Difference between revisions of "Conntrack helpers"

From nftables wiki
Line 17: Line 17:
You can read more on how to enable conntrack helpers in a secure way [https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst here].
You can read more on how to enable conntrack helpers in a secure way [https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst here].


= Supported helpers =
= Supported conntrack helpers =


Conntrack provides the following helpers:
Conntrack provides the following helpers:

Revision as of 18:50, 18 December 2020

You can enable conntrack helpers explicitly through your ruleset. You have to attach your conntrack helper from the prerouting chain.

table inet myhelpers {
      ct helper ftp-standard {
            type "ftp" protocol tcp
      }
      chain prerouting {
            type filter hook prerouting priority 0;
            tcp dport 21 ct helper set "ftp-standard"
      }
}

The example above shows how to enable the FTP conntrack helper for traffic to port tcp/21, which is the standard FTP control port.

You can read more on how to enable conntrack helpers in a secure way here: https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst

Supported conntrack helpers

Conntrack provides the following helpers:

  • FTP
  • TFTP
  • NetBIOS
  • IRC
  • SIP
  • H.323
  • SNMP
  • PPTP
  • SANE
  • Amanda

The conntrackd daemon also provides support for userspace helpers, such as:

  • DHCPv6
  • MDNS
  • SLP
  • SSDP
  • RPC
  • Oracle TNS