Disabling Conntrack Helpers for Extra Security?

Newbie here, just learning this. My idea of security is simple: keep it simple by disabling what I don't need.

If I understood correctly, "conntrack helpers" may allow some communications like ssh or tftp to take a different path, temporarily opening a channel for communication. There are a couple of helpers: https://wiki.nftables.org/wiki-nftables/index.php/Conntrack_helpers

Conntrack provides the following helpers:

  • FTP
  • TFTP
  • NetBIOS
  • IRC
  • SIP
  • H.323
  • SNMP
  • PPTP
  • SANE
  • Amanda

The [conntrackd] daemon also provides support for userspace helpers, such as:

  • DHCPv6
  • MDNS
  • SLP
  • SSDP
  • RPC
  • NFS version 3
  • Oracle TNS

Does that RPC have anything to do with "Remote Procedure Call"? -.-

I've seen the first set of helpers on LUCI, do we also have the second set of helpers (conntrackd daemon) running in the background?

If so, how should I disable them? Including the first set of helpers. I would like to even go one step further and block/drop all of these protocols (both incoming and outgoing) on the firewall.

If you don't use those applications, there isn't going to be any relevant traffic?

Disable conntrack instead, and those protocols/applications will fail to connect.


OpenWrt is secure by default since those packages are not preinstalled:


You can also disable automatic helper assignment in the firewall by setting option auto_helper 0 in the defaults section of /etc/config/firewall.

This will prevent conntrack helpers from getting used even if they happen to be installed.

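The reply above describes the setting but not how to confirm it is actually in place. The script below is an added example by the editor, not code from the thread or from the OpenWrt project: it parses an OpenWrt-style /etc/config/firewall and reports whether the "config defaults" section sets auto_helper to 0, ignoring the same option name in any other section. Both sample configuration files are constructed here for the demonstration; on a real router you would point the function at /etc/config/firewall. The uci commands in the comments are the usual way to apply the setting described in the reply.

```sh
#!/bin/sh
# Added example (not from the thread): check whether an OpenWrt firewall config
# disables automatic conntrack helper assignment via "option auto_helper 0"
# in the "config defaults" section.
#
# On a router the setting itself would be applied with:
#   uci set firewall.@defaults[0].auto_helper='0'
#   uci commit firewall
#   /etc/init.d/firewall restart

# Constructed sample 1: a stock-style defaults section, auto_helper not set.
SAMPLE_DEFAULT="$(mktemp)"
cat >"$SAMPLE_DEFAULT" <<'EOF'
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
EOF

# Constructed sample 2: the same config hardened as the reply suggests.
# UCI accepts quoted values, so the quoted form is used here to exercise that path.
SAMPLE_HARDENED="$(mktemp)"
cat >"$SAMPLE_HARDENED" <<'EOF'
config defaults
	option syn_flood	'1'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option auto_helper	'0'

config zone
	option name		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'
EOF

trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"' EXIT

# auto_helper_disabled FILE
# Prints "yes" if FILE's "config defaults" section contains auto_helper set
# to 0, and "no" otherwise. Options in other sections are deliberately ignored:
# the check is scoped to the section the reply refers to.
auto_helper_disabled() {
    awk '
        # A "config <type> ..." line starts a new section; remember whether it is "defaults".
        /^[[:space:]]*config[[:space:]]+/ { in_defaults = ($2 == "defaults"); next }
        in_defaults && $1 == "option" && $2 == "auto_helper" {
            gsub(/["'\'']/, "", $3)      # strip optional UCI quoting around the value
            if ($3 == "0") found = 1
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

echo "stock config    -> auto_helper disabled: $(auto_helper_disabled "$SAMPLE_DEFAULT")"
echo "hardened config -> auto_helper disabled: $(auto_helper_disabled "$SAMPLE_HARDENED")"
```

Run it as-is to see both results; to audit a live device, replace the sample path with /etc/config/firewall. The check is intentionally narrow: it only answers the question raised in the reply (is automatic helper assignment turned off in the defaults), not whether helper packages are installed.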

Does everyone think this is an "ok" idea? I remember reading that conntrack has more functions, like tracking UDP packets or something, so I'm guessing it's assisting the firewall to do its job with UDP packets. So now I'm not sure if disabling conntrack (instead of just helpers) is a good idea. But I'd love to disable/remove/make everything simpler as long as it won't negatively affect an important module like the firewall.

Trial and error?

If stuff will stop working, you'll know who to blame....
