# Can't configure Firewall due to kernel issue?

## Budoka

Going crazy.

Before going into details: all I want to do is open port 22 or 2222 so that I can ssh into my Gentoo box, and it has proven more difficult than it should be.

Issue 1:

I installed UFW and tried the GUIs kcm-ufw, ufw-frontends, as well as Fwbuilder. None of them would let me activate the firewall (I believe iptables is the underlying firewall) and they would also indicate the firewall isn't active. But I noticed no network traffic was coming in or out, so I checked UFW from the CLI and it was active. If I disable it then traffic resumes, so clearly it is working at some level even if the GUIs can't talk to it.

Issue 2:

So I check any messages for UFW or iptables and there are some kernel options that need to be configured: http://wiki.gentoo.org/wiki/Iptables. I add them all, recompile, and the behaviour is the same. Not even sure if they are even related to the problem, to be honest. Anyway, I re-install UFW in the hope that would do something, but now when issuing

```
ufw enable
```

I get the error message:

> ERROR: problem running ufw-init
>
> modprobe: FATAL: Module nf_nat_ftp not found.
>
> ...


but strangely enough the firewall is enabled and all network traffic is stopped until I run ufw disable.

I modprobe nf_nat_ftp and get:

> modprobe: FATAL: Module nf_nat_ftp not found

So now I am trying to find where nf_nat_ftp is in the kernel.

Issue 3:

Can't find it for my life. If I search for it I only get:

```
Symbol: NF_NAT_FTP [=n]
Type  : tristate
```

which doesn't show any path to where it lives in the config. I found this on Google:

> NF_NAT_FTP found in net/netfilter/Kconfig
>
> The configuration item CONFIG_NF_NAT_FTP:
>
> prompt:
>
> ...


I'm on kernel 3.8.13 so it should be there, but I don't have Kconfig anywhere???!!! Once again, I am not sure whether the fact that this kernel option is not active is the cause of my problem or whether enabling it will solve it, because clearly the firewall is activated when I issue the enable command.

I just need a way to open that port.

----------

## PaulBredbury

In kernel 3.10.7:

```
Symbol: NF_NAT_FTP [=y]
Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y] && NF_NAT [=y]
```

Check that "Depends" line carefully. You probably don't have NF_NAT.

UFW is for Ubuntu users ;) I'd recommend that Gentoo users use iptables itself.

----------

## Goverp

Have you followed the UFW installation instructions, i.e. added the ufw service to the default runlevel?

Also, did you run the configuration checker, /usr/share/ufw/check-requirements, and follow its recommendations?

These are mentioned in the ebuild messages.

UFW needs several kernel netfilter configuration options set; if you miss them, it won't start.  One approach is simply to make modules for all the netfilter configuration options, and let UFW load what it wants to meet your particular firewall configuration.

I've used UFW for some time.  Apart from needing to keep up with its netfilter requirements, it's been a lot simpler than guessing how to configure iptables et al.
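The dependency check Paul describes (the "Depends on" line for NF_NAT_FTP) and the kind of check /usr/share/ufw/check-requirements performs, as an added shell example that is not part of this thread and is not ufw's own script: it reads a kernel config (a `.config`, or the output of `zcat /proc/config.gz`) and reports which of NF_NAT_FTP's prerequisites are neither built in (`=y`) nor modules (`=m`). The prerequisite list is taken from Paul's 3.10.7 "Depends on" line; the sample config embedded below is constructed for the demonstration and deliberately lacks NF_NAT.

```sh
#!/bin/sh
# Added example (not from the thread or from ufw): report which netfilter
# options NF_NAT_FTP depends on are missing from a kernel config file.

# Dependency chain as quoted in the thread for kernel 3.10.7, plus the
# symbol itself. Other kernel versions may differ; check your own menuconfig.
REQUIRED="CONFIG_NET CONFIG_INET CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_NAT CONFIG_NF_NAT_FTP"

# kconfig_state FILE SYMBOL -> prints y, m or n
# "CONFIG_X=y" / "CONFIG_X=m" are set; "# CONFIG_X is not set" or an absent
# line both mean the option is off.
kconfig_state() {
    file=$1; sym=$2
    val=$(grep -E "^${sym}=" "$file" | head -n1 | cut -d= -f2)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;
    esac
}

# missing_netfilter_opts FILE -> prints, one per line, every required symbol
# that is neither built in nor a module. menuconfig will not even offer
# NF_NAT_FTP until everything before it in the chain is enabled.
missing_netfilter_opts() {
    file=$1
    for sym in $REQUIRED; do
        if [ "$(kconfig_state "$file" "$sym")" = n ]; then
            printf '%s\n' "$sym"
        fi
    done
}

# Constructed sample config: NF_NAT is off, so NF_NAT_FTP cannot be selected
# and "modprobe nf_nat_ftp" will fail with "Module nf_nat_ftp not found".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
EOF

echo "missing in sample config:"
missing_netfilter_opts "$SAMPLE"
rm -f "$SAMPLE"

# For the running kernel (needs CONFIG_IKCONFIG_PROC):
#   zcat /proc/config.gz > /tmp/config && missing_netfilter_opts /tmp/config
```

On the sample it prints `CONFIG_NF_NAT` and `CONFIG_NF_NAT_FTP`. Running it against `/proc/config.gz` after a rebuild is a quick way to confirm the new options actually made it into the kernel you booted, which is a separate question from whether they are in `/usr/src/linux/.config`.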

----------

## CleanTestr

a) Upon emerge ufw, I get:

```
* Note: once enabled, ufw blocks also incoming SSH connections by
* default. See README, Remote Management section for more information.
```

b) a quick search of the Internet yields a page which states it can do:

```
Status: active

To            Action   From
--            ------   ----
OpenSSH       LIMIT    Anywhere
```

That page is the blog post "UFW with Fail2ban".

They'll tell you why you don't want the SSH port open for server use. They'll also tell you how to selectively enable/disable it.

If you wanted to use just iptables w/o ufw,

c) You write:

> Issue 3:
>
> Can't find it for my life. If I search for it I only get
>
> ...

The `NF_NAT_FTP [=n]` means NAT isn't compiled into the kernel.

Go back and set it to [*] and try again.

Using the tool grep on your kernel config:

```
zgrep NAT /proc/config.gz
```

d) Alternatively, since more information is better than less, could you (please)

```
emerge wgetpaste
zcat /proc/config.gz > _fool
wgetpaste _fool
```

and put the resulting URL into a `[url=URL]config.gz[/url]` BBCode link?
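CleanTestr's `OpenSSH LIMIT Anywhere` line and Paul's suggestion to skip ufw and use iptables directly come down to the same handful of rules, so here is an added shell example (not from the thread and not ufw's code) that prints the iptables commands for opening SSH on one or more TCP ports with a per-source rate limit on new connections. The window of 6 new connections per 30 seconds is what ufw's LIMIT action uses as far as I know; treat it as an assumption and adjust. The functions only print the commands, so the script runs anywhere; pipe the output to `sh` as root to apply it.

```sh
#!/bin/sh
# Added example (not from the thread or from ufw): emit iptables rules that
# open SSH on the given ports and rate-limit new connections per source IP,
# the way ufw's LIMIT does. Window and hit count are assumptions.

LIMIT_SECONDS=30
LIMIT_HITS=6

# established_rule -> accept rule for reply traffic. It must come before the
# per-port rules; with a DROP policy and without it, every session breaks.
established_rule() {
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# ssh_rules PORT... -> three rules per port; returns 1 on a non-numeric port
ssh_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "ssh_rules: bad port '$port'" >&2; return 1 ;;
        esac
        # 1. record every new connection attempt from this source in list "ssh"
        #    (-m recent --set has no -j, so evaluation continues to rule 2)
        printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name ssh --set\n' "$port"
        # 2. drop the attempt when this source has made LIMIT_HITS attempts
        #    within LIMIT_SECONDS (the attempt just recorded counts)
        printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name ssh --update --seconds %s --hitcount %s -j DROP\n' \
            "$port" "$LIMIT_SECONDS" "$LIMIT_HITS"
        # 3. otherwise accept it
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    done
}

# Print the ruleset for the two ports asked about in the thread.
# To apply as root:  { established_rule; ssh_rules 22 2222; } | sh
established_rule
ssh_rules 22 2222
```

The `recent` match lives in its own kernel option (NETFILTER_XT_MATCH_RECENT) and `conntrack` in NETFILTER_XT_MATCH_CONNTRACK; if either is missing, iptables reports that the match cannot be loaded, which is the same class of problem as the `nf_nat_ftp` modprobe error above, just for a different module.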

----------

## Budoka

 *CleanTestr wrote:*

> a) Upon emerge ufw, I get:
>
> ```
> * Note: once enabled, ufw blocks also incoming SSH connections by
> ```
>
> ...


Thanks for all the good info folks. Still struggling with this. Really annoying, to tell the truth. I may be a dunce but it really shouldn't be this difficult to open a port. I am not even on a hardened version of Gentoo, so not sure even why it is closed.

Anyway, I would add one thing. What I meant is that I can't find where NF_NAT_FTP lives in the kernel config.

----------

## PaulBredbury

You won't find  NF_NAT_FTP until you've enabled its prerequisites, e.g. NF_NAT.

----------

## Budoka

 *PaulBredbury wrote:*   

> You won't find  NF_NAT_FTP until you've enabled its prerequisites, e.g. NF_NAT.

 

OK. I'll check again. But why isn't it outlined in the iptables wiki? I enabled everything in the kernel that page requested.

----------

## PaulBredbury

Probably the wiki is just slightly out-of-date, due to the kernel changing its deps.

----------

