"[FLSA-2005:2252] Updated iptables packages resolve security issues" introduces new bug

Pekka Savola pekkas at netcore.fi
Sat Feb 19 18:39:45 UTC 2005


On Sat, 19 Feb 2005, Marc Deslauriers wrote:
> On Sat, 2005-02-19 at 12:46 +0100, Bart Westra wrote:
>> After upgrading to iptables-1.2.8-8.90.1.legacy for Red Hat 9, I have found
>> that ip_conntrack_ftp is not working on some interfaces of my system (it has
>> 4 physical interfaces). It no longer recognizes the data sessions associated
>> with an ftp control session. When I open the high ports in iptables, the
>> data session will work.
>
> With the new iptables package, you have to manually add
> "ip_conntrack_ftp" to the IPTABLES_MODULES="" variable in
> the /etc/sysconfig/iptables-config file and
> uncomment the line.
>
> Please try that and report back here if it worked so we can close the bug.

Umm... that shouldn't be needed -- the whole point is that the modules
are loaded properly? (Of course, it can be tried...)

But that said, something _is_ wrong.  I started hearing weird reports
from our multi-interface RHL9-based firewall as well, and I couldn't
associate them until now.

It would be interesting to know whether conntrack_ftp is:
  - automatically loaded or not
  - actually loaded when conntracking fails
  - whether conntracking works on some interfaces and not on others

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
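The thread turns on two checks: whether ip_conntrack_ftp is listed in an uncommented IPTABLES_MODULES= line of /etc/sysconfig/iptables-config (Marc's suggested fix) and whether the module is actually loaded when FTP data sessions fail (Pekka's question). The script below is an added example, not code from the thread or from the Fedora Legacy iptables package; it parses constructed samples of the config file and of lsmod output, so the file layout and module names in the samples are assumptions, and the only real paths it uses are the ones the thread names.

```sh
#!/bin/sh
# Added diagnostic helpers for the ip_conntrack_ftp question in this thread.
# Everything below the comments is sample data constructed for the example.

# Constructed sample: config as shipped, with the modules line still commented out.
SAMPLE_CONFIG='# Load additional iptables modules (nat helpers)
#IPTABLES_MODULES="ip_conntrack_netbios_ns"
'

# Constructed sample: the same file after applying the fix from the thread.
SAMPLE_CONFIG_FIXED='# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_ftp"
'

# Constructed sample of 2.4-era lsmod output with the helper loaded.
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ip_conntrack_ftp        4812   0  (unused)
ip_conntrack           26068   1  [ip_conntrack_ftp]
iptable_filter          2412   1  (autoclean)
'

# configured_modules CONFIG_TEXT
# Prints the value of the first uncommented IPTABLES_MODULES="..." line,
# or nothing if the line is missing or still commented out.
configured_modules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*IPTABLES_MODULES="\([^"]*\)".*/\1/p' | head -n 1
}

# module_configured MODULE CONFIG_TEXT
# Returns 0 if MODULE appears in the active IPTABLES_MODULES list.
module_configured() {
    for m in $(configured_modules "$2"); do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# module_loaded MODULE LSMOD_TEXT
# Returns 0 if MODULE is in the first column of the lsmod output (header skipped).
module_loaded() {
    printf '%s\n' "$2" | awk -v mod="$1" 'NR > 1 && $1 == mod { found = 1 } END { exit !found }'
}

# diagnose_live [MODULE]
# Runs both checks against the real system: the config file the thread names
# and live lsmod output. Not called here so the script has no side effects.
diagnose_live() {
    mod="${1:-ip_conntrack_ftp}"
    cfg=/etc/sysconfig/iptables-config
    if [ -r "$cfg" ]; then
        if module_configured "$mod" "$(cat "$cfg")"; then
            echo "$mod: listed in IPTABLES_MODULES in $cfg"
        else
            echo "$mod: NOT listed in IPTABLES_MODULES in $cfg (line missing or commented)"
        fi
    else
        echo "$cfg: not readable"
    fi
    if module_loaded "$mod" "$(lsmod)"; then
        echo "$mod: currently loaded"
    else
        echo "$mod: NOT loaded"
    fi
}
```

Source the file and run diagnose_live on the firewall while an FTP data transfer is failing; "listed" but "NOT loaded" points at the init script not loading the configured modules, while "NOT listed" and "NOT loaded" matches the configuration change Marc describes. If the module is loaded and transfers still fail on only some interfaces, the helper is not the explanation and the per-interface rules need a look.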

More information about the fedora-legacy-list mailing list