On 12/20/22 11:18, Barry Scott wrote:
On 20 Dec 2022, at 17:29, ToddAndMargo via users
<users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 12/19/22 17:24, ToddAndMargo via users wrote:
Hi All,
# uname -r
6.0.12-300.fc37.x86_64
I have tried googling this. I get tons of hits
but nothing specific to FC37.
Just noticed that I can not do:
$ curl -v ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/ -o -
* Connecting to 192.147.130.111 (192.147.130.111) port 18897
Connection timed out
(The above is a simplification of what I am actually
running, but it shows the problem well.)
FC 37 corked my iptables passive FTP rules, which worked
perfectly under FC36.
Error message when restarting my iptables firewall:
cat: /proc/sys/net/netfilter/nf_conntrack_helper:
No such file or directory
# dnf whatprovides nf_conntrack_helper
Last metadata expiration check: 4:16:08 ago on Mon 19 Dec 2022 12:58:31 PM PST.
Error: No matches found.
Some other data, just in case you ask:
# grep IPTABLES_MODULES /etc/sysconfig/iptables-config
IPTABLES_MODULES=""
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp"
# lsmod | grep ftp
nf_nat_tftp 16384 0
nf_nat_ftp 20480 0
nf_conntrack_tftp 20480 1 nf_nat_tftp
nf_conntrack_ftp 24576 1 nf_nat_ftp
nf_nat 57344 5 ip6table_nat,nf_nat_ftp,nf_nat_tftp,iptable_nat,xt_MASQUERADE
nf_conntrack 167936 8 xt_conntrack,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_nat_tftp,xt_helper,nf_conntrack_ftp,xt_MASQUERADE
Yours in frustration,
-T
I looked up nftables to see if I could get any hints:
https://serverfault.com/questions/958464/how-can-i-use-nftables-with-passive-ftp
Below are rules for allowing passive FTP that
are not working.
/proc/sys/net/netfilter/nf_conntrack_helper is set to 1
So I really, really have to have something in place for
/proc/sys/net/netfilter/nf_conntrack_helper
I found this comment "But keep in mind this is considered a security
vulnerability - that's why newer kernels changed the default value of
nf_conntrack_helper to false." on
https://github.com/firewalld/firewalld/issues/443
Barry
I am on board with that.
I just need to know how to work around the passive ftp issue.
Supposedly, it is adding:
iptables-nft -t raw -A PREROUTING -p tcp --dport ftp -j CT --helper ftp
But, I don't understand "raw". Well, yet.
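An added example, not from anyone in this thread: a POSIX sh script that detects whether the kernel still offers the nf_conntrack_helper sysctl (it was removed in 6.0, which is why the `cat` above fails) and prints the iptables-nft rules that attach the ftp helper explicitly instead. The "raw" table is traversed before conntrack sees a packet, so it is the only place a helper can be pinned to a new flow. The FTP port, the use of the INPUT/OUTPUT chains, and the assumption that nf_conntrack_ftp is already loaded are mine; nothing here runs iptables, the output is meant to be reviewed and then piped to `sh` as root.

```shell
#!/bin/sh
# helper_mode: "legacy-sysctl" if /proc/sys/net/netfilter/nf_conntrack_helper
# exists (kernels before 6.0), otherwise "ct-target". $1 overrides the
# directory so the check can be pointed at a fake /proc for testing.
helper_mode() {
    base="${1:-/proc/sys/net/netfilter}"
    if [ -e "$base/nf_conntrack_helper" ]; then
        echo legacy-sysctl
    else
        echo ct-target
    fi
}

# ftp_helper_rules: print iptables-nft rules that attach the ftp helper only
# to FTP control connections on $1 (default 21). Unlike the old sysctl, which
# auto-assigned helpers to every flow on a helper port, this limits helper
# parsing to the flows the administrator chose.
ftp_helper_rules() {
    port="${1:-21}"
    # raw table, before conntrack: inbound control connections (FTP server)
    echo "iptables-nft -t raw -A PREROUTING -p tcp --dport $port -j CT --helper ftp"
    # raw table, before conntrack: outbound control connections (FTP client,
    # the curl case in this thread)
    echo "iptables-nft -t raw -A OUTPUT -p tcp --dport $port -j CT --helper ftp"
    # filter table: the control connection itself
    echo "iptables-nft -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # filter table: passive/active data connections. Once the helper has
    # parsed the PASV/EPSV reply on the control channel, the first packet of
    # the data connection is classified RELATED; "-m helper --helper ftp"
    # restricts the accept to flows created by that helper, not any RELATED.
    echo "iptables-nft -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
    echo "iptables-nft -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
}

# rule_count: number of rules emitted, handy for a sanity check before applying
rule_count() {
    ftp_helper_rules "$@" | wc -l | tr -d ' '
}

# usage (review first, then apply as root):
#   ftp_helper_rules 21
#   ftp_helper_rules 21 | sudo sh
```

On a host that already accepts ESTABLISHED traffic, only the two raw-table rules and the RELATED rules are new; ESTABLISHED handling is left to the existing firewall script.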
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue