Conntrack helpers
You can enable conntrack helpers explicitly through your ruleset. You have to attach your conntrack helper from the prerouting chain.
table inet myhelpers {
ct helper ftp-standard {
type "ftp" protocol tcp
}
chain prerouting {
type filter hook prerouting priority 0;
tcp dport 21 ct helper set "ftp-standard"
}
}
The example above shows how to enable the FTP conntrack helper for traffic going through port tcp/21 which is the standard FTP control port.
You can read more on how to enable conntrack helpers in a secure way here.
Supported conntrack helpers
Conntrack provides the following helpers:
- FTP
- TFTP
- NetBIOS
- IRC
- SIP
- H.323
- SNMP
- PPTP
- SANE
- Amanda
The conntrackd daemon also provides support for userspace helpers, such as:
- DHCPv6
- MDNS
- SLP
- SSDP
- RPC
- Oracle TNS