ufw

Connection tracking issues using ufw with Raspbian Stretch

Bug #1726550 reported by Knute Johnson on 2017-10-23
Affects: ufw
Status: In Progress
Importance: High
Assigned to: Jamie Strandboge

Bug Description

On a Raspberry Pi running Raspbian Stretch and ufw, the connection state tracking mechanism doesn't allow connections from an external FTP client in passive mode. I found the following in the syslog:

Oct 23 14:05:09 raspberrypi kernel: [ 50.993344] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
Oct 23 14:11:51 raspberrypi kernel: [ 2.781931] nf_conntrack version 0.5.0 (14336 buckets, 57344 max)

With some more research I discovered that the file /proc/sys/net/netfilter/nf_conntrack_helper contains a 0. It needs to be a 1 for the usual connection tracking mechanism to work. For whatever reason that value cannot be permanently changed (or at least I can't change it) on my Raspberry Pi running Stretch.

After more research I found this website: https://home.regit.org/netfilter-en/secure-use-of-helpers/, which has the following:

"Using the CT target to refine security
Introduction

One classic problem with helpers is the fact that helpers listen on predefined ports. If a service does not run on a standard port, it is necessary to declare it. Before 2.6.34, the only method to do so was to use a module option. This resulted in a systematic parsing of the added port by the chosen helper. This was clearly suboptimal, and the CT target was introduced in 2.6.34. It allows specifying what helper to use for a specific flow. For example, let’s say we have an FTP server on IP address 1.2.3.4 running on port 2121.

To declare it, we can simply do

iptables -A PREROUTING -t raw -p tcp --dport 2121 \
       -d 1.2.3.4 -j CT --helper ftp

Therefore, the use of the module options is NOT recommended anymore – please use the CT target instead."

So by running the following from the command line I can get my passive ftp clients to connect with no problem:

sudo iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

I know there are other helpers for other protocols and they work differently than the helper for ftp does. I don't know if you want to modify ufw to enable these or not. I don't completely understand when ufw loads the iptables rules, or know where the best place to put the command above is. It would be nice to make it permanent so that my ftp server will always be able to allow passive connections.

ufw version: 0.35
Raspbian Stretch 9
Kernel 4.91.41

Thanks!

I tested ufw on Xubuntu 17.10 and it requires the same additional iptables rule to allow passive ftp to work. Up until recently I was running an Ubuntu 16.04 LTS server that did not have this problem.

Jamie Strandboge (jdstrand) wrote:

Thanks for the bug and additional information! We need to adjust the documentation for this, with common examples. You asked specifically about where to put your rule. See 'man ufw-framework'. You'll likely want to add something like this to the end of /etc/ufw/before.rules, after the COMMIT line:

# Update for CT modules for passive ftp
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT

Changed in ufw:
importance: Undecided → Medium
status: New → Triaged
Jamie Strandboge (jdstrand) wrote:

I forgot to mention, after doing the above, run 'sudo ufw reload'.
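
The workaround from the two comments above, as an added example (not code from ufw or from anyone in this report): a script that detects the kernel message quoted in the description, appends the `*raw` section with the CT rule to a before.rules file exactly once, and checks the result. The file path, the port and the function names are this example's own assumptions; it never calls iptables itself, so it can be tried on a scratch copy before touching /etc/ufw/before.rules.

```shell
#!/bin/sh
# Added example, not code from ufw or from the bug report. Automates the
# workaround: detect the nf_conntrack message, then append a *raw section
# carrying the CT helper rule to a copy of /etc/ufw/before.rules.
# Paths and port are parameters (assumed); nothing here runs iptables.

# Return 0 if the syslog file contains the kernel message from the report,
# i.e. nf_conntrack_helper is 0 and the kernel expects an explicit CT rule.
needs_explicit_helper() {
    grep -q 'nf_conntrack: default automatic helper assignment has been turned off' "$1"
}

# Append the raw-table block after the final COMMIT of before.rules, once.
# $1 = path to before.rules, $2 = FTP control port (default 21).
add_ftp_ct_helper() {
    rules_file="$1"
    port="${2:-21}"
    rule="-A PREROUTING -p tcp --dport ${port} -j CT --helper ftp"

    # Idempotent: a second run must not add a duplicate *raw section,
    # otherwise 'ufw reload' would load the rule twice.
    if grep -Fqx -- "$rule" "$rules_file"; then
        return 0
    fi
    # iptables-restore files are a sequence of '*table ... COMMIT' sections;
    # the *filter section ufw ships already ends with COMMIT, so a new
    # '*raw ... COMMIT' section simply goes after it.
    printf '%s\n' \
        '' \
        '# Attach the ftp conntrack helper explicitly (passive FTP)' \
        '*raw' \
        ':PREROUTING ACCEPT [0:0]' \
        "$rule" \
        'COMMIT' >> "$rules_file"
}

# Sanity check on the resulting file: number of *raw sections (expect 1).
count_raw_sections() {
    grep -c '^\*raw$' "$1" || :
}

# Usage: sh ct_helper.sh /etc/ufw/before.rules [port], then 'sudo ufw reload'.
if [ $# -gt 0 ]; then
    add_ftp_ct_helper "$@" && echo "rule present in $1; now run: sudo ufw reload"
fi
```

After `sudo ufw reload`, `sudo iptables -t raw -S PREROUTING` should list the CT rule, and the kernel message should no longer appear for new passive FTP sessions.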

Thanks, that works perfectly.

I found an article at http://www.shorewall.org/4.6/Helpers.html that has information on other helpers. It is a few years old and there may very well be more.

Would it be possible when opening/closing a port for a service such as ftp that ufw would enable/disable the appropriate helper?

I used to code my firewalls all myself with iptables (and before that I think it was iftables) but now I use ufw almost exclusively. It has made life much easier and probably more secure too.

Thanks

Jamie Strandboge (jdstrand) wrote:

Glad that worked for you. :)

Yes, ufw could do that. There is some upcoming work for ufw managing other tables and once that is in, we could look at this.

Jamie Strandboge (jdstrand) wrote:

FYI, this is being worked on for an upcoming 0.35.1.

Changed in ufw:
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Medium → High