Dear All,
Could you have a look at my simple nft firewall script below? I've used
ct related, established, but it doesn't work with passive mode FTP - the
data session on high ports is dropped by the firewall. Does NFTables have a
connection tracking helper for FTP? If not - is it planned in the foreseeable
future to add it?
table ip filter {
    chain input {
        type filter hook input priority 0;
        # port match needs the transport protocol: "dport {21}" alone is not valid nft syntax
        tcp dport 21 ct state new limit rate 2/second counter accept
        ct state { established, related } counter accept
        counter limit rate 100/second log group 2 prefix "RULE=Default drop"
        counter drop
    }
    chain output {
        type filter hook output priority 0;
        ct state { established, related } counter accept
    }
}
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
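Editor's note, added after the post and not part of the original message: current nftables (0.8 and later, on Linux 4.10 and later) does provide conntrack helper assignment through `ct helper` objects. The ruleset below is an added example showing how the poster's rules would attach the kernel FTP helper so that passive-mode data connections are tracked as `related`; it assumes the `nf_conntrack_ftp` module is loaded, and the helper object name `ftp-standard` is an arbitrary label chosen here.

```nft
# Added example (not from the original post): attach the kernel FTP
# conntrack helper to control connections on port 21. The helper reads
# the PASV reply on the control channel and registers an expectation, so
# the client's data connection to the high port is tracked as "related"
# and matches the existing "ct state related" accept rule.
table ip filter {
    # Helper object: "ftp-standard" is an arbitrary name chosen here;
    # "ftp" is the kernel helper (nf_conntrack_ftp), bound to TCP.
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }

    chain prerouting {
        type filter hook prerouting priority 0;
        # Assign the helper when a new FTP control connection is first seen.
        tcp dport 21 ct state new ct helper set "ftp-standard"
    }

    chain input {
        type filter hook input priority 0;
        tcp dport 21 ct state new limit rate 2/second counter accept
        # Passive-mode data connections on high ports arrive as "related".
        ct state { established, related } counter accept
        counter limit rate 100/second log group 2 prefix "RULE=Default drop"
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        ct state { established, related } counter accept
    }
}
```

Without the explicit `ct helper set`, the default since Linux 4.7 (`nf_conntrack_helper=0`) means no helper is attached automatically, which is why the data session falls through to the final drop even though the FTP helper module is present.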