Provided by: firehol-doc_3.1.7+ds-2_all bug


       firehol-cthelper - control connection tracking helpers


       { cthelper | cthelper4 | cthelper6 } protocol helper where [rule-params]


       The  netfilter team has included in the Linux kernel protocol helpers that monitor traffic
       and allow them to work under the connection tracker.

       The following protocol helpers have been provided:

       • amanda

       • ftp

       • tftp (cannot be configured)

       • h323 (cannot be configured)

       • irc (does not support IPv6)

       • netbios_ns (cannot be configured)

       • pptp (does not support IPv6)

       • gre (cannot be configured)

       • sane

       • sip

       By default, the helpers will trust either side of the communication.  This is considered a
       security issue and should be avoided.

       Using  cthelper  the helpers that can be configured, can be instructed to trust a specific
       side of the communication.

       Before doing so,  the  variable  FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT  should  be  set  to

       where defines where the trusted traffic is expected.  It can be:

       • IN, INPUT, or PREROUTING to match incoming packets

       • OUT, OUTPUT to match outgoing packets

       • BOTH, BIDIRECTIONAL, or INOUT to match all packets

       The  rule-params  define  a set of rule parameters to further restrict the traffic that is
       matched.  See firehol-params(5) for more details.

       FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT accepts the following values:

       • kernel which is the default, allows the kernel to determine  by  itself  which  side  to

       • firehol  to  have  FireHOL  automatically generate cthelper statements keeping src, dst,
         inface and outface from the statements that require each helper.  Keep in mind this will
         only  generate  valid  statements  if you don’t use NAT at all.  cthelper statements are
         executed by iptables before any NAT is applied, while  packet  filtering  is  configured
         after DNAT and before SNAT, resulting in wrong statements when NAT is applied.

       • manual to use the cthelper helper to configure the trusts in firehol.conf.

       When  set  to  kernel, FireHOL will set net.netfilter.nf_conntrack_helper=1.  In all other
       cases, FireHOL will set net.netfilter.nf_conntrack_helper=0.


               # enable manual protocol helpers mode

               # trust SIP packets we send via interface dsl0
               cthelper sip out outface dsl0

               # trust SIP packets we receive from via eth0
               cthelper sip in inface eth0 src

               # trust pptp packets we send via interface wan0 (IPv4 only)
               cthelper4 pptp out outface wan0


firehol(1) - FireHOL program

       • firehol.conf(5) - FireHOL configuration

       • FireHOL Website (

       • FireHOL Online PDF Manual (

       • FireHOL Online Documentation (


       FireHOL Team.