On 12/20/22 14:14, Jeffrey Walton wrote:
On Tue, Dec 20, 2022 at 5:05 PM ToddAndMargo via users
<users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 12/20/22 11:18, Barry Scott wrote:
[...]
I found this comment "But keep in mind this is considered a security
vulnerability - that's why newer kernels changed the default value of
nf_conntrack_helper to false." on
https://github.com/firewalld/firewalld/issues/443
I am on board with that.
I just need to know how to work around the passive ftp issue.
Supposedly, it is adding:
iptables-nft -t raw -A PREROUTING -p tcp --dport ftp -j CT --helper ftp
But, I don't understand "raw". Well, yet.
From the iptables(80 man page:
TABLES
There are currently five independent tables (which tables are present
at any time depends on the kernel configuration options and which mod‐
ules are present).
-t, --table table
This option specifies the packet matching table which the com‐
mand should operate on. If the kernel is configured with auto‐
matic module loading, an attempt will be made to load the appro‐
priate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It
contains the built-in chains INPUT (for packets destined to
local sockets), FORWARD (for packets being routed through
the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new
connection is encountered. It consists of four built-ins:
PREROUTING (for altering packets as soon as they come in),
INPUT (for altering packets destined for local sockets),
OUTPUT (for altering locally-generated packets before rout‐
ing), and POSTROUTING (for altering packets as they are
about to go out). IPv6 NAT support is available since ker‐
nel 3.7.
mangle:
This table is used for specialized packet alteration. Until
kernel 2.4.17 it had two built-in chains: PREROUTING (for
altering incoming packets before routing) and OUTPUT (for
altering locally-generated packets before routing). Since
kernel 2.4.18, three other built-in chains are also sup‐
ported: INPUT (for packets coming into the box itself), FOR‐
WARD (for altering packets being routed through the box),
and POSTROUTING (for altering packets as they are about to
go out).
raw:
This table is used mainly for configuring exemptions from
connection tracking in combination with the NOTRACK target.
It registers at the netfilter hooks with higher priority and
is thus called before ip_conntrack, or any other IP tables.
It provides the following built-in chains: PREROUTING (for
packets arriving via any network interface) OUTPUT (for
packets generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) net‐
working rules, such as those enabled by the SECMARK and
CONNSECMARK targets. Mandatory Access Control is imple‐
mented by Linux Security Modules such as SELinux. The secu‐
rity table is called after the filter table, allowing any
Discretionary Access Control (DAC) rules in the filter table
to take effect before MAC rules. This table provides the
following built-in chains: INPUT (for packets coming into
the box itself), OUTPUT (for altering locally-generated
packets before routing), and FORWARD (for altering packets
being routed through the box).
I will have to read it very slowly.
And figure out how to modify my old rules to
accommodate raw as well. (I have been told
that I am overusing "! --syn" with
"RELATED,ESTABLISHED".)
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $unassgn
--dport ftp -m conntrack --ctstate NEW,ESTABLISHED -j
ACCEPT
$tbls -A dsl-in -i $eth1 -p tcp ! --syn --sport ftp -d $eth1_addr
--dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn --sport ftp -d $internal_net
--dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr -d $ANY_IP
-m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in -i $eth1 -p tcp ! --syn -s $ANY_IP -d $eth1_addr
-m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp ! --syn -s $ANY_IP -d $internal_net
-m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
