hanj (Veteran)
Joined: 19 Aug 2003, Posts: 1490
Posted: Wed Nov 09, 2016 5:20 pm
Post subject: Lost CONNTRACK with hardened-sources-4.7.x [SOLVED]
Upgrading the kernel this morning to 4.7.10-hardened, I noticed that I was no longer able to FTP to passive FTP servers. I immediately thought it was related to CONNTRACK options in netfilter, but they're all enabled and built into the kernel (no modules). I rolled back to 4.7.6: same thing. When I rolled back to 4.4.8 I was able to FTP again.
Code:
```
cat config-4.4.8-hardened-r1 | grep CONN | grep -v \#
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
```
Code:
```
cat config-4.7.6-hardened | grep CONN | grep -v \#
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
```
I'm wondering if it's something to do with the established/related logic, but I have no other network-related issues. The only thing that appears to be affected is FTP connections. I re-emerged iptables with different versions, just in case.
Any ideas?
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
Last edited by hanj on Thu Dec 01, 2016 4:05 pm; edited 3 times in total
hanj (Veteran)
Joined: 19 Aug 2003, Posts: 1490
Posted: Wed Nov 09, 2016 7:54 pm
I removed the following, which were set by default...
Code:
```
CONFIG_NETFILTER_XT_NAT is not set
CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NF_NAT_MASQUERADE_IPV4 is not set
CONFIG_IP_NF_NAT is not set
```
Not sure why that was causing the problem, but I noticed they weren't set in 4.4 and were set in 4.7.
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
hanj (Veteran)
Joined: 19 Aug 2003, Posts: 1490
Posted: Thu Nov 10, 2016 5:22 am
Correction: my 'fix' broke NAT and iptables didn't start, so it only appeared to 'work'. Restoring NAT, I'm back to the same problem.
_________________
Server Admin Blog - Uno-Code.com
cord (Guru)
Joined: 28 Apr 2007, Posts: 344
Posted: Sun Nov 13, 2016 8:15 am
Try nftables (why nftables? - read here).
toralf (Developer)
Joined: 01 Feb 2004, Posts: 3922, Location: Hamburg
Posted: Sun Nov 13, 2016 11:42 am
Post subject: Re: Lost CONNTRACK with hardened-sources-4.7.x
hanj wrote:
> Upgrading the kernel this morning to 4.7.10-hardened, I noticed that I was no longer able to FTP to passive FTP servers.

Do you have an example link of a public passive FTP server? I do run 4.7.10, so I could test from here too.
hanj (Veteran)
Joined: 19 Aug 2003, Posts: 1490
Posted: Wed Nov 30, 2016 5:21 pm
I added some more information on this bug. I tried with 4.8.10 and the problem persists. I saw references to PAX/GRSEC in the changelog for 4.8.10, so I thought we were on to something. I disabled GRSEC, and I'm still experiencing the same issue:
https://bugs.gentoo.org/show_bug.cgi?id=599354
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
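An added diagnostic for the symptom in this thread (my script, not anything the posters ran). It assumes one likely cause, which the thread itself does not establish: from kernel 4.7 automatic conntrack helper assignment (the nf_conntrack_helper sysctl) defaults to off, so a built-in FTP helper only tracks the passive data channel when a raw-table `-j CT --helper ftp` rule assigns it to the control connection. The functions check a kernel config, that sysctl value and an iptables-save dump; the sample inputs are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: report why passive-FTP data connections
# may stop matching RELATED after a kernel upgrade. Sample inputs are constructed.

# Constructed kernel-config excerpt (FTP helper built in, as in the poster's config).
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CT_NETLINK=y'

# Constructed iptables-save excerpt: accepts RELATED but never assigns the ftp helper.
SAMPLE_RULES='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT'

# Return 0 when the option is built in (=y) or modular (=m) in the config text.
config_has() {  # $1 = config text, $2 = option name
    printf '%s\n' "$1" | grep -Eq "^$2=(y|m)$"
}

# Return 0 when some rule assigns the ftp helper explicitly (raw table, -j CT --helper ftp).
rules_assign_ftp_helper() {  # $1 = iptables-save text
    printf '%s\n' "$1" | grep -Eq -- '-j CT --helper ftp'
}

# Print a one-line verdict and return: 0 = helper will be applied,
# 1 = helper not built into the kernel, 2 = helper built but never assigned.
# $1 = config text, $2 = nf_conntrack_helper sysctl value (0/1), $3 = iptables-save text
ftp_helper_check() {
    if ! config_has "$1" CONFIG_NF_CONNTRACK_FTP; then
        echo "CONFIG_NF_CONNTRACK_FTP not built: no FTP helper at all"; return 1
    fi
    if [ "$2" = "1" ] || rules_assign_ftp_helper "$3"; then
        echo "ftp helper assigned (auto or via CT rule): data channel can match RELATED"; return 0
    fi
    echo "helper built, auto-assignment off, no '-j CT --helper ftp' rule: data channel will not be RELATED"
    return 2
}

# Live check on the running host (needs root for iptables-save); uncomment to use.
# ftp_helper_check "$(zcat /proc/config.gz)" \
#     "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" "$(iptables-save)"

# Demo on the constructed inputs; the status code is echoed when a problem is found.
ftp_helper_check "$SAMPLE_CONFIG" 0 "$SAMPLE_RULES" || echo "status=$?"
```

The live check compares the same three things on the upgraded kernel; if it reports status 2, adding the raw-table CT rule (or setting the sysctl to 1) is the change to test first.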
hanj (Veteran)
Joined: 19 Aug 2003, Posts: 1490