Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:nf_conntrack_expect [2025/01/10 16:11] – [Shorewall and helpers] niccolo
+++ doc:appunti:linux:sa:nf_conntrack_expect [2025/06/09 09:57] (current) – [Shorewall and helpers] niccolo
@@ Line 156: / Line 156: @@
 </code>
-Or you can add this into **/etc/shorewall/conntrack**:
+The default **Debian 12 Bookworm** configuration for Shorewall provides a **conntrack** file where helpers can be enabled only if the Shorewall **AUTOHELPERS** option is enabled (in ''shorewall.conf'') and if the **CT_TARGET** iptables/netfilter capability is available (verify the output of ''shorewall show capabilities'').
+For example you can enable the sip helper adding this line in **/etc/shorewall/conntrack**:
 <code>
@@ Line 164: / Line 166: @@
 In this case the helper is instantiated into the raw table in both PREROUTING and OUTPUT chains.
-The default **Debian 12 Bookworm** configuration for Shorewall provides a **conntrack** file where helpers are enabled only if the Shorewall **AUTOHELPERS** option is enabled (in ''shorewall.conf'') and if the **CT_TARGET** iptables/netfilter capability is available (verify with ''shorewall show capabilities'' output).
+==== Shorewall upgrade from Debian 11 to 12 ====
+In Debian, upgrading to **Shorewall 5.2.8** as per upgrade from **Debian 11 Bullseye** to **Debian 12 Bookworm**, connection tracking protocol helpers are no longer globally enabled by default; use **shorewall-conntrack(5)** or **shorewall-rules(5)** to enable them as appropriate where they are required.
+Setting **AUTOHELPERS** to 'Yes' in shorewall.conf restores the previous behavior.
 ===== Web references =====