Re: "[FLSA-2005:2252] Updated iptables packages resolve security issues" introduces new bug

[Pekka Savola <pekkas netcore fi>]

On Sat, 19 Feb 2005, Marc Deslauriers wrote:
> On Sat, 2005-02-19 at 12:46 +0100, Bart Westra wrote:
> > After upgrading to iptables-1.2.8-8.90.1.legacy for Red Hat 9, I have found
> > that ip_conntrack_ftp is not working on some interfaces of my system (it has
> > 4 physical interfaces). It no longer recognizes the data sessions associated
> > with an ftp control session. When I open the high ports in iptables, the
> > data session will work.
>
> With the new iptables package, you have to manually add
> "ip_conntrack_ftp" to the IPTABLES_MODULES="" variable in
> the /etc/sysconfig/iptables-config file and
> uncomment the line.
>
> Please try that and report back here if it worked so we can close the bug.

Umm.. that shouldn't be needed -- the whole point is that the modules 
are loaded properly? (Of course, it can be tried...)

But that said, something _is_ wrong.  I started hearing weird reports 
from our multi-interface RHL9-based firewall as well, and I couldn't 
associate them until now.

It would be interesting to know whether conntrack_ftp is:
 - automatically loaded or not
 - actually loaded when conntracking fails
 - whether conntracking works on some interfaces and not in others

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings