[Firehol-support] Re: Re: firehol dual-stack and service helpers

Mihai Hanor mhanor at yahoo.com
Sun Nov 20 02:18:28 GMT 2016

I have found the cause. Newer kernels have the connection tracking disabled by default and (for some reason) setting net.netfilter.nf_conntrack_helper to 1 fails at boot. I think firehol does try to set it; I also added a .conf file in /etc/sysctl.d/, then edited /etc/sysctl.conf, and I don't know why it fails. The client4 statement had nothing to do with the fix: running firehol again was actually setting the kernel parameter to 1, which is why it was working until reboot. I don't know why, but the virtual machine also has it set to 0 and the ftp data connection still gets established successfully, most of the time.

From: Phil Whineray <phil at firehol.org>
To: Mihai Hanor <mhanor at yahoo.com>
Cc: "firehol-support at lists.firehol.org" <firehol-support at lists.firehol.org>
Sent: Saturday, 19 November 2016 22:49:46
Subject: Re: [Firehol-support] Re: firehol dual-stack and service helpers
Hi Mihai

On Sat, Nov 19, 2016 at 06:36:28PM +0000, Mihai Hanor wrote:
> Hello Phil,
> I'm having problems with the ftp-data connection between any FTP 
> server (including the one which runs on my LAN PC; external I have 
> tested with ftp.kernel.org), and the client which runs on my 
> router/gateway (2 interfaces, LAN and WAN). For some reason, the 
> ftp-data connection fails, both in active (I have to manually abort, it 
> never connects) and passive mode (connection instantly rejected). The 
> "client ftp accept" is not enough, I have to add a "client4 ftp accept" 
> statement, connect to the ftp server, test the data connection by 
> listing the content (active data connection, by default, using the 
> classic linux ftp client), after that I can remove the client4 
> statement, restart firehol. It works until I reboot the router. The 
> same thing happens when I connect to a public ftp server, via the 
> public network interface of the router. The router runs Debian sid. I 
> thought that firehol wasn't loading the kernel modules, but I failed to 
> notice what 'firehol debug' was actually showing me.
> I managed to reproduce the issue a few times, with a VM running also 
> Debian unstable. It might have something to do with the fact that the 
> firewall on the router is much more complex. I think it has something 
> to do with the ftp connection tracker.
> Thanks,
> Mihai

I am having trouble understanding what you think you know/don't know
about the module loading or the complexity of the firewall on the

I agree, this sounds related to connection tracking; to get to the
bottom of the problem I think it is necessary to start with a minimal
config and work up from there.

Can you set up a minimal firewall on the router; as few statements
as possible to get to the point that you see the problem i.e. allow
ftp perhaps dns and anything else vital, and post it in your response.

Then, before running with the extra client4 line, could you check:

- the modules loaded
- packets logged when you try the ftp
- any other recent messages from dmesg

Redo the firewall with the client4 line and get the same info for

Do you use NAT anywhere in your setup? There is a separate FTP module
that gets involved.
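The two messages above converge on one root cause: on kernels from 4.7 onwards, conntrack helpers are no longer attached to flows automatically (net.netfilter.nf_conntrack_helper defaults to 0), and that sysctl key only exists once the nf_conntrack module is loaded, so a value written from sysctl.d or sysctl.conf before the module loads simply fails. The script below is an added example, not FireHOL's own code, that gathers the state Phil asks for (loaded modules, the helper sysctl, recent dmesg lines), classifies it, and prints the iptables rules that attach the ftp helper explicitly so the result no longer depends on that global sysctl. The function names, the sample lsmod output and the status strings are constructed for this example; the iptables CT target and the nf_conntrack_ftp / nf_nat_ftp module names are real. Because Mihai's FTP client runs on the router itself, the control connection originates locally and the raw OUTPUT chain matters as much as PREROUTING.

```shell
#!/bin/sh
# Added example (not FireHOL code): triage the FTP conntrack-helper state
# discussed in this thread. Paths and module names assume a Debian router
# with a 4.7+ kernel; everything else here is illustrative.

# Pure classifier, so it can be run on captured output as well as live.
#   $1  contents of /proc/sys/net/netfilter/nf_conntrack_helper, or the
#       literal string "absent" when that file does not exist
#   $2  lsmod output (first column is the module name)
# Prints one of: MODULE_MISSING, SYSCTL_KEY_ABSENT, AUTOASSIGN_OFF, OK
diagnose_ftp_helper() {
    helper_sysctl=$1
    modules=$2
    if ! printf '%s\n' "$modules" | awk '{print $1}' | grep -qx nf_conntrack_ftp; then
        echo MODULE_MISSING
        return 0
    fi
    case "$helper_sysctl" in
        absent) echo SYSCTL_KEY_ABSENT ;;   # nf_conntrack not loaded when sysctl ran
        0)      echo AUTOASSIGN_OFF ;;      # helper loaded but never attached to flows
        1)      echo OK ;;
        *)      echo "UNKNOWN:$helper_sysctl" ;;
    esac
}

# Live collection of what Phil asked for: modules, helper sysctl, dmesg tail.
collect_live_state() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        helper=$(cat /proc/sys/net/netfilter/nf_conntrack_helper)
    else
        helper=absent
    fi
    mods=$(lsmod 2>/dev/null || true)
    diagnose_ftp_helper "$helper" "$mods"
    dmesg 2>/dev/null | grep -i conntrack | tail -n 5 || true
}

# Remediation that does not rely on the global sysctl: attach the ftp helper
# to control-channel traffic with the CT target in the raw table. Printed,
# not executed, so this script is safe to run anywhere. When NAT is in play,
# nf_nat_ftp (the separate module Phil mentions) is needed as well.
print_explicit_helper_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables  -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables  -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp
ip6tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
ip6tables -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp
EOF
}

# Constructed sample matching the state Mihai reports: helper module loaded,
# but automatic assignment switched off.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ftp       20480  0
nf_conntrack          131072  1 nf_conntrack_ftp'

echo "sample diagnosis: $(diagnose_ftp_helper 0 "$SAMPLE_LSMOD")"
```

Run `collect_live_state` on the router before and after a reboot: SYSCTL_KEY_ABSENT at boot followed by OK after a manual `firehol restart` is exactly the "works until reboot" pattern in the thread, and the explicit CT rules make the helper attachment independent of module load order.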
