https://gnupit.net/firewall/Recent content in Firewall on The Gnu PitHugoen-USThu, 21 Dec 2017 22:26:24 -0500https://gnupit.net/posts/nf_conntrack/Thu, 21 Dec 2017 22:26:24 -0500https://gnupit.net/posts/nf_conntrack/<p>For quite a while, I&rsquo;ve been getting the &ldquo;nf_conntrack: automatic helper assignment is deprecated and it will be removed soon&rdquo; warning at boot. So I can&rsquo;t say I was too surprised when I started getting &ldquo;kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.&rdquo;</p> <p>Back in January/February 2017 there was a <a href="http://lkml.iu.edu/hypermail/linux/kernel/1702.0/00470.html">post</a> on the Linux-Kernel mailing list submitting a patch to print out the warning so firewall admins would at least have notice. As best as I can tell from reading a ton of stuff, the warning is logged if a packet which would have otherwise traversed your firewall didn&rsquo;t because there was no helper available. More information can be found at <a href="https://home.regit.org/netfilter-en/secure-use-of-helpers/">Secure use of iptables and connection tracking helpers</a>.</p>