[pve-devel] [PATCH pve-docs] pve-firewall: fix ftp conntrack doc
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Aug 7 14:50:57 CEST 2019
(going through backlog)
On May 17, 2019 12:26 pm, Alexandre Derumier wrote:
> ip_conntrack_ftp is now nf_conntrack_ftp (still works as alias, but deprecated)
> nf_conntrack_helper is now disabled by default on recent kernels,
> we need to enable it explicitly
>
> Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
> ---
> pve-firewall.adoc | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index 2bcdf6e..a9a097f 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -554,10 +554,23 @@ FTP is an old style protocol which uses port 21 and several other dynamic ports.
> need a rule to accept port 21. In addition, you need to load the `ip_conntrack_ftp` module.
> So please run:
>
> - modprobe ip_conntrack_ftp
> + modprobe nf_conntrack_ftp
> + sysctl -w net.netfilter.nf_conntrack_helper=1
>
> -and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot).
> +To make is persistent after a reboot:
>
> +add in /etc/modules-load.d/nf_conntrack.conf
> +
> +----
> +nf_conntrack
> +nf_conntrack_ftp
> +----
> +
> +and in /etc/sysctl.conf
> +
> +----
> +net.netfilter.nf_conntrack_helper = 1
Is this identical to the module parameter? Why not set the module
parameter?
> +----
>
> Suricata IPS integration
> ~~~~~~~~~~~~~~~~~~~~~~~~
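Review bot: The unchanged context sentence directly above the commands still says "you need to load the `ip_conntrack_ftp` module", so after this change the prose names the deprecated alias while the command loads `nf_conntrack_ftp`; that sentence should be updated in the same patch. In the added text, "To make is persistent after a reboot:" should read "To make it persistent after a reboot:". The added lines also set `net.netfilter.nf_conntrack_helper` without saying what it does. The name shows it is a general conntrack helper setting rather than an FTP-specific one, so a short sentence carrying over the commit message's reason (disabled by default on recent kernels, must be enabled explicitly) would tell readers what they are turning on.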
> --
> 2.11.0