On Tue, 20 Dec 2022 11:00:43 -0800
ToddAndMargo <ToddAndMargo@xxxxxxxx> wrote:

> Hi All,
>
> $ uname -r
> 6.0.12-300.fc37.x86_64
>
> Since kernel 6.0.1,

Since 6.0-rc4.

> /proc/sys/net/netfilter/nf_conntrack_helper
> has been removed.
>
> This breaks passive ftp.

Specifically, it removes automatic conntrack helper assignment, which was a security hazard.

>
> What do you guys do to work around the problem?

You should assign the desired conntrack helper as a part of your ruleset. For example, "-t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp". Or, "-A PREROUTING" if running an FTP server. The CT module is described by iptables-extensions(8) and, if needs be, you may refer to iptables(8) for the distinction between the OUTPUT and PREROUTING chains.

Should you decide to use nft(8) at some point in the future, see https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers.

-- 
Kerin Millar
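
A check for the advice in the message above, as an added example that is not part of the original thread: these shell functions read `iptables-save` output and report whether the raw table explicitly assigns the ftp helper in the chain the message names for a client (OUTPUT) or a server (PREROUTING). The function names and the sample dumps are constructed for illustration.

```shell
# Added example (not from the thread): audit iptables-save output for an
# explicit ftp conntrack helper assignment in the raw table.

# Print each raw-table chain holding a "-j CT --helper ftp" rule.
# Exit status is 1 when no such rule exists.
ftp_helper_chains() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # table header, e.g. "*raw"
        table == "raw" && $1 == "-A" {
            is_ct = 0; hit = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j") is_ct = ($(i + 1) == "CT")
                else if (is_ct && $i == "--helper" && $(i + 1) == "ftp") hit = 1
            }
            if (hit && !seen[$2]++) { print $2; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_role client|server: a client needs the rule in OUTPUT, a server in
# PREROUTING, as the message above states. Reads the dump on stdin.
check_role() {
    case $1 in
        client) want=OUTPUT ;;
        server) want=PREROUTING ;;
        *) return 2 ;;
    esac
    ftp_helper_chains | grep -qx "$want"
}

# Constructed iptables-save excerpts, for demonstration only.
SAMPLE_CLIENT='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_NONE='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

if printf '%s\n' "$SAMPLE_CLIENT" | check_role client; then
    echo "client dump: ftp helper explicitly assigned"
fi
```

On a live host, pipe the output of `iptables-save` (run as root) into `check_role` instead of the sample text.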