* nftables and FTP connection tracking
@ 2014-08-14 9:29 tomekx1000
2014-08-14 18:02 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: tomekx1000 @ 2014-08-14 9:29 UTC (permalink / raw)
To: netfilter
Dear All,
Could you have a look at my simple nft firewall script below, I've used
ct related, established, but it doesnt work with passive mode FTP - the
data session on high ports is dropped by firewall. Does NFTables have
connection tracking helper for FTP? If not - is it planned in foreseable
future to add it?
table ip filter {
chain input {
type filter hook input priority 0;
dport {21} ct state new limit rate 2/second counter accept
ct state {established, related} counter accept
counter limit rate 100/second log group 2 prefix "RULE=Default drop"
counter drop
}
chain output {
type filter hook output priority 0;
ct state {established, related} counter accept
}
}
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: nftables and FTP connection tracking
2014-08-14 9:29 nftables and FTP connection tracking tomekx1000
@ 2014-08-14 18:02 ` Pablo Neira Ayuso
2014-08-14 18:38 ` tomekx1000
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2014-08-14 18:02 UTC (permalink / raw)
To: tomekx1000; +Cc: netfilter
On Thu, Aug 14, 2014 at 11:29:57AM +0200, tomekx1000 wrote:
> Dear All,
>
> Could you have a look at my simple nft firewall script below, I've
> used ct related, established, but it doesnt work with passive mode
> FTP - the data session on high ports is dropped by firewall. Does
> NFTables have connection tracking helper for FTP?
Yes, no changes in that regard.
> If not - is it planned in foreseable future to add it?
>
> table ip filter {
> chain input {
> type filter hook input priority 0;
> dport {21} ct state new limit rate 2/second counter accept
The brackets have special meaning. If you uses brackets to wrap
elements, the kernel will create a set for it with one single element.
Better use the brackets when you have multiple elements. In this case,
I suggest you to use:
tcp dport 21 ...
> ct state {established, related} counter accept
^ ^
No need to use the brackets here:
ct state established,related ...
The ct state allows enumeration of several states using commas. This
is due to the fact that ct state internally represents the states as a
bitmask.
You can check that use the describe command:
# nft describe ct state
ct expression, datatype ct_state (conntrack state) (basetype bitmask,
integer), 32 bits
pre-defined symbolic constants:
invalid 0x00000001
new 0x00000008
established 0x00000002
related 0x00000004
untracked 0x00000040
Basically, all bitmask types can use the comma-separated enumeration
notation to combine the supported flags.
You can use describe to inquire for other selectors in case of doubt.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: nftables and FTP connection tracking
2014-08-14 18:02 ` Pablo Neira Ayuso
@ 2014-08-14 18:38 ` tomekx1000
0 siblings, 0 replies; 5+ messages in thread
From: tomekx1000 @ 2014-08-14 18:38 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Thank you Pablo for clarification on usage of brackets. I've updated
script, however still no joy when connecting to server FTP. Maybe i'm
missing some modules?
# lsmod | grep conn
nf_conntrack_ftp 7059 1 nf_nat_ftp
nf_conntrack_ipv4 8066 19
nf_defrag_ipv4 1235 1 nf_conntrack_ipv4
nf_conntrack 55929 5
nf_nat_ftp,nf_nat,nft_ct,nf_conntrack_ftp,nf_conntrack_ipv4
Here is the corrected script:
table filter {
chain input {
type filter hook input priority 0;
tcp dport 21 ct state new counter accept
ct state related counter accept
ct state established counter accept
counter limit rate 100/second log group 2 prefix "RULE=Default
drop"
counter drop
}
chain output {
type filter hook output priority 0;
ct state established, related counter accept
}
}
After connecting to port 21, FTP servers tries to negotiate data
connection on high ports, and this new connection is dropped...
How can I make FTP helper to work with nftables?
W dniu 20:02 14-08-14, Pablo Neira Ayuso napisał(a):
> On Thu, Aug 14, 2014 at 11:29:57AM +0200, tomekx1000 wrote:
>
>> Dear All, Could you have a look at my simple nft firewall script
>> below, I've used ct related, established, but it doesnt work with
>> passive mode FTP - the data session on high ports is dropped by
>> firewall. Does NFTables have connection tracking helper for FTP?
>
> Yes, no changes in that regard.
>
>> If not - is it planned in foreseable future to add it? table ip filter
>> { chain input { type filter hook input priority 0; dport {21} ct state
>> new limit rate 2/second counter accept
>
> The brackets have special meaning. If you uses brackets to wrap
> elements, the kernel will create a set for it with one single element.
> Better use the brackets when you have multiple elements. In this case,
> I suggest you to use:
>
> tcp dport 21 ...
>
>> ct state {established, related} counter accept
>
> ^ ^
>
> No need to use the brackets here:
>
> ct state established,related ...
>
> The ct state allows enumeration of several states using commas. This
> is due to the fact that ct state internally represents the states as a
> bitmask.
>
> You can check that use the describe command:
>
> # nft describe ct state
> ct expression, datatype ct_state (conntrack state) (basetype bitmask,
> integer), 32 bits
>
> pre-defined symbolic constants:
> invalid 0x00000001
> new 0x00000008
> established 0x00000002
> related 0x00000004
> untracked 0x00000040
>
> Basically, all bitmask types can use the comma-separated enumeration
> notation to combine the supported flags.
>
> You can use describe to inquire for other selectors in case of doubt.
^ permalink raw reply [flat|nested] 5+ messages in thread
* nftables and FTP connection tracking
@ 2014-08-13 12:56 Tomek L
0 siblings, 0 replies; 5+ messages in thread
From: Tomek L @ 2014-08-13 12:56 UTC (permalink / raw)
To: netfilter
Hi All,
Could you have a look at my simple nft firewall script below, I've
used ct related, established, but it doesnt work with passive mode FTP
- the data session on high ports is dropped by firewall. Does NFTables
have connection tracking helper for FTP? If not - is it planned in
foreseable future to add it?
table ip filter {
chain input {
type filter hook input priority 0;
dport {21} ct state new limit rate 2/second counter accept
ct state {established, related} counter accept
counter limit rate 100/second log group 2 prefix
"RULE=Default drop"
counter drop
}
chain output {
type filter hook output priority 0;
ct state {established, related} counter accept
}
}
^ permalink raw reply [flat|nested] 5+ messages in thread* nftables and FTP connection tracking
@ 2014-08-13 10:30 Tomek L
0 siblings, 0 replies; 5+ messages in thread
From: Tomek L @ 2014-08-13 10:30 UTC (permalink / raw)
To: netfilter
Hi All,
Could you have a look at my simple nft firewall script below, I've
used ct related, established, but it doesnt work with passive mode FTP
- the data session on high ports is dropped by firewall. Does NFTables
have connection tracking helper for FTP? If not - is it planned in
foreseable future to add it?
table ip filter {
chain input {
type filter hook input priority 0;
dport {21} ct state new limit rate 2/second counter accept
ct state {established, related} counter accept
counter limit rate 100/second log group 2 prefix
"RULE=Default drop"
counter drop
}
chain output {
type filter hook output priority 0;
ct state {established, related} counter accept
}
}
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-08-14 18:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-08-14 9:29 nftables and FTP connection tracking tomekx1000
2014-08-14 18:02 ` Pablo Neira Ayuso
2014-08-14 18:38 ` tomekx1000
-- strict thread matches above, loose matches on Subject: below --
2014-08-13 12:56 Tomek L
2014-08-13 10:30 Tomek L
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox