Secure use of nft helpers like for ftp

Installing and Using OpenWrt
1

Hi,

What is a secure way of enabling NFT helpers through Luci?
In Firewall -> Traffic Rules or Port Forwards -> Advanced Setting
there is only a "Match helper".

However the helper does not scan and classifying traffic at all.
It only stared doing this after:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
This approach however seems to be listed as insecure on linux related forums.

What is the correct way to pass (not match) only specific traffic through the nft helpers for it to be scanned? Like scanning traffic only on port 21.

Regards,
Piotr

2

It should just work after installing the package and restarting the firewall service: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#ftp_passthrough

> nft list chain inet fw4 helper_lan | grep -e ftp
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
1 Like