[Firehol-support] Răspuns: firehol dual-stack and service helpers

Phil Whineray phil at firehol.org
Sat Nov 19 20:49:46 GMT 2016


Hi Mihai

On Sat, Nov 19, 2016 at 06:36:28PM +0000, Mihai Hanor wrote:
> Hello Phil,
> I'm having problems with the ftp-data connection between any FTP 
> server (including the one which runs on my LAN PC; external I have 
> tested with ftp.kernel.org), and the client which runs on my 
> router/gateway (2 interfaces, LAN and WAN). For some reason, the 
> ftp-data connection fails, both in active (I have to manually abort, it 
> never connects) and passive mode (connection instantly rejected). The 
> "client ftp accept" is not enough, I have to add a "client4 ftp accept" 
> statement, connect to the ftp server, test the data connection by 
> listing the content (active data connection, by default, using the 
> classic linux ftp client), after that I can remove the client4 
> statement, restart firehol. It works until I reboot the router. The 
> same thing happens when I connect to a public ftp server, via the 
> public network interface of the router. The router runs Debian sid. I 
> thought that firehol wasn't loading the kernel modules, but I failed to 
> notice what 'firehol debug' was actually showing me.
> I managed to reproduce the issue a few times, with a VM running also 
> Debian unstable. It might have something to do with the fact that the 
> firewall on the router is much more complex. I think it has something 
> to do with the ftp connection tracker.
> Thanks,Mihai

I am having trouble understanding what you think you know/don't know
about the module loading or the complexity of the firewall on the
router.

I agree, this sounds related to connection tracking; to get to the
bottom of the problem I think it is necessary to start with a minimal
config and work up from there.

Can you set up a minimal firewall on the router; as few statements
as possible to get to the point that you see the problem i.e. allow
ftp perhaps dns and anything else vital, and post it in your response.

Then, before running with the extra client4 line, could you check:

- the modules loaded
- packets logged when you try the ftp
- any other recent messages from desg

Redo the firewall with the client4 line and get the same info for
comparison.

Do you use NAT anywhere in your setup? There is a separate FTP module
that gets involved.

Thanks
Phil



More information about the Firehol-support mailing list