This will mitigate exploiting networks secured by IPFire using NAT Slipstreaming: https://lists.ipfire.org/pipermail/development/2021-February/009303.html
Suggested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 lfs/configroot | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/lfs/configroot b/lfs/configroot
index bc8c0283f..a3e474d70 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -139,12 +139,7 @@ $(TARGET) :
 cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
 # Add conntrack helper default settings
- for proto in FTP H323 IRC SIP TFTP; do \
- echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
- done
-
- # Do not enable these by default because these are broken
- for proto in AMANDA PPTP; do \
+ for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
 echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
 done
--
2.20.1
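Review bot: The `CONNTRACK_$${proto}=off` loop only appends defaults to `$(CONFIG_ROOT)/optionsfw/settings` when configroot is built, so as far as this hunk shows, a system whose settings file already holds `CONNTRACK_SIP=on` and the other former defaults (FTP, H323, IRC, TFTP) would keep those helpers enabled after an update and remain exposed to NAT Slipstreaming. If the update path does not already rewrite those keys, that migration should ship with this change, or the release notes should tell administrators to switch the helpers off. The comment above the loop should also record why everything is now off, e.g. `# Conntrack helpers are off by default: they open ports on behalf of internal clients (NAT Slipstreaming)`, and ideally keep the dropped remark that AMANDA and PPTP are broken. The `$(TARGET)` recipe starts and ends outside the hunk.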