Move nf_conntrack_helper disabling into separate file

2024-10-01 08:25:45 -04:00 · 2024-07-13 23:32:01 +10:00 · 2024-07-13 23:32:01 +10:00 · 9f58266546
commit 9f58266546
parent 8f2ec75f81
4 changed files with 16 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -124,16 +124,16 @@ modules for the user, like drivers etc., given they are plugged in on startup.

 #### Blacklist and disable kernel modules

+Conntrack: Deactivates Netfilter's connection tracking helper module which
+increases kernel attack surface by enabling superfluous functionality such
+as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`.
+
 Certain kernel modules are blacklisted by default to reduce attack surface via
 `/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
 modules from automatically starting.

 -   CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.

-   Conntrack: Deactivates Netfilter's connection tracking helper - this module
-    increases kernel attack surface by enabling superfluous functionality such
-    as IRC parsing in the kernel. Hence, this feature is disabled.
-
 -   Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause 
    kernel panics, and are generally only used by legacy devices. 

--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf

-## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
+## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@ -21,13 +21,6 @@ blacklist sr_mod
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc

-## Conntrack:
-## Disable automatic conntrack helper assignment.
-##
-## https://phabricator.whonix.org/T486
-##
-options nf_conntrack nf_conntrack_helper=0
-
 ## Framebuffer Drivers:
 ##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
--- a/etc/modprobe.d/30_security-misc_conntrack.conf
+++ b/etc/modprobe.d/30_security-misc_conntrack.conf
@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Conntrack:
+## Disable Netfilter's automatic connection tracking helper assignment.
+## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.
+##
+## https://conntrack-tools.netfilter.org/manual.html
+## https://forums.whonix.org/t/disable-conntrack-helper/18917
+##
+options nf_conntrack nf_conntrack_helper=0