subscribed to one or more software update channels. Additionally, a new daemon, rhnsd, will be enabled. If the system will not have access to the Internet, it will not be able to directly subscribe to the RHN update repository. Updates will have to be downloaded from the RHN web site manually. The command line tool yum and the graphical front-ends pirut and pup can be configured to handle this situation.

SBDavid

FTP Connection Issues

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may not be available or fully functional. If this happens, FTP passive mode (PASV) won’t work. In such circumstances you will have to open a hole in your firewall and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:

PassivePortRange 30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN and add the following line to /etc/proftpd.conf and then restart proftpd:

PassivePorts 30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because of the way the FTP protocol establishes a data connection between client and server: the port for each transfer is negotiated over the control connection. When the control connection is encrypted, the iptables FTP connection-tracking helper cannot read that negotiation, so it cannot relate the data connection to the control connection and never marks the packets to the ephemeral port as RELATED.

If you need to use FTP over SSL, you will have to open up a passive port block in both csf and your FTP server configuration.
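Opening a passive port block in both places only helps if the two settings agree, and they drift easily. The script below is an added example (not from the original post or from csf/pure-ftpd/proftpd) that checks an FTP server's passive range against csf's TCP_IN list. It assumes the directive formats shown above (pure-ftpd PassivePortRange LOW HIGH, proftpd PassivePorts LOW HIGH) and csf.conf's TCP_IN = "..." line; the sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Check that the passive range an FTP server advertises to clients is fully
# allowed inbound by csf's TCP_IN. Added example; file formats assumed:
#   pure-ftpd: PassivePortRange LOW HIGH      proftpd: PassivePorts LOW HIGH
#   csf.conf:  TCP_IN = "20,21,22,30000:35000"

# Print "LOW HIGH" from an FTP server config (first uncommented directive),
# or nothing if no passive range is configured.
ftp_passive_range() {
    awk '/^[[:space:]]*(PassivePortRange|PassivePorts)[[:space:]]+/ {
             print $2, $3; exit
         }' "$1"
}

# Print csf's TCP_IN list as one port or LOW:HIGH range per line.
csf_tcp_in() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 if one TCP_IN entry covers the whole passive range, 1 if the range
# is not (fully) allowed, 2 if the FTP config sets no passive range at all.
check_passive_range() {
    ftp_conf=$1; csf_conf=$2
    set -- $(ftp_passive_range "$ftp_conf")
    [ $# -eq 2 ] || { echo "no passive range in $ftp_conf" >&2; return 2; }
    low=$1; high=$2
    for entry in $(csf_tcp_in "$csf_conf"); do
        case $entry in
            *:*) a=${entry%%:*}; b=${entry#*:} ;;
            *)   a=$entry; b=$entry ;;
        esac
        case "$a$b$low$high" in *[!0-9]*) continue ;; esac   # skip malformed
        if [ "$a" -le "$low" ] && [ "$b" -ge "$high" ]; then
            echo "passive range $low-$high is covered by TCP_IN entry $entry"
            return 0
        fi
    done
    echo "passive range $low-$high is NOT fully allowed by TCP_IN in $csf_conf" >&2
    return 1
}

# Constructed sample configs for the demonstration (not real server files).
write_sample_configs() {
    dir=$1
    printf '# Port range for passive connections replies\nPassivePortRange 30000 35000\n' \
        > "$dir/pure-ftpd.conf"
    printf '<Global>\n  PassivePorts 30000 35000\n</Global>\n' > "$dir/proftpd.conf"
    printf '# PassivePortRange 30000 50000\n' > "$dir/no-range.conf"
    printf 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"\n' > "$dir/csf-good.conf"
    printf 'TCP_IN = "20,21,22,30000:32000"\n' > "$dir/csf-partial.conf"
}

# Stand-alone demo: good pairing passes, partial range and missing range fail.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if check_passive_range "$demo_dir/pure-ftpd.conf" "$demo_dir/csf-good.conf"; then echo "OK"; fi
if ! check_passive_range "$demo_dir/pure-ftpd.conf" "$demo_dir/csf-partial.conf"; then echo "mismatch"; fi
rm -rf "$demo_dir"
```

Run it against the real files with `check_passive_range /etc/pure-ftpd.conf /etc/csf/csf.conf` after sourcing the script; a non-zero exit is the signal that clients will get a PASV reply pointing at a port the firewall drops.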

SBDavid

iptables and Connection Tracking

iptables includes a module that allows administrators to inspect and restrict connections to services available on an internal network using a method called connection tracking. Each packet is matched against one of the following states:

NEW - A packet requesting a new connection, such as an HTTP request.

ESTABLISHED - A packet that is part of an existing connection.

RELATED - A packet that is requesting a new connection but is part of an existing connection, such as passive FTP connections where the connection port is 20, but the transfer port can be any unused port 1024 or higher.

INVALID - A packet that is not part of any connections in the connection tracking table.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The example above shows a rule that uses connection tracking to forward only the packets that are associated with an established connection.
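That rule only does its job in the right company: it must come before any rule that accepts NEW packets, INVALID should be dropped explicitly, and the chain policy should be DROP. The script below is an added example (not from the original post) that renders such a ruleset for a chain and a list of TCP ports or LOW:HIGH ranges, printing the iptables commands by default so the ordering can be reviewed without root; IPT_APPLY=1 is an assumed environment flag of this script, not an iptables option.

```shell
#!/bin/sh
# Render (or, with IPT_APPLY=1, apply) a minimal stateful ruleset built around
# "-m state --state ESTABLISHED,RELATED -j ACCEPT". Added example, not from
# the page. Default is dry-run: commands are echoed, nothing is changed.

# Validate one port or LOW:HIGH range in 1..65535; sets low/high as a side effect.
valid_port_spec() {
    case $1 in
        ''|*[!0-9:]*) return 1 ;;
        *:*) low=${1%%:*}; high=${1#*:}
             case $high in *:*) return 1 ;; esac
             [ -n "$low" ] && [ -n "$high" ] || return 1 ;;
        *)   low=$1; high=$1 ;;
    esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Print or run one iptables invocation.
emit() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Usage: stateful_ruleset CHAIN PORT_OR_RANGE...
# Order matters: tracked traffic first, INVALID dropped, then NEW only to the
# listed TCP ports; the chain policy is DROP so anything else is discarded.
stateful_ruleset() {
    chain=$1; shift
    [ $# -gt 0 ] || { echo "usage: stateful_ruleset CHAIN PORT..." >&2; return 1; }
    for p in "$@"; do
        valid_port_spec "$p" || { echo "bad port spec: $p" >&2; return 1; }
    done
    emit -P "$chain" DROP
    emit -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A "$chain" -m state --state INVALID -j DROP
    for p in "$@"; do
        emit -A "$chain" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Stand-alone demo: FTP control port plus the passive block from the FTP post.
stateful_ruleset FORWARD 21 30000:35000
```

With the FTP connection-tracking helper loaded, the passive range rule is unnecessary for plain FTP because the data connection arrives as RELATED; it is the encrypted-control-channel case described above that forces the explicit NEW rule for the range.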