[pve-devel] [PATCH pve-docs] pve-firewall: fix ftp conntrack doc

Alexandre DERUMIER aderumier at odiso.com
Wed Aug 7 16:40:19 CEST 2019


> +net.netfilter.nf_conntrack_helper = 1

>>is this identical to the module parameter? why not set the module 
>>parameter?

yes, I think it should work with the module parameter too (but I haven't tested it)


----- Original Message -----
From: "Fabian Grünbichler" <f.gruenbichler at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, 7 August 2019 14:50:57
Subject: Re: [pve-devel] [PATCH pve-docs] pve-firewall: fix ftp conntrack doc

(going through backlog) 

On May 17, 2019 12:26 pm, Alexandre Derumier wrote: 
> ip_conntrack_ftp is now nf_conntrack_ftp (still works as alias, but deprecated) 
> nf_conntrack_helper is now disabled by default on recent kernels, 
> we need to enable it explicitly 
> 
> Signed-off-by: Alexandre Derumier <aderumier at odiso.com> 
> --- 
> pve-firewall.adoc | 17 +++++++++++++++-- 
> 1 file changed, 15 insertions(+), 2 deletions(-) 
> 
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc 
> index 2bcdf6e..a9a097f 100644 
> --- a/pve-firewall.adoc 
> +++ b/pve-firewall.adoc 
> @@ -554,10 +554,23 @@ FTP is an old style protocol which uses port 21 and several other dynamic ports. 
> need a rule to accept port 21. In addition, you need to load the `ip_conntrack_ftp` module. 
> So please run: 
> 
> - modprobe ip_conntrack_ftp 
> + modprobe nf_conntrack_ftp 
> + sysctl -w net.netfilter.nf_conntrack_helper=1 
> 
> -and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot). 
> +To make is persistent after a reboot: 
> 
> +add in /etc/modules-load.d/nf_conntrack.conf 
> + 
> +---- 
> +nf_conntrack 
> +nf_conntrack_ftp 
> +---- 
> + 
> +and in /etc/sysctl.conf 
> + 
> +---- 
> +net.netfilter.nf_conntrack_helper = 1 

is this identical to the module parameter? why not set the module 
parameter? 

> +---- 
> 
> Suricata IPS integration 
> ~~~~~~~~~~~~~~~~~~~~~~~~ 
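
Review bot: the unchanged sentence directly above the commands still tells the reader to load the `ip_conntrack_ftp` module, while the added lines load `nf_conntrack_ftp`; that sentence should be updated in the same patch so the text and the commands agree. In the added text, "To make is persistent" should read "To make it persistent", and the "add in /etc/modules-load.d/nf_conntrack.conf" and "and in /etc/sysctl.conf" lines would be clearer as full sentences with the paths in backticks, as the removed line did for `/etc/modules`. Since the commit message says the helper is disabled by default on recent kernels, the documentation would also benefit from one sentence stating that the sysctl turns it back on explicitly, so readers know they are changing a default.
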
> -- 
> 2.11.0 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
