On 08/24/2018 08:59 PM, ToddAndMargo wrote:
3) in /etc/modprobe.d/iptables.conf add
nf_conntrack_ftp ports=21
options nf_conntrack_ftp ports=21
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to
Hi All,
Disregard me previous notes (into everyone's life a
little humility must fall).
Okay, another OBSCURE obstacle to overcome:
nf_conntrack_ftp is disabled by default. To enable it:
# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
-T
Here are my revised notes:
How to track
My notes, so no one else has to go through this crap:
How to track ftp's high port with Fedora and iptables:
Problem: iptables will not automatically track ftp's high ports
(firewalld will).
Note: RHEL used
ip_conntrack_ftp, and
ip_nat_ftp
These have been superseded by
On 08/24/2018 04:28 PM, Samuel Sieb wrote:
Ok, that's great. But I'm still curious about why you need connection
tracking working. Perhaps I was misled in thinking you were referring
to your client system. Is this actually something you're trying to do
on a gateway server?
Hi Samuel,
On 08/24/2018 04:22 PM, Samuel Sieb wrote:
On 08/24/2018 04:01 PM, ToddAndMargo wrote:
Please explain what you are trying to do and what is not working.
I am trying to get iptables to track ftp's usage of high ports.
And I did figure it out. See my followup to this thread.
It was really,
On 08/24/2018 04:10 PM, ToddAndMargo wrote:
# vi /etc/modprobe.d/iptables.conf
options nf_conntrack_ftp ports=21
# systemctl restart iptables
Problem solved
Ok, that's great. But I'm still curious about why you need connection
tracking working. Perhaps I was misled in thinking you were
On 08/24/2018 03:53 PM, ToddAndMargo wrote:
The actual problem is
Aug 22 16:12:09 rn6 kernel: dsl-out Everything Else IN= OUT=eno2
SRC=192.168.xxx.yyy DST=208.106.xxx.yyy LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=25991 DF PROTO=TCP SPT=59698 DPT=21023 WINDOW=29200 RES=0x00 SYN URGP=0
What is this
On 08/24/2018 04:01 PM, ToddAndMargo wrote:
I modprobe'ed all four in.
They showed in `lsmod | grep ftp`
I ran a
systemctl restart iptables
No joy.
?
Then I rebooted. Now
`lsmod | grep ftp`
shows nothing.
Please explain what you are trying to do and what is not working.
On 08/22/2018 03:47 PM, ToddAndMargo wrote:
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites
and throws this error (written by me years ago):
WARNING: active FTP rules have been selected but one or
more necessary modules have not been detected
In
On 08/24/2018 03:40 PM, Samuel Sieb wrote:
On 08/24/2018 03:23 PM, ToddAndMargo wrote:
# insmod nf_conntrack_ftp
insmod: ERROR: could not load module nf_conntrack_ftp: No such file or
directory
That's because you didn't specify an actual file. Try passing the
entire path to the module.
On 08/24/2018 03:53 PM, ToddAndMargo wrote:
On 08/24/2018 03:40 PM, Samuel Sieb wrote:
On 08/24/2018 03:23 PM, ToddAndMargo wrote:
# insmod nf_conntrack_ftp
insmod: ERROR: could not load module nf_conntrack_ftp: No such file
or directory
That's because you didn't specify an actual file.
On 08/24/2018 03:23 PM, ToddAndMargo wrote:
# insmod nf_conntrack_ftp
insmod: ERROR: could not load module nf_conntrack_ftp: No such file or
directory
That's because you didn't specify an actual file. Try passing the
entire path to the module.
But the proper way is to use "modprobe
On 08/24/2018 02:32 PM, Mike Wright wrote:
sudo iptables-save > iptables.rules
# iptables --list | wc -l
244
Here is a hint:
# ls /lib/modules/`uname -r`/kernel/net/netfilter | grep ftp
nf_conntrack_ftp.ko.xz
nf_conntrack_tftp.ko.xz
nf_nat_ftp.ko.xz
nf_nat_tftp.ko.xz
# insmod
On 08/25/18 05:20, ToddAndMargo wrote:
> Here are my "passive rules"
I don't claim to know how any of this actually works. Yet I do recall the way
connection tracking is handled has changed. Can't find the bugzillas that
gave some insight into the changes. I do run firewalld and I can tell
On 08/24/2018 02:18 PM, ToddAndMargo wrote:
On 08/24/2018 09:23 AM, Mike Wright wrote:
My *hunch* is that you are running firewalld and that the default
rules for firewalld changed between RHEL and fedora. Mind you,
beneath firewalld lies, you guessed it, iptables.
