public inbox for development@lists.ipfire.org
* [PATCH] firewall: Disable all connection tracking helpers by default
@ 2021-03-02 10:07 Michael Tremer
  0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2021-03-02 10:07 UTC (permalink / raw)
  To: development


This will mitigate exploiting networks secured by IPFire using NAT
Slipstreaming:

https://lists.ipfire.org/pipermail/development/2021-February/009303.html

Suggested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 lfs/configroot | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/lfs/configroot b/lfs/configroot
index bc8c0283f..a3e474d70 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -139,12 +139,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file   /usr/sbin/convert-ids-modifysids-file
 
 	# Add conntrack helper default settings
-	for proto in FTP H323 IRC SIP TFTP; do \
-		echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
-	done
-
-	# Do not enable these by default because these are broken
-	for proto in AMANDA PPTP; do \
+	for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
 		echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
 	done
 
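Review bot: the comment above the old second loop ("Do not enable these by default because these are broken") is dropped together with the AMANDA/PPTP distinction, so the generated settings no longer record why any helper is off; keep a one-line comment above the merged loop pointing at the NAT Slipstreaming thread from the commit message, so a later reader does not switch FTP or SIP back on without knowing the trade-off. Also note that this file only writes initial defaults into $(CONFIG_ROOT)/optionsfw/settings; installations that already carry CONNTRACK_FTP=on etc. in that file are not touched by this hunk, so if existing systems are meant to be covered, a separate update step is needed.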
-- 
2.20.1
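A small audit script, added here as an example and not part of the patch or of IPFire's own code: it recreates the CONNTRACK_*=on|off lines the configroot loops write before and after this change into constructed temporary files, lists which helpers a given settings file still enables, and, on a Linux host, reads the kernel's global helper auto-assignment switch (the sysctl that lets a helper attach to every flow on a matching port, which is what NAT Slipstreaming abuses; older kernels expose it, newer ones may not). File paths and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not IPFire project code). Assumes the key=value format
# written by lfs/configroot: one CONNTRACK_<PROTO>=on|off line per helper.

# Print the protocol names whose helper is "on" in the given settings file.
enabled_helpers() {
    sed -n 's/^CONNTRACK_\([A-Z0-9]*\)=on$/\1/p' "$1"
}

# Succeed only if no helper is enabled (the post-patch default).
helpers_all_off() {
    [ -z "$(enabled_helpers "$1")" ]
}

# Recreate the defaults the build wrote before the patch (constructed data).
write_defaults_before() {
    : > "$1"
    for proto in FTP H323 IRC SIP TFTP; do
        echo "CONNTRACK_${proto}=on" >> "$1"
    done
    for proto in AMANDA PPTP; do
        echo "CONNTRACK_${proto}=off" >> "$1"
    done
}

# Recreate the defaults the build writes after the patch (constructed data).
write_defaults_after() {
    : > "$1"
    for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do
        echo "CONNTRACK_${proto}=off" >> "$1"
    done
}

# Live check: 1 means the kernel auto-assigns helpers to any flow on a
# matching port, 0 means helpers must be assigned explicitly.
# Prints "n/a" where the kernel does not expose the sysctl.
kernel_helper_autoassign() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Usage on a box: enabled_helpers /var/ipfire/optionsfw/settings
#                 kernel_helper_autoassign
```

Running `enabled_helpers` against the pre-patch defaults prints FTP, H323, IRC, SIP and TFTP; against the post-patch defaults it prints nothing, which is the state the commit message aims for. The live sysctl read is independent of the settings file and tells you whether the kernel would still bind a helper automatically if one were loaded.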

