* Is the article "Secure use of iptables and connection tracking helpers" (by Pablo et al.) still relevant?
@ 2026-06-17 10:29 Binarus
2026-06-17 10:39 ` Florian Westphal
2026-06-17 10:40 ` Binarus
From: Binarus @ 2026-06-17 10:29 UTC (permalink / raw)
To: netfilter
Dear all,
I've come across the following article (which has been co-authored by Pablo):
https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst
All statements of this article make sense in my eyes. I have understood that it relates to iptables, not nftables, but it seems that the underlying reasoning and explanations are valid for nftables as well.
However, since the article is 14 years old (at least), I'd like to know whether it is still up to date and whether we should follow its recommendations.
For example, the nf_conntrack module in modern kernels (e.g., 6.12.90 on my Debian trixie system) obviously does not have the "nf_conntrack_helper" parameter the article mentions. Hence, setting it to 0 does not affect anything. Setting the "port" parameter to 0 seems to do the trick, though.
Background: I finally have upgraded my firewall from iptables to nftables (and have learned a lot in doing so). Now I'd like to improve security further by applying the recommendations from that article to the nf_conntrack_sip helper module (I have an Asterisk instance running on my local network that communicates with the internet / the telephony providers via NAT, so I have to use the conntrack SIP helper to make telephony work).
In other words, I'd like to know whether we should still prevent the automatic loading of the nf_conntrack_sip module, and how we can achieve that.
Thank you very much in advance, and best regards,
Binarus
* Re: Is the article "Secure use of iptables and connection tracking helpers" (by Pablo et al.) still relevant?
From: Florian Westphal @ 2026-06-17 10:39 UTC (permalink / raw)
To: Binarus; +Cc: netfilter
Binarus <lists@binarus.de> wrote:
> I've come across the following article (which has been co-authored by Pablo):
>
> https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst
>
> All statements of this article make sense in my eyes. I have understood that it relates to iptables, not nftables, but it seems that the underlying reasoning and explanations are valid for nftables as well.
>
> However, since the article is 14 years old (at least), I'd like to know whether it is still up to date and whether we should follow its recommendations.
>
> For example, the nf_conntrack module in modern kernels (e.g., 6.12.90 on my Debian trixie system) obviously does not have the "nf_conntrack_helper" parameter the article mentions. Hence, setting it to 0 does not affect anything. Setting the "port" parameter to 0 seems to do the trick, though.
You don't have to set it to 0, the feature was removed, i.e. the 'Disable helper by default' section no longer applies. All helpers are off unless there are rules that explicitly activate them ('-j CT --helper ftp' etc).
> In other words, I'd like to know whether we should still prevent the automatic loading of the nf_conntrack_sip module, and how we can achieve that.
No. There is no automatic helper assignment in the kernel anymore and therefore no helper ever automatically snoops traffic even if the module is loaded.
The port module arguments are dead-weight and will be removed soon. They don't do anything these days.
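The explicit-assignment model Florian describes, translated to nftables for the SIP/Asterisk setup asked about in the thread. This is an added example and not code from the thread, the article, or the netfilter project. It assumes placeholder interface names lan0/wan0, 192.0.2.10 as the Asterisk host and 5060/udp as the provider signalling port; adjust these to the real setup. It follows the article's two rules (assign the helper only to the flows that need it; accept RELATED only when it was created by that helper) in nftables syntax, where `ct helper set` replaces `-j CT --helper` and the `ct helper "sip"` match replaces `-m helper --helper sip`.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread): explicit SIP helper
# assignment under nftables. Placeholders: lan0, wan0, 192.0.2.10, 5060.

define lan_if = "lan0"
define wan_if = "wan0"
define asterisk = 192.0.2.10
define sip_port = 5060

table inet filter {
    # Stateful helper object. Referencing it is what loads nf_conntrack_sip;
    # with no rule using it, the helper never sees any packet.
    ct helper sip-udp {
        type "sip" protocol udp
    }

    # Helper assignment must happen after conntrack has created the entry
    # (priority > -200) and before the entry is confirmed, so a filter-type
    # prerouting chain at priority 0 is used, as in the nft(8) example.
    chain helpers {
        type filter hook prerouting priority 0; policy accept;
        # Only Asterisk <-> provider signalling gets the helper.
        iifname $lan_if ip saddr $asterisk udp dport $sip_port ct helper set "sip-udp"
        iifname $wan_if ip daddr $asterisk udp dport $sip_port ct helper set "sip-udp"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established accept
        # RTP expectations created by the SIP helper, toward Asterisk only.
        # A bare "ct state related accept" would also honour expectations
        # from any other helper, which is what the article warns against.
        ct state related ct helper "sip" ip daddr $asterisk accept
        # Outbound signalling from Asterisk.
        iifname $lan_if ip saddr $asterisk udp dport $sip_port ct state new accept
        # Inbound signalling from the providers (narrow to their addresses
        # with an "ip saddr { ... }" set if they are known).
        iifname $wan_if ip daddr $asterisk udp dport $sip_port ct state new accept
    }
}
```

Load it with `nft -f` and check with `nft list table inet filter` that the helper object is present, and with `conntrack -L` that `helper=sip` appears only on the Asterisk signalling flows. The existing NAT chains (masquerade/dnat) are left out here because they are the reader's own; note that placing the `ct helper set` rule in a chain with `priority raw` would silently do nothing, because the conntrack entry does not exist yet at that point.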
* Re: Is the article "Secure use of iptables and connection tracking helpers" (by Pablo et al.) still relevant?
From: Binarus @ 2026-06-17 10:40 UTC (permalink / raw)
To: netfilter
On 17.06.2026 12:29, Binarus wrote:
> [...]
>
> For example, the nf_conntrack module in modern kernels (e.g., 6.12.90 on my Debian trixie system) obviously does not have the "nf_conntrack_helper" parameter the article mentions. Hence, setting it to 0 does not affect anything. Setting the "port" parameter to 0 seems to do the trick, though.
Setting the "port" parameter to 0 does not do the trick either. Sorry for the wrong statement. I had interpreted a test result in a wrong way.
>
> Background: I finally have upgraded my firewall from iptables to nftables (and have learned a lot in doing so). Now I'd like to improve security further by applying the recommendations from that article to the nf_conntrack_sip helper module (I have an Asterisk instance running on my local network that communicates with the internet / the telephony providers via NAT, so I have to use the conntrack SIP helper to make telephony work).
>
> In other words, I'd like to know whether we should still prevent the automatic loading of the nf_conntrack_sip module, and how we can achieve that.
>
> Thank you very much in advance, and best regards,
>
> Binarus