1) Forgot to mention: /etc/shorewall/shorewall.conf: FASTACCEPT=Yes

2) Tested the following variant:
/etc/shorewall/rules: DNAT inet dmz:somehost:21 tcp 21
It works without problem.

3) AFAIK the last thing done on the firewall was a Shorewall upgrade (4.4 -> 4.5). Unfortunately I cannot downgrade to 4.4 to test this version.

YES! The Shorewall upgrade is guilty!
http://shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt
NEW FEATURES IN 4.5.7
In short: automatic attachment of helpers to connections is disabled (including FTP helpers).

The correct way to define this rule is:
DNAT inet dmz:somehost:21 tcp someport ; helper=ftp

PLEASE! Somebody update the http://shorewall.net/FTP.html guide with this information.

Raimonds Cicans

On 25.07.2014 02:18, Raimonds Cicans wrote:
> Hello.
>
> Short version: should a rule like the one below work with passive FTP connections
> (from the Shorewall / nf_conntrack_ftp point of view)?
> DNAT inet dmz:somehost:21 tcp someport
>
> Long version:
>
> First I want to apologize for not posting all required data.
> This data contains sensitive information.
> So I will try to describe the situation as much as possible.
>
> shorewall version: 4.5.18
> kernel version: 3.12.21
> /etc/modprobe.d/ftp.conf: options nf_conntrack_ftp ports=21,24354
> /sys/module/nf_conntrack_ftp/parameters/ports: 21,24354
> /etc/shorewall/policy: inet all DROP info
> /etc/shorewall/rules: DNAT inet dmz:somehost:21 tcp 24354
>
> Problem: command connections go to the FTP server flawlessly but data
> connections get dropped by Shorewall.
>
> The previous administrator said it worked some time ago.
>
> I tried to set the nf_conntrack_ftp parameter "loose" to 1, but this did not
> help.
>
> When I get access to the FTP server I will try to set its port to 24354.
>
> FTP client logs show that the server sends its internal address as the address
> for data connections.
>
> It looks like a problem with the nf_conntrack_ftp module...
>
> Raimonds Cicans

Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
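The failure mode in the thread (a DNAT rule for an FTP control port that silently stopped working after the 4.5.7 change, because no conntrack helper is attached to it any more) is easy to catch before a reload with a small lint over the rules file. The script below is an added example, not code from the original post or from the Shorewall project. It assumes the rules file uses Shorewall's whitespace-separated columns (ACTION SOURCE DEST PROTO DPORT ...) with the helper given in the inline `; helper=ftp` form the post shows (the separate HELPER column is not inspected), and it takes the list of FTP control ports from the same `ports=` list handed to nf_conntrack_ftp, so a rule such as `DNAT inet dmz:somehost:21 tcp 24354` is flagged when 24354 is in that list and the rule carries no `helper=ftp`.

```shell
#!/bin/sh
# Added example (not from the post or Shorewall): report DNAT/ACCEPT rules
# that target an FTP control port but carry no "helper=ftp" option.
#
# find_ftp_rules_without_helper FILE PORTS
#   FILE  - a rules file in Shorewall column format
#   PORTS - comma-separated FTP control ports, same list as nf_conntrack_ftp ports=
# Prints each offending rule line. Returns 0 if none found, 1 otherwise.
find_ftp_rules_without_helper() {
    file=$1
    ports=$2
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Split the rule body from the inline option list after ';' (if any).
        case "$line" in
            *\;*) rule=${line%%;*}; opts=${line#*;} ;;
            *)    rule=$line;       opts='' ;;
        esac
        # shellcheck disable=SC2086  # word-splitting on whitespace is intended
        set -- $rule
        [ $# -ge 5 ] || continue            # blank line or too few columns
        case "$1" in
            \#*) continue ;;                # comment line
            DNAT*|ACCEPT*) ;;               # actions that can carry a helper
            *) continue ;;
        esac
        proto=$4; dport=$5
        [ "$proto" = "tcp" ] || continue
        # Is the destination port one of the configured FTP control ports?
        match=0
        oldifs=$IFS; IFS=,
        for p in $ports; do
            [ "$dport" = "$p" ] && match=1
        done
        IFS=$oldifs
        [ $match -eq 1 ] || continue
        case "$opts" in
            *helper=ftp*) ;;                # helper explicitly attached, fine
            *) printf '%s\n' "$line"; found=1 ;;
        esac
    done < "$file"
    [ $found -eq 0 ]
}

# Constructed sample rules file (not the poster's real file), mirroring the
# two variants discussed in the thread: one rule without a helper, one with.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ACTION  SOURCE  DEST              PROTO  DPORT
DNAT     inet    dmz:somehost:21   tcp    24354
DNAT     inet    dmz:somehost:21   tcp    21     ; helper=ftp
EOF
if find_ftp_rules_without_helper "$sample" 21,24354; then
    echo "all FTP control-port rules carry helper=ftp"
else
    echo "the rule(s) above will get no FTP conntrack helper on Shorewall >= 4.5.7"
fi
rm -f "$sample"
```

Run it against /etc/shorewall/rules with the port list from /sys/module/nf_conntrack_ftp/parameters/ports; a non-zero exit means at least one control-port rule would behave exactly like the one in the thread, with the command channel working and the passive data connections dropped by the DROP policy.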
