Re: Nftables + ALG + Linux 6.1.0-10-amd64 …?... is it a known Problem?

On Tuesday, 01.08.2023 at 22:11 +0200, Florian Westphal wrote:

> Sounds about right, helper assignment looks correct to me.

Unfortunately, the example from my previous post does not work when I tighten the filter to prevent unwanted traffic. For outgoing FTP I always get the message:
"Could not open data connection to port nnnnn: Connection refused".

I then just created a log entry before the general drop (like a policy) takes effect. And surprise, source port 20 is the problem. This packet gets dropped:
Aug 03 13:54:12 ftps kernel: Debugging: IN=enp1s0 OUT= MAC=0a:cc:00:22:44:0a:e0:28:zv:11:5f:ff:gg:00 SRC=222.178.19.133 DST=10.1.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=30979 DF PROTO=TCP SPT=20 DPT=38909 WINDOW=64240 RES=0x00 SYN URGP=0

The packet is marked with "SYN", but it seems it is not related to the connection via port 21. But being open for SYN in general is also suitable for establishing any other connection at will. This was not necessary until now with the old ALG model in Bullseye. Could it be that I myself and my expectations are the source of the problem here?
The following sample works. But I don't know whether that is what I want... a closed filter with explicit permissions?

table ip filter {
        # nft object "ftp-helper", bound to the kernel conntrack helper "ftp"
        ct helper ftp-helper {
                type "ftp" protocol tcp
                l3proto ip
        }

        # Assign the helper to the first packet of an incoming control connection.
        # Priority -100 runs after conntrack (priority -200) has created the entry.
        chain prerouting {
                type filter hook prerouting priority -100; policy accept;
                ct state 0x8 tcp dport 21 ct helper set "ftp-helper"   # 0x8 = new
        }

        chain input {
                type filter hook input priority 0; policy accept;
                iifname "lo" accept
                ct state 0x2,0x4 accept                 # 0x2 = established, 0x4 = related
                ip protocol 1 accept                    # ICMP
                meta pkttype { 1, 2 } accept            # broadcast, multicast
                # Lets the active-mode data connection in, but matches ANY inbound
                # SYN whose source port is 20, not only the one the helper expects.
                tcp sport 20 accept
                tcp dport 21 accept                     # control connection
                # Matches by the kernel helper name "ftp", not the object name "ftp-helper"
                ct helper "ftp" accept
                log prefix "Debugging: "
                ip protocol 6 counter packets 0 bytes 0 reject with tcp reset   # TCP
                counter packets 0 bytes 0 reject
        }

        chain output {
                type filter hook output priority 0; policy accept;
                oifname "lo" accept
                ct state 0x2,0x4 accept                 # established, related
                meta pkttype { 0, 1, 2 } accept         # host, broadcast, multicast
                ip protocol 1 accept                    # ICMP
                # Locally originated control connection (this host as FTP client)
                ct state 0x8 tcp dport 21 ct helper set "ftp-helper"
                tcp dport 21 accept
                ct helper "ftp" accept
                counter packets 0 bytes 0 reject with icmp 13   # 13 = admin-prohibited
        }
}


Best Regards
Thomas
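The concern raised above is that "tcp sport 20 accept" admits any inbound SYN that merely claims source port 20. The ruleset below is an added example, written for this thread and not taken from the post or from the netfilter project: it keeps input and output closed by policy and admits FTP data connections only when conntrack has marked them RELATED to a control connection carrying the ftp helper. Since Linux 6.0 removed the automatic helper assignment (the nf_conntrack_helper sysctl), the explicit "ct helper set" rules are what creates the expectation in the first place. Helper object name, hook priorities and the role of the host as an FTP client behind the logged address are assumptions taken from the posted ruleset and log line.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset.
flush ruleset

table ip filter {
        ct helper ftp-helper {
                type "ftp" protocol tcp
                l3proto ip
        }

        # Helper assignment on the first packet of an incoming control
        # connection, after conntrack (priority -200) has created the entry.
        chain prerouting {
                type filter hook prerouting priority -100; policy accept;
                ct state new tcp dport 21 ct helper set "ftp-helper"
        }

        chain input {
                type filter hook input priority 0; policy drop;
                iifname "lo" accept
                ct state invalid drop
                # Active-mode data connection announced via PORT: conntrack finds
                # the helper's expectation and marks the SYN as RELATED; "ct helper"
                # reports the helper of the master (control) connection. The source
                # port is not consulted, so a stray SYN from port 20 is dropped.
                ct state related ct helper "ftp" accept
                ct state established accept
                ip protocol icmp accept
                # Only needed if this host also serves FTP; remove for a pure client.
                ct state new tcp dport 21 accept
                log prefix "input-drop: " counter drop
        }

        chain output {
                type filter hook output priority 0; policy drop;
                oifname "lo" accept
                ct state invalid drop
                # Locally originated control connection (this host as FTP client).
                ct state new tcp dport 21 ct helper set "ftp-helper"
                ct state new tcp dport 21 accept
                # Passive-mode data connection we open after PASV is RELATED as well.
                ct state related ct helper "ftp" accept
                ct state established accept
                ip protocol icmp accept
                log prefix "output-drop: " counter reject with icmp type admin-prohibited
        }
}
```

To check that the helper actually sees the control channel, run "conntrack -E expect" (conntrack-tools) while a transfer is started: an expectation for the announced port should appear before the data SYN arrives. If none appears, the helper never parsed a PORT/PASV command, which is the case whenever the control connection is TLS-protected (FTPS); then no RELATED match is possible and the data port range has to be opened explicitly.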


