Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:nf_conntrack_expect [2025/01/10 12:08] – [Shorewall and helpers] niccolo
+++ doc:appunti:linux:sa:nf_conntrack_expect [2025/03/14 10:05] (current) – [Shorewall and helpers] niccolo
@@ Line 124: / Line 124: @@
 The **Shorewall** firewall can be configured to install helpers for some particular protocols, e.g. FTP, IRC, SIP, ...
-The configuration file **/etc/shorewall/shorewall.conf** may contain the options **AUTOHELPERS** and **HELPERS**. The first option defaults to **AUTOHELPERS=Yes**, but it is recommended to set it to **AUTOHELPERS=No** on modern kernels (>= 3.5) because it is not desiderable to have ruleset with automatically associate helpers for all the applications.
+The configuration file **/etc/shorewall/shorewall.conf** may contain the options **AUTOHELPERS** and **HELPERS**. The first option defaults to **AUTOHELPERS=Yes** and the second defaults to **HELPERS=**, but it is recommended to set it to **AUTOHELPERS=No** on modern kernels (>= 3.5) because it is not desiderable to have ruleset with automatically associated helpers for all the applications (the default when HELPERS is empty).
+A possible configuration may be the following:
+<file>
+AUTOHELPERS=Yes
+HELPERS=ftp,sip
+</file>
+in this case helpers will be configured into the iptables raw table for ''tcp dpt:21'' (FTP) and ''udp dpt:5060'' (SIP).
+But the **recommended** configuration is the following:
+<file>
+AUTOHELPERS=No
+HELPERS=ftp,sip
+</file>
+And be more specific with helpers in **/etc/shorewall/rules**, e.g.:
+<file>
+HELPER    loc    -    udp    5060    ; helper=sip
+</file>
+This combination will create the following iptable rule into the raw table:
+<code>
+Chain PREROUTING (policy ACCEPT 12 packets, 792 bytes)
+ pkts bytes target  prot opt in     out  source     destination
+     0 CT      17   --  lan0   *    0.0.0.0/0  0.0.0.0/0    udp dpt:5060 CT helper sip
+</code>
+Or you can add this into **/etc/shorewall/conntrack**:
+<code>
+CT:helper:sip:PO
+</code>
+In this case the helper is instantiated into the raw table in both PREROUTING and OUTPUT chains.
+The default **Debian 12 Bookworm** configuration for Shorewall provides a **conntrack** file where helpers are enabled only if the Shorewall **AUTOHELPERS** option is enabled (in ''shorewall.conf'') and if the **CT_TARGET** iptables/netfilter capability is available (verify the output of ''shorewall show capabilities'').
+==== Shorewall upgrade from Debian 11 to 12 ====
+In Debian, upgrading to **Shorewall 5.2.8** as per upgrade from **Debian 11 Bullseye** to **Debian 12 Bookworm**, connection tracking protocol helpers are no longer globally enabled by default; use **shorewall-conntrack(5)** or **shorewall-rules(5)** to enable them as appropriate where they are required.
+Setting **AUTOHELPERS** to 'Yes' in shorewall.conf restores the previous behavior.
 ===== Web references =====