firehol-cthelper - control connection tracking helpers


{ cthelper | cthelper4 | cthelper6 } protocol helper where [rule-params]


The netfilter team has included protocol helpers in the Linux kernel that inspect the traffic of certain protocols and allow their related connections to be handled by the connection tracker.

The following protocol helpers have been provided:

By default, the helpers will trust either side of the communication. This is considered a security issue and should be avoided.

Using cthelper, the helpers that support it can be instructed to trust only a specific side of the communication.

Before doing so, the variable FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT should be set to manual.

where defines where the trusted traffic is expected. It can be:

The rule-params define a set of rule parameters to further restrict the traffic that is matched. See firehol-params(5) for more details.

FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT accepts the following values:

When set to kernel, FireHOL will set net.netfilter.nf_conntrack_helper=1. In all other cases, FireHOL will set net.netfilter.nf_conntrack_helper=0.


 # enable manual protocol helpers mode
 FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="manual"

 # trust SIP packets we send via interface dsl0
 cthelper sip out outface dsl0

 # trust SIP packets we receive via eth0
 cthelper sip in inface eth0 src

 # trust pptp packets we send via interface wan0 (IPv4 only)
 cthelper4 pptp out outface wan0
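As an added example (not part of the FireHOL documentation), the following POSIX shell lint checks a firehol.conf fragment for the two points above: cthelper statements are only meaningful when FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT is manual, and the kernel value leaves net.netfilter.nf_conntrack_helper=1 with helpers trusting both sides. The configuration texts and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed firehol.conf fragments (example input, not real configurations).
GOOD_CONF='version 6
FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="manual"
cthelper sip out outface dsl0
cthelper4 pptp out outface wan0
interface any world
  client all accept'
BAD_CONF='version 6
cthelper sip out outface dsl0
interface any world
  client all accept'
KERNEL_CONF='version 6
FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT=kernel
interface any world
  client all accept'

# assignment_mode CONF_TEXT: print the last FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT value (empty if unset).
assignment_mode() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT=["'"'"']\{0,1\}\([A-Za-z]*\).*/\1/p' \
      | tail -n 1
}

# cthelper_count CONF_TEXT: number of cthelper / cthelper4 / cthelper6 statements.
cthelper_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*cthelper[46]\{0,1\}[[:space:]]' || true
}

# nf_conntrack_helper_for MODE: sysctl value FireHOL applies (1 only for kernel, 0 otherwise).
nf_conntrack_helper_for() {
    if [ "$1" = "kernel" ]; then echo 1; else echo 0; fi
}

# check_conf CONF_TEXT: print a verdict; exit status 0 only when helpers are assigned manually.
check_conf() {
    mode=$(assignment_mode "$1")
    n=$(cthelper_count "$1")
    if [ "$n" -gt 0 ] && [ "$mode" != "manual" ]; then
        echo "cthelper used but FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT is '${mode:-unset}' (needs manual)"
        return 1
    fi
    if [ "$mode" = "kernel" ]; then
        echo "kernel mode: nf_conntrack_helper=1, helpers trust both sides of each connection"
        return 1
    fi
    echo "ok: nf_conntrack_helper=$(nf_conntrack_helper_for "$mode"), $n cthelper statement(s)"
    return 0
}

check_conf "$GOOD_CONF"
check_conf "$BAD_CONF" || :
check_conf "$KERNEL_CONF" || :
```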