From 6cda8b1496795422d4c0bfcea2ea2bf29c32daa0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 10 Oct 2016 16:10:30 +0000
Subject: [PATCH] disable conntrack helper for better security
https://phabricator.whonix.org/T486
---
 etc/modprobe.d/30_nf_conntrack_helper_disable.conf | 2 ++
 etc/sysctl.d/nf_conntrack_helper.conf | 4 ----
 2 files changed, 2 insertions(+), 4 deletions(-)
 create mode 100644 etc/modprobe.d/30_nf_conntrack_helper_disable.conf
 delete mode 100644 etc/sysctl.d/nf_conntrack_helper.conf
diff --git a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
new file mode 100644
index 0000000..bd42a28
--- /dev/null
+++ b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
@@ -0,0 +1,2 @@
+## https://phabricator.whonix.org/T486
+options nf_conntrack nf_conntrack_helper=0
diff --git a/etc/sysctl.d/nf_conntrack_helper.conf b/etc/sysctl.d/nf_conntrack_helper.conf
deleted file mode 100644
index 69b751d..0000000
--- a/etc/sysctl.d/nf_conntrack_helper.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-## TODO
-## Disable conntrack helper?
-## https://phabricator.whonix.org/T486
-#net.netfilter.nf_conntrack_helper=0
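Review bot: The only comment above `options nf_conntrack nf_conntrack_helper=0` in the new 30_nf_conntrack_helper_disable.conf is a ticket URL, so the file does not say what the setting does or why it is there. I would add something like `## Disable automatic conntrack helper assignment: helpers parse application payloads (e.g. FTP, SIP) and open related connections on their own.` and `## If a helper is ever needed, attach it explicitly with a firewall rule instead.` A modprobe.d option is applied only when nf_conntrack is loaded as a module after this file is in place, so it presumably has no effect if the module is built in or was loaded earlier in boot. It would be worth stating that assumption in the file and confirming the live value through `/sys/module/nf_conntrack/parameters/nf_conntrack_helper` on a booted system.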