On 01/10/2016 02:36 AM, Erich Titl wrote:
> Hi Tom
> 
> some more questions after a look at the macros
> 
> Am 10.01.2016 um 05:47 schrieb Tom Eastep:
> ...>
>> Check out AUTOHELPERS in the shorewall.conf man page.
> 
> I looked at macro.FTP
> 
> ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
> PARAM - - tcp 21 { helper=ftp }
> ?else
> PARAM - - tcp 21
> ?endif
> 
> Does the above mean that if AUTOHELPERS are enabled, then the FTP helper
> is added to the corresponding connection, e.g. the automatic helper
> assignment is not a function of netfilter but in this case the helper
> gets assigned by shorewall?
> 
> Can we safely ignore the warning from nf_conntrack in this case?

Netfilter's automatic helper assignment is controlled by
/proc/sys/net/netfilter/nf_conntrack_helper.

Shorewall:

- always sets that to 0 during start/restart/reload if it exists, thus
  disabling it.
- always sets it to 1 when executing the 'clear' command. This is a
  possible cause of the messages that you are seeing.

AUTOHELPERS determines whether *Shorewall* enables automatic helper
assignment via entries in the conntrack file. Changing its default value
to No would result in a lot of problems for new users who don't use the
Shorewall-provided macros.

Automatic helper assignment is dangerous because there is an exploit
allowing attackers to open ports on the firewall. Shorewall's 'sfilter'
implementation blocks that exploit, independent of the AUTOHELPERS setting.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature
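To make the distinction Tom draws concrete, here is an added shell example (not Shorewall's own code and not from this thread). It reads the /proc/sys/net/netfilter/nf_conntrack_helper knob named above, and emits the explicit iptables rules that do what macro.FTP's "{ helper=ftp }" branch does when netfilter's automatic assignment is off: attach the ftp helper only to TCP/21 control connections in the raw table, then accept RELATED data connections only when they were created by that helper. The interface name, chain (INPUT) and the three-rule shape are assumptions for a minimal host firewall; Shorewall generates its own chains and its 'sfilter' logic is not reproduced here.

```shell
#!/bin/sh
# Added example, not Shorewall code. Inspect the kernel's automatic
# conntrack helper knob and print explicit per-port helper rules.

# The sysctl Tom refers to: 1 = netfilter auto-attaches helpers to any
# matching flow, 0 = helpers attach only where a CT rule says so.
NF_HELPER_SYSCTL=/proc/sys/net/netfilter/nf_conntrack_helper

# nf_auto_helper_state [path]
# Prints "enabled", "disabled" or "absent" for the sysctl file.
# The optional path argument exists so the function can be exercised
# against a constructed file on a box without netfilter.
nf_auto_helper_state() {
    path="${1:-$NF_HELPER_SYSCTL}"
    if [ ! -r "$path" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$path")" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# ftp_helper_rules <interface>
# Prints (does not run) the iptables commands for explicit helper
# assignment on one interface (assumed hypothetical layout):
#   1. raw/PREROUTING: tag new TCP/21 flows with the ftp helper (-j CT).
#   2. accept the control connection itself.
#   3. accept RELATED flows, but only those the ftp helper expected
#      (-m helper), so a RELATED entry created by any other helper is
#      not blindly accepted.
ftp_helper_rules() {
    iface="$1"
    printf '%s\n' \
      "iptables -t raw -A PREROUTING -i $iface -p tcp --dport 21 -j CT --helper ftp" \
      "iptables -A INPUT -i $iface -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A INPUT -i $iface -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
}

# Run as a script with --demo to report the live state and show the rules
# for eth0 (interface name is an assumption); pipe the rules to sh to apply.
if [ "${1:-}" = "--demo" ]; then
    echo "automatic helper assignment: $(nf_auto_helper_state)"
    ftp_helper_rules eth0
fi
```

A value of "enabled" after a Shorewall start/restart/reload would contradict what Tom describes, so it is the first thing to check when the nf_conntrack warning appears; "clear", per the reply, is expected to put it back to 1.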

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
