NAME

firehol-cthelper - control connection tracking helpers

SYNOPSIS

{ cthelper | cthelper4 | cthelper6 } protocol helper where [rule-params]

DESCRIPTION

The netfilter team has included in the Linux kernel protocol helpers that monitor traffic and allow them to work under the connection tracker.

The following protocol helpers have been provided:

By default, the helpers will trust either side of the communication. This is considered a security issue and should be avoided.

Using cthelper the helpers that can be configured, can be instructed to trust a specific side of the communication.

Before doing so, the variable FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT should be set to manual.

where defines where the trusted traffic is expected. It can be:

The rule-params define a set of rule parameters to further restrict the traffic that is matched. See firehol-params(5) for more details.

FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT accepts the following values:

When set to kernel, FireHOL will set net.netfilter.nf_conntrack_helper=1. In all other cases, FireHOL will set net.netfilter.nf_conntrack_helper=0.

EXAMPLES

# enable manual protocol helpers mode
 FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="manual"

 # trust SIP packets we send via interface dsl0
 cthelper sip out outface dsl0

 # trust SIP packets we receive from 10.0.0.1 via eth0
 cthelper sip in inface eth0 src 10.0.0.1

 # trust pptp packets we send via interface wan0 (IPv4 only)
 cthelper4 pptp out outface wan0

SEE ALSO