Hi Tom,

After adding the zones in the conntrack, I start seeing this issue, where the nf_nat_ftp is not getting called. If I remove the zones from the conntrack entry, I don't see the issue, but I need the zones.
Any pointers to solve this will help.

Thanks,
Naveen

On Mon, Dec 31, 2018 at 7:01 PM Naveen Neelakanta <naveen.b.neelaka...@gmail.com> wrote:
> Hi Tom,
>
> After adding the zones in the conntrack, I start seeing this issue, where
> the nf_nat_ftp is not getting called. If I remove the zones from the
> conntrack entry, I don't see the issue, but I need the zones.
>
> Any pointers to solve this will help.
>
> Thanks,
> Naveen
>
> On Mon, Dec 31, 2018 at 6:21 PM Naveen Neelakanta <naveen.b.neelaka...@gmail.com> wrote:
>
>> No Tom, I don't see the issue; I have shared the config file. I started
>> seeing this issue after upgrading to 5.2.0.4; it was working in the old
>> version 4.x.x. In the working case I see the connection entries below for
>> active mode in the connection track.
>>
>> ```
>> ipv4 2 tcp 6 431961 ESTABLISHED src=10.16.8.2 dst=144.208.69.31 sport=42351 dport=21 src=144.208.69.31 dst=10.16.8.58 sport=21 dport=42351 [ASSURED] mark=0 zone=0 use=2
>> ipv4 2 tcp 6 50 TIME_WAIT src=10.16.8.2 dst=144.208.69.31 sport=42349 dport=21 src=144.208.69.31 dst=10.16.8.58 sport=21 dport=42349 [ASSURED] mark=0 zone=0 use=2
>> ```
>>
>> But in the non-working case, I only see one connection entry. Please find
>> the conntrack, snat, rule and shorewall.conf file attached.
>>
>> Thanks,
>> Naveen
>>
>> On Mon, Dec 31, 2018 at 2:00 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>>> On 12/31/18 12:19 PM, Naveen Neelakanta wrote:
>>> > 10.24.8.11 is the actual client IP from where I started the FTP connection.
>>> >
>>> > The FTP connection comes to the BOX where Shorewall is running and does
>>> > a SNAT (10.24.8.117). Then it goes through another NAT device which is
>>> > translating to 96.64.220.253.
>>> >
>>> > If FTP HELPER is enabled, how does the server know about the internal IP
>>> > 10.24.8.11 (I was thinking the FTP helper will modify the request with the
>>> > NATted IP).
>>> >
>>>
>>> The FTP helper has a problem with PORT commands that are split over two
>>> packets. Are you seeing system log messages such as the following?
>>>
>>> 21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping
>>>
>>> -Tom
>>> --
>>> Tom Eastep            \ Q: What do you get when you cross a mobster with
>>> Shoreline,             \    an international standard?
>>> Washington, USA         \ A: Someone who makes you an offer you can't
>>> http://shorewall.org     \    understand
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
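A small diagnostic script, added here as an example and not part of the thread or of Shorewall, that parses conntrack dump lines in the format Naveen posted, groups FTP control connections by zone, flags whether the reply tuple shows SNAT, and scans kernel log lines for the nf_ct_ftp messages Tom asks about. The zone 1 entry and the log lines are constructed; a helper= field is only reported if the dump tool prints one (the /proc lines in the thread do not).

```python
import re
from collections import defaultdict

# Constructed sample: the two /proc/net/nf_conntrack lines from the thread plus a
# hypothetical third entry in zone 1, so the per-zone grouping has something to show.
CONNTRACK_DUMP = """\
ipv4 2 tcp 6 431961 ESTABLISHED src=10.16.8.2 dst=144.208.69.31 sport=42351 dport=21 src=144.208.69.31 dst=10.16.8.58 sport=21 dport=42351 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 50 TIME_WAIT src=10.16.8.2 dst=144.208.69.31 sport=42349 dport=21 src=144.208.69.31 dst=10.16.8.58 sport=21 dport=42349 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 300 ESTABLISHED src=10.16.8.2 dst=144.208.69.31 sport=42400 dport=21 src=144.208.69.31 dst=10.16.8.58 sport=21 dport=42400 [ASSURED] mark=0 zone=1 use=2
"""
# Constructed kernel log lines: the nf_ct_ftp message Tom quotes, plus unrelated noise.
SAMPLE_LOG = [
    "21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping",
    "21:37:41 insert-master kernel: [832162.100000] eth0: link is up",
]

KV = re.compile(r"(\w+)=(\S+)")
FTP_LOG = re.compile(r"nf_ct_ftp: (.*)$")

def parse_entry(line):
    """Split one nf_conntrack line into header, original/reply tuples, flags and extras."""
    head, rest = line.split(" src=", 1)
    l3, _, l4, _, timeout, *state = head.split()          # state word is absent for udp
    pairs = KV.findall("src=" + rest)                      # [ASSURED] etc. are not k=v, so skipped
    orig, reply = (dict(pairs[i:i + 4]) for i in (0, 4))  # src dst sport dport, twice
    extra = dict(pairs[8:])                                # mark, zone, use, helper if printed
    return {"l3": l3, "l4": l4, "timeout": int(timeout), "state": state[0] if state else "",
            "orig": orig, "reply": reply, "flags": re.findall(r"\[(\w+)\]", rest),
            "zone": int(extra.get("zone", 0)), "helper": extra.get("helper")}

def ftp_control_report(dump):
    """Group FTP control connections (orig dport 21) by zone; note SNAT and helper status."""
    report = defaultdict(list)
    for line in dump.splitlines():
        e = parse_entry(line)
        if e["l4"] != "tcp" or e["orig"]["dport"] != "21":
            continue
        snat = e["reply"]["dst"] != e["orig"]["src"]        # replies go to a translated address
        report[e["zone"]].append({"client": e["orig"]["src"], "sport": e["orig"]["sport"],
                                  "state": e["state"], "snat": snat, "helper": e["helper"]})
    return dict(report)

def ftp_helper_drops(log_lines):
    """Return the text of every nf_ct_ftp kernel message found in the given log lines."""
    return [m.group(1) for m in map(FTP_LOG.search, log_lines) if m]

if __name__ == "__main__":
    print(ftp_control_report(CONNTRACK_DUMP))
    print("nf_ct_ftp messages:", ftp_helper_drops(SAMPLE_LOG))
```

Run it against `cat /proc/net/nf_conntrack` and `dmesg` output from the working and non-working configurations and compare the per-zone counts, the SNAT flag and any nf_ct_ftp messages side by side.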