git.ipfire.org Git - people/ms/ipfire-2.x.git/commitdiff
firewall: Disable all connection tracking helpers by default
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 2 Mar 2021 10:04:46 +0000 (10:04 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 2 Mar 2021 10:04:46 +0000 (10:04 +0000)
This will mitigate exploiting networks secured by IPFire using NAT
Slipstreaming:

https://lists.ipfire.org/pipermail/development/2021-February/009303.html

Suggested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/configroot

index bc8c0283f8392a761bc6b68754980b3748199d87..a3e474d700a4b2875b37dfcb78a21762d1a04ee0 100644 (file)
@@ -139,12 +139,7 @@ $(TARGET) :
        cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file   /usr/sbin/convert-ids-modifysids-file
 
        # Add conntrack helper default settings
-       for proto in FTP H323 IRC SIP TFTP; do \
-               echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
-       done
-
-       # Do not enable these by default because these are broken
-       for proto in AMANDA PPTP; do \
+       for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
                echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
        done
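Review bot: The rationale for turning every helper off is lost from the file itself: the removed line "# Do not enable these by default because these are broken" was the only in-tree explanation, and the surviving "# Add conntrack helper default settings" does not say why FTP, H323, IRC, SIP and TFTP moved from `on` to `off`. Consider keeping a one-line comment above the merged loop, e.g. "# All helpers off by default to mitigate NAT Slipstreaming (see commit message)", so the next person touching this list does not re-enable them as a "fix". Also note that this hunk only changes what `lfs/configroot` appends to `$(CONFIG_ROOT)/optionsfw/settings` at build time, i.e. the defaults for fresh installations; systems that already carry `CONNTRACK_FTP=on` etc. in their settings file are not touched by anything visible here, so an accompanying update step (or a note that one is intentionally not provided) would be worth mentioning.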