Bug#593398: ferm: please load nf_conntrack_ftp module when using ftp helper

2018-02-11 Thread martin f krafft
Package: ferm
Followup-For: Bug #593398

Hey Yves-Alexis,

I just encountered this bug report of yours and wanted to say that
the nf_conntrack_ftp module will be autoloaded by the kernel, ferm
does not need to do that.

If for some reason that's not being done, then either your rule is
not correct, or there is something in modprobe.d interfering,
possibly?

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ferm depends on:
ii  debconf  1.5.65
ii  init-system-helpers  1.51
ii  iptables 1.6.1-2+b1
ii  lsb-base 9.20170808
ii  perl 5.26.1-4

Versions of packages ferm recommends:
ii  libnet-dns-perl  1.10-2

ferm suggests no packages.

-- Configuration Files:
/etc/ferm/ferm.conf [Errno 13] Permission denied: '/etc/ferm/ferm.conf'

-- debconf information:
  ferm/enable: yes


-- 
 .''`.   martin f. krafft  @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems


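The reply above suggests that if the FTP rule does not work, the rule itself or a modprobe.d entry may be to blame. As an added diagnostic (not code from the bug thread or the ferm package), the POSIX shell functions below take the text of `lsmod`, of `modprobe -c` and of `/proc/sys/net/netfilter/nf_conntrack_helper` and classify the state of the FTP helper: whether nf_conntrack_ftp is loaded, whether a blacklist or `install ... /bin/false` rule in modprobe.d prevents loading it, and whether automatic helper assignment is switched off (kernels since 4.7 default that sysctl to 0, so a loaded module alone does not make `mod helper helper ftp` match). The function names and the sample `lsmod`/`modprobe -c` text are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the nf_conntrack_ftp helper state from command output.
# Not part of ferm; function names and sample data below are constructed.

# Exit 0 if module $1 appears in lsmod output read from stdin (header skipped).
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if the modprobe configuration on stdin (output of `modprobe -c`)
# blacklists $1 or maps its install to /bin/false or /bin/true.
module_disabled_by_modprobe() {
    awk -v m="$1" '
        $1 == "blacklist" && $2 == m                                  { hit = 1 }
        $1 == "install"   && $2 == m && $3 ~ /\/bin\/(false|true)$/   { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Arguments: lsmod text, modprobe -c text, value of
# /proc/sys/net/netfilter/nf_conntrack_helper (use "1" on kernels without the file).
# Prints one of: LOADED, LOADED_NO_AUTOASSIGN, BLACKLISTED, NOT_LOADED.
ftp_helper_status() {
    lsmod_text=$1; modprobe_text=$2; autoassign=$3
    if printf '%s\n' "$lsmod_text" | module_loaded nf_conntrack_ftp; then
        if [ "$autoassign" = "1" ]; then
            echo LOADED
        else
            # Module present, but conntrack will not attach the ftp helper to
            # port-21 flows on its own; an explicit CT helper rule is needed.
            echo LOADED_NO_AUTOASSIGN
        fi
    elif printf '%s\n' "$modprobe_text" | module_disabled_by_modprobe nf_conntrack_ftp; then
        echo BLACKLISTED
    else
        echo NOT_LOADED
    fi
}

# Constructed sample input, so the functions can be exercised offline.
LSMOD_SAMPLE='Module                  Size  Used by
nf_conntrack_ftp       24576  0
nf_conntrack          139264  1 nf_conntrack_ftp'
LSMOD_EMPTY='Module                  Size  Used by'
MODPROBE_SAMPLE='blacklist nf_conntrack_ftp
install nf_conntrack_ftp /bin/false'

# Live use on a host would be:
#   ftp_helper_status "$(lsmod)" "$(modprobe -c)" \
#       "$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo 1)"
```

A result of NOT_LOADED with no modprobe.d entry points at the rule set rather than the module system: nothing in the ruleset has triggered the load. LOADED_NO_AUTOASSIGN means the module is fine but the helper is not being attached to the control connection, which is a separate problem from the one the bug report describes.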


Bug#593398: ferm: please load nf_conntrack_ftp module when using ftp helper

2010-08-17 Thread Yves-Alexis Perez
Package: ferm
Version: 2.0.7-1
Severity: normal

Hey,

I just noticed that my ftp rules weren't working correctly in ferm just
because nf_conntrack_ftp wasn't loaded. I assumed it would have been
done by ferm, so I'm reporting this so it could be added to the
initscript or something if ftp is detected in the rules. (feel free to
reassign to iptables if it should load it itself when detecting the ftp
helper).

Cheers,
--
Yves-Alexis


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ferm depends on:
ii  debconf   1.5.33 Debian configuration management sy
ii  iptables  1.4.8-3administration tools for packet fi
ii  lsb-base  3.2-23.1   Linux Standard Base 3.2 init scrip
ii  perl  5.10.1-13  Larry Wall's Practical Extraction 

Versions of packages ferm recommends:
ii  libnet-dns-perl   0.66-2 Perform DNS queries from a Perl sc

ferm suggests no packages.

-- Configuration Files:
/etc/default/ferm changed:
FAST=yes
CACHE=no
OPTIONS=
ENABLED=yes

/etc/ferm/ferm.conf changed:
@def INPUT() = {
  # allow SSH connections
  proto tcp dport ssh ACCEPT;
  #zeroconf
  proto udp dport mdns DROP;
}
@def OUTPUT() = {
  proto (tcp udp) dport domain ACCEPT;
  proto tcp dport whois ACCEPT;
  proto udp dport ipp ACCEPT;
  proto tcp dport 9100 ACCEPT;
  proto tcp dport snmp ACCEPT;
  proto udp dport ntp sport ntp ACCEPT;
  proto tcp dport rsync ACCEPT;
  proto tcp dport nntp ACCEPT;
  # ftp
  proto tcp dport ftp ACCEPT;
  mod helper helper ftp ACCEPT;
  #SIP
  proto udp dport (sip sip-tls) ACCEPT;
  # mail
  proto tcp dport (smtp ssmtp submission) ACCEPT;
  proto tcp dport (imap imaps pop3s) ACCEPT;
  # web
  proto tcp dport (http https) ACCEPT;
  # ssh
  proto tcp dport ssh ACCEPT;
  # jabber
  proto tcp dport (jabber-client) ACCEPT;
  #proto tcp dport 5222 daddr molly.corsac.net ACCEPT;
  #proto tcp dport 5222 daddr heracles.droledequartier.net ACCEPT;
  # irc
  proto tcp dport ircd ACCEPT;
  # gnupg keyservers
  proto tcp dport hkp ACCEPT;
  # collab
  proto tcp dport (subversion git) ACCEPT;
  proto tcp dport ipp ACCEPT;
}
table filter {
chain INPUT {
  policy DROP;
  # connection tracking
  mod state state INVALID DROP;
  mod state state (ESTABLISHED RELATED) ACCEPT;
  # allow local packets
  interface lo ACCEPT;
  proto 2 mod pkttype pkt-type multicast ACCEPT;
  # dhcp
  proto udp dport 67 sport 68 ACCEPT;
  proto udp dport (67:68) mod addrtype dst-type BROADCAST DROP;
  # cups
  proto udp dport 631 mod addrtype dst-type BROADCAST DROP;
  # respond to ping
  proto icmp ACCEPT; 
  INPUT();
  #freeplayer
  proto udp saddr 212.27.38.253 ACCEPT;
  #daap
  proto tcp dport 3689 ACCEPT;
  # broadcast
  mod addrtype dst-type BROADCAST DROP;
  LOG log-prefix [iptables] input: ;
  DROP;
}
chain OUTPUT {
  policy DROP;
  # connection tracking
  mod state state INVALID DROP;
  mod state state (ESTABLISHED RELATED) ACCEPT;
  proto udp dport mdns DROP;
  # allow local packets
  outerface lo ACCEPT;
  proto icmp ACCEPT; 
  # dhcp
  proto udp sport 68 dport 67 ACCEPT;
  OUTPUT();
  # svn version.picty.org
  proto tcp daddr 88.177.168.227 dport 444 ACCEPT;
  # freeplayer
  proto tcp dport 554 daddr 212.27.38.253 ACCEPT;
  proto udp daddr 212.27.38.253 ACCEPT;
  # kcdx
  proto tcp dport 8000 daddr 69.28.135.22 ACCEPT;
  # cfssi
  proto tcp dport 1022 ACCEPT;
  # log, then drop
  LOG log-prefix [iptables] output: ;
  DROP;
}
chain FORWARD {
  policy DROP;
  # connection tracking
  mod state state INVALID DROP;
  mod state state (ESTABLISHED RELATED) ACCEPT;
  LOG log-prefix [iptables] forward: ;
  DROP;
}
}
domain ip6 {
  table filter {
chain INPUT {
  policy DROP;
  
  # connection tracking
  mod state state INVALID DROP;
  mod state state (ESTABLISHED RELATED) ACCEPT;
  proto icmpv6 ACCEPT; 
  # allow local packets
  interface lo ACCEPT;
  INPUT();
  LOG log-prefix [iptables] input6: ;
  DROP;
}
chain OUTPUT {
  policy DROP;
  
  # connection tracking
  mod state state INVALID DROP;
  mod state state (ESTABLISHED RELATED) ACCEPT;
  # allow local packets
  outerface lo ACCEPT;
  proto icmpv6 ACCEPT; 
  OUTPUT();
  LOG log-prefix [iptables] output6: ;
  DROP;
}
chain FORWARD {
  policy DROP;
  
  #