This is a very delayed response, but I finally got around to testing @jack's findings above, and it doesn't seem to be working. I may have missed something, but this is printed from my testing tonight.
root@Route10:~# uci set firewall.@zone[0].auto_helper='0'
root@Route10:~# uci set firewall.@zone[0].helper='amanda ftp RAS Q.931 irc pptp snmp tftp'
root@Route10:~# uci commit
root@Route10:~# iptables -traw -vL |grep helper
2520 533K zone_lan_helper all -- br-lan any anywhere anywhere /* !fw3: lan CT helper assignment */
7294 1836K zone_lan_helper all -- br-lan_10 any anywhere anywhere /* !fw3: lan CT helper assignment */
Chain zone_lan_helper (2 references)
0 0 CT udp -- any any anywhere anywhere /* !fw3: Amanda backup and archiving proto */ udp dpt:10080 CT helper amanda
0 0 CT tcp -- any any anywhere anywhere /* !fw3: FTP passive connection tracking */ tcp dpt:ftp CT helper ftp
0 0 CT udp -- any any anywhere anywhere /* !fw3: RAS proto tracking */ udp dpt:1719 CT helper RAS
0 0 CT tcp -- any any anywhere anywhere /* !fw3: Q.931 proto tracking */ tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- any any anywhere anywhere /* !fw3: IRC DCC connection tracking */ tcp dpt:ircd CT helper irc
0 0 CT tcp -- any any anywhere anywhere /* !fw3: PPTP VPN connection tracking */ tcp dpt:1723 CT helper pptp
79 32420 CT tcp -- any any anywhere anywhere /* !fw3: SIP VoIP connection tracking */ tcp dpt:sip CT helper sip
183 98152 CT udp -- any any anywhere anywhere /* !fw3: SIP VoIP connection tracking */ udp dpt:sip CT helper sip
0 0 CT udp -- any any anywhere anywhere /* !fw3: SNMP monitoring connection tracking */ udp dpt:snmp CT helper snmp
0 0 CT udp -- any any anywhere anywhere /* !fw3: TFTP connection tracking */ udp dpt:tftp CT helper tftp
after the commit. I’m not sure when that’s needed. It’s not needed on reboot, but I did just see the same thing you saw - and it was fixed by doing the reload. Perhaps it’s an issue when doing configuration changes? I’ll update what I labeled a “solution”.
I was able to disable SIP before using the information in this thread, but now I can’t make it work. Has something changed in the recent updates, and does something else need to be done? Below is what I have in the post-cfg.sh. I run it and /etc/init.d/firewall reload, but after using iptables -t raw -vL | grep helper, I still see:
/* !fw3: SIP VoIP connection tracking */ tcp dpt:sip CT helper sip
0 0 CT udp -- any any anywhere anywhere /* !fw3: SIP VoIP connection tracking */ udp dpt:sip CT helper sip
0 0 CT udp -- any any anywhere anywhere
# Remove SIP lines from modules.d
sed -i -e '/^nf_conntrack_sip$/d' -e '/^nf_nat_sip$/d' /etc/modules.d/nf-nathelper-extra
# Unload modules if they were already loaded
rmmod nf_nat_sip 2>/dev/null
rmmod nf_conntrack_sip 2>/dev/null
uci set firewall.@zone[0].auto_helper='0'
uci set firewall.@zone[0].helper='amanda ftp RAS Q.931 irc pptp snmp tftp'
uci commit
I see those. Those are in the zone_vpn_helper chain. They should only come into play when going over a VPN. They probably appeared when Alta Labs added a zone for VPN. I'll see how to get rid of them though. This is all controllable through OpenWrt and uci.
This should be pretty easy to implement. OpenWrt already supports this. I'd suggest checkboxes for all the ALGs OpenWrt supports, with SIP defaulted to off. Ideally, include some info as to what they do, so they're not just magic buttons people can press.
Instead of setting zone[0], you should set defaults[0], which applies to all zones.
uci set firewall.@defaults[0].helper='amanda ftp RAS Q.931 irc pptp snmp tftp'
# I instead get rid of all of them with: uci set firewall.@defaults[0].helper=''
uci set firewall.@defaults[0].auto_helper='0'
uci commit
/etc/init.d/firewall reload
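The two points made above (a leftover `CT helper sip` rule may live in a different per-zone chain such as zone_vpn_helper rather than zone_lan_helper, and `defaults[0]` is what covers every zone) both come down to the same verification step: after `/etc/init.d/firewall reload`, find out which chains still assign the SIP helper. The script below is an added example written for this thread, not code from any poster or from OpenWrt or Alta Labs. It parses `iptables -t raw -vL` output with awk and reports, per chain, the protocol of each rule ending in `CT helper sip`. The listing embedded as `SAMPLE` is constructed for the example (its counters, interface names and the `tun0` VPN interface are made up); on a real box `check_live` feeds the actual `iptables` output through the same parser.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): given the output of
#   iptables -t raw -vL
# report which per-zone helper chains still assign the SIP conntrack helper.
# This distinguishes a rule in zone_lan_helper (applies to LAN traffic) from one
# that only exists in zone_vpn_helper (applies to tunnel traffic).

# Constructed sample of `iptables -t raw -vL` output, trimmed to the helper chains.
# Counters, interface names and chain contents are illustrative, not captured.
SAMPLE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 zone_lan_helper  all  --  br-lan any     anywhere             anywhere             /* !fw3: lan CT helper assignment */
    0     0 zone_vpn_helper  all  --  tun0   any     anywhere             anywhere             /* !fw3: vpn CT helper assignment */

Chain zone_lan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  any    any     anywhere             anywhere             /* !fw3: FTP passive connection tracking */ tcp dpt:ftp CT helper ftp

Chain zone_vpn_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  any    any     anywhere             anywhere             /* !fw3: SIP VoIP connection tracking */ tcp dpt:sip CT helper sip
    0     0 CT         udp  --  any    any     anywhere             anywhere             /* !fw3: SIP VoIP connection tracking */ udp dpt:sip CT helper sip
'

# sip_helper_chains: read an iptables listing on stdin and print, one per line,
# "<chain> <proto>" for every rule that assigns the sip helper.
# In `iptables -vL` output the columns are: pkts bytes target prot opt in out ...
# so $3 is the target (CT) and $4 is the protocol.
sip_helper_chains() {
    awk '
        /^Chain /        { chain = $2; next }   # remember which chain we are in
        /CT helper sip$/ { print chain, $4 }    # report chain and protocol
    '
}

# sip_helper_present: read an iptables listing on stdin; exit 0 if any chain
# still assigns the sip helper, 1 otherwise. Useful as a post-reload check.
sip_helper_present() {
    [ -n "$(sip_helper_chains)" ]
}

# check_live: use the real `iptables -t raw -vL` when the binary is available
# (i.e. when run on the router), otherwise fall back to the constructed sample.
check_live() {
    if command -v iptables >/dev/null 2>&1; then
        iptables -t raw -vL 2>/dev/null
    else
        printf '%s' "$SAMPLE"
    fi | sip_helper_chains
}

# Typical use on the router, after `uci commit` and `/etc/init.d/firewall reload`:
#   sh check_sip_helper.sh            (prints nothing when the helper is gone)
check_live
```

Run against the constructed sample it prints `zone_vpn_helper tcp` and `zone_vpn_helper udp` and nothing for zone_lan_helper, which is exactly the situation described above: SIP ALG is off for LAN clients but still attached to the VPN zone until `defaults[0].helper` is changed. An empty result after the reload means no zone assigns the helper. On builds that have moved from fw3 to fw4 (nftables), the raw table is not where to look; `nft list ruleset` is the equivalent listing there, and the parser above would need adapting to its syntax.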