OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Artur - 03.01.2019

FS#2042 - nat helpers do not work (e.g. ftp), CT rules do not match connections in chain zone_wan_helper

OpenWrt SNAPSHOT, r8978-eb1887be93

An automatically generated rule like the one below does not match any connections originating from WAN:

Chain zone_wan_helper (1 references)
pkts bytes target prot opt in out source destination
0 0 CT tcp -- * * tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp

To have working passive FTP I need to add the following line to /etc/firewall.user (based on rules generated by shorewall):

iptables -t raw -A zone_wan_helper -p tcp --dport 21 -j CT --helper ftp --tcp-flags SYN,ACK,FIN,RST SYN

Either ctstate or destination IP does not match in the original rule.
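
Added example, not part of the original report or of OpenWrt's firewall code: a shell function that reads `iptables -t raw -nvL zone_wan_helper` output and lists CT helper rules whose packet counter is still zero, which is the symptom reported above. The function names and the sample listing are constructed; the second sample rule assumes the workaround rule from /etc/firewall.user has been added and has matched some packets.

```shell
#!/bin/sh
# Constructed sample of `iptables -t raw -nvL zone_wan_helper` output:
# the fw3-generated rule (never matched) followed by the workaround rule.
sample_output() {
    cat <<'EOF'
Chain zone_wan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
    7   420 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
EOF
}

# Read a verbose chain listing on stdin and print one line per CT helper
# rule that has never matched: "<helper> ctstate=<state or ->".
zero_hit_helpers() {
    awk '
        $3 == "CT" {
            helper = ""; state = ""
            for (i = 4; i < NF; i++) {
                # The target options appear at the end as "CT helper <name>"
                if ($i == "CT" && $(i + 1) == "helper") helper = $(i + 2)
                # Remember any conntrack state the rule depends on
                if ($i == "ctstate") state = $(i + 1)
            }
            # Column 1 is the packet counter; "0" means no packet ever matched
            if (helper != "" && $1 == "0")
                print helper, "ctstate=" (state == "" ? "-" : state)
        }
    '
}

# Demonstration on the constructed sample; on a router, pipe the live listing:
#   iptables -t raw -nvL zone_wan_helper | zero_hit_helpers
sample_output | zero_hit_helpers
```

Run it after attempting an FTP connection from the WAN side so that the counters reflect real traffic.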

Jo-Philipp Wich commented on 03.01.2019 14:02

Do you mean connections originating from the router itself?

