Re: Help/guidance with automatic CT helper assignment

Hello Mauro,

On 10.04.2017 23:22, Mauro Santos wrote:
> Hello,
> 
> I'm running linux 4.10.8 and I am aware that automatic connection
> tracker loading has been disabled by default for security reasons.
> 
s/loading/assignment/

> 
> What I would like some help/guidance with is finding out what is causing
> this, that is, finding out which program would cause an automatic helper
> to be loaded if automatic loading was enabled.
> 
Receiving packets of protocols (or ports) for which helpers exist but aren't assigned.

> I have currently setup two helpers, one for ftp and one for pptp (which
> pulls the gre helper if I'm not mistaken). These two helpers have been
> added with:
> iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
> iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
 

> I have tried monitoring incoming and outgoing connections with source
> and destination ports that the other helpers should work with (I've
> taken the list from here http://www.shorewall.net/Helpers.html) but the
> timestamps of the messages (ports log and nf_conntrack message) are too
> far for me to believe I'm catching what is causing this.

The helpers and what packets are not handled are obviously not the same!
The two groups also do not intersect! Receiving a GRE packet can cause this message, too!

> 
> Short of logging everything in bulk, is there anything else I can try to
> catch the culprit? I'd like to avoid logging in bulk because I have not
> found a way to trigger this on demand and sometimes I see the
> nf_conntrack message several hours after boot, which would make for huge
> logs with normal machine usage (youtube, video calls, etc).

The list of conntrack helpers is limited. You don't need to log everything.
See this[1] blog article.

[1] https://home.regit.org/netfilter-en/secure-use-of-helpers/


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
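Following the advice above (the set of helpers is small, so log only their ports and GRE instead of everything), here is an added example script, not from the thread or the linked article: it generates rate-limited LOG rules in the raw table for the ports the in-kernel helpers default to, so the kernel's nf_conntrack message can be matched against a "helper-*" line in the kernel log. The port-to-helper list is assumed from the kernel helper defaults and should be adjusted to what is loaded locally.

```shell
#!/bin/sh
# Assumed default ports of the in-kernel conntrack helpers (proto:port:name).
# Adjust to the helpers actually built/loaded on the machine.
HELPER_TARGETS="tcp:21:ftp tcp:1723:pptp udp:69:tftp tcp:6667:irc \
udp:5060:sip tcp:5060:sip tcp:1720:h323 udp:10080:amanda \
udp:161:snmp udp:137:netbios-ns tcp:6566:sane"

# Print (but do not apply) one LOG rule per helper port in each raw-table
# chain. The raw table only has PREROUTING and OUTPUT, which is where the
# CT target also lives, so both directions are covered. The limit match
# keeps the log small even on a busy desktop.
helper_log_rules() {
    for t in $HELPER_TARGETS; do
        proto=${t%%:*}
        rest=${t#*:}
        port=${rest%%:*}
        name=${rest#*:}
        for chain in PREROUTING OUTPUT; do
            printf 'iptables -t raw -A %s -p %s --dport %s -m limit --limit 6/min -j LOG --log-prefix "helper-%s: "\n' \
                "$chain" "$proto" "$port" "$name"
        done
    done
    # GRE (used by pptp) has no port; match on the protocol itself.
    for chain in PREROUTING OUTPUT; do
        printf 'iptables -t raw -A %s -p gre -m limit --limit 6/min -j LOG --log-prefix "helper-gre: "\n' \
            "$chain"
    done
}

# Count of rules that would be installed; handy for a sanity check.
helper_rule_count() {
    helper_log_rules | wc -l | tr -d ' '
}

# Dry run by default; "apply" pipes the generated rules into sh as root.
if [ "${1:-}" = "apply" ]; then
    helper_log_rules | sh
else
    helper_log_rules
fi
```

After applying, compare the timestamp of the nf_conntrack message in `dmesg` with the nearest preceding "helper-<name>:" line to see which protocol triggered the lookup.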

