Connection tracking issues using ufw with Raspbian Stretch
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | In Progress | High | Jamie Strandboge | 
Bug Description
On a Raspberry Pi running Raspbian Stretch with ufw, the connection state tracking mechanism doesn't allow connections from an external FTP client in passive mode. I found the following in the syslog:
Oct 23 14:05:09 raspberrypi kernel: [ 50.993344] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
Oct 23 14:11:51 raspberrypi kernel: [ 2.781931] nf_conntrack version 0.5.0 (14336 buckets, 57344 max)
With some more research I discovered that the file /proc/sys/
After more research I found this website: https:/
"Using the CT target to refine security
Introduction
One classic problem with helpers is the fact that helpers listen on predefined ports. If a service does not run on its standard port, it is necessary to declare it. Before 2.6.34, the only method to do so was to use a module option. This resulted in the chosen helper systematically parsing the added port. This was clearly suboptimal and the CT target has been introduced in 2.6.34. It allows you to specify what helper to use for a specific flow. For example, let's say we have an FTP server on IP address 1.2.3.4 running on port 2121.
To declare it, we can simply do
iptables -A PREROUTING -t raw -p tcp --dport 2121 \
    -d 1.2.3.4 -j CT --helper ftp
Therefore, the use of the module options is NOT recommended anymore – please use the CT target instead."
So by running the following from the command line I can get my passive ftp clients to connect with no problem:
sudo iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
I know there are other helpers for other protocols and they work differently than the helper for ftp does. I don't know if you want to modify ufw to enable these or not. I don't completely understand when ufw loads the iptables rules, or where the best place is to put the command above. It would be nice to make it permanent so that my ftp server will always be able to allow passive connections.
ufw version: 0.35
Raspbian Stretch 9
Kernel 4.9.41
Thanks!
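As an added illustration (not part of the bug report and not ufw's own code), the following Python script automates the two checks a practitioner would run on a host like the one described: it looks for the "default automatic helper assignment has been turned off" kernel message, parses `iptables -t raw -S PREROUTING` output to see which `-j CT --helper` rules are already attached, and renders the missing ones as a `*raw` table block in iptables-restore syntax. The syslog lines and the chain listing are constructed samples embedded in the script. It assumes, as a reading of the ufw framework documentation rather than anything stated in the report, that ufw loads /etc/ufw/before.rules through iptables-restore, so an extra table block placed in that file is re-applied on every firewall start and makes the fix persistent; the `WANTED` list of services is likewise an assumption for the example.

```python
"""Audit conntrack helper attachment (CT target) and render a ufw before.rules fragment.

Added example, not part of the bug report or of ufw. Sample inputs are constructed.
"""
import shlex

# Kernel message quoted in the bug report: with automatic helper assignment off,
# a helper is only attached to a flow if a CT target rule says so.
AUTO_HELPER_OFF_MSG = "default automatic helper assignment has been turned off"

# Constructed sample standing in for syslog / `journalctl -k` output.
SAMPLE_SYSLOG = """\
Oct 23 14:11:51 raspberrypi kernel: [    2.781931] nf_conntrack version 0.5.0 (14336 buckets, 57344 max)
Oct 23 14:05:09 raspberrypi kernel: [   50.993344] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
"""

# Constructed sample standing in for `iptables -t raw -S PREROUTING`: a CT helper
# rule exists for a non-standard FTP port, but none for the standard port 21.
SAMPLE_RAW_PREROUTING = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 2121 -j CT --helper ftp
"""

# Assumed set of services that need a helper on this host: (proto, dport, helper).
WANTED = [("tcp", 21, "ftp"), ("tcp", 2121, "ftp")]


def kernel_reports_helpers_off(syslog_text):
    """True if the kernel logged that automatic helper assignment is disabled."""
    return any(AUTO_HELPER_OFF_MSG in line for line in syslog_text.splitlines())


def parse_ct_helper_rules(raw_chain_listing):
    """Extract (proto, dport, helper) from every `-A ... -j CT --helper X` rule.

    Accepts `iptables -S` style output; policy lines and non-CT rules are skipped.
    Negated matches (`!`) are not handled, which is fine for an audit of helper rules.
    """
    rules = []
    for line in raw_chain_listing.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        opts = {}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            # Pair each option with its value; tokens without a value are skipped.
            if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
            else:
                i += 1
        if opts.get("-j") != "CT" or "--helper" not in opts:
            continue
        dport = int(opts["--dport"]) if "--dport" in opts else None
        rules.append((opts.get("-p"), dport, opts["--helper"]))
    return rules


def missing_helper_rules(raw_chain_listing, wanted):
    """Return the (proto, dport, helper) triples from `wanted` with no CT rule attached."""
    present = set(parse_ct_helper_rules(raw_chain_listing))
    return [w for w in wanted if w not in present]


def before_rules_raw_fragment(missing):
    """Render a *raw table block in iptables-restore syntax.

    Assumption (from the ufw framework documentation, not from the bug report):
    ufw feeds /etc/ufw/before.rules to iptables-restore, so this block placed at the
    end of that file is applied on every firewall start.  The helper module
    (nf_conntrack_ftp here) must be loadable or rule insertion fails.
    """
    lines = ["*raw", ":PREROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    for proto, dport, helper in missing:
        lines.append(f"-A PREROUTING -p {proto} --dport {dport} -j CT --helper {helper}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if kernel_reports_helpers_off(SAMPLE_SYSLOG):
        print("kernel: automatic helper assignment is off; CT rules are required")
    print(before_rules_raw_fragment(missing_helper_rules(SAMPLE_RAW_PREROUTING, WANTED)), end="")
```

Two caveats the script's output carries over from the report. The one-off `iptables -A ... -j CT --helper ftp` command in the description is lost on reboot and is appended again every time it is re-run; placing the rule in a persistent rules file, or checking with `iptables -C` before `-A`, avoids both. And a helper attached to port 21 for every destination lets any host that can reach that port drive the FTP parser and open RELATED pinholes, so restricting the CT rule with `-d <server address>` as in the quoted blog example keeps the exposure to the intended server.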
I tested ufw on Xubuntu 17.10 and it requires the same additional iptables rule to allow passive ftp to work. Up until recently I was running an Ubuntu Server 16.04 LTS that did not have this problem.