Bug 10844 - Make conntrack helper modules configurable in the GUI
Status: CLOSED FIXED
Product: IPFire
Version: 2
Assignee: Alexander Marx
Blocks: 10665 10908
Reported: 2015-05-12 13:07 UTC by Michael Tremer
Modified: 2016-03-03 17:10 UTC (History)

Attachments
no default selections (4.25 KB, image/png)
2016-03-03 16:28 UTC, Tom Rymes

Description Michael Tremer 2015-05-12 13:07:48 UTC
In #10665 we rewrite handling of the conntrack helper modules. For that we should add the possibility for the user to enable and disable them on the GUI.

I suggest adding that to the Firewall Options page by adding a new section headlined "Application Layer Gateways" and have a list of protocols which can be individually enabled/disabled by clicking on the right radio button.

The protocols are as follows:

* amanda
* ftp
* h323
* irc
* pptp
* sip
* tftp

The current default setting is that they are all enabled except SIP. I think it is probably best to enable them all by default.

The configuration should be stored in /var/ipfire/optionsfw/settings with the key name: CONNTRACK_<PROTOCOL>=bool where <PROTOCOL> is the name of the protocol as stated above in uppercase letters and bool is either "on" or "off".
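
Added example (not part of the original report and not IPFire's own code): a shell audit of the settings format described above, reporting each CONNTRACK_<PROTOCOL> key as on, off, unset or invalid. The function names, the sample file and the handling of repeated keys are assumptions.

```shell
#!/bin/sh
# Added example: audit CONNTRACK_<PROTOCOL> keys in an optionsfw-style settings file.

# Protocol names as listed in the bug description.
CONNTRACK_PROTOCOLS="amanda ftp h323 irc pptp sip tftp"

# Print one helper's state: on, off, unset (key absent) or invalid (any other value).
conntrack_helper_state() {
    file=$1
    key="CONNTRACK_$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    if ! grep -q "^${key}=" "$file"; then
        echo unset
        return 0
    fi
    # Assumption: if a key is repeated, the last assignment is the one reported.
    value=$(sed -n "s/^${key}=//p" "$file" | tail -n 1)
    case $value in
        on|off) echo "$value" ;;
        *)      echo invalid ;;
    esac
}

# Print "<protocol> <state>" per helper; defaults to the full list above.
audit_conntrack_helpers() {
    file=$1
    shift
    [ $# -gt 0 ] || set -- $CONNTRACK_PROTOCOLS
    for proto in "$@"; do
        printf '%s %s\n' "$proto" "$(conntrack_helper_state "$file" "$proto")"
    done
}

# Succeed only if every audited helper is explicitly "on" or "off".
conntrack_settings_ok() {
    ! audit_conntrack_helpers "$@" | grep -Eq ' (unset|invalid)$'
}

# Constructed sample file, not taken from a real IPFire system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
EXAMPLE_OTHER_KEY=on
CONNTRACK_FTP=on
CONNTRACK_SIP=off
CONNTRACK_H323=
CONNTRACK_IRC=yes
EOF
audit_conntrack_helpers "$sample"
```

On a real system, pass /var/ipfire/optionsfw/settings as the first argument, optionally followed by the protocol names to check.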
Comment 1 Michael Tremer 2015-05-12 13:34:54 UTC
Check the latest commits on the iptables-conntrack branch for reference:

http://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/iptables-conntrack
Comment 2 Alexander Marx 2015-07-02 05:28:52 UTC
What is the sense of having the possibility to disable these protocols?
Does it improve load on the firewall?
Comment 3 Michael Tremer 2015-07-03 23:46:32 UTC
(In reply to Alexander Marx from comment #2)
> What is the sense of having the possibility to disable these protocols?
> Does it improve load on the firewall?

No, the performance penalty is really small.

The SIP handler for example can cause some problems with some phones or PBXes registering at providers. So this is intended as a workaround for these faulty phones.
Comment 4 Michael Tremer 2015-08-12 15:33:29 UTC
Please remove amanda and pptp, which do not work, from the list.
Comment 5 Alexander Marx 2015-08-20 10:58:57 UTC
Simple commit, please check this.
I did not edit the language files because I think the protocol names should be sufficient in all languages.
If not, contact me.

http://git.ipfire.org/?p=people/amarx/ipfire-2.x.git;a=commit;h=b09802d40ea5f277f3d17086fbd58fd7c9d795ea
Comment 6 Tom Rymes 2016-03-03 16:28:24 UTC
Created attachment 419 [details]
no default selections
Comment 7 Tom Rymes 2016-03-03 16:29:12 UTC
I downloaded the latest nightly build and this change was not present, but I copied the optionsfw.cgi file to /srv/web/ipfire/cgi-bin/ and the en.pl file to /var/ipfire/langs/the install and the new options showed up.

One thing I noticed is that the header "Application Layer Gateway" does not appear above the new options, perhaps I placed the en_pl file in the wrong place?

Next, none of the options are populated with a default setting, i.e. neither "on" nor "off" is selected. Is this intended?
Comment 8 Tom Rymes 2016-03-03 17:10:29 UTC
OK, I fixed the issue with "Application Layer Gateways" not showing up by executing the following command (found in lang.pl):

perl -e "require '//var/ipfire/lang.pl'; &Lang::BuildCacheLang"