i would call that a regression within a stable release and this default
should be changed in the fedora kernel!
looks like with kernel 4.7 you need "net.netfilter.nf_conntrack_helper =
1" in sysctl.conf to keep things like PASV FTP or Hylafax (which
uses FTP as protocol) working like before
there have been warnings for years now at boot but nobody was able to tell
until today how you are supposed to solve "the kernel needs to be aware
of the protocol and open the data port for the client IP" - all you
find is that the current way is insecure - well - opening the port range
for any IP would be much more insecure than any magic
_______________________________________
in case of a server providing hylafax and ftp services for specific
machines (controlled by iptables allow 21/4559 only for them) the config
until now looks like:
/etc/sysconfig/iptables-config:
IPTABLES_MODULES="nf_conntrack_ftp"
/etc/modprobe.d/iptables-conntrack.conf:
options nf_conntrack_ftp ports=21,4559
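
Added example, not part of the original post: explicit helper assignment with the iptables CT target, which keeps PASV data ports limited to the allowed clients without setting net.netfilter.nf_conntrack_helper = 1. Assumptions: nf_conntrack_ftp is loaded as in the config above, the `ftp` helper is used for both control ports, and the client addresses are constructed.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that attaches the FTP
# conntrack helper explicitly, per client and per control port.
# Control ports 21 and 4559 come from the post; the client addresses used
# at the bottom are constructed (192.0.2.0/24 is a documentation range).
CONTROL_PORTS="21 4559"

gen_rules() {
    # Arguments: one or more allowed client IPv4 addresses (optionally /prefix).
    [ "$#" -gt 0 ] || { echo "usage: gen_rules CLIENT_IP..." >&2; return 1; }
    for ip in "$@"; do
        case "$ip" in
            ""|*[!0-9./]*) echo "bad address: $ip" >&2; return 1 ;;
        esac
    done

    echo "*raw"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for ip in "$@"; do
        for port in $CONTROL_PORTS; do
            # Only control connections from allowed clients get the helper.
            echo "-A PREROUTING -s $ip -p tcp --dport $port -j CT --helper ftp"
        done
    done
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    for ip in "$@"; do
        for port in $CONTROL_PORTS; do
            echo "-A INPUT -s $ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
        # Data connections: only ones the ftp helper expected, from this client.
        echo "-A INPUT -s $ip -p tcp --dport 1024: -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset for two constructed clients. Merge it with the rules for
# other services (the INPUT policy here is DROP) before loading it.
gen_rules 192.0.2.10 192.0.2.11
```

Review the output before piping it to iptables-restore.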