firewall: Disable all connection tracking helpers by default

Message ID 20210302100759.7823-1-michael.tremer@ipfire.org
State Accepted
Commit 74d3d9cbe3e3b198e6c7a8c30ec2a0c58b6c5e2c
Series firewall: Disable all connection tracking helpers by default

Commit Message

Michael Tremer March 2, 2021, 10:07 a.m. UTC
This will mitigate exploiting networks secured by IPFire using NAT Slipstreaming:

https://lists.ipfire.org/pipermail/development/2021-February/009303.html

Suggested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 lfs/configroot | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
  

Patch

diff --git a/lfs/configroot b/lfs/configroot
index bc8c0283f..a3e474d70 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -139,12 +139,7 @@  $(TARGET) :
 	cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file   /usr/sbin/convert-ids-modifysids-file
 
 	# Add conntrack helper default settings
-	for proto in FTP H323 IRC SIP TFTP; do \
-		echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
-	done
-
-	# Do not enable these by default because these are broken
-	for proto in AMANDA PPTP; do \
+	for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
 		echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
 	done
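Review bot: The rationale for the change is lost in the hunk: the old comment "Do not enable these by default because these are broken" is dropped along with the AMANDA/PPTP loop, and the surviving comment "Add conntrack helper default settings" no longer says why every helper is now written as "off". Since this merges two different reasons (AMANDA/PPTP being broken, the rest being a NAT Slipstreaming vector) into one loop, I would keep a short comment above it, e.g. "# All helpers are disabled by default to mitigate NAT Slipstreaming", so the next person does not flip FTP or SIP back to "on" without knowing the history. Also note that this only changes the defaults written into $(CONFIG_ROOT)/optionsfw/settings at build time; an installation that already has CONNTRACK_FTP=on etc. in its settings file is not touched by this patch, so if existing systems are meant to be covered as well, that needs a separate update step.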