From 74d3d9cbe3e3b198e6c7a8c30ec2a0c58b6c5e2c Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 2 Mar 2021 10:04:46 +0000
Subject: [PATCH] firewall: Disable all connection tracking helpers by default
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This will mitigate exploiting networks secured by IPFire using NAT Slipstreaming:

https://lists.ipfire.org/pipermail/development/2021-February/009303.html

Suggested-by: Peter Müller
Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
 lfs/configroot | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/lfs/configroot b/lfs/configroot
index bc8c0283f8..a3e474d700 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -139,12 +139,7 @@ $(TARGET) :
 cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
 # Add conntrack helper default settings
- for proto in FTP H323 IRC SIP TFTP; do \
- echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
- done
-
- # Do not enable these by default because these are broken
- for proto in AMANDA PPTP; do \
+ for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
 echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
 done
-- 
2.39.5
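Review bot: The rationale for writing every helper as `off` now lives only in the commit message; the surviving `# Add conntrack helper default settings` comment above the new loop no longer says why the defaults are disabled, and the removed `# Do not enable these by default because these are broken` note was the last hint in the file. A maintainer reading lfs/configroot later could reasonably flip FTP or SIP back to `on` as a convenience fix, so the comment should name the threat: `# Disable all conntrack helpers by default: application-layer helpers let traffic open additional ports (NAT Slipstreaming); users opt in per protocol`. Separately, this recipe only seeds `$(CONFIG_ROOT)/optionsfw/settings` for a fresh config root, so presumably installations that already carry `CONNTRACK_FTP=on` etc. keep those values unless an update script rewrites them — worth confirming that an accompanying migration exists, since the mitigation otherwise reaches new installs only. The enclosing `$(TARGET)` recipe starts before and continues after this hunk.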