
Disable conntrack helpers by default
Open, Normal, Public

Description

Conntrack/NAT helpers can sometimes be useful, but much of the time they are useless or, as recent security research (NAT slipstreaming v2.0) shows, outright dangerous: https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/

I believe we should change that syntax to disable them all by default and allow enabling them.

This will break configs for existing users who rely on them though. It should be relatively simple to make a migration script that creates a config with all modules enabled on updating from 1.2.x.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Unspecified (please specify)

Event Timeline

erkin changed the task status from Open to In progress. Aug 8 2021, 12:14 PM
erkin claimed this task.
erkin triaged this task as Normal priority.

Not working on 1.4-rolling-202108300430 (results from livecd, same as new install; note the conntrack entries):

vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 hw-id '52:54:00:8e:dc:fe'
set interfaces loopback lo
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/'
set system login user vyos authentication plaintext-password ''
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
vyos@vyos:~$ show version

Version:          VyOS 1.4-rolling-202108300430
Release Train:    sagitta

Built by:         [email protected]
Built on:         Mon 30 Aug 2021 04:30 UTC
Build UUID:       1f5fc6a3-24fb-4e92-a360-13b095e279b1
Build Commit ID:  393ad560653dc2

Architecture:     x86_64
Boot via:         livecd
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    923fecb5-756d-441a-b19e-3614183e0126

Copyright:        VyOS maintainers and contributors

Looks like it runs all the migration scripts when loading the default config:

vyos@vyos:~$ cat /opt/vyatta/etc/config/vyos-migrate.log 
List of executed migration scripts:
/opt/vyatta/etc/config-migrate/migrate/bgp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/broadcast-relay/0-to-1
/opt/vyatta/etc/config-migrate/migrate/cluster/0-to-1
/opt/vyatta/etc/config-migrate/migrate/config-management/0-to-1
/opt/vyatta/etc/config-migrate/migrate/conntrack/0-to-1
/opt/vyatta/etc/config-migrate/migrate/conntrack/1-to-2
/opt/vyatta/etc/config-migrate/migrate/conntrack/2-to-3
/opt/vyatta/etc/config-migrate/migrate/conntrack-sync/0-to-1
/opt/vyatta/etc/config-migrate/migrate/conntrack-sync/1-to-2
/opt/vyatta/etc/config-migrate/migrate/dhcp-relay/0-to-1
/opt/vyatta/etc/config-migrate/migrate/dhcp-relay/1-to-2
/opt/vyatta/etc/config-migrate/migrate/dhcp-server/0-to-1
/opt/vyatta/etc/config-migrate/migrate/dhcp-server/1-to-2
/opt/vyatta/etc/config-migrate/migrate/dhcp-server/2-to-3
/opt/vyatta/etc/config-migrate/migrate/dhcp-server/3-to-4
/opt/vyatta/etc/config-migrate/migrate/dhcp-server/4-to-5
/opt/vyatta/etc/config-migrate/migrate/dhcpv6-server/0-to-1
/opt/vyatta/etc/config-migrate/migrate/dns-forwarding/0-to-1
/opt/vyatta/etc/config-migrate/migrate/dns-forwarding/1-to-2
/opt/vyatta/etc/config-migrate/migrate/dns-forwarding/2-to-3
/opt/vyatta/etc/config-migrate/migrate/firewall/0-to-1
/opt/vyatta/etc/config-migrate/migrate/firewall/1-to-2
/opt/vyatta/etc/config-migrate/migrate/firewall/2-to-3
/opt/vyatta/etc/config-migrate/migrate/firewall/3-to-4
/opt/vyatta/etc/config-migrate/migrate/firewall/4-to-5
/opt/vyatta/etc/config-migrate/migrate/firewall/5-to-6
/opt/vyatta/etc/config-migrate/migrate/https/0-to-1
/opt/vyatta/etc/config-migrate/migrate/https/1-to-2
/opt/vyatta/etc/config-migrate/migrate/https/2-to-3
/opt/vyatta/etc/config-migrate/migrate/interfaces/0-to-1
/opt/vyatta/etc/config-migrate/migrate/interfaces/1-to-2
/opt/vyatta/etc/config-migrate/migrate/interfaces/2-to-3
/opt/vyatta/etc/config-migrate/migrate/interfaces/3-to-4
/opt/vyatta/etc/config-migrate/migrate/interfaces/4-to-5
/opt/vyatta/etc/config-migrate/migrate/interfaces/5-to-6
/opt/vyatta/etc/config-migrate/migrate/interfaces/6-to-7
/opt/vyatta/etc/config-migrate/migrate/interfaces/7-to-8
/opt/vyatta/etc/config-migrate/migrate/interfaces/8-to-9
/opt/vyatta/etc/config-migrate/migrate/interfaces/9-to-10
/opt/vyatta/etc/config-migrate/migrate/interfaces/10-to-11
/opt/vyatta/etc/config-migrate/migrate/interfaces/11-to-12
/opt/vyatta/etc/config-migrate/migrate/interfaces/12-to-13
/opt/vyatta/etc/config-migrate/migrate/interfaces/13-to-14
/opt/vyatta/etc/config-migrate/migrate/interfaces/14-to-15
/opt/vyatta/etc/config-migrate/migrate/interfaces/15-to-16
/opt/vyatta/etc/config-migrate/migrate/interfaces/16-to-17
/opt/vyatta/etc/config-migrate/migrate/interfaces/17-to-18
/opt/vyatta/etc/config-migrate/migrate/interfaces/18-to-19
/opt/vyatta/etc/config-migrate/migrate/interfaces/19-to-20
/opt/vyatta/etc/config-migrate/migrate/interfaces/20-to-21
/opt/vyatta/etc/config-migrate/migrate/interfaces/21-to-22
/opt/vyatta/etc/config-migrate/migrate/interfaces/22-to-23
/opt/vyatta/etc/config-migrate/migrate/ipoe-server/0-to-1
/opt/vyatta/etc/config-migrate/migrate/ipsec/0-to-1
/opt/vyatta/etc/config-migrate/migrate/ipsec/1-to-2
/opt/vyatta/etc/config-migrate/migrate/ipsec/2-to-3
/opt/vyatta/etc/config-migrate/migrate/ipsec/3-to-4
/opt/vyatta/etc/config-migrate/migrate/ipsec/4-to-5
/opt/vyatta/etc/config-migrate/migrate/ipsec/5-to-6
/opt/vyatta/etc/config-migrate/migrate/ipsec/6-to-7
/opt/vyatta/etc/config-migrate/migrate/ipsec/7-to-8
/opt/vyatta/etc/config-migrate/migrate/isis/0-to-1
/opt/vyatta/etc/config-migrate/migrate/l2tp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/l2tp/1-to-2
/opt/vyatta/etc/config-migrate/migrate/l2tp/2-to-3
/opt/vyatta/etc/config-migrate/migrate/l2tp/3-to-4
/opt/vyatta/etc/config-migrate/migrate/lldp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/mdns/0-to-1
/opt/vyatta/etc/config-migrate/migrate/nat/0-to-1
/opt/vyatta/etc/config-migrate/migrate/nat/1-to-2
/opt/vyatta/etc/config-migrate/migrate/nat/2-to-3
/opt/vyatta/etc/config-migrate/migrate/nat/3-to-4
/opt/vyatta/etc/config-migrate/migrate/nat/4-to-5
/opt/vyatta/etc/config-migrate/migrate/nat66/0-to-1
/opt/vyatta/etc/config-migrate/migrate/ntp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/openconnect/0-to-1
/opt/vyatta/etc/config-migrate/migrate/policy/0-to-1
/opt/vyatta/etc/config-migrate/migrate/pppoe-server/0-to-1
/opt/vyatta/etc/config-migrate/migrate/pppoe-server/1-to-2
/opt/vyatta/etc/config-migrate/migrate/pppoe-server/2-to-3
/opt/vyatta/etc/config-migrate/migrate/pppoe-server/3-to-4
/opt/vyatta/etc/config-migrate/migrate/pppoe-server/4-to-5
/opt/vyatta/etc/config-migrate/migrate/pptp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/pptp/1-to-2
/opt/vyatta/etc/config-migrate/migrate/qos/0-to-1
/opt/vyatta/etc/config-migrate/migrate/quagga/0-to-1
/opt/vyatta/etc/config-migrate/migrate/quagga/1-to-2
/opt/vyatta/etc/config-migrate/migrate/quagga/2-to-3
/opt/vyatta/etc/config-migrate/migrate/quagga/3-to-4
/opt/vyatta/etc/config-migrate/migrate/quagga/4-to-5
/opt/vyatta/etc/config-migrate/migrate/quagga/5-to-6
/opt/vyatta/etc/config-migrate/migrate/quagga/6-to-7
/opt/vyatta/etc/config-migrate/migrate/quagga/7-to-8
/opt/vyatta/etc/config-migrate/migrate/quagga/8-to-9
/opt/vyatta/etc/config-migrate/migrate/rpki/0-to-1
/opt/vyatta/etc/config-migrate/migrate/salt/0-to-1
/opt/vyatta/etc/config-migrate/migrate/snmp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/snmp/1-to-2
/opt/vyatta/etc/config-migrate/migrate/ssh/0-to-1
/opt/vyatta/etc/config-migrate/migrate/ssh/1-to-2
/opt/vyatta/etc/config-migrate/migrate/sstp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/sstp/1-to-2
/opt/vyatta/etc/config-migrate/migrate/sstp/2-to-3
/opt/vyatta/etc/config-migrate/migrate/sstp/3-to-4
/opt/vyatta/etc/config-migrate/migrate/system/0-to-1
/opt/vyatta/etc/config-migrate/migrate/system/1-to-2
/opt/vyatta/etc/config-migrate/migrate/system/2-to-3
/opt/vyatta/etc/config-migrate/migrate/system/3-to-4
/opt/vyatta/etc/config-migrate/migrate/system/4-to-5
/opt/vyatta/etc/config-migrate/migrate/system/5-to-6
/opt/vyatta/etc/config-migrate/migrate/system/6-to-7
/opt/vyatta/etc/config-migrate/migrate/system/7-to-8
/opt/vyatta/etc/config-migrate/migrate/system/8-to-9
/opt/vyatta/etc/config-migrate/migrate/system/9-to-10
/opt/vyatta/etc/config-migrate/migrate/system/10-to-11
/opt/vyatta/etc/config-migrate/migrate/system/11-to-12
/opt/vyatta/etc/config-migrate/migrate/system/12-to-13
/opt/vyatta/etc/config-migrate/migrate/system/13-to-14
/opt/vyatta/etc/config-migrate/migrate/system/14-to-15
/opt/vyatta/etc/config-migrate/migrate/system/15-to-16
/opt/vyatta/etc/config-migrate/migrate/system/16-to-17
/opt/vyatta/etc/config-migrate/migrate/system/17-to-18
/opt/vyatta/etc/config-migrate/migrate/system/18-to-19
/opt/vyatta/etc/config-migrate/migrate/system/19-to-20
/opt/vyatta/etc/config-migrate/migrate/system/20-to-21
/opt/vyatta/etc/config-migrate/migrate/vrf/0-to-1
/opt/vyatta/etc/config-migrate/migrate/vrf/1-to-2
/opt/vyatta/etc/config-migrate/migrate/vrf/2-to-3
/opt/vyatta/etc/config-migrate/migrate/vrrp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/vrrp/1-to-2
/opt/vyatta/etc/config-migrate/migrate/vyos-accel-ppp/0-to-1
/opt/vyatta/etc/config-migrate/migrate/vyos-accel-ppp/1-to-2
/opt/vyatta/etc/config-migrate/migrate/wanloadbalance/0-to-1
/opt/vyatta/etc/config-migrate/migrate/wanloadbalance/1-to-2
/opt/vyatta/etc/config-migrate/migrate/wanloadbalance/2-to-3
/opt/vyatta/etc/config-migrate/migrate/webproxy/0-to-1
/opt/vyatta/etc/config-migrate/migrate/webproxy/1-to-2
/opt/vyatta/etc/config-migrate/migrate/zone-policy/0-to-1

@stepler on a fresh installation, all migration scripts will be run, as the default config contains no component version string, and has to be incrementally migrated.

@jestabro, I see that, but it defeats the intent of disabling conntrack modules by default.

Note also that nothing here has been backported to 1.3 yet.

Backport to 1.3 is complete. See T3821 for further discussion.

This does still need to be addressed in 1.4. Without a version string, the 2-to-3 migrator is adding the conntrack helpers to the default config.
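A model of the migration step the description proposes (write every helper out explicitly for configs coming from 1.2.x) together with the fresh-install edge case reported above, as an added example and not VyOS's own migration code; the helper list comes from the 'show configuration commands' output quoted in this task, while the version-trailer format, the versionless_is_legacy switch and the sample configs are assumptions constructed here:

```python
import re

# Helpers that 1.2.x loaded implicitly; the list is taken from the
# 'show configuration commands' output quoted in this task.
LEGACY_HELPERS = ("ftp", "h323", "nfs", "pptp", "sip", "sqlnet", "tftp")
HELPERS_OPT_IN_VERSION = 3  # the conntrack '2-to-3' step named in the thread

# Trailer format is an assumption modelled on the VyOS
# '// vyos-config-version: "...:conntrack@2:..."' line.
VERSION_RE = re.compile(r'vyos-config-version:\s*"([^"]*)"')

def component_versions(config_text):
    """Parse the per-component version trailer into {component: int}; {} if absent."""
    versions = {}
    m = VERSION_RE.search(config_text)
    if m:
        for item in m.group(1).split(":"):
            name, _, ver = item.partition("@")
            if name and ver.isdigit():
                versions[name] = int(ver)
    return versions

def migrate_conntrack_helpers(config_text, versionless_is_legacy=True):
    """Return the 'set ...' lines with the conntrack 2-to-3 step applied.

    A conntrack component older than HELPERS_OPT_IN_VERSION had every helper
    loaded implicitly, so the step writes them out.  A config with no trailer is
    ambiguous: versionless_is_legacy=True treats it as version 0, the behaviour
    reported in this task (a fresh default config ends up with every helper);
    False leaves it untouched (an assumption here, not the project's resolution).
    """
    commands = [ln.strip() for ln in config_text.splitlines() if ln.strip().startswith("set ")]
    versions = component_versions(config_text)
    if "conntrack" not in versions and not versionless_is_legacy:
        return commands
    if versions.get("conntrack", 0) >= HELPERS_OPT_IN_VERSION:
        return commands  # already explicit: nothing to add
    prefix = "set system conntrack modules "
    present = {c[len(prefix):] for c in commands if c.startswith(prefix)}
    commands.extend(prefix + h for h in LEGACY_HELPERS if h not in present)
    return commands

# Constructed sample inputs: a 1.2.x-style config carrying a trailer, and a
# default config without one (the fresh-install case from the thread).
LEGACY_CONFIG = """set interfaces ethernet eth0 address '192.0.2.1/24'
set system host-name 'vyos'
// vyos-config-version: "conntrack@2:firewall@5:system@20"
"""
DEFAULT_CONFIG = "set interfaces loopback lo\nset system host-name 'vyos'\n"
```

Running migrate_conntrack_helpers(DEFAULT_CONFIG) with the default switch reproduces the quoted livecd output: all seven helper lines appear in a config that never asked for them.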

jestabro claimed this task.
jestabro added a subscriber: erkin.

Reopen to investigate, as unresolved ... cf. T5515, T3821

dmbaturin set Issue type to Unspecified (please specify).

This will follow from the solutions in subtask T6006.