T5614: extend ipv4 firewall documentation on conntrack-helper matching

2025-10-26 08:41:46 +01:00 · 2024-03-25 10:50:42 -04:00 · 2024-03-25 10:50:42 -04:00 · 27970f7a20
commit 27970f7a20
parent f78f351670
1 changed files with 24 additions and 0 deletions
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@ -906,6 +906,30 @@ geoip) to keep database and rules updated.
   Match when 'count' amount of connections are seen within 'time'. These
   matching criteria can be used to block brute-force attempts.

+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+   conntrack-helper <module>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+   conntrack-helper <module>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+   conntrack-helper <module>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+   conntrack-helper <module>
+
+   Match based on connection tracking protocol helper module to secure use of 
+   that helper module. See below for possible completions `<module>`. 
+
+   .. code-block:: none
+
+      Possible completions:
+          ftp                  Related traffic from FTP helper
+          h323                 Related traffic from H.323 helper
+          pptp                 Related traffic from PPTP helper
+          nfs                  Related traffic from NFS helper
+          sip                  Related traffic from SIP helper
+          tftp                 Related traffic from TFTP helper
+          sqlnet               Related traffic from SQLNet helper
+
+
 ********
 Synproxy
 ********