On 3/29/19 10:20 AM, ObNox wrote:
> Hi,
> 
> With "AUTOHELPERS=No" and "HELPERS=none" in "shorewall.conf", is it
> expected of Shorewall to still load all the modules in the "helpers" file ?

Yes - except for those listed in DONT_LOAD=...

> 
> I don't use any of them and even though the FW rules are really tight,
> these modules can still potentially be a threat if misused with address
> spoofing and such sneaky attacks. I stress the word "potential" but
> we're never too cautious.

Shorewall unconditionally sets
/proc/sys/net/netfilter/nf_conntrack_helper to zero, so no helpers are
enabled by default. So unless you add unconditional entries to the
'conntrack' file or you use the standard macros for applications that
have helpers (e.g., FTP(ACCEPT)) or you specify a helper in the HELPER
column of the rules file, no loaded helpers are actually enabled. As a
consequence, they can't be exploited.

> 
> For a test I copied the "helpers" file to "/etc/shorewall" and commented
> all helpers, except "nf_nat" and left alone the LOG related modules as
> they are needed.
> 
> After a reboot of the test machine, none of the modules were loaded so
> Shorewall is loading them.
> 
> I was expecting these modules not to be loaded since the helpers related
> settings are set to No/none in shorewall.conf.

Patches cheerfully accepted...

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
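The distinction Tom draws above, a helper module being loaded versus a helper actually being enabled, can be checked on a running box. The script below is an added example, not Shorewall's own code. It reads the same two things Tom's reply points at: the nf_conntrack_helper sysctl (automatic assignment of helpers by port) and the raw-table rules that hand a flow to a named helper, which is what the 'conntrack' file, macros such as FTP(ACCEPT) and the HELPER column produce. Assumptions: that those rules appear as "-j CT --helper <name>" in iptables-save output, that loaded helpers show up in lsmod as nf_conntrack_*/nf_nat_* modules (a heuristic), and the sample iptables-save/lsmod text is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not Shorewall code: tell "helper loaded" from "helper enabled".
#
# A conntrack helper only ever sees packets in two ways:
#   1. automatic assignment by port, active only when
#      /proc/sys/net/netfilter/nf_conntrack_helper is 1 (Shorewall writes 0);
#   2. an explicit raw-table rule "-j CT --helper <name>" (assumed to be what
#      Shorewall generates from 'conntrack', FTP(ACCEPT) & co., or HELPER=).
# With the sysctl at 0 and no such rule, a loaded helper module is inert.

# --- constructed sample inputs, stand-ins for the live system ----------------
SAMPLE_RAW_NO_HELPER='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
COMMIT'

SAMPLE_RAW_FTP_HELPER='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
COMMIT'

SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ftp       24576  0
nf_nat_ftp             16384  0
nf_conntrack_sip       40960  0
nf_conntrack_netlink   49152  0
nf_conntrack          172032  4 nf_conntrack_ftp,nf_nat_ftp,nf_conntrack_sip,nf_conntrack_netlink
x_tables               53248  2'

# loaded_helper_modules LSMOD_TEXT
# Heuristic (an assumption): helper-style modules are nf_conntrack_* / nf_nat_*
# protocol modules, excluding the core module and nf_conntrack_netlink.
loaded_helper_modules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^nf_(conntrack|nat)_/ && $1 != "nf_conntrack_netlink" { print $1 }' | sort -u
}

# referenced_helpers RAW_DUMP
# Helper names that some rule explicitly assigns with "-j CT --helper <name>".
referenced_helpers() {
    printf '%s\n' "$1" | sed -n 's/.*-j CT --helper \([^ ]*\).*/\1/p' | sort -u
}

# helper_verdict SYSCTL_VALUE RAW_DUMP  -> one of:
#   auto          nf_conntrack_helper=1: any loaded helper can claim its port
#   enabled:a,b   explicit CT --helper rules exist for helpers a and b
#   inert         helpers may be loaded, but no packet is ever handed to them
helper_verdict() {
    sysctl_value=$1
    refs=$(referenced_helpers "$2" | tr '\n' ',' | sed 's/,$//')
    if [ "$sysctl_value" = "1" ]; then
        echo auto
    elif [ -n "$refs" ]; then
        echo "enabled:$refs"
    else
        echo inert
    fi
}

# live_verdict: same check against this host (iptables-save needs root).
# Newer kernels removed the sysctl together with automatic assignment, so a
# missing file is treated as 0.
live_verdict() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        sysctl_value=$(cat /proc/sys/net/netfilter/nf_conntrack_helper)
    else
        sysctl_value=0
    fi
    raw=$(iptables-save -t raw 2>/dev/null || true)
    helper_verdict "$sysctl_value" "$raw"
}

echo "sample, helper modules loaded: $(loaded_helper_modules "$SAMPLE_LSMOD" | tr '\n' ' ')"
echo "sample, nothing references them: $(helper_verdict 0 "$SAMPLE_RAW_NO_HELPER")"
echo "sample, FTP(ACCEPT)/SIP in use:  $(helper_verdict 0 "$SAMPLE_RAW_FTP_HELPER")"
echo "this host:                       $(live_verdict)"
```

Run it as root after `shorewall start`; "inert" on a box whose lsmod still lists nf_conntrack_ftp and friends is exactly the situation Tom describes, where the modules sit in memory but nothing routes traffic to them. "enabled:ftp" is what you should see once FTP(ACCEPT) or a 'conntrack' entry is in place, and "auto" means something other than Shorewall has turned nf_conntrack_helper back on. If you want the modules gone as well, DONT_LOAD= in shorewall.conf is the knob Tom mentions for that.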


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
