nf_conntrack automatic helper assignment deprecated

For quite a while, I've been getting the "nf_conntrack: automatic helper assignment is deprecated and it will be removed soon" warning at boot. So I can't say I was too surprised when I started getting "kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead."

Back in January/February 2017 there was a post on the Linux-Kernel mailing list submitting a patch to print out the warning so firewall admins would at least have notice. As best as I can tell from reading a ton of stuff, the warning is logged if a packet which would have otherwise traversed your firewall didn't because there was no helper available. More information can be found at Secure use of iptables and connection tracking helpers.

It seems there are two options: turn the helpers on (not recommended, security risk) or modify your iptables rules. The article cited above has some great examples. If you're using ConfigServer Security & Firewall, you'll need to turn the helpers back on as they haven't modified their script yet to include helpers. See this post for info on turning the helpers on. FireHOL has. I'm not sure about any of the others.
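To check which of the two options a given firewall is actually using, the following script audits `iptables-save` output for explicit CT target helper rules. It is an added example, not part of the original post or of any firewall package: the function names and the sample ruleset are constructed for illustration, and it assumes the automatic-assignment setting is exposed as the `net.netfilter.nf_conntrack_helper` sysctl.

```shell
#!/bin/sh
# SAMPLE_RULES is constructed iptables-save output, not from a real host.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
COMMIT'

# Helpers attached explicitly with the CT target, one per line.
explicit_helpers() {
    printf '%s\n' "$1" | sed -n 's/.*-j CT .*--helper \([^ ]*\).*/\1/p' | sort -u
}

# Rules that accept RELATED traffic without naming a helper. This is a
# review flag only: RELATED also covers ICMP errors, so read each hit.
broad_related_rules() {
    printf '%s\n' "$1" | grep -- '--ctstate [A-Z,]*RELATED' |
        grep -v -- '-m helper --helper '
}

# audit_ruleset RULES SYSCTL_VALUE
# SYSCTL_VALUE: value of net.netfilter.nf_conntrack_helper (1 = automatic).
audit_ruleset() {
    rc=0
    if [ "$2" = "1" ]; then
        echo "WARN: automatic helper assignment is enabled"; rc=1
    fi
    helpers=$(explicit_helpers "$1")
    if [ -z "$helpers" ]; then
        echo "WARN: no CT target rules, no helper is attached explicitly"; rc=1
    else
        echo "OK: explicit helpers: $(echo $helpers)"
    fi
    if broad=$(broad_related_rules "$1"); then
        echo "WARN: RELATED accepted without a helper match:"
        echo "$broad"; rc=1
    fi
    return $rc
}

# On a live host (root): audit_ruleset "$(iptables-save)" \
#     "$(sysctl -n net.netfilter.nf_conntrack_helper 2>/dev/null)"
audit_ruleset "$SAMPLE_RULES" 0
```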
