Hi.

On Fri, Dec 15, 2017 at 02:46:16PM +0100, David Guyot wrote:
> Hello, there.
>
> I'm running a Pure-FTPd service, with passive FTP, and I encountered
> what seems to be a defect in the nf_conntrack_ftp module: it seems to
> not recognize the passive FTP data connection as RELATED to the
> established control connection.
And it should not, as they disabled automatic assignment of conntrack
helper modules back in mainline kernel version 3.5. Also, see Debian bug
#870484.

What you need to make it work is the set of these netfilter rules:

-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -p tcp --dport 21 -j ACCEPT

Remove nf_conntrack_ftp from /etc/modules (loading the netfilter rule will
take care of this module), and exterminate these:

> -A INPUT -i ens3 -p tcp -m tcp --dport 50000:50500 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -o ens3 -p tcp -m tcp --sport 50000:50500 -m state --state
> RELATED,ESTABLISHED -j ACCEPT

Reco
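The three rules above, assembled into one atomic iptables-restore ruleset so the raw-table helper assignment and the filter-table stateful rules are loaded together. This is an added example, not a script from the thread or from Pure-FTPd; the interface name ens3 and the 50000:50500 passive range are taken from the mail, while the default INPUT policy of DROP, the loopback accept, and the WAN_IF variable are assumptions. The generator runs without root; applying the ruleset (the --apply flag) needs it.

```shell
#!/bin/sh
# Added example: build the iptables-restore ruleset described in Reco's reply.
# Assumed: the interface is overridable via WAN_IF (default ens3, as in the
# thread) and the INPUT chain defaults to DROP.

WAN_IF="${WAN_IF:-ens3}"

# Emit the ruleset in iptables-save format. Lines starting with '#' are
# ignored by iptables-restore, so the comments are safe to keep.
ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Since mainline 3.5 the ftp helper is no longer attached automatically, so
# the control connection on port 21 must be tagged here explicitly. Loading
# this rule pulls in nf_conntrack_ftp, hence no /etc/modules entry is needed.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Passive data connections the helper parsed out of the PASV reply arrive as
# RELATED and are accepted by this one rule; the old static 50000:50500 hole
# (and its OUTPUT twin) is no longer needed.
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Checks that run without root: the helper assignment is present, and the
# static passive-port exception has been removed.
has_helper_rule() {
    ftp_ruleset | grep -q -- '-j CT --helper ftp' && echo yes || echo no
}
has_static_pasv_hole() {
    ftp_ruleset | grep -q -- 'dport 50000:50500' && echo yes || echo no
}

# Dry-run prints the ruleset; --apply loads it atomically (root required).
if [ "${1:-}" = "--apply" ]; then
    ftp_ruleset | iptables-restore
else
    ftp_ruleset
fi
```

After applying, an open FTP control session should show up in /proc/net/nf_conntrack (or `conntrack -L`) with `helper=ftp` on its entry; if that field is missing, the raw-table rule did not match and the data connection will not be classified RELATED.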