Re: Passive FTP not working with iptables

Thanks for your hint, Adel.
Enabling the helper modules with echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper did the trick, thank you very much.

I am not quite sure if this is just enabling the helpers and loose will stay at its default == 0, or if this is setting loose=1 implicitly? I guess it won't affect the default value, but I want to be sure about this. Do you know?

Thanks,
Stefanie

On 06.01.19 at 20:21, Adel Belhouane wrote:
On 06/01/2019 at 18:37, Stefanie Leisestreichler wrote:
Hi.
I have problems getting passive FTP working.
My setup is like this:

Internet --> Router(public IP) -->  FTP-Server (192.168.177.22/32)

I have these rules set up in my firewall:
(ens3 is the interface facing the public internet,
br0 is the internal network interface)

*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Since kernel 4.7 the default handling of helpers has changed (from
implicit use to explicit declaration of use). Take a look there:

https://home.regit.org/netfilter-en/secure-use-of-helpers/

especially https://home.regit.org/netfilter-en/secure-use-of-helpers/#disable-helper-by-default
which is now default.


I am on Ubuntu 18.04 LTS and have loaded the following, which are said to fix passive FTP issues:
ip_conntrack_ftp
ip_nat_ftp
in /etc/modules

Wondering why this output is there in lsmod
(ip_*_ftp is named nf_*_ftp):
root@fw:~# lsmod | grep ftp
nf_nat_ftp             16384  0
nf_nat                 32768  3 nf_nat_ftp,nf_nat_ipv4,xt_nat
nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_conntrack          131072  7 xt_conntrack,nf_conntrack_ipv4,nf_nat,nf_nat_ftp,nf_nat_ipv4,xt_nat,nf_conntrack_ftp


For a long time ip_{nat,conntrack}* modules have been named nf_{nat,conntrack}*
instead, with an alias for backward compatibility (it worked here). You
should use nf_* everywhere. Probably the main reason is they can also
handle IPv6.


Thanks,
Stefanie


Regards,
Adel
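The "explicit declaration of use" Adel refers to, as an added example that is not part of this thread: instead of switching nf_conntrack_helper back to 1 for every connection, the ftp helper is attached only to TCP/21 control connections arriving on the public interface, and the data connections it creates are accepted only when they belong to that helper. ens3 and 192.168.177.22 are taken from the thread; a DNAT of port 21 from ens3 to the FTP server is assumed, and the script only generates and dry-run parses the rules rather than committing them.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes a port forward of TCP/21
# from ens3 to the FTP server already exists in the nat table.
WAN_IF=ens3
FTP_SERVER=192.168.177.22
FTP_PORT=21

# Emit an iptables-restore ruleset that assigns the ftp helper explicitly.
ftp_helper_rules() {
    cat <<EOF
*raw
# Attach the ftp helper only to the FTP control channel on the public side
# (raw PREROUTING runs before DNAT, so match on port, not on the inside IP).
-A PREROUTING -i ${WAN_IF} -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
# The control connection itself must be allowed as NEW.
-A FORWARD -i ${WAN_IF} -p tcp -d ${FTP_SERVER} --dport ${FTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Passive data connections show up as RELATED; restrict the match to the
# ftp helper so no other RELATED expectation opens a path to the server.
-A FORWARD -i ${WAN_IF} -p tcp -d ${FTP_SERVER} -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without committing it (needs root and iptables-restore);
# --noflush keeps the existing rules, --test only checks the syntax.
check_ftp_helper_rules() {
    ftp_helper_rules | iptables-restore --noflush --test
}
```

Run `ftp_helper_rules` to review the rules; with a matching `*nat` DNAT entry added, the same output can be fed to `iptables-restore --noflush` to apply it.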
