[pve-devel] [PATCH pve-docs] pve-firewall: fix ftp conntrack doc
Alexandre Derumier
aderumier at odiso.com
Fri May 17 12:26:51 CEST 2019
ip_conntrack_ftp is now nf_conntrack_ftp (still works as an alias, but deprecated)
nf_conntrack_helper is now disabled by default on recent kernels,
we need to enable it explicitly
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
pve-firewall.adoc | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 2bcdf6e..a9a097f 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -554,10 +554,23 @@ FTP is an old style protocol which uses port 21 and several other dynamic ports.
need a rule to accept port 21. In addition, you need to load the `ip_conntrack_ftp` module.
So please run:
- modprobe ip_conntrack_ftp
+ modprobe nf_conntrack_ftp
+ sysctl -w net.netfilter.nf_conntrack_helper=1
-and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot).
+To make is persistent after a reboot:
+add in /etc/modules-load.d/nf_conntrack.conf
+
+----
+nf_conntrack
+nf_conntrack_ftp
+----
+
+and in /etc/sysctl.conf
+
+----
+net.netfilter.nf_conntrack_helper = 1
+----
Suricata IPS integration
~~~~~~~~~~~~~~~~~~~~~~~~
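Review bot: the unchanged context line just above the hunk still tells the reader to load the `ip_conntrack_ftp` module, so the prose and the command now disagree; extend the hunk to rename that reference to `nf_conntrack_ftp` as well. Two smaller points in the added lines: "To make is persistent after a reboot:" should read "To make it persistent after a reboot:", and since `net.netfilter.nf_conntrack_helper=1` re-enables automatic helper assignment globally (the behaviour the kernel turned off by default, as the commit message notes), a sentence saying so would help admins decide whether they want it for every connection rather than only FTP.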
--
2.11.0