.\" Automatically generated by Pandoc 3.1.3
.nh
.\"
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "firehol-cthelper" "5" "Built 30 Mar 2024" "FireHOL Reference" "3.1.7"
.hy
.SH NAME
.PP
firehol-cthelper - control connection tracking helpers
.SH SYNOPSIS
.PP
{ cthelper | cthelper4 | cthelper6 } \f[I]protocol helper\f[R]
\f[I]where\f[R] [\f[I]rule-params\f[R]]
.SH DESCRIPTION
.PP
The netfilter team has included in the Linux kernel protocol helpers that
monitor traffic and allow these protocols to work under the connection
tracker.
.PP
The following protocol helpers are provided:
.IP \[bu] 2
\f[V]amanda\f[R]
.IP \[bu] 2
\f[V]ftp\f[R]
.IP \[bu] 2
\f[V]tftp\f[R] (cannot be configured)
.IP \[bu] 2
\f[V]h323\f[R] (cannot be configured)
.IP \[bu] 2
\f[V]irc\f[R] (does not support IPv6)
.IP \[bu] 2
\f[V]netbios_ns\f[R] (cannot be configured)
.IP \[bu] 2
\f[V]pptp\f[R] (does not support IPv6)
.IP \[bu] 2
\f[V]gre\f[R] (cannot be configured)
.IP \[bu] 2
\f[V]sane\f[R]
.IP \[bu] 2
\f[V]sip\f[R]
.PP
By default, the helpers trust either side of the communication.
This is considered a security issue and should be avoided.
.PP
Using \f[V]cthelper\f[R], the helpers that can be configured can be
instructed to trust a specific side of the communication.
.PP
Before doing so, the variable
\f[V]FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT\f[R] should be set to
\f[V]manual\f[R].
.PP
\f[V]where\f[R] defines where the trusted traffic is expected.
It can be:
.IP \[bu] 2
\f[V]IN\f[R], \f[V]INPUT\f[R], or \f[V]PREROUTING\f[R] to match incoming
packets
.IP \[bu] 2
\f[V]OUT\f[R] or \f[V]OUTPUT\f[R] to match outgoing packets
.IP \[bu] 2
\f[V]BOTH\f[R], \f[V]BIDIRECTIONAL\f[R], or \f[V]INOUT\f[R] to match all
packets
.PP
The \f[I]rule-params\f[R] define a set of rule parameters that further
restrict the traffic matched.
See firehol-params(5) for more details.
.PP
\f[V]FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT\f[R] accepts the following
values:
.IP \[bu] 2
\f[V]kernel\f[R] (the default) lets the kernel determine by itself which
side to trust.
.IP \[bu] 2
\f[V]firehol\f[R] has FireHOL automatically generate \f[V]cthelper\f[R]
statements, keeping the \f[V]src\f[R], \f[V]dst\f[R], \f[V]inface\f[R]
and \f[V]outface\f[R] of the statements that require each helper.
Keep in mind that this only generates valid statements if you do not use
NAT at all: \f[V]cthelper\f[R] statements are executed by iptables before
any NAT is applied, while packet filtering is configured after DNAT and
before SNAT, so the generated statements are wrong when NAT is applied.
.IP \[bu] 2
\f[V]manual\f[R] uses the \f[V]cthelper\f[R] helper to configure the
trusts in \f[V]firehol.conf\f[R].
.PP
When set to \f[V]kernel\f[R], FireHOL sets
\f[V]net.netfilter.nf_conntrack_helper=1\f[R].
In all other cases, FireHOL sets
\f[V]net.netfilter.nf_conntrack_helper=0\f[R].
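.PP
As an added illustration that is not part of FireHOL or of this manual page,
the following POSIX shell script lints the \f[V]cthelper\f[R] statements of a
\f[V]firehol.conf\f[R] against the rules stated above: the helper must be one
that can be configured, \f[V]irc\f[R] and \f[V]pptp\f[R] are rejected unless
written with \f[V]cthelper4\f[R], \f[V]where\f[R] must be one of the listed
keywords (accepted in either case, since the examples below write them in
lower case), the assignment mode must be \f[V]manual\f[R], and mode
\f[V]firehol\f[R] is flagged when NAT statements are present.
The names of the NAT statements (\f[V]dnat\f[R], \f[V]snat\f[R],
\f[V]redirect\f[R], \f[V]nat\f[R]) are an assumption taken from
firehol-nat(5), and the two sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not FireHOL code: lint cthelper statements in a firehol.conf
# against the rules this manual page states. Helper names, "where" keywords
# and assignment modes come from the page; the NAT statement names used below
# (dnat, snat, redirect, nat) are an assumption taken from firehol-nat(5).

CONFIGURABLE_HELPERS="amanda ftp irc pptp sane sip"   # helpers cthelper may configure
IPV4_ONLY_HELPERS="irc pptp"                           # helpers without IPv6 support
WHERE_VALUES="IN INPUT PREROUTING OUT OUTPUT BOTH BIDIRECTIONAL INOUT"

# in_list WORD "LIST": succeed if WORD is one of the words in LIST.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# helper_assignment_mode FILE: print the configured mode, "kernel" when unset.
helper_assignment_mode() {
    mode=$(sed -n "s/^[[:space:]]*FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT=[\"']*\([a-z]*\).*/\1/p" "$1" | tail -n 1)
    echo "${mode:-kernel}"
}

# expected_nf_conntrack_helper MODE: the sysctl value FireHOL sets for MODE.
expected_nf_conntrack_helper() {
    [ "$1" = kernel ] && echo 1 || echo 0
}

# lint_cthelper_stmt CMD PROTOCOL WHERE: print a reason and fail on a bad statement.
lint_cthelper_stmt() {
    case "$1" in
        cthelper|cthelper4|cthelper6) ;;
        *) echo "not a cthelper statement: $1"; return 1 ;;
    esac
    if ! in_list "$2" "$CONFIGURABLE_HELPERS"; then
        echo "helper '$2' cannot be configured with cthelper"; return 1
    fi
    if [ "$1" != cthelper4 ] && in_list "$2" "$IPV4_ONLY_HELPERS"; then
        echo "helper '$2' has no IPv6 support; use cthelper4"; return 1
    fi
    where=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')   # the page's examples use lower case
    if ! in_list "$where" "$WHERE_VALUES"; then
        echo "unknown where '$3' for helper '$2'"; return 1
    fi
}

# lint_config FILE: fail unless the mode is manual and every cthelper line is valid.
lint_config() {
    rc=0
    mode=$(helper_assignment_mode "$1")
    if [ "$mode" != manual ]; then
        echo "mode is '$mode': cthelper requires FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT=manual"; rc=1
    fi
    if [ "$mode" = firehol ] && grep -Eq '^[[:space:]]*(dnat|snat|redirect|nat)[[:space:]]' "$1"; then
        echo "mode firehol generates wrong helper statements when NAT is applied"; rc=1
    fi
    # The while loop runs in a subshell, so its complaints are collected via stdout.
    problems=$(grep -E '^[[:space:]]*cthelper[46]?[[:space:]]' "$1" |
        while read -r cmd proto where _rest; do
            lint_cthelper_stmt "$cmd" "$proto" "$where" || :
        done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"; rc=1
    fi
    return $rc
}

# Constructed sample configurations (not taken from any real system).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="manual"
cthelper sip out outface dsl0
cthelper sip in inface eth0 src 10.0.0.1
cthelper4 pptp out outface wan0
EOF

BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="firehol"
dnat to 10.0.0.1 proto tcp dport 80
cthelper tftp in inface eth0
cthelper6 pptp out outface wan0
cthelper sip sideways
EOF

lint_config "$GOOD_CONF" && echo "$GOOD_CONF: ok"
lint_config "$BAD_CONF" || echo "$BAD_CONF: problems found"
```

The first sample passes; the second reports every defect the page warns about: a
mode other than \f[V]manual\f[R], mode \f[V]firehol\f[R] combined with NAT, a
helper that cannot be configured, an IPv4-only helper used with
\f[V]cthelper6\f[R], and an unknown \f[V]where\f[R] keyword.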
.SH EXAMPLES
.IP
.nf
\f[C]
# enable manual protocol helpers mode
FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT=\[dq]manual\[dq]

# trust SIP packets we send via interface dsl0
cthelper sip out outface dsl0

# trust SIP packets we receive from 10.0.0.1 via eth0
cthelper sip in inface eth0 src 10.0.0.1

# trust pptp packets we send via interface wan0 (IPv4 only)
cthelper4 pptp out outface wan0
\f[R]
.fi
.SH SEE ALSO
.IP \[bu] 2
firehol(1) - FireHOL program
.IP \[bu] 2
firehol.conf(5) - FireHOL configuration
.IP \[bu] 2
FireHOL Website (http://firehol.org/)
.IP \[bu] 2
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
.IP \[bu] 2
FireHOL Online Documentation (http://firehol.org/documentation/)
.SH AUTHORS
FireHOL Team.