Disable FTP_alg script.


podkaracz

Guest
So I contacted Asus about how to completely disable FTP ALG and I got a response from Asus Poland that they will contact headquarters and reply back. So my question is how to apply those scripts to work like firewall-start scripts work for Merlin users?


I want to add those 2 because from what I've seen it disables ftp_alg

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp
 

QasusAnon

New Around Here
Like you said, @ColinTaylor was the one that first suggested using those two lines:

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

to /jffs/scripts/firewall-start in Merlin Firmware

Are you saying that you are NOT using Merlin firmware, and are using Stock ASUS firmware?

The question I would like to have answered is how do you test for the effect(iveness) of those two lines regardless of firmware version you use?

>> I.e. would you need a way to appear to be on the WAN side and try to probe your own IP address, for example?

>>> I guess what I'm saying is like so many vulnerabilities that are discovered by cybersecurity experts, usually they are accompanied by a proof of concept, and a suggested mitigation method.
 

KevTech

Very Senior Member
So I contacted Asus about how to completely disable FTP ALG and I got a response from Asus Poland that they will contact headquarters and reply back. It's taking long and as I thought Asus Poland is not too smart, so either they won't reply or it will take forever. So my question is how to apply those scripts to work like firewall-start scripts work for Merlin users?


I want to add those 2 because from what I've seen it disables ftp_alg

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

Are you wanting to use scripts with official firmware?
If so you can not do that.
If you are talking about Merlin firmware then this thread is in the wrong forum.
 

podkaracz

Guest
So I contacted Asus about how to completely disable FTP ALG and I got a response from Asus Poland that they will contact headquarters and reply back. So my question is how to apply those scripts to work like firewall-start scripts work for Merlin users?


I want to add those 2 because from what I've seen it disables ftp_alg

modprobe -r nf_nat_ftp
modprobe -r nf_conntrack_ftp

OK, so 14 days after I wrote about this around the start of February, I have a response from Asus with the right commands. Asus Poland is helpful but it takes them long to respond. Update on my previous post.
They advised: nvram set vts_ftpport=0

So does changing this port to 0 actually eliminate the problem?
 

juched

Senior Member
You cannot set it to 0 via the UI. Lots going on right now around NAT slipstream issues, so while it is nice the rest can be turned off, the best solution I could think of was to change the default port.
 

podkaracz

Guest
You cannot set it to 0 via the UI. Lots going on right now around NAT slipstream issues, so while it is nice the rest can be turned off, the best solution I could think of was to change the default port.

I mean 3 posts in this thread other than mine suggest what I saw on all forums on the internet ever.
a) people don't read what OP says and write something on the topic mentioned in the title
b) they read but they don't understand what they read

So to clarify:

I'm using stock Asus firmware (latest beta with DNSpooq fixes).

I saw someone posting a command that is supposed to disable the ftp_alg line in the NAT passthrough tab, but at the same time that person pointed out it works only on Merlin firmware, so I created this thread to ask about the possibility of the same action on stock.

Then I got a response from Asus stating that nvram set vts_ftpport=0 is the answer to my problem, and once I did it the ftp_alg port changed to 0 and it's visible in the GUI, and I reached back here to ask what you think about this change and if it really disables that service, since it seems like it just changed the port and did not disable it.
 

juched

Senior Member
To be honest I read through this thread a few times before replying initially. I read it because I have been turning off all ALG items for a few months now due to security issues. What I was trying to add was that FTP is unfortunately the only one without a disable pull down. So your question and answer is appreciated. Setting something to use port 0 is common for Linux services to disable since port 0 is not a valid port to open. I am not sure how to test and probably only Asus can really confirm how to test. So, we either trust them or find other details to validate this. I have not found anything else online yet to validate.
Thanks to your post though I have gone in and run the command and nvram commit to set the port to 0 and will see what comes from that.
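
Added example, not part of any post in this thread: a local check for the open question of how to verify the result, which reports whether the two helper modules named above are still loaded by reading the kernel's module list. The function name `ftp_alg_status` and both sample listings are constructed for illustration; the script only reports module state and the stored `vts_ftpport` value, it does not confirm what the firmware does with port 0.

```shell
#!/bin/sh
# Added example: is the FTP ALG (connection-tracking helper) still loaded?
# Input is a file in /proc/modules format, where field 1 is the module name.

# Print "disabled" if neither helper module is listed, otherwise
# "enabled: <modules>" in the order the file lists them.
ftp_alg_status() {
    awk '
        $1 == "nf_nat_ftp" || $1 == "nf_conntrack_ftp" {
            found = (found ? found " " : "") $1
        }
        END { print (found ? "enabled: " found : "disabled") }
    ' "${1:-/proc/modules}"
}

# Constructed /proc/modules excerpts (sizes and addresses are made up).
SAMPLE_LOADED='nf_nat_ftp 16384 0 - Live 0x00000000
nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x00000000
nf_nat 45056 2 nf_nat_ftp,xt_MASQUERADE, Live 0x00000000'
SAMPLE_UNLOADED='nf_nat 45056 1 xt_MASQUERADE, Live 0x00000000
nf_conntrack 139264 2 nf_nat,xt_MASQUERADE, Live 0x00000000'

echo "sample before modprobe -r: $(printf '%s\n' "$SAMPLE_LOADED" | ftp_alg_status -)"
echo "sample after modprobe -r:  $(printf '%s\n' "$SAMPLE_UNLOADED" | ftp_alg_status -)"

# On the router itself: check the live module list and the nvram value.
if [ -r /proc/modules ]; then
    echo "this system: $(ftp_alg_status /proc/modules)"
fi
if command -v nvram >/dev/null 2>&1; then
    echo "vts_ftpport=$(nvram get vts_ftpport)"
fi
```

A helper compiled into the kernel rather than built as a module never appears in /proc/modules, so "disabled" here only means the loadable modules are absent.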
 
