
Re: Suspected nf_conntrack_ftp module failure under Stretch



Hi.

On Fri, Dec 15, 2017 at 02:46:16PM +0100, David Guyot wrote:
> Hello, there.
> 
> I'm running a Pure-FTPd service, with passive FTP, and I encountered
> what seems to be a defect in the nf_conntrack_ftp module: it seems to
> not recognize the passive FTP data connection as RELATED to the
> established control connection.

And it should not, as they disabled automatic assignment of conntrack
helper modules back in mainline kernel version 3.5.
Also, see Debian bug #870484.

What you need to make it work is the set of these netfilter rules:

-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -p tcp --dport 21 -j ACCEPT

Remove nf_conntrack_ftp from /etc/modules (loading the netfilter rule will
take care of this module), and exterminate these:

> -A INPUT -i ens3 -p tcp -m tcp --dport 50000:50500 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -o ens3 -p tcp -m tcp --sport 50000:50500 -m state --state
> RELATED,ESTABLISHED -j ACCEPT

Reco