Execute:
On 08/24/2018 09:35 AM, Rick Stevens wrote:
Here are my "passive rules"
# ftp passive mode (browser) stuff. Note: ftp_conntrack module is
required, e.g.:
# /etc/sysconfig/iptables-config:
# IPTABLES_MODULES="ip_conntrack_ftp"
#
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport
On 08/24/2018 09:23 AM, Mike Wright wrote:
My *hunch* is that you are running firewalld and that the default rules
for firewalld changed between RHEL and fedora. Mind you, beneath
firewalld lies, you guessed it, iptables.
Execute:
firewall-cmd --state
echo $?
$ firewall-cmd
On 08/23/2018 09:06 PM, Todd Chester wrote:
>
>
> On 08/23/2018 12:14 PM, Mike Wright wrote:
>> On 08/23/2018 11:50 AM, ToddAndMargo wrote:
>>> On 08/23/2018 11:41 AM, Mike Wright wrote:
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
>
> Just ftp client and I want to support both
On 08/23/2018 09:06 PM, Todd Chester wrote:
On 08/23/2018 12:14 PM, Mike Wright wrote:
On 08/23/2018 11:50 AM, ToddAndMargo wrote:
On 08/23/2018 11:41 AM, Mike Wright wrote:
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
On 08/23/2018 12:14 PM, Mike Wright wrote:
On 08/23/2018 11:50 AM, ToddAndMargo wrote:
On 08/23/2018 11:41 AM, Mike Wright wrote:
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
This covers both:
On 08/23/2018 11:50 AM, ToddAndMargo wrote:
On 08/23/2018 11:41 AM, Mike Wright wrote:
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
This covers both:
http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
On 08/23/2018 11:41 AM, Mike Wright wrote:
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
This covers both:
http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
:m
Hi Mike,
That is a description of what
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
Just ftp client and I want to support both active and passive mode
This covers both:
http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
:m
On 08/23/2018 11:23 AM, ToddAndMargo wrote:
On 08/23/2018 11:10 AM, Rick Stevens wrote:
On 08/22/2018 06:00 PM, ToddAndMargo wrote:
On 08/22/2018 04:37 PM, Ed Greshko wrote:
On 08/23/18 06:47, ToddAndMargo wrote:
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites
and
On 08/23/2018 11:10 AM, Rick Stevens wrote:
On 08/22/2018 06:00 PM, ToddAndMargo wrote:
On 08/22/2018 04:37 PM, Ed Greshko wrote:
On 08/23/18 06:47, ToddAndMargo wrote:
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites
and throws this error (written by me years ago):
On 08/22/2018 06:00 PM, ToddAndMargo wrote:
> On 08/22/2018 04:37 PM, Ed Greshko wrote:
>> On 08/23/18 06:47, ToddAndMargo wrote:
>>> Hi All,
>>>
>>> My iptables firewall ported from RHEL won't connect to ftp sites
>>> and throws this error (written by me years ago):
>>>
>>>
>>> WARNING:
On 08/22/2018 04:37 PM, Ed Greshko wrote:
On 08/23/18 06:47, ToddAndMargo wrote:
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites
and throws this error (written by me years ago):
WARNING: active FTP rules have been selected but one or
more necessary modules
On 08/23/18 06:47, ToddAndMargo wrote:
> Hi All,
>
> My iptables firewall ported from RHEL won't connect to ftp sites
> and throws this error (written by me years ago):
>
>
> WARNING: active FTP rules have been selected but one or
> more necessary modules have not been detected
>
> In
On 08/22/2018 03:59 PM, Rick Stevens wrote:
On 08/22/2018 03:47 PM, ToddAndMargo wrote:
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites
and throws this error (written by me years ago):
WARNING: active FTP rules have been selected but one or
more necessary
On 08/22/2018 03:47 PM, ToddAndMargo wrote:
> Hi All,
>
> My iptables firewall ported from RHEL won't connect to ftp sites
> and throws this error (written by me years ago):
>
>
> WARNING: active FTP rules have been selected but one or
> more necessary modules have not been detected
>
Hi All,
My iptables firewall ported from RHEL won't connect to ftp sites
and throws this error (written by me years ago):
WARNING: active FTP rules have been selected but one or
more necessary modules have not been detected
In /etc/sysconfig/iptables-config, you must add