
I'm receiving the message

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

The kernel is 5.4.23 and the nftables version is 0.9.3. How can I assign a helper to that ct state?

table ip filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ct state established,related accept
                iif "lo" accept
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

1 Answer


I got the same error on CentOS 8. To resolve it, enable automatic conntrack helper assignment by:

echo "net.netfilter.nf_conntrack_helper = 1" >> /etc/sysctl.conf
sysctl -p

-- Edit: As per the comments below from @2072 and @Gwyneth Llewelyn, it is not advised at all to perform the above change except for testing. Instead, the proper solution can be found here

  • 1
    These connection trackers are now disabled by default because they can be abused to bypass firewall rules in certain condition. Re-enabling them is not a real solution. If you use `ufw` and you receive this message a solution can be found by reading this thread: https://bugs.launchpad.net/ufw/+bug/1782969 and `ufw` connection helper's manual entry: http://manpages.ubuntu.com/manpages/focal/man8/ufw-framework.8.html#connection%20helpers – 2072 Apr 13 '21 at 07:28
  • For runtime-only change (non-permanent) run: `sysctl -w net.netfilter.nf_conntrack_helper=1`. – reddot Oct 20 '21 at 14:15
  • @2072 you ought to put that comment into a proper answer! I agree that it's a 'bad idea' to simply override the deprecation mechanism willy-nilly and expose the firewall to potential abuse. Note also that a freshly installed Ubuntu 22.04/Debian Bullseye will already have the appropriate `IPT_MODULES=""` line for `ufw` (which notoriously uses `nf_conntrack_*`) – Gwyneth Llewelyn Oct 16 '22 at 10:47
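The kernel message quoted in the question points at the alternative to flipping `net.netfilter.nf_conntrack_helper` back on: attach the helper explicitly to the flows that need it, so that no other traffic can ever pick up a helper. In iptables that is the `CT --helper` target; the nftables equivalent is a `ct helper` object plus a `ct helper set` rule. The ruleset below is an added example written for this thread, not code from the question or the answer. It assumes the helper wanted is the FTP one (the question does not say which protocol triggered the message) and that the `nf_conntrack_ftp` kernel module is loaded; the object name `ftp-standard` and the port 21 rule are illustrative choices.

```nft
# Added example: explicit conntrack helper attachment in nftables
# (nftables 0.9.x syntax, as used in the question). Requires the kernel
# helper module to be present first, e.g.: modprobe nf_conntrack_ftp
table ip filter {
        # Helper object. "ftp" must match the kernel helper's name; the object
        # name (ftp-standard) is ours and only has to be unique in this table.
        ct helper ftp-standard {
                type "ftp" protocol tcp
        }

        # The helper has to be attached before the connection is confirmed,
        # so it is set in the prerouting hook, and only for the FTP control
        # channel. No other flow gets a helper, which is the whole point.
        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                tcp dport 21 ct helper set "ftp-standard"
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iif "lo" accept
                # Data channels opened by the helper show up as "related";
                # matching on ct helper "ftp" restricts this to FTP expectations
                # instead of accepting every related flow from every helper.
                ct state established accept
                ct state related ct helper "ftp" accept
                # New connections to the control channel itself.
                tcp dport 21 ct state new accept
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset` that the `ct helper ftp-standard` object and the prerouting rule are present; with this in place the "default automatic helper assignment has been turned off" message no longer applies, because the helper is assigned by rule rather than by the deprecated port-based auto-assignment, and `net.netfilter.nf_conntrack_helper` can stay at 0.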