[Firehol-support] Răspuns: firehol dual-stack and service helpers
Mihai Hanor
mhanor at yahoo.com
Sat Nov 19 19:36:28 CET 2016
Hello Phil,
I'm having problems with the ftp-data connection between any FTP server (including the one which runs on my LAN PC; external I have tested with ftp.kernel.org), and the client which runs on my router/gateway (2 interfaces, LAN and WAN). For some reason, the ftp-data connection fails, both in active (I have to manually abort, it never connects) and passive mode (connection instantly rejected). The "client ftp accept" is not enough, I have to add a "client4 ftp accept" statement, connect to the ftp server, test the data connection by listing the content (active data connection, by default, using the classic linux ftp client), after that I can remove the client4 statement, restart firehol. It works until I reboot the router. The same thing happens when I connect to a public ftp server, via the public network interface of the router. The router runs Debian sid. I thought that firehol wasn't loading the kernel modules, but I failed to notice what 'firehol debug' was actually showing me.
I managed to reproduce the issue a few times, with a VM running also Debian unstable. It might have something to do with the fact that the firewall on the router is much more complex. I think it has something to do with the ftp connection tracker.
Thanks,Mihai
De la: Phil Whineray <phil at firehol.org>
Către: Mihai Hanor <quake2iasi at gmail.com>
Cc: firehol-support at lists.firehol.org
Trimis: Sâmbătă, 19 Noiembrie 2016 18:25:37
Subiect: Re: [Firehol-support] firehol dual-stack and service helpers
Hi Mihai
On Sat, Nov 19, 2016 at 04:57:50PM +0200, Mihai Hanor wrote:
> Firehol 3.0.1 seems to not take into account the helper_service statements
> for IPv4 firewall rules, when issuing both IPv6 and IPv4 rules (e.g. client
> ftp accept). Is it by design? I have to issue a client4 statement for one
> of the interfaces, for it to issue the required commands to load the
> required kernel modules or I have to manually load them.
Could you possibly send a minimal example so I can try to recreate it?
Cheers
Phil
More information about the Firehol-support
mailing list