On Mon, Dec 19, 2022 at 8:24 PM ToddAndMargo via users <users(a)lists.fedoraproject.org&gt; wrote: > > [...] > I have tried googling this. I get tons of hits > but nothing specific to FC37. The latest Fedora docs are at https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-... . > Just noticed that I can not do: > > $ curl -v ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/ -o - > > * Connecting to 192.147.130.111 (192.147.130.111) port 18897 > Connection timed out > > (The above is a simplification of what I am actually > running, but it shows the problem well,) > > FC 37 corked my iptables passive FTP rules, which worked > perfectly under FC36 It is not clear to me if your simplification included opening the ports and the firewall-cmd. According to the docs, you should perform:[1] firewall-cmd --permanent --add-service=ftp

Jeff [1] https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-...

Hi All, # uname -r 6.0.12-300.fc37.x86_64 I have tried googling this.  I get tons of hits but nothing specific to FC37. Just noticed that I can not do: $ curl -v ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/ -o - * Connecting to 192.147.130.111 (192.147.130.111) port 18897 Connection timed out (The above is a simplification of what I am actually running, but it shows the problem well,) FC 37 corked my iptables passive FTP rules, which worked perfectly under FC36 Error message when restarting my iptables firewall:       cat: /proc/sys/net/netfilter/nf_conntrack_helper:       No such file or directory # dnf whatprovides nf_conntrack_helper Last metadata expiration check: 4:16:08 ago on Mon 19 Dec 2022 12:58:31 PM PST. Error: No matches found. Some other data, just in case you ask: # grep IPTABLES_MODULES /etc/sysconfig/iptables-config IPTABLES_MODULES="" IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp nf_nat_tftp" # lsmod | grep ftp nf_nat_tftp            16384  0 nf_nat_ftp             20480  0 nf_conntrack_tftp      20480  1 nf_nat_tftp nf_conntrack_ftp       24576  1 nf_nat_ftp nf_nat                 57344  5 ip6table_nat,nf_nat_ftp,nf_nat_tftp,iptable_nat,xt_MASQUERADE nf_conntrack          167936  8 xt_conntrack,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_nat_tftp,xt_helper,nf_conntrack_ftp,xt_MASQUERADE Yours in frustration, -T

> On 20 Dec 2022, at 17:29, ToddAndMargo via users > <users(a)lists.fedoraproject.org&gt; wrote: > > On 12/19/22 17:24, ToddAndMargo via users wrote: >> Hi All, >> # uname -r >> 6.0.12-300.fc37.x86_64 >> I have tried googling this.  I get tons of hits >> but nothing specific to FC37. >> Just noticed that I can not do: >> $ curl -v ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/ -o - >> * Connecting to 192.147.130.111 (192.147.130.111) port 18897 >> Connection timed out >> (The above is a simplification of what I am actually >> running, but it shows the problem well,) >> FC 37 corked my iptables passive FTP rules, which worked >> perfectly under FC36 >> Error message when restarting my iptables firewall: >> cat: /proc/sys/net/netfilter/nf_conntrack_helper: >> No such file or directory >> # dnf whatprovides nf_conntrack_helper >> Last metadata expiration check: 4:16:08 ago on Mon 19 Dec 2022 >> 12:58:31 PM PST. >> Error: No matches found. >> Some other data, just in case you ask: >> # grep IPTABLES_MODULES /etc/sysconfig/iptables-config >> IPTABLES_MODULES="" >> IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_tftp nf_nat_ftp >> nf_nat_tftp" >> # lsmod | grep ftp >> nf_nat_tftp            16384  0 >> nf_nat_ftp             20480  0 >> nf_conntrack_tftp      20480  1 nf_nat_tftp >> nf_conntrack_ftp       24576  1 nf_nat_ftp >> nf_nat                 57344  5 >> ip6table_nat,nf_nat_ftp,nf_nat_tftp,iptable_nat,xt_MASQUERADE >> nf_conntrack          167936  8 >> xt_conntrack,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_nat_tftp,xt_helper,nf_conntrack_ftp,xt_MASQUERADE >> Yours in frustration, >> -T > > I looked up nftables to see if I could get any hints: > > https://serverfault.com/questions/958464/how-can-i-use-nftables-with-pass... <https://serverfault.com/questions/958464/how-can-i-use-nftables-with-pass... > >     Below are rules for allowing passive FTP that >      are not working. > >    /proc/sys/net/netfilter/nf_conntrack_helper is set to 1 > > So I really , really have to have something in place for > /proc/sys/net/netfilter/nf_conntrack_helper I found this comment "But keep in mind this is considered a security vulnerability - that's why newer kernels changed the default value of nf_conntrack_helper to false." on https://github.com/firewalld/firewalld/issues/443 Barry

On Tue, Dec 20, 2022 at 5:05 PM ToddAndMargo via users <users(a)lists.fedoraproject.org&gt; wrote: > On 12/20/22 11:18, Barry Scott wrote: >> [...] >> I found this comment "But keep in mind this is considered a security >> vulnerability - that's why newer kernels changed the default value of >> nf_conntrack_helper to false." on >> https://github.com/firewalld/firewalld/issues/443 > > I am on board with that. > > I just need to know how to work around the passive ftp issue. > > Supposedly, it is adding: > > iptables-nft -t raw -A PREROUTING -p tcp --dport ftp -j CT --helper ftp > > But, I don't understand "raw". Well, yet. From the iptables(80 man page: TABLES There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which mod‐ ules are present). -t, --table table This option specifies the packet matching table which the com‐ mand should operate on. If the kernel is configured with auto‐ matic module loading, an attempt will be made to load the appro‐ priate module for that table if it is not already there. The tables are as follows: filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). nat: This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before rout‐ ing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since ker‐ nel 3.7. mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also sup‐ ported: INPUT (for packets coming into the box itself), FOR‐ WARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out). raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes) security: This table is used for Mandatory Access Control (MAC) net‐ working rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is imple‐ mented by Linux Security Modules such as SELinux. The secu‐ rity table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).