Move nf_conntrack_helper disabling into separate file

README.md

@@ -124,16 +124,16 @@ modules for the user, like drivers etc., given they are plugged in on startup.
 
 #### Blacklist and disable kernel modules
 
+Conntrack: Deactivates Netfilter's connection tracking helper module which
+increases kernel attack surface by enabling superfluous functionality such
+as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`.
+
 Certain kernel modules are blacklisted by default to reduce attack surface via
 `/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
 modules from automatically starting.
 
 -   CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
 
--   Conntrack: Deactivates Netfilter's connection tracking helper - this module
-    increases kernel attack surface by enabling superfluous functionality such
-    as IRC parsing in the kernel. Hence, this feature is disabled.
-
 -   Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause 
     kernel panics, and are generally only used by legacy devices. 
 

debian/security-misc.maintscript

@@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
 
-## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
+## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf

etc/modprobe.d/30_security-misc_blacklist.conf

@@ -21,13 +21,6 @@ blacklist sr_mod
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 
-## Conntrack:
-## Disable automatic conntrack helper assignment.
-##
-## https://phabricator.whonix.org/T486
-##
-options nf_conntrack nf_conntrack_helper=0
-
 ## Framebuffer Drivers:
 ##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco

etc/modprobe.d/30_security-misc_conntrack.conf

@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Conntrack:
+## Disable Netfilter's automatic connection tracking helper assignment.
+## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.
+##
+## https://conntrack-tools.netfilter.org/manual.html
+## https://forums.whonix.org/t/disable-conntrack-helper/18917
+##
+options nf_conntrack nf_conntrack_helper=0