On 2021/03/08 04:24, Stefan Hartmann wrote:
> In chain INPUT4 {
> the rule you mentioned
> ct helper "ftp-21" tcp dport {1024-65535} counter accept
> did not match in my test.
> Perhaps the ct helper "ftp-21" matches only on the master connection
> and not on the expectations?
What if you do (untested):
table my_table {
    ct helper ftp-21 {
        type "ftp" protocol tcp;
    }

    chain ct_helper_assign {
        type filter hook prerouting priority filter;
        ct state new tcp dport 21 ct helper set "ftp-21"
    }

    chain INPUT4 {
        type filter hook input priority filter; policy drop;
        ...
        tcp dport 21 counter accept # accept ftp control packets
        ct helper "ftp-21" tcp dport {1024-65535} counter accept
        ...
        limit rate 15/hour burst 30 packets log prefix "drop: "
    }
    ...
}
Differences from previous ruleset:
1) Add accept rule to tcp/21 for ftp control packets
2) Add log rule (at least during debug) to see dropped packets.
Best Wishes,
Frank
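A complete ruleset of the kind discussed in this thread, added here as an illustration and not taken from either poster's configuration. It keeps the helper assignment on the control connection in the prerouting hook, and in the input hook accepts the data channel through `ct state related`: the FTP helper registers an expectation from the PORT/PASV exchange, so the first packet of the data connection is classified as RELATED rather than NEW. The table and chain names, the loopback rule and the inet family are choices made for this example.

```nft
# Added example (not from the thread). Load with: nft -f ftp-example.nft
# The helper object pulls in the nf_conntrack_ftp kernel module; no
# nf_conntrack_helper sysctl is needed because the helper is assigned
# explicitly by rule rather than by automatic helper lookup.
table inet ftp_example {
    ct helper ftp-21 {
        type "ftp" protocol tcp;
    }

    chain helper_assign {
        type filter hook prerouting priority filter;
        # Attach the FTP helper only to new control connections to port 21
        ct state new tcp dport 21 ct helper set "ftp-21"
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept

        # Data channels (active and passive mode) arrive as RELATED because the
        # helper created an expectation for them; replies to existing flows are
        # ESTABLISHED. This single rule covers the 1024-65535 data ports.
        ct state established,related counter accept
        ct state invalid counter drop

        # FTP control connection
        tcp dport 21 counter accept

        # Rate-limited log of whatever still falls through to the drop policy
        limit rate 15/hour burst 30 packets counter log prefix "drop: "
    }
}
```

After loading, `nft list ct helpers table inet ftp_example` shows the helper object, and `conntrack -L` (from conntrack-tools) lists the control connection with `helper=ftp` once a client has connected; a data transfer then appears as a second flow whose first packet was accepted by the `related` rule, and the `counter` on that rule increments instead of the log rule's.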