From: Michael Tremer
Date: Tue, 2 Mar 2021 10:04:46 +0000 (+0000)
Subject: firewall: Disable all connection tracking helpers by default
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74d3d9cbe3e3b198e6c7a8c30ec2a0c58b6c5e2c;p=people%2Fms%2Fipfire-2.x.git
firewall: Disable all connection tracking helpers by default
This will mitigate exploiting networks secured by IPFire using NAT Slipstreaming:
https://lists.ipfire.org/pipermail/development/2021-February/009303.html
Suggested-by: Peter Müller
Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
diff --git a/lfs/configroot b/lfs/configroot
index bc8c0283f8..a3e474d700 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -139,12 +139,7 @@ $(TARGET) :
 cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
 # Add conntrack helper default settings
- for proto in FTP H323 IRC SIP TFTP; do \
- echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
- done
-
- # Do not enable these by default because these are broken
- for proto in AMANDA PPTP; do \
+ for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
 echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
 done
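Review bot: The new loop drops the only comment that explained why helpers are disabled, so a reader of lfs/configroot now sees seven helpers forced to `off` with no rationale; keep a short why-comment above the added `for` line, e.g. `# All conntrack helpers are off by default (NAT Slipstreaming mitigation, see commit message); enable per protocol in optionsfw`. Since this recipe only appends the initial `optionsfw/settings` at build time, it presumably affects fresh installations only — systems that already carry `CONNTRACK_FTP=on` and friends in their settings file are likely untouched by this hunk, which may be worth stating in the commit message or addressing in an update script. The enclosing `$(TARGET)` rule starts before this hunk.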