On 2/6/19 12:20 PM, Kevin Olbrich wrote:
> On Wed, Feb 6, 2019 at 21:06, Tom Eastep <teas...@shorewall.net> wrote:
>>
>> On 2/6/19 11:57 AM, Kevin Olbrich wrote:
>>> Hi Tom,
>>>
>>> This system only hosts Asterisk, nothing else.
>>> It seems I don't need any helper, just normal conntrack for outgoing
>>> connections (like HTTP for Debian APT).
>>>
>>> Listing all helpers in DONT_LOAD would work but I don't think I need any.
>>> Can I just disable all helpers?
>>>
>>
>> Listing them all in DONT_LOAD is the only way to disable all of them.
>> And, you need to rmmod all of them that are currently loaded.
> 
> Ok, I will try this and use the module blacklist files.
> The docs tell me that I should also set "AUTOHELPERS=No", as I don't
> want helpers associated automatically.
> 
> Thank you!

I just took a look at my system, and while there are no rules
associating SIP traffic with the SIP helper, the sip conntrack modules
are still being loaded, even though they are listed in DONT_LOAD. The
reason for that is that /usr/share/shorewall/helpers still lists the
pre-kernel-2.6.20 names of the modules (ip_conntrack_sip and ip_nat_sip)
and those are aliases for nf_conntrack_sip and nf_nat_sip respectively.
So you can:

a) Use module blacklisting, as you suggest.
b) List the ip_* names in DONT_LOAD along with the nf_* names
c) Copy /usr/share/shorewall/helpers to /etc/shorewall and remove the
ip_* entries.

The old names will be removed from /usr/share/shorewall/helpers in
Shorewall 5.2.3.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
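
The gap described in the message above can be checked mechanically. The following is an added example, not part of the original message and not Shorewall's own code: it lists the module names in a helpers file that a given DONT_LOAD value does not cover, and writes a copy without the ip_* entries as in option (c). It assumes helpers entries have the form `loadmodule <name>` and that DONT_LOAD is a comma-separated list; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: helpers entries look like "loadmodule <name> [opts]"
# and DONT_LOAD is a comma-separated list of module names.

# Write a small constructed helpers file (not the real one) to path $1.
make_sample_helpers() {
    cat > "$1" <<'EOF'
# constructed sample, SIP entries only
loadmodule ip_conntrack_sip
loadmodule ip_nat_sip
loadmodule nf_conntrack_sip
loadmodule nf_nat_sip
EOF
}

# Print every module named in helpers file $1 that DONT_LOAD value $2 misses.
# Legacy ip_* names printed here still pull in the nf_* modules via aliases.
helpers_not_blocked() {
    awk -v list="$2" '
        BEGIN { n = split(list, a, /[ ,]+/)
                for (i = 1; i <= n; i++) blocked[a[i]] = 1 }
        $1 == "loadmodule" && !($2 in blocked) { print $2 }
    ' "$1"
}

# Option (c): copy helpers file $1 to $2 without the legacy ip_* entries.
strip_legacy_helpers() {
    awk '!($1 == "loadmodule" && $2 ~ /^ip_/)' "$1" > "$2"
}

# Demo on the constructed sample: only the nf_* names are in DONT_LOAD.
sample=$(mktemp)
make_sample_helpers "$sample"
echo "Not covered by DONT_LOAD=nf_conntrack_sip,nf_nat_sip:"
helpers_not_blocked "$sample" "nf_conntrack_sip,nf_nat_sip"
rm -f "$sample"
```

On a real system, pass /usr/share/shorewall/helpers and the DONT_LOAD value from shorewall.conf; empty output means every listed helper name is covered.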
