For a public file archive with an anonymous ftp server (vsftpd) I need to restore passive ftp, which ceased to work after upgrading Ubuntu 16 LTS to 18 LTS some time ago (with 20 to follow). Previous answers around the SE network indicate that in addition to configuring connection tracking in the kernel and firewall, nf_conntrack_helper should be enabled in the kernel settings or a sysctl config.
However, this oft-referenced article on using helpers points out "this is not optimal and is even a security risk". This is reiterated in this answer, yet no other answers I found in this context have such reservations about setting net.netfilter.nf_conntrack_helper=1.
So I am not sure: is this safe to use or a risk?
Passive ftp is blocked by UFW unless I enable nf_conntrack_helper. Or is there another oversight in the conntrack configuration?
Background
Kernel 4.15.x with ftp modules:
$ lsmod | grep ftp
nf_nat_ftp 16384 0
nf_nat 28672 1 nf_nat_ftp
nf_conntrack_ftp 16384 1 nf_nat_ftp
nf_conntrack 110592 9 nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_netbios_ns,xt_CT,xt_conntrack,nf_nat
vsftpd with restricted pasv port range:
pasv_min_port=49152
pasv_max_port=60999
UFW with relevant configuration lines in before.rules:
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
In user.rules:
### tuple ### allow tcp 21 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 21 -j ACCEPT
In after.rules:
*raw
-A PREROUTING -p tcp --dport ftp -j CT -helper ftp
COMMIT
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
-A ufw-after-input -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d <IP-address> --dport 49152:60999 -j ACCEPT
0 Answers