[Chilli] Coova and FTP

Iacopo Spalletti serverinfo at iast.it
Tue May 25 06:21:37 UTC 2010


At 19:40 on Monday 17 May 2010, Iacopo Spalletti wrote:
> Hi, I'm trying to set up the firewall on a coova board, but apparently Coova
> doesn't get along well with the FTP conntrack module in Linux.
> I have a shorewall-based firewall on the same host as coova which is
> basically configured to block every connection except some destination
> ports (HTTP, and such)
> As for FTP, the protocol rules are based on the conntrack helper, but
> apparently it can't detect connections routed via coova; this is the
> shorewall error message:
> Shorewall:wlan2net:REJECT:IN=tun0 OUT=eth3 SRC=10.34.0.2
> DST=$DEST_IP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=51861 DF PROTO=TCP
> SPT=41279 DPT=65162 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> Where $DEST_IP is the FTP server on the internet, and the destination port
> is the passive FTP
> 
> I've tried both svn (rev 322) and 1.2.2 version with no success; I also
> tried enabling the NOTRACK options in
> Any hint?
> 
> BTW: Disabling coova makes FTP work, and nf_conntrack_ftp is loaded
> correctly in both cases

I've done some more tests: it really seems like the conntrack modules (not just
FTP) are confused by chillispot.
Does anyone know a workaround? NOTRACK is not an option because we need NAT.

-- 

Regards
Iacopo Spalletti

Nephila sas
i.spalletti at nephila.it
PGP key block: http://www.nephila.it/pgp

