From d57c6162cb2d00fd4a4989fa3fe6924db528bce1 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 12 May 2015 13:16:40 +0200
Subject: [PATCH] firewall: Make conntrack helpers configurable
---
 lfs/configroot | 5 +++++
 src/initscripts/init.d/firewall | 36 ++++++++++++++++++++-------------
 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/lfs/configroot b/lfs/configroot
index 601cdf6d38..26583a4eac 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -135,6 +135,11 @@ $(TARGET) :
 echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
 echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
+ # Add conntrack helper default settings
+ for proto in FTP PPTP SIP TFTP; do \
+ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
+ done
+
 # set converters executable
 chmod 755 /usr/sbin/convert-*
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 5d6ac3a295..4e6fd94f17 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
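Review bot: The new keys are written only when `$(CONFIG_ROOT)/optionsfw/settings` is generated by this recipe, so an installation updated in place presumably keeps its existing settings file without any `CONNTRACK_*` entries; the matching `[ "${CONNTRACK_SIP}" = "on" ]` tests added in `src/initscripts/init.d/firewall` (the next hunk) then see an unset variable and silently stop loading all four helpers. Either ship the keys through an update step as well, or make the initscript tolerate a missing key, e.g. `if [ "${CONNTRACK_SIP:-on}" = "on" ]; then`, and likewise for FTP, PPTP and TFTP. Defaulting every helper to `on` preserves today's behaviour, but the secure-use-of-helpers guidance linked in the initscript favours enabling a helper only where it is actually needed, so `off` for the rarely used PPTP and TFTP helpers is worth considering for fresh installs.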
@@ -97,26 +97,34 @@ iptables_init() {
 # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
 # SIP
- iptables -A CONNTRACK -m conntrack --ctstate RELATED \
- -m helper --helper sip -j ACCEPT
- for proto in udp tcp; do
- iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip
- done
+ if [ "${CONNTRACK_SIP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper sip -j ACCEPT
+ for proto in udp tcp; do
+ iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip
+ done
+ fi
 # FTP
- iptables -A CONNTRACK -m conntrack --ctstate RELATED \
- -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
- iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp
+ if [ "${CONNTRACK_FTP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
+ iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp
+ fi
 # PPTP
- iptables -A CONNTRACK -m conntrack --ctstate RELATED \
- -m helper --helper pptp -j ACCEPT
- iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp
+ if [ "${CONNTRACK_PPTP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper pptp -j ACCEPT
+ iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp
+ fi
 # TFTP
- iptables -A CONNTRACK -m conntrack --ctstate RELATED \
- -m helper --helper tftp -j ACCEPT
- iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp
+ if [ "${CONNTRACK_TFTP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper tftp -j ACCEPT
+ iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp
+ fi
 # Fix for braindead ISP's
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
--
2.39.2
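Review bot: The four `if [ "${CONNTRACK_…}" = "on" ]` blocks are copies of one another and nothing in the hunk says where the `CONNTRACK_*` variables come from; a one-line comment above the SIP block such as `# Each helper is loaded only when CONNTRACK_<PROTO>=on (defaults written to optionsfw/settings by lfs/configroot)` would tell the next reader why a missing key disables a helper. A small function taking the helper name and its `-j CT` port rules would remove the duplication, though that can be a follow-up. `iptables_init()` begins before this hunk, so the settings file is presumably sourced there or earlier in the script.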