diff --git a/config/etc/modprobe.d/nf_conntrack.conf b/config/etc/modprobe.d/nf_conntrack.conf
new file mode 100644
index 000000000..d5a181306
--- /dev/null
+++ b/config/etc/modprobe.d/nf_conntrack.conf
@@ -0,0 +1,2 @@
+# Disable automatic conntrack helper assignment
+options nf_conntrack nf_conntrack_helper=0
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 5b763fd87..07446b73b 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -22,6 +22,7 @@ etc/mime.types
 etc/modprobe.d
 etc/modprobe.d/btmrvl_sdio.conf
 etc/modprobe.d/cfg80211.conf
+etc/modprobe.d/nf_conntrack.conf
 etc/modprobe.d/pcspeaker.conf
 etc/modules.conf
 etc/mtab
diff --git a/doc/language_issues.es b/doc/language_issues.es
index d375f6962..f3c46504f 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -640,6 +640,7 @@ WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: advproxy proxy port transparent
 WARNING: untranslated string: age second
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: atm device
 WARNING: untranslated string: attention
 WARNING: untranslated string: bit
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index f0f5ec4e4..38f3d26aa 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -647,6 +647,7 @@ WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: advproxy proxy port transparent
 WARNING: untranslated string: age second
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: atm device
 WARNING: untranslated string: attention
 WARNING: untranslated string: bit
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 65643e875..fd64d9564 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
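Review bot: The `options nf_conntrack nf_conntrack_helper=0` line only takes effect when nf_conntrack is loaded as a module through modprobe; if it is built into the kernel, or is already loaded before this file is consulted, the setting silently stays at the kernel's built-in value and helpers may again be auto-assigned, which would undo the explicit CT-target binding done in init.d/firewall. Setting `net.netfilter.nf_conntrack_helper = 0` through sysctl as well covers both cases; I cannot tell from the diff how the IPFire kernel builds nf_conntrack. The comment should also record what replaces auto-assignment, e.g. `# Disable automatic conntrack helper assignment; helpers are bound to their ports explicitly via the CT target in the raw table (see init.d/firewall)`.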
@@ -700,6 +700,7 @@ WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: bytes
 WARNING: untranslated string: check all
 WARNING: untranslated string: dhcp dns enable update
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 3b57bdfe9..8052e1ff8 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -697,6 +697,7 @@ WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: atm device
 WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index d375f6962..f3c46504f 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -640,6 +640,7 @@ WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: advproxy proxy port transparent
 WARNING: untranslated string: age second
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: atm device
 WARNING: untranslated string: attention
 WARNING: untranslated string: bit
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 05d9e9119..b9dd90c21 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -640,6 +640,7 @@ WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: advproxy proxy port transparent
 WARNING: untranslated string: age second
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: atm device
 WARNING: untranslated string: attention
 WARNING: untranslated string: bit
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index a419afa9d..b701bdf93 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -703,6 +703,7 @@ WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Scan for Songs
+WARNING: untranslated string: application layer gateways
 WARNING: untranslated string: bytes
 WARNING: untranslated string: fwhost cust geoipgrp
 WARNING: untranslated string: fwhost err hostip
diff --git a/doc/language_missings b/doc/language_missings
index c490f2df9..32e1e48ec 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -26,6 +26,7 @@
 < age shour
 < age sminute
 < age ssecond
+< application layer gateways
 < atm device
 < attention
 < bit
@@ -636,6 +637,7 @@
 < age shour
 < age sminute
 < age ssecond
+< application layer gateways
 < Async logging enabled
 < atm device
 < attention
@@ -1229,6 +1231,7 @@
 < age shour
 < age sminute
 < age ssecond
+< application layer gateways
 < atm device
 < attention
 < bit
@@ -1808,6 +1811,7 @@
 < age shour
 < age sminute
 < age ssecond
+< application layer gateways
 < atm device
 < attention
 < bit
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 34e0cdcab..7a0e8e0c4 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -120,6 +120,21 @@ $checked{'SHOWTABLES'}{$settings{'SHOWTABLES'}} = "checked='checked'";
 $checked{'SHOWDROPDOWN'}{'off'} = '';
 $checked{'SHOWDROPDOWN'}{'on'} = '';
 $checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'";
+$checked{'CONNTRACK_FTP'}{'off'} = '';
+$checked{'CONNTRACK_FTP'}{'on'} = '';
+$checked{'CONNTRACK_FTP'}{$settings{'CONNTRACK_FTP'}} = "checked='checked'";
+$checked{'CONNTRACK_H323'}{'off'} = '';
+$checked{'CONNTRACK_H323'}{'on'} = '';
+$checked{'CONNTRACK_H323'}{$settings{'CONNTRACK_H323'}} = "checked='checked'";
+$checked{'CONNTRACK_IRC'}{'off'} = '';
+$checked{'CONNTRACK_IRC'}{'on'} = '';
+$checked{'CONNTRACK_IRC'}{$settings{'CONNTRACK_IRC'}} = "checked='checked'";
+$checked{'CONNTRACK_SIP'}{'off'} = '';
+$checked{'CONNTRACK_SIP'}{'on'} = '';
+$checked{'CONNTRACK_SIP'}{$settings{'CONNTRACK_SIP'}} = "checked='checked'";
+$checked{'CONNTRACK_TFTP'}{'off'} = '';
+$checked{'CONNTRACK_TFTP'}{'on'} = '';
+$checked{'CONNTRACK_TFTP'}{$settings{'CONNTRACK_TFTP'}} = "checked='checked'";
 $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected';
 $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected';
 $selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected';
@@ -223,7 +238,22 @@ END off $Lang::tr{'fw settings dropdown'}on / off - + + 
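Review bot: The new `$checked{'CONNTRACK_*'}{$settings{'CONNTRACK_*'}}` lookups index by a settings value that has no default, so on an installation whose optionsfw/settings predates these keys (the diff seeds them only in lfs/configroot, i.e. at image build time, and I see no update script here) the lookup sets `$checked{...}{''}` and neither radio button is selected, while init.d/firewall's `= "on"` test treats the absent key as off. Defaulting the lookup to 'off' keeps the page consistent with what the firewall actually does on such systems. The five identical three-line groups are also a candidate for a loop, which would make adding the AMANDA/PPTP switches later a one-word change; a rewrite is below. This code is top-level script code, not inside a function.
```perl
# One radio pair per application layer gateway; an absent key selects 'off',
# matching how init.d/firewall treats a missing CONNTRACK_* setting.
for my $helper (qw(FTP H323 IRC SIP TFTP)) {
	my $key = "CONNTRACK_${helper}";
	$checked{$key}{'off'} = '';
	$checked{$key}{'on'} = '';
	$checked{$key}{$settings{$key} || 'off'} = "checked='checked'";
}
# … unchanged: $selected{'FWPOLICY*'} lines …
```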
+ + + + + + + + +
$Lang::tr{'application layer gateways'}
FTPon / + off
H.323on / + off
IRCon / + off
SIPon / + off
TFTPon / + off

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2bca854ff..7c330bb0f 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -367,6 +367,7 @@
 'alt vpn' => 'VPNs',
 'and' => 'Und',
 'apcupsd' => 'APC-UPS Status',
+'application layer gateways' => 'Application-Layer-Gateways',
 'apply' => 'Jetzt anwenden',
 'april' => 'April',
 'archive not exist' => 'Konfigurationsarchiv existiert nicht',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 4c523921c..23f63102b 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -369,6 +369,7 @@
 'and' => 'And',
 'ansi t1.483' => 'TO BE REMOVED',
 'apcupsd' => 'APC-UPS status',
+'application layer gateways' => 'Application Layer Gateways',
 'apply' => 'Apply now',
 'april' => 'April',
 'archive not exist' => 'Configuration archive does not exist',
diff --git a/lfs/configroot b/lfs/configroot
index cb7499694..f8e9ce417 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -135,6 +135,16 @@ $(TARGET) :
 	echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
 	echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
 
+	# Add conntrack helper default settings
+	for proto in FTP H323 IRC SIP TFTP; do \
+		echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \
+	done
+
+	# Do not enable these by default because these are broken
+	for proto in AMANDA PPTP; do \
+		echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
+	done
+
 
 	# set converters executable
 	chmod 755 /usr/sbin/convert-*
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 662207153..cb52670d6 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -21,9 +21,11 @@ iptables_init() {
 	iptables -F
 	iptables -t nat -F
 	iptables -t mangle -F
+	iptables -t raw -F
 	iptables -X
 	iptables -t nat -X
 	iptables -t mangle -X
+	iptables -t raw -X
 
 	# Set up policies
 	iptables -P INPUT DROP
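Review bot: The comment `# Do not enable these by default because these are broken` above the AMANDA/PPTP loop does not say what is broken, which is exactly what the next person deciding whether to switch one of them on needs to know; from the init.d/firewall hunk it looks like the PPTP CT rule is bound to UDP although PPTP's control channel is TCP, and the Amanda CT rule has no port bound at all, so I would record that, e.g. `# Keep AMANDA and PPTP off: their helper rules in init.d/firewall are not yet usable (PPTP rule uses the wrong protocol, Amanda rule is not port-bound)`. A second, smaller point: both loops append with `>>`, so re-running this recipe against an existing settings file duplicates the keys; that matches the surrounding `echo … >>` lines, so it only matters if the recipe is ever re-run outside a fresh build. The `$(TARGET)` recipe starts before this hunk.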
@@ -84,10 +86,71 @@ iptables_init() {
 	iptables -A INPUT -p tcp -j BADTCP
 	iptables -A FORWARD -p tcp -j BADTCP
 
-	# Connection tracking chain
+	# Connection tracking chains
 	iptables -N CONNTRACK
-	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
 	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+	iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
+	iptables -t raw -N CONNTRACK
+	iptables -t raw -A PREROUTING -j CONNTRACK
+
+	# Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
+
+	# SIP
+	if [ "${CONNTRACK_SIP}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper sip -j ACCEPT
+		for proto in udp tcp; do
+			iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip
+		done
+	fi
+
+	# H.323
+	if [ "${CONNTRACK_H323}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper h323 -j ACCEPT
+
+		# Gatekeeper RAS
+		iptables -t raw -A CONNTRACK -p udp --dport 1719 -j CT --helper RAS
+
+		# Q.931
+		iptables -t raw -A CONNTRACK -p tcp --dport 1720 -j CT --helper Q.931
+	fi
+
+	# FTP
+	if [ "${CONNTRACK_FTP}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
+		iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp
+	fi
+
+	# PPTP
+	if [ "${CONNTRACK_PPTP}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper pptp -j ACCEPT
+		iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp
+	fi
+
+	# TFTP
+	if [ "${CONNTRACK_TFTP}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper tftp -j ACCEPT
+		iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp
+	fi
+
+	# IRC
+	if [ "${CONNTRACK_IRC}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper irc -j ACCEPT
+		iptables -t raw -A CONNTRACK -p tcp --dport 6667 -j CT --helper irc
+	fi
+
+	# Amanda
+	if [ "${CONNTRACK_AMANDA}" = "on" ]; then
+		iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+			-m helper --helper amanda -j ACCEPT
+		iptables -t raw -A CONNTRACK -p tcp -j CT --helper amanda
+	fi
 
 	# Fix for braindead ISP's
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -400,24 +463,6 @@ iptables_red_down() {
 # See how we were called.
 case "$1" in
 	start)
-		boot_mesg "Loading firewall modules into the kernel"
-		modprobe iptable_nat || failed=1
-		for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
-			modprobe $(basename $i | cut -d. -f1) || failed=1
-		done
-		for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
-			modprobe $(basename $i | cut -d. -f1) || failed=1
-		done
-		(exit ${failed})
-		evaluate_retval
-
-		if [ -e /var/ipfire/main/disable_nf_sip ]; then
-			rmmod nf_nat_sip
-			rmmod nf_conntrack_sip
-			rmmod nf_nat_h323
-			rmmod nf_conntrack_h323
-		fi
-
 		boot_mesg "Setting up firewall"
 		iptables_init
 		evaluate_retval
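Review bot: The PPTP rule `iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp` binds the helper to UDP, but the PPTP control channel is TCP/1723 and the kernel pptp helper is registered for TCP, so with CONNTRACK_PPTP=on iptables will refuse the rule (no helper named pptp exists for UDP) and the helper is never attached; it should read `iptables -t raw -A CONNTRACK -p tcp --dport 1723 -j CT --helper pptp`. The Amanda rule `iptables -t raw -A CONNTRACK -p tcp -j CT --helper amanda` has no `--dport`, so once enabled every TCP flow not already claimed by an earlier CT rule gets a helper attached, which is precisely the broad helper exposure this change otherwise removes; bind it to the Amanda port with `--dport 10080` like the other helpers. Only raw PREROUTING jumps to the new chain, so connections initiated by the firewall itself (raw OUTPUT) never get a helper, which may be intended but deserves a comment next to the PREROUTING jump. The modprobe loop removed further down also loaded the nf_nat_* helper modules, and `-j CT --helper` autoloads only the conntrack side, so please confirm that something else still loads nf_nat_ftp and friends wherever NAT applies, or document the expectation here. iptables_init() starts before this hunk.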
$Lang::tr{'fw default drop'}