diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index bc443d3f4..c029e8e06 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1823,7 +1823,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
if ( $blacklist ) {
$action = 'RETURN';
} elsif ( $helper ne '-' ) {
- $actiontype |= HELPER;
+ $actiontype |= HELPER if $section eq 'NEW';
}
} ,
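Review bot: After this change a non-'-' HELPER value in a section other than NEW no longer sets the HELPER action flag, but nothing in this hunk rejects or reports it, so a helper given in the ESTABLISHED or INVALID sections would be accepted and then silently ignored unless the RELATED branch added in the second hunk or code outside the hunk covers those cases. A guard next to the new condition would make the contract explicit, along the lines of `fatal_error "HELPER is only supported in the NEW and RELATED sections" unless $section eq 'NEW' || $section eq 'RELATED';` — assuming fatal_error is this module's usual way of rejecting a bad rule. process_rule1 starts and ends outside the hunk, so I cannot see whether $section is already validated earlier in the sub.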
@@ -2029,6 +2029,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) ,
do_condition( $condition ) ,
);
+ } elsif ( $section eq 'RELATED' ) {
+ $rule = join( '',
+ do_proto($proto, $ports, $sports),
+ do_ratelimit( $ratelimit, $basictarget ) ,
+ do_user( $user ) ,
+ do_test( $mark , $globals{TC_MASK} ) ,
+ do_connlimit( $connlimit ),
+ do_time( $time ) ,
+ do_headers( $headers ) ,
+ do_condition( $condition ) ,
+ do_helper( $helper ) ,
+ );
} else {
$rule = join( '',
do_proto($proto, $ports, $sports),
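Review bot: The new RELATED branch repeats the else branch's join() list verbatim apart from the trailing `do_helper( $helper )`, so the two lists will drift the next time a matcher is added to one of them. A single list with a conditional last element keeps them in step: append `( $section eq 'RELATED' ? do_helper( $helper ) : () ),` to the existing else-branch join and drop the new elsif. A one-line comment would also help the next reader, since the same column is an action in NEW but a match here, e.g. `# In RELATED the HELPER column matches the helper attached to the parent connection; it does not assign one`. The else branch continues outside the hunk, so whether it already emits do_helper for other sections is not visible here.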
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 078e7fbf0..e13749c49 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1369,11 +1369,18 @@
HELPER - [helper]
- Added in Shorewall 4.5.7. Causes the named conntrack
+ Added in Shorewall 4.5.7.
+
+ In the NEW section, causes the named conntrack
helper to be associated with this
- connection. The contents of this column are ignored unless ACTION is
- ACCEPT*, DNAT* or REDIRECT*. The helper
- may be one of:
+ connection; the contents of this column are ignored unless ACTION is
+ ACCEPT*, DNAT* or REDIRECT*.
+
+ In the RELATED section, will only match if the related
+ connection has the named helper
+ associated with it.
+
+ The helper may be one of:
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index 473614e4b..8cfb4ea03 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -1207,11 +1207,18 @@
HELPER - [helper]
- Added in Shorewall 4.5.7. Causes the named conntrack
+ Added in Shorewall 4.5.7.
+
+ In the NEW section, causes the named conntrack
helper to be associated with this
- connection. The contents of this column are ignored unless ACTION is
- ACCEPT*, DNAT* or REDIRECT*. The helper
- may be one of:
+ connection; the contents of this column are ignored unless ACTION is
+ ACCEPT*, DNAT* or REDIRECT*.
+
+ In the RELATED section, will only match if the related
+ connection has the named helper
+ associated with it.
+
+ The helper may be one of:
@@ -1238,8 +1245,8 @@
If the HELPERS option is specified in shorewall6.conf(5), then any
- module specified in this column most be listed in the HELPERS
+ url="shorewall.conf.html">shorewall.conf(5), then any module
+ specified in this column most be listed in the HELPERS
setting.
diff --git a/docs/Helpers.xml b/docs/Helpers.xml
index 589180f64..673d3dc7a 100644
--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -388,10 +388,18 @@
iptables; see the table above.
Beginning with Shorewall 4.5.7, there is a HELPER column in shorewall-rules (5). This
- column allows the explicit association of a helper with connections
- allowed by a given rules. The column may contain any of the helper names
- recognized by iptables (see the table above).
+ url="manpages/shorewall-rules.html">shorewall-rules (5). In the
+ NEW section, this column allows the explicit association of a helper
+ with connections allowed by a given rules. The column may contain any of
+ the helper names recognized by iptables (see the table above). In the
+ RELATED section, the rule will only match the packet if the related
+ connection has the named helper attached.
+
+ Also added in Shorewall 4.5.7 is the HELPER action in shorewall-rules (5). HELPER
+ rules associate the helper listed in the HELPER column with connections
+ that match the rule. A destination zone should not be specified in
+ HELPER rules.
@@ -447,4 +455,42 @@ loadmodule nf_conntrack_sane ports=0
module name.
+
+
+ Kernel >= 3.5 and Shorewall >= 4.5.7
+
+ While the AUTOHELPER option described above provides for seamless
+ migration to kernel 3.5 and beyond, we recommend setting AUTOHELPER=No at
+ the first opportunity after migrating. Additionally, you should:
+
+
+
+ Use the HELPER action and the HELPER column in shorewall-rules (5) to
+ attach helpers to only those connections that you need to
+ support.
+
+
+
+ If you run one or more servers (such as an FTP server) that
+ interact with helpers, you should consider adding rules to the RELATED
+ section of shorewall-rules (5) to
+ limit the scope of the helper. Suppose that your Linux FTP server is
+ in zone dmz and has address 70.90.191.123.
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE
+# PORT(S) PORT(2)
+SECTION RELATED
+ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
+ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server
+ACCEPT loc,dmz,$FW net tcp - 1024: ; helper=ftp # passive FTP to net
+ACCEPT net all tcp 1024: 20 ; helper=ftp # active FTP from net
+DROP:info all all ; helper=ftp #
+SECTION NEW
+HELPER all net tcp 21 ; helper=ftp
+ACCEPT all dmz:70.90.191.123 tcp 21 ; helper=ftp
+
+
+