Re: FC37 corked my passive FTP, nf_conntrack_helper vanished

[ToddAndMargo via users <users@xxxxxxxxxxxxxxxxxxxxxxx>]

On 12/20/22 11:18, Barry Scott wrote:
> > On 20 Dec 2022, at 17:29, ToddAndMargo via users 
> > <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On 12/19/22 17:24, ToddAndMargo via users wrote:
> > > Hi All,
> > > # uname -r
> > > 6.0.12-300.fc37.x86_64
> > > I have tried googling this.  I get tons of hits
> > > but nothing specific to FC37.
> > > Just noticed that I can not do:
> > > $ curl -v ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/ -o -
> > > * Connecting to 192.147.130.111 (192.147.130.111) port 18897
> > > Connection timed out
> > > (The above is a simplification of what I am actually
> > > running, but it shows the problem well,)
> > > FC 37 corked my iptables passive FTP rules, which worked
> > > perfectly under FC36
> > > Error message when restarting my iptables firewall:
> > > cat: /proc/sys/net/netfilter/nf_conntrack_helper:
> > > No such file or directory
> > > # dnf whatprovides nf_conntrack_helper
> > > Last metadata expiration check: 4:16:08 ago on Mon 19 Dec 2022 
> > > 12:58:31 PM PST.
> > > Error: No matches found.
> > > Some other data, just in case you ask:
> > > # grep IPTABLES_MODULES /etc/sysconfig/iptables-config
> > > IPTABLES_MODULES=""
> > > IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp 
> > > nf_nat_tftp"
> > > # lsmod | grep ftp
> > > nf_nat_tftp            16384  0
> > > nf_nat_ftp             20480  0
> > > nf_conntrack_tftp      20480  1 nf_nat_tftp
> > > nf_conntrack_ftp       24576  1 nf_nat_ftp
> > > nf_nat                 57344  5 
> > > ip6table_nat,nf_nat_ftp,nf_nat_tftp,iptable_nat,xt_MASQUERADE
> > > nf_conntrack          167936  8 
> > > xt_conntrack,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_nat_tftp,xt_helper,nf_conntrack_ftp,xt_MASQUERADE
> > > Yours in frustration,
> > > -T
> >
> > I looked up nftables to see if I could get any hints:
> >
> > https://serverfault.com/questions/958464/how-can-i-use-nftables-with-passive-ftp <https://serverfault.com/questions/958464/how-can-i-use-nftables-with-passive-ftp>
> >
> >     Below are rules for allowing passive FTP that
> >      are not working.
> >
> >    /proc/sys/net/netfilter/nf_conntrack_helper is set to 1
> >
> > So I really , really have to have something in place for 
> > /proc/sys/net/netfilter/nf_conntrack_helper
>
> I found this comment "But keep in mind this is considered a security 
> vulnerability - that's why newer kernels changed the default value of 
> nf_conntrack_helper to false." on 
> https://github.com/firewalld/firewalld/issues/443
>
> Barry

I am on board with that.

I just need to know how to work around the passive ftp issue.

Supposedly, it is adding:

iptables-nft -t raw -A PREROUTING -p tcp --dport ftp -j CT --helper ftp

But, I don't understand "raw".  Well, yet.







_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue