Package: ferm
Version: 2.0.7-1
Severity: normal

Hey,
I just noticed that my ftp rules weren't working correctly in ferm just because nf_conntrack_ftp wasn't loaded. I assumed it would have been done by ferm, so I'm reporting this so it could be added to the initscript or something if ftp is detected in the rules. (feel free to reassign to iptables if it should load it itself when detecting the ftp helper).

Cheers,
-- 
Yves-Alexis

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ferm depends on:
ii  debconf   1.5.33   Debian configuration management sy
ii  iptables  1.4.8-3  administration tools for packet fi
ii  lsb-base  3.2-23.1 Linux Standard Base 3.2 init scrip
ii  perl      5.10.1-13 Larry Wall's Practical Extraction

Versions of packages ferm recommends:
ii  libnet-dns-perl  0.66-2  Perform DNS queries from a Perl sc

ferm suggests no packages.
-- Configuration Files:
/etc/default/ferm changed:
FAST=yes
CACHE=no
OPTIONS=
ENABLED=yes

/etc/ferm/ferm.conf changed:
@def &INPUT() = {
    # allow SSH connections
    proto tcp dport ssh ACCEPT;
    #zeroconf
    proto udp dport mdns DROP;
}

@def &OUTPUT() = {
    proto (tcp udp) dport domain ACCEPT;
    proto tcp dport whois ACCEPT;
    proto udp dport ipp ACCEPT;
    proto tcp dport 9100 ACCEPT;
    proto tcp dport snmp ACCEPT;
    proto udp dport ntp sport ntp ACCEPT;
    proto tcp dport rsync ACCEPT;
    proto tcp dport nntp ACCEPT;
    # ftp (the helper match below needs nf_conntrack_ftp loaded to see RELATED data connections)
    proto tcp dport ftp ACCEPT;
    mod helper helper ftp ACCEPT;
    #SIP
    proto udp dport (sip sip-tls) ACCEPT;
    # mail
    proto tcp dport (smtp ssmtp submission) ACCEPT;
    proto tcp dport (imap imaps pop3s) ACCEPT;
    # web
    proto tcp dport (http https) ACCEPT;
    # ssh
    proto tcp dport ssh ACCEPT;
    # jabber
    proto tcp dport (jabber-client 7777) ACCEPT;
    #proto tcp dport 5222 daddr molly.corsac.net ACCEPT;
    #proto tcp dport 5222 daddr heracles.droledequartier.net ACCEPT;
    # irc
    proto tcp dport ircd ACCEPT;
    # gnupg keyservers
    proto tcp dport hkp ACCEPT;
    # collab
    proto tcp dport (subversion git) ACCEPT;
    proto tcp dport ipp ACCEPT;
}

table filter {
    chain INPUT {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # allow local packets
        interface lo ACCEPT;
        proto 2 mod pkttype pkt-type multicast ACCEPT;
        # dhcp
        proto udp dport 67 sport 68 ACCEPT;
        proto udp dport (67:68) mod addrtype dst-type BROADCAST DROP;
        # cups
        proto udp dport 631 mod addrtype dst-type BROADCAST DROP;
        # respond to ping
        proto icmp ACCEPT;
        &INPUT();
        #freeplayer
        proto udp saddr 212.27.38.253 ACCEPT;
        #daap
        proto tcp dport 3689 ACCEPT;
        # broadcast
        mod addrtype dst-type BROADCAST DROP;
        LOG log-prefix "[iptables] input: ";
        DROP;
    }
    chain OUTPUT {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        proto udp dport mdns DROP;
        # allow local packets
        outerface lo ACCEPT;
        proto icmp ACCEPT;
        # dhcp
        proto udp sport 68 dport 67 ACCEPT;
        &OUTPUT();
        # svn version.picty.org
        proto tcp daddr 88.177.168.227 dport 444 ACCEPT;
        # freeplayer
        proto tcp dport 554 daddr 212.27.38.253 ACCEPT;
        proto udp daddr 212.27.38.253 ACCEPT;
        # kcdx
        proto tcp dport 8000 daddr 69.28.135.22 ACCEPT;
        # cfssi
        proto tcp dport 1022 ACCEPT;
        # log, then drop
        LOG log-prefix "[iptables] output: ";
        DROP;
    }
    chain FORWARD {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        LOG log-prefix "[iptables] forward:";
        DROP;
    }
}

domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            proto icmpv6 ACCEPT;
            # allow local packets
            interface lo ACCEPT;
            &INPUT();
            LOG log-prefix "[iptables] input6: ";
            DROP;
        }
        chain OUTPUT {
            policy DROP;
            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # allow local packets
            outerface lo ACCEPT;
            proto icmpv6 ACCEPT;
            &OUTPUT();
            LOG log-prefix "[iptables] output6: ";
            DROP;
        }
        chain FORWARD {
            policy DROP;
            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            LOG log-prefix "[iptables] forward6: ";
            DROP;
        }
    }
}

-- debconf information:
* ferm/enable: true
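The check the report asks for, written out as an added example (this is not ferm's own code and not part of the bug report): a POSIX shell script that scans a ferm configuration for `mod helper helper <name>` matches and makes sure the corresponding `nf_conntrack_<name>` module is loaded before the rules are applied, which is what an initscript hook would have to do. The function names, the module-name mapping and the demo config fragment are all constructed for the example; the mapping relies on the fact that iptables helper names (ftp, irc, tftp, sip, ...), optionally suffixed with a port such as ftp-2121, correspond to nf_conntrack_<name> modules.

```shell
#!/bin/sh
# Added example, not part of ferm or of this bug report.
# Scan a ferm config for "mod helper helper <name>" and make sure the
# matching nf_conntrack_<name> module is loaded before the rules go in.
# Function names and the demo fragment below are constructed.

# Print the conntrack module for every helper the config in $1 references,
# one per line, sorted and without duplicates. Comments are stripped first
# so commented-out rules do not count, and rules are split on ";" so the
# scan also works on a config that was flattened onto one line.
helpers_in_config() {
    sed 's/#.*$//' "$1" | tr ';' '\n' | awk '
        {
            for (i = 1; i + 2 <= NF; i++) {
                if ($i != "mod" || $(i+1) != "helper" || $(i+2) != "helper") continue
                # ferm accepts a single name or a parenthesised list: (ftp irc)
                for (j = i + 3; j <= NF; j++) {
                    tok = $j
                    closing = (tok ~ /\)/)
                    gsub(/[()]/, "", tok)
                    if (tok != "") names[tok] = 1
                    if (j == i + 3 && $j !~ /^\(/) break   # single name, done
                    if (closing) break                        # end of the list
                }
            }
        }
        END {
            # helper names may carry a port suffix (ftp-2121); the module is
            # still nf_conntrack_ftp, so drop the suffix before prefixing
            for (n in names) { m = n; sub(/-[0-9]+$/, "", m); print "nf_conntrack_" m }
        }
    ' | sort -u
}

# Succeeds when kernel module $1 is currently loaded (sysfs view).
module_loaded() {
    [ -d "/sys/module/$1" ]
}

# Load every helper module the config in $1 needs. Meant to run as root
# right before "ferm /etc/ferm/ferm.conf"; reports what it did.
ensure_helpers_loaded() {
    helpers_in_config "$1" | while read -r mod; do
        if module_loaded "$mod"; then
            echo "$mod: already loaded"
        else
            echo "$mod: loading"
            modprobe "$mod" || { echo "$mod: modprobe failed" >&2; return 1; }
        fi
    done
}

# Constructed fragment in the style of the reporter's config, covering a
# plain name, a commented-out rule and a parenthesised list with a port suffix.
demo_config() {
    cat <<'EOF'
chain OUTPUT {
    # ftp
    proto tcp dport ftp ACCEPT; mod helper helper ftp ACCEPT;
    # a commented-out rule must not count: mod helper helper tftp ACCEPT;
    mod helper helper (irc ftp-2121) ACCEPT;
}
EOF
}

# Usage: sh ferm-helpers.sh /etc/ferm/ferm.conf   (loads the modules)
# Without an argument it only lists what the demo fragment would need.
if [ -n "$1" ]; then
    ensure_helpers_loaded "$1"
else
    tmp=$(mktemp)
    demo_config > "$tmp"
    helpers_in_config "$tmp"      # prints nf_conntrack_ftp and nf_conntrack_irc
    rm -f "$tmp"
fi
```

Loading the module is all that was missing on the 2.6.32 kernel in this report. On kernels from 4.7 onward it is no longer sufficient by itself: automatic helper assignment is disabled by default (net.netfilter.nf_conntrack_helper=0, and that sysctl was removed in 6.0), so the helper additionally has to be assigned explicitly with a `CT --helper ftp` rule in the raw table, otherwise the `mod helper helper ftp` match never sees any RELATED data connections even with nf_conntrack_ftp loaded.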