This mitigates attacks that use NAT Slipstreaming against networks secured by IPFire:
https://lists.ipfire.org/pipermail/development/2021-February/009303.html
Suggested-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- lfs/configroot | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/lfs/configroot b/lfs/configroot
index bc8c0283f..a3e474d70 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -139,12 +139,7 @@ $(TARGET) :
 cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
 # Add conntrack helper default settings
- for proto in FTP H323 IRC SIP TFTP; do \
- echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
- done
-
- # Do not enable these by default because these are broken
- for proto in AMANDA PPTP; do \
+ for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
 echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
 done
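Review bot: The surviving comment `# Add conntrack helper default settings` no longer says that every helper is now deliberately off, and the removed "these are broken" remark was the only rationale kept in the file. I would replace it with `# Disable all conntrack helpers by default (NAT Slipstreaming mitigation)`, so the reason survives outside the commit message. This loop also only appends defaults to `$(CONFIG_ROOT)/optionsfw/settings` when the config root is built. As far as this hunk shows, a system whose settings file already holds `CONNTRACK_SIP=on` and similar keeps those helpers enabled unless a separate update step rewrites the values, which is not visible here. The `$(TARGET)` recipe starts and ends outside the hunk.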