
Add conntrack helper matching on firewall
Closed, ResolvedPublic

Description

Conntrack helpers can be a security issue if they are assigned without restricting which traffic gets them. The nftables wiki, for example, notes:

If you use a helper to forward traffic to a host behind your stateful router, it is critical that you use a daddr expression to restrict such traffic to that specific host in both Rule 2 (helper assignment) and in a rule similar to Rule 3b (related packets) in your forward filter chain(s). Otherwise the helper may allow arbitrary port forwarding, much like allowing untrusted remote hosts to inject "dnat"-based port forwarding rules.

We should therefore add a way for firewall rules to match on the conntrack helper, so that the related traffic a helper creates can be restricted to the intended host rather than accepted for any destination.

Proposed syntax:
set firewall ipv4 [forward filter|name N] rule N conntrack-helper [ftp|pptp|...]
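To make the quoted recommendation concrete, here is an added nftables ruleset that is not part of this task or of VyOS; it shows the unrestricted helper assignment next to the daddr-restricted form for both the assignment rule and the related-packets rule. The interface name eth0, the helper object name ftp-std and the server address 192.0.2.10 (a documentation address) are assumptions for the example.

```nft
# Added example ruleset, not from the VyOS task or the nftables wiki.
# Assumed: eth0 is the WAN interface and 192.0.2.10 is the one internal
# FTP server that is meant to be reachable through this router.
table inet filter {
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain helper_assign {
        type filter hook prerouting priority 0; policy accept;
        # Unrestricted form (do not use): every TCP/21 flow through the
        # router gets the helper, so a client talking to any internal host
        # can have data-connection expectations created for that host.
        # tcp dport 21 ct helper set "ftp-std"

        # Restricted form (Rule 2 with daddr): only flows to the intended
        # server are tracked by the helper.
        iifname "eth0" ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-std"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established accept
        # Initial FTP control connection to the server only.
        iifname "eth0" ip daddr 192.0.2.10 tcp dport 21 ct state new accept
        # Rule 3b with daddr: helper-created (related) connections are only
        # accepted toward the same server. Without "ip daddr" here, the
        # expectations the helper sets up could open ports on any internal host.
        iifname "eth0" ip daddr 192.0.2.10 ct state related ct helper "ftp" accept
    }
}
```

The important detail is that the destination restriction appears twice: once on the assignment rule, so the helper never inspects traffic for other hosts, and once on the related-state accept, so that even an expectation the helper did create cannot be used to reach a different host. A VyOS rule built with the syntax proposed above would need the same pairing, that is, a destination address match alongside the conntrack-helper match on the rule that accepts related traffic.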

Ref:

Details

Version
-
Is it a breaking change?
Perfectly compatible