Hi Tom,

This works where zone 2 is the internet-facing zone.

?if __FTP_HELPER
IPTABLES(CT --zone 2 --helper ftp)      eth3        -           tcp   21
IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   eth3        tcp   21
IPTABLES(CT --zone 2 --helper ftp)      veth-e3-p   -           tcp   21
IPTABLES(CT --zone 2 --helper ftp):O    0.0.0.0/0   veth-e3-p   tcp   21
?endif

Please find the attached conntrack file; please let me know if this is the right way to do it or if there is a better way. Can I use a generic zone id in this case, or just the zone which is internet-facing?

Thanks,
Naveen

On Tue, Jan 1, 2019 at 9:43 AM Tom Eastep <teas...@shorewall.net> wrote:
> On 12/31/18 7:02 PM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > After adding the zones in the conntrack, I start seeing this issue,
> > where the nf_nat_ftp is not getting called. If I remove the zones from
> > the conntrack entry, I don't see the issue, but I need the zones.
> >
> > Any pointers to solve this will help.
> >
>
> I don't have any, as I have no experience with conntrack zones. I can
> envision potential problems with active mode FTP and zones if the zone
> for client->FTPserver traffic is different from the one for
> FTPserver->client traffic. You seem to be using "CT --zone x", according
> to your earlier post(s). I see that "CT --zone-orig x" and "CT
> --zone-reply x" are also supported, but again, I have no experience with
> using them.
>
> -Tom
> --
> Tom Eastep            \ Q: What do you get when you cross a mobster with
> Shoreline,            \    an international standard?
> Washington, USA       \ A: Someone who makes you an offer you can't
> http://shorewall.org  \    understand
>                       \_______________________________________________
Attachment: conntrack (binary data)
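An added example, not part of the thread and not Shorewall's generated output: the raw-table iptables rules that entries of the kind posted above boil down to, written by hand, next to an interface-wide variant. The interface names eth3 and veth-e3-p and the zone id 2 are taken from the post; everything else is assumed. The reasoning behind the second variant is my reading of the kernel, offered as one candidate cause of the "nf_nat_ftp is not getting called" symptom rather than something the thread establishes: conntrack looks up helper expectations per zone, so if only the port-21 packets are placed in zone 2, the FTP data connection (port 20 from the server in active mode, a random port in passive mode) is tracked in zone 0 and the expectation the ftp helper created in zone 2 never matches it. A second subtlety: the CT target only acts on a packet that does not yet carry a conntrack template, so a later CT rule cannot add a helper to a packet that an earlier CT rule already zoned; zone and helper have to be set in one rule for port 21, with the interface-wide zone rule after it.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's generated rules).
# IPT and CONNTRACK default to "echo ..." so this is a dry run that prints
# the commands; run as root with IPT=iptables CONNTRACK=conntrack to apply
# and inspect.  Interface names and zone id come from the post; the rest is
# assumed.
IPT="${IPT:-echo iptables}"
CONNTRACK="${CONNTRACK:-echo conntrack}"

# Variant A: exactly what the posted conntrack entries express.  Only packets
# to port 21 are put in the zone, so the FTP data connection is tracked in the
# default zone 0 while the ftp helper's expectation for it lives in the given
# zone.  Expectations are looked up per zone, so it is never matched.
raw_rules_port21_only() {
    ifc="$1"; zone="$2"
    $IPT -t raw -A PREROUTING -i "$ifc" -p tcp --dport 21 -j CT --zone "$zone" --helper ftp
    $IPT -t raw -A OUTPUT     -o "$ifc" -p tcp --dport 21 -j CT --zone "$zone" --helper ftp
}

# Variant B: every packet on the interface lives in the zone.  The CT target
# ignores a packet that already has a conntrack template, so a second CT rule
# would be skipped: zone and helper are set together in the port-21 rule, and
# the interface-wide zone rule follows it (a no-op for port 21, the zone
# assignment for everything else, including the data connection).
raw_rules_whole_interface() {
    ifc="$1"; zone="$2"
    $IPT -t raw -A PREROUTING -i "$ifc" -p tcp --dport 21 -j CT --zone "$zone" --helper ftp
    $IPT -t raw -A PREROUTING -i "$ifc" -j CT --zone "$zone"
    $IPT -t raw -A OUTPUT     -o "$ifc" -p tcp --dport 21 -j CT --zone "$zone" --helper ftp
    $IPT -t raw -A OUTPUT     -o "$ifc" -j CT --zone "$zone"
}

# Check after applying and opening an FTP session through the box: the control
# connection must be listed under the zone, an expectation from the ftp helper
# must exist, and once the transfer starts the data connection must appear
# under the same zone.  A data connection that is only visible without the
# zone filter is the variant-A failure.
check_zone() {
    zone="$1"
    $CONNTRACK -L -w "$zone" -p tcp --dport 21    # control connection(s) in the zone
    $CONNTRACK -L expect                           # expectations created by the helper
    $CONNTRACK -L -w "$zone" -p tcp                # data connection must show up here too
}

# Dry run for the two interfaces and the zone id used in the thread.
for ifc in eth3 veth-e3-p; do
    raw_rules_whole_interface "$ifc" 2
done
check_zone 2
```

After applying, `iptables -t raw -S` shows the final rule order; the port-21 rule carrying both `--zone` and `--helper` has to precede the interface-wide `--zone` rule for the reason given above.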
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users