main/unbound: improve update-unbound-root-hints notes

iptables conntrack helpers are disabled by default: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=a9006892643a8f4e885b692de0708bcb35a7d530 Notes updated for making passive ftp work in update-unbound-root-hints.
author: Stuart Cardall <developer@it-offshore.co.uk> 2016-10-01 19:59:43 +0000
committer: Jakub Jirutka <jakub@jirutka.cz> 2016-10-01 23:52:40 +0200
commit: 5ce0ba3d31b7caf4baf92973cb199acc08ee9512 (patch)
tree: 4ae11a3bdf86893473e39f2147bde32720433036 /main/unbound/update-unbound-root-hints
parent: 76d2855e5af26bbd3a43ded9702c7cad5a526c66 (diff)
download: aports-5ce0ba3d31b7caf4baf92973cb199acc08ee9512.tar.bz2
aports-5ce0ba3d31b7caf4baf92973cb199acc08ee9512.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/main/unbound/update-unbound-root-hints b/main/unbound/update-unbound-root-hints
index 69c5e537da..ec7bb86079 100644
--- a/main/unbound/update-unbound-root-hints
+++ b/main/unbound/update-unbound-root-hints
@@ -3,6 +3,10 @@
 # to allow passive ftp through a default deny iptables firewall:
 # modprobe nf_conntrack_ftp
 # echo nf_conntrack_ftp >> /etc/modules
+# enable helpers automatically via sysctl:
+# net.netfilter.nf_conntrack_helper = 1
+# OR enable manually for ftp only:
+# iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
 
 check_format() {
 	# check that we have some ipv4 addresses and some '.' hints
author	Stuart Cardall <developer@it-offshore.co.uk>	2016-10-01 19:59:43 +0000
committer	Jakub Jirutka <jakub@jirutka.cz>	2016-10-01 23:52:40 +0200
commit	5ce0ba3d31b7caf4baf92973cb199acc08ee9512 (patch)
tree	4ae11a3bdf86893473e39f2147bde32720433036 /main/unbound/update-unbound-root-hints
parent	76d2855e5af26bbd3a43ded9702c7cad5a526c66 (diff)
download	aports-5ce0ba3d31b7caf4baf92973cb199acc08ee9512.tar.bz2 aports-5ce0ba3d31b7caf4baf92973cb199acc08ee9512.tar.xz