diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda
index 7d9197813..bf45c2d69 100644
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -12,11 +12,11 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
PARAM - - udp 10080 ; helper=amanda
-?ELSE
+?else
PARAM - - udp 10080
-?ENDIF
+?endif
PARAM - - tcp 10080
#
diff --git a/Shorewall/Macros/macro.BLACKLIST b/Shorewall/Macros/macro.BLACKLIST
index c51675fb1..cebff9453 100644
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,8 +8,8 @@
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
blacklog
-?ELSE
+?else
$BLACKLIST_DISPOSITION
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP
index 40ac654d5..038857a53 100644
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -9,8 +9,8 @@
FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
PARAM - - tcp 21 ; helper=ftp
-?ELSE
+?else
PARAM - - tcp 21
-?ENDIF
+?endif
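Review bot: The `?else` branch under the new `?if` still opens tcp/21 with no helper whenever the condition is false, which now includes AUTOHELPERS=No on a build where `__CT_TARGET` or `__FTP_HELPER` is unavailable — the very setting the shorewall.conf(5) text in this change recommends for kernel 3.5 or later — and in that case the macro silently relies on the helper being attached elsewhere (presumably the conntrack file, which this commit only generates when `$AUTOHELPERS` is true). Nothing in the macro tells a reader which branch they are in or why, so a comment above the `?if` would help, e.g. `# With AUTOHELPERS=No the ftp helper is attached here; with AUTOHELPERS=Yes the conntrack file is expected to attach it.` and `# If CT support or the ftp helper is missing, tcp/21 is opened with no helper at all.`. The directive keywords are lowercased here while the conntrack hunk in the same commit keeps `?IF`; one spelling throughout is easier to grep.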
diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC
index 07cd26dec..020bee064 100644
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -10,8 +10,8 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER )
PARAM - - tcp 6667 ; helper=irc
-?ELSE
+?else
PARAM - - tcp 6667
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP
index 330f2e128..b4ba427e8 100644
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -12,8 +12,8 @@
PARAM - - 47
PARAM DEST SOURCE 47
-?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
PARAM - - tcp 1723 ; helper=pptp
-?ELSE
+?else
PARAM - - tcp 1723
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE
index 4013737f8..40721e64d 100644
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -10,11 +10,11 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
PARAM - - tcp 6566 ; helper=sane
-?ELSE
+?else
PARAM - - tcp 6566
-?ENDIF
+?endif
#
# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP
index 318217df7..015d8b688 100644
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -10,8 +10,8 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER )
PARAM - - udp 5060 ; helper=sip
-?ELSE
+?else
PARAM - - udp 5060
-?ENDIF
+?endif
diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB
index 12a954846..20208fdf3 100644
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -15,12 +15,12 @@ FORMAT 2
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 135,445
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
PARAM - - udp 137 ; helper=netbios-ns
PARAM - - udp 138:139
-?ELSE
+?else
PARAM - - udp 137:139
-?ENDIF
+?endif
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI
index 09d833cf7..08311d3fe 100644
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -15,23 +15,23 @@ FORMAT 2
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 135,445
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
PARAM - - udp 137 ; helper=netbios-ns
PARAM - - udp 138:139
-?ELSE
+?else
PARAM - - udp 137:139
-?ENDIF
+?endif
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
PARAM DEST SOURCE udp 135,445
-?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
PARAM DEST SOURCE udp 137 ; helper=netbios-ns
PARAM DEST SOURCE udp 138:139
-?ELSE
+?else
PARAM DEST SOURCE udp 137:139
-?ENDIF
+?endif
PARAM DEST SOURCE udp 1024: 137
PARAM DEST SOURCE tcp 135,139,445
diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP
index d1e26b598..bbc906fbc 100644
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -10,11 +10,11 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
PARAM - - udp 161 ; helper=snmp
PARAM - - udp 162
-?ELSE
+?else
PARAM - - udp 161:162
-?ENDIF
+?endif
PARAM - - tcp 161
diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP
index bd303f322..8e7ccb4f3 100644
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -12,8 +12,8 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
-?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER )
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
PARAM - - udp 69 ; helper=tftp
-?ELSE
+?else
PARAM - - udp 69
-?ENDIF
+?endif
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b0103c3b8..5a2d46206 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -730,6 +730,7 @@ sub initialize( $;$ ) {
LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef,
HELPERS => undef,
+ AUTOHELPERS => undef,
#
# Packet Disposition
#
@@ -4524,6 +4525,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
+ default_yes_no 'AUTOHELPERS' , 'Yes';
if ( supplied $config{HELPERS} ) {
my %helpers_temp = %helpers_enabled;
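Review bot: The macros and the conntrack file test this option as a boolean (`! $AUTOHELPERS`, `$AUTOHELPERS && __CT_TARGET`), so the new `default_yes_no 'AUTOHELPERS' , 'Yes';` line only works if that helper normalises No to an empty string rather than leaving the literal 'No', which would be true inside a `?if`; presumably it does, since the neighbouring Yes/No options rely on the same thing, but it is worth confirming and recording, e.g. `# AUTOHELPERS is tested as a boolean by the macros and the conntrack file; default_yes_no must leave '' for No`. Placing the line next to the HELPERS handling that immediately follows would also make the relationship between the two options visible, since the manpage text in this change describes them together. get_configuration continues outside the hunk.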
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index d334682db..512802886 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 38af1be72..6eabebf6d 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index e4f7b5142..9d6ba575f 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 58ff0e882..2db35263c 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
index 3ff7ec943..dbb55854d 100644
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -7,7 +7,7 @@
FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
-?IF __CT_TARGET
+?IF $AUTOHELPERS && __CT_TARGET
?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 8d7f3a0df..68b6b97c7 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
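Review bot: The shipped template now sets `AUTOHELPERS=Yes`, while the shorewall.conf(5) text added in this same change says it is recommended to set AUTOHELPERS=No on systems running kernel 3.5 or later and attach helpers only where they are needed. A fresh install therefore starts with the helper-on-every-connection behaviour that the documentation advises against, and nothing within this hunk hints at the trade-off. Consider shipping `AUTOHELPERS=No` in the template, or at least a comment beside it such as `# Yes attaches conntrack helpers to all traffic on each helper's port; on kernel 3.5+ prefer No and attach helpers per rule (see shorewall.conf(5))`. The same applies to the Samples/*/shorewall.conf hunks.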
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 4cd86e8f6..ef09c1dd6 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
role="bold">none}
-
If this variable is not set or is given an empty value
@@ -1099,7 +1142,7 @@ net all DROP infothen the chain name is 'net2all' - + For example, using the default LOGFORMAT, the log prefix for
@@ -1116,7 +1159,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. -+ Do not use this option if the resulting log messages will
@@ -1780,7 +1823,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">"
@@ -962,7 +1005,7 @@ net all DROP infothen the chain name is 'net2all' --
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index af44a223e..826db4099 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 5b2864e23..518ac9030 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 3cf36656e..01b81f97f 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 35beedfbd..0d9360a14 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 096f64b58..946060722 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
+AUTOHELPERS=Yes
+
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 1eda02d4f..48d48d08b 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -82,7 +82,7 @@ role="bold">none}+ -
@@ -92,7 +92,7 @@ role="bold">none}+ -
@@ -102,7 +102,7 @@ role="bold">none}+ -
@@ -112,7 +112,7 @@ role="bold">none}+ -
@@ -228,6 +228,49 @@ ++ + ++ + AUTOHELPERS= [Yes |No ]+ +Added in Shorewall 4.5.8. When set to + (the default), the generated ruleset will automatically associate + helpers with applications that require them (FTP, IRC, etc.). When + configuring your firewall on systems running kernel 3.5 or later, it + is recommended that you: + ++ ++ + +Set AUTOHELPERS=No. ++ +Either: + ++ ++ + +Modify +shorewall6-conntrack + (5) to only apply helpers where they are required; or+ +Specify the appropriate helper in the HELPER column in + + +shorewall6-rules + (5).+ +The macros for those applications requiring a helper + automatically specify the appropriate HELPER where + required. +
@@ -648,8 +691,8 @@ net all DROP infothen the chain name is 'net2all' AUTOMAKE= [Yes |No ]When HELPERS is specified on a system running Kernel 3.5.0 or - later, automatic association of helpers to connections is disabled. - + later, automatic association of helpers to connections is + disabled.+ For example, using the default LOGFORMAT, the log prefix for
@@ -979,7 +1022,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. -+ Do not use this option if the resulting log messages will
@@ -1578,7 +1621,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - +