1701063 – Conntrack helpers are no longer loaded automatically, FTP broken OOB

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1701063 - Conntrack helpers are no longer loaded automatically, FTP broken OOB

Summary: Conntrack helpers are no longer loaded automatically, FTP broken OOB

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.1
Assignee:	Eric Garver
QA Contact:	Tomas Dolezal
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-17 22:30 UTC by Morgan Weetman
Modified:	2020-11-14 11:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:	firewalld-0.7.0-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-05 22:31:34 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	firewalld firewalld issues 453	0	None	closed	nftables: CT helpers aren't properly instantiated	2021-02-15 11:09:55 UTC
Red Hat Product Errata	RHEA-2019:3635	0	None	None	None	2019-11-05 22:31:49 UTC

Description Morgan Weetman 2019-04-17 22:30:18 UTC

Description of problem:
Since kernel 4.7.? nf_conntrack helpers are no longer loaded automatically[1] due to security concerns[2].
The impact of this is that protocols like FTP (defaulting to passive mode) no longer work out of the box when allowing the ftp service through firewalld. 

This issue is also documented in a closed Fedora bug[3].

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install and enable vsftpd
2. firewall-cmd --zone=public --add-service=ftp
3. Attempt downloading a file

Actual results:
# lftp -c "debug; open -u anonymous,student serverb.lab.example.com; cd pub; get testfile"
---- Resolving host address...
---- 1 address found: 172.25.250.11
---- Connecting to serverb.lab.example.com (172.25.250.11) port 21
<--- 220 (vsFTPd 3.0.3)
---> FEAT
<--- 211-Features:
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> AUTH TLS
<--- 530 Please login with USER and PASS.
---> OPTS UTF8 ON
<--- 200 Always in UTF8 mode.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS student
<--- 230 Login successful.
---> PWD
<--- 257 "/" is the current directory
---- CWD path to be sent is `/pub'
---> CWD /pub
<--- 250 Directory successfully changed.
---> TYPE I
<--- 200 Switching to Binary mode.
---> SIZE testfile
<--- 213 0
---> MDTM testfile
<--- 213 20190417002835
---> PORT 172,25,250,12,197,87
<--- 200 PORT command successful. Consider using PASV.
---> RETR testfile
<--- 425 Failed to establish connection.
---- Closing data socket
---> SIZE testfile                       
<--- 213 0
---> PORT 172,25,250,12,229,39
<--- 200 PORT command successful. Consider using PASV.
---> RETR testfile
<--- 425 Failed to establish connection.
---- Closing data socket
^Cestfile' at 0 [Delaying before retry]


Expected results:
# lftp -c "debug; open -u anonymous,student serverb.lab.example.com; cd pub; get testfile"
---- Resolving host address...
---- 1 address found: 172.25.250.11
---- Connecting to serverb.lab.example.com (172.25.250.11) port 21
<--- 220 (vsFTPd 3.0.3)
---> FEAT
<--- 211-Features:
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> AUTH TLS
<--- 530 Please login with USER and PASS.
---> OPTS UTF8 ON
<--- 200 Always in UTF8 mode.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS student
<--- 230 Login successful.
---> PWD
<--- 257 "/" is the current directory
---- CWD path to be sent is `/pub'
---> CWD /pub
<--- 250 Directory successfully changed.
---> TYPE I
<--- 200 Switching to Binary mode.
---> SIZE testfile
<--- 213 0
---> MDTM testfile
<--- 213 20190417002835
---> PASV
<--- 227 Entering Passive Mode (172,25,250,11,197,59).
---- Connecting data socket to (172.25.250.11) port 50491
---- Data connection established
---> RETR testfile
<--- 150 Opening BINARY mode data connection for testfile (0 bytes).
---- saw file size in response
---- Got EOF on data connection
---- Closing data socket
<--- 226 Transfer complete.
---> QUIT
<--- 221 Goodbye.
---- Closing control socket


Additional info:

I believe the simplest fix is a documentation update suggesting that users specify the port range for passive connections in /etc/vsftpd/vsftpd.conf, and allow that range through the firewall also:

pasv_enable=Yes
pasv_min_port=21000
pasv_max_port=21020

firewall-cmd --zone=public --add-port=21000-21020/tcp
firewall-cmd --permanent --zone=public --add-port=21000-21020/tcp

However there will be other protocols where this has a similar impact.

An alternative is to document the secure use of helpers as per [2], possibly with firewall-cmd examples for impacted protocols.


[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3bb398d925ec73e42b778cf823c8f4aecae359ea
[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1380168

Comment 1 Phil Sutter 2019-04-18 07:27:10 UTC

I guess this should be handled by firewalld, hence moving the ticket. At least it's not related to libnetfilter_conntrack at all.

Comment 2 Eric Garver 2019-04-18 13:43:03 UTC

Upstream:

  a8930f0b694c ("test: add test to check for nftables helper objects")
  9e2d1ed0c3b2 ("fix: nftables: make helpers work by creating ct helper objects")

Comment 3 Eric Garver 2019-04-19 13:09:32 UTC

Additional upstream fixes for test case:

  e2301b0409db ("fix: tests/regression/gh453: guarantee automatic helpers disabled")
  32c2497f6ec0 ("test: add macro CHECK_NFT_CT_HELPER()")

Comment 7 errata-xmlrpc 2019-11-05 22:31:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3635

Note You need to log in before you can comment on or make changes to this bug.