[Firehol-support] Re: Re: firehol dual-stack and service helpers

Phil Whineray phil at firehol.org
Sun Nov 20 10:22:05 CET 2016


Hi Mihai

On Sun, Nov 20, 2016 at 02:18:28AM +0000, Mihai Hanor wrote:
> I have found the cause. Newer kernels have the connection tracking 
> disabled by default and (for some reason) 
> setting net.netfilter.nf_conntrack_helper to 1 fails at boot. I think 
> firehol does try to set it, I also added a .conf file in 
> /etc/sysctl.d/, then edited /etc/sysctl.conf, I don't know why it 
> fails. The client4 statement had nothing to do with the fix, running 
> firehol again was actually setting the kernel parameter to 1, that's 
> why it was working until reboot. I don't know why, the virtual machine 
> also has it set to 0, but the ftp data connection gets established with 
> success, most times.

Glad you found the cause; thanks for letting us know.

Does Sid list specify nf_conntrack_helper=0 as a value when loading the
module? You might be able to change that. If the module is loaded after
sysctl.conf is processed, that would explain why that does not seem to work.

I am not sure what could be preventing the setting of the value, though.
Perhaps something like apparmor (but then why would it work on a second
attempt?).

Hope that helps a bit

Phil
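The ordering problem Phil describes (the sysctl key only exists once nf_conntrack is loaded, so a setting applied from /etc/sysctl.d before the module is present is simply lost) can be checked mechanically. The script below is an added example, not code from FireHOL or from this thread; it takes the proc and modprobe.d paths as parameters so it can be exercised against a constructed directory tree, and the `nf_conntrack_helper` module option it writes is the kernel's own parameter name.

```shell
#!/bin/sh
# Diagnose why "net.netfilter.nf_conntrack_helper = 1" from sysctl.conf or
# /etc/sysctl.d does not survive a reboot. The key lives under
# /proc/sys/net/netfilter and exists only after nf_conntrack is loaded; if
# sysctl files are applied earlier, the write fails and the value stays at
# the kernel default (0 on newer kernels). Running firehol later loads the
# module and sets the value, which is why a second attempt appears to work.

KEY_REL="net/netfilter/nf_conntrack_helper"

# helper_state <proc_sys_root> <modprobe_d_dir>
# Prints one of: no-module | enabled | disabled | disabled-fix-pending-reboot
helper_state() {
    key="$1/$KEY_REL"
    if [ ! -e "$key" ]; then
        # nf_conntrack is not loaded: "sysctl -w" on this key fails with
        # ENOENT, exactly what a sysctl.d file processed too early sees.
        echo "no-module"
        return 0
    fi
    if [ "$(cat "$key")" = "1" ]; then
        echo "enabled"
        return 0
    fi
    # Value is 0. A modprobe option applies at module load time, before any
    # sysctl ordering issue can occur; report whether one is already present.
    if grep -qs '^options[[:space:]][[:space:]]*nf_conntrack[[:space:]].*nf_conntrack_helper=1' "$2"/*.conf; then
        echo "disabled-fix-pending-reboot"
    else
        echo "disabled"
    fi
}

# write_modprobe_fix <modprobe_d_dir>
# Persist the setting as a module parameter (file name is my choice).
# Caveat: automatic helper assignment is off by default because it attaches
# helpers by port number alone; the kernel's boot warning recommends explicit
# CT helper rules instead, so only enable this where that is an accepted risk.
write_modprobe_fix() {
    printf 'options nf_conntrack nf_conntrack_helper=1\n' > "$1/nf_conntrack.conf"
}

# Report the live state when run directly on a host.
helper_state /proc/sys /etc/modprobe.d
```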

