Hi Tom

Thanks for the explicit information.

On 10.01.2016 at 17:59, Tom Eastep wrote:
> On 01/10/2016 02:36 AM, Erich Titl wrote:
>> Hi Tom
...
>
> Netfilter's automatic helper assignment is controlled by
> /proc/sys/net/netfilter/nf_conntrack_helper.
>
> Shorewall:
>
> - always sets that to 0 during start/restart/reload if it exists, thus
>   disabling it.
> - always sets it to 1 when executing the 'clear' command. This is a
>   possible cause of the messages that you are seeing.

Well, it shows up well after shorewall start, so it is possible the message cannot be disabled. I will check the state be

>
> AUTOHELPERS determines whether *Shorewall* enables automatic helper
> assignment via entries in the conntrack file. Changing its default value
> to No would result in a lot of problems for new users who don't use the
> Shorewall-provided macros.
>
> Automatic helper assignment is dangerous because there is an exploit
> allowing attackers to open ports on the firewall. Shorewall's 'sfilter'
> implementation blocks that exploit, independent of the AUTOHELPERS setting.

Then the default setting of Shorewall should be sufficient if one uses the macros to allow/reject known traffic on the respective zones.

Thanks

Erich

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
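
Added example, not part of the original thread and not Shorewall's own code: a shell check that compares the Netfilter knob named above with the value the thread says Shorewall sets after each command. The names `helper_state`, `check_after` and `HELPER_KNOB` are hypothetical, and treating a missing knob as nothing to check is an assumption drawn from the "if it exists" wording.

```shell
#!/bin/sh
# Path quoted in the thread; override HELPER_KNOB to test against a copy.
HELPER_KNOB="${HELPER_KNOB:-/proc/sys/net/netfilter/nf_conntrack_helper}"

# helper_state [path]: prints disabled, enabled, absent or unknown:<value>.
helper_state() {
    knob="${1:-$HELPER_KNOB}"
    if [ ! -r "$knob" ]; then
        echo "absent"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$knob")
    case "$value" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown:$value" ;;
    esac
}

# check_after <last shorewall command> [path]
# Returns 0 if the knob matches what the thread says Shorewall sets
# (0 after start/restart/reload, 1 after clear), 1 on mismatch, 2 on bad usage.
check_after() {
    case "$1" in
        start|restart|reload) want="disabled" ;;
        clear) want="enabled" ;;
        *) echo "usage: check_after start|restart|reload|clear [path]" >&2
           return 2 ;;
    esac
    state=$(helper_state "$2")
    if [ "$state" = "absent" ]; then
        # Assumption: no knob means there is nothing for Shorewall to set.
        echo "knob not present; nothing to check"
        return 0
    fi
    if [ "$state" = "$want" ]; then
        echo "ok: automatic helper assignment is $state after '$1'"
        return 0
    fi
    echo "mismatch: automatic helper assignment is $state after '$1', expected $want"
    return 1
}
```

Source the file and run `check_after start` once the firewall is up; a mismatch means something other than the last Shorewall command changed the setting.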