[pve-devel] [PATCH pve-docs] pve-firewall: fix ftp conntrack doc

Alexandre Derumier aderumier at odiso.com
Fri May 17 12:26:51 CEST 2019


ip_conntrack_ftp is now nf_conntrack_ftp (still works as an alias, but deprecated)
nf_conntrack_helper is now disabled by default on recent kernels,
we need to enable it explicitly

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 pve-firewall.adoc | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 2bcdf6e..a9a097f 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -554,10 +554,23 @@ FTP is an old style protocol which uses port 21 and several other dynamic ports.
 need a rule to accept port 21. In addition, you need to load the `ip_conntrack_ftp` module.
 So please run: 
 
- modprobe ip_conntrack_ftp
+ modprobe nf_conntrack_ftp
+ sysctl -w net.netfilter.nf_conntrack_helper=1
 
-and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot).
+To make is persistent after a reboot:
 
+add in /etc/modules-load.d/nf_conntrack.conf
+
+----
+nf_conntrack
+nf_conntrack_ftp
+----
+
+and in /etc/sysctl.conf
+
+----
+net.netfilter.nf_conntrack_helper = 1
+----
 
 Suricata IPS integration
 ~~~~~~~~~~~~~~~~~~~~~~~~
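Review bot: the unchanged context line at the top of the hunk still tells the reader "you need to load the `ip_conntrack_ftp` module" while the command right below it now reads `modprobe nf_conntrack_ftp`; that sentence should be updated in the same patch so the doc does not name two different modules. Typo in the added text: "To make is persistent after a reboot:" should read "To make it persistent after a reboot:". The new `sysctl -w net.netfilter.nf_conntrack_helper=1` line also deserves one sentence of explanation: it turns automatic conntrack helper assignment back on for every loaded helper module, not just FTP, which is exactly the behaviour recent kernels disabled by default, so the reader should know the setting is global and that binding the helper to specific rules (the iptables `CT` target with `--helper ftp`) is the narrower alternative.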
-- 
2.11.0