Re: FC37 corked my passive FTP, nf_conntrack_helper vanished

On 12/20/22 11:18, Barry Scott wrote:


On 20 Dec 2022, at 17:29, ToddAndMargo via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 12/19/22 17:24, ToddAndMargo via users wrote:
Hi All,
# uname -r
6.0.12-300.fc37.x86_64
I have tried googling this.  I get tons of hits
but nothing specific to FC37.
Just noticed that I can not do:
$ curl -v ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/ -o -
* Connecting to 192.147.130.111 (192.147.130.111) port 18897
Connection timed out
(The above is a simplification of what I am actually
running, but it shows the problem well.)
FC 37 corked my iptables passive FTP rules, which worked
perfectly under FC36
Error message when restarting my iptables firewall:
cat: /proc/sys/net/netfilter/nf_conntrack_helper:
No such file or directory
# dnf whatprovides nf_conntrack_helper
Last metadata expiration check: 4:16:08 ago on Mon 19 Dec 2022 12:58:31 PM PST.
Error: No matches found.
Some other data, just in case you ask:
# grep IPTABLES_MODULES /etc/sysconfig/iptables-config
IPTABLES_MODULES=""
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp"
# lsmod | grep ftp
nf_nat_tftp            16384  0
nf_nat_ftp             20480  0
nf_conntrack_tftp      20480  1 nf_nat_tftp
nf_conntrack_ftp       24576  1 nf_nat_ftp
nf_nat                 57344  5 ip6table_nat,nf_nat_ftp,nf_nat_tftp,iptable_nat,xt_MASQUERADE
nf_conntrack          167936  8 xt_conntrack,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_nat_tftp,xt_helper,nf_conntrack_ftp,xt_MASQUERADE
Yours in frustration,
-T

I looked up nftables to see if I could get any hints:

https://serverfault.com/questions/958464/how-can-i-use-nftables-with-passive-ftp

    Below are rules for allowing passive FTP that
    are not working.

    /proc/sys/net/netfilter/nf_conntrack_helper is set to 1

So I really, really have to have something in place for /proc/sys/net/netfilter/nf_conntrack_helper

I found this comment "But keep in mind this is considered a security vulnerability - that's why newer kernels changed the default value of nf_conntrack_helper to false." on https://github.com/firewalld/firewalld/issues/443

Barry

I am on board with that.

I just need to know how to work around the passive ftp issue.

Supposedly, it is adding:

iptables-nft -t raw -A PREROUTING -p tcp --dport ftp -j CT --helper ftp

But, I don't understand "raw".  Well, yet.
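One way to bind the FTP helper explicitly to the control port instead of relying on the removed global nf_conntrack_helper=1 auto-assignment, as an added shell example that is not from this thread. It assumes iptables with the CT target and the nf_conntrack_ftp/nf_nat_ftp modules are available; the chain and port arguments and the DRY_RUN variable are the example's own.

```shell
#!/bin/sh
# Added example: explicit per-port FTP helper assignment (kernel >= 6.0 style).
# The old sysctl attached helpers to *any* connection on a helper's port, which
# let a remote peer open pinholes through the firewall; binding the helper only
# to the control port we actually use is the narrower, intended replacement.

# Emit the iptables commands for one FTP control port.
# $1 = chain where the control connection first appears:
#      OUTPUT      for connections this host initiates (FTP client, as here)
#      PREROUTING  for connections arriving from outside (FTP server)
# $2 = control port (21 unless the server listens elsewhere)
ftp_helper_rules() {
    chain=$1; port=$2
    case "$chain" in
        OUTPUT)     data_chain=OUTPUT ;;   # passive data connection goes out
        PREROUTING) data_chain=INPUT ;;    # passive data connection comes in
        *) echo "unsupported chain: $chain" >&2; return 1 ;;
    esac
    # CT --helper needs the helper module loaded; nf_nat_ftp fixes up
    # addresses in PORT/PASV replies when NAT is in the path.
    echo "modprobe nf_conntrack_ftp nf_nat_ftp"
    # raw table: attach the ftp helper only to this control port
    echo "iptables -t raw -A $chain -p tcp --dport $port -j CT --helper ftp"
    # filter table: admit the data connection the helper marked as RELATED
    echo "iptables -A $data_chain -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# 0 if the kernel still exposes the global auto-assign knob (pre-6.0),
# 1 if it is gone and explicit CT rules are the only option.
helper_sysctl_present() {
    [ -e /proc/sys/net/netfilter/nf_conntrack_helper ]
}

# Apply the rules, or with DRY_RUN=1 only print them (no root needed).
apply_ftp_helper() {
    ftp_helper_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Client host (this thread's case): DRY_RUN=1 apply_ftp_helper OUTPUT 21
# FTP server host:                  DRY_RUN=1 apply_ftp_helper PREROUTING 21
```

Run the DRY_RUN form first and compare the output with the existing ruleset before applying; if helper_sysctl_present succeeds you are on an older kernel and the sysctl is still being consulted.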

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue