Conntrack helpers

From nftables wiki
Revision as of 18:50, 18 December 2020 by Pablo (talk | contribs)
Jump to navigation Jump to search

You can enable conntrack helpers explicitly through your ruleset. You have to attach your conntrack helper from the prerouting chain.

table inet myhelpers {
      ct helper ftp-standard {
            type "ftp" protocol tcp
      }
      chain prerouting {
            type filter hook prerouting priority 0;
            tcp dport 21 ct helper set "ftp-standard"
      }
}

The example above shows how to enable the FTP conntrack helper for traffic going through port tcp/21 which is the standard FTP control port.

You can read more on how to enable conntrack helpers in a secure way here.

Supported helpers

Conntrack provides the following helpers:

  • FTP
  • TFTP
  • NetBIOS
  • IRC
  • SIP
  • H.323
  • SNMP
  • PPTP
  • SANE
  • Amanda

The conntrackd daemon also provides support for userspace helpers, such as:

  • DHCPv6
  • MDNS
  • SLP
  • SSDP
  • RPC
  • Oracle TNS