New firewall maintainer here. I'm working on the backlog bugs. Sorry for the delay. Is this line really in your sysctl.conf? As I see it the default for this setting was changed in the Linux kernel starting in version 4.7. Thus it wasn't an explicit decision of openSUSE to disable this. You can work around this problem either by changing the sysctl value explicitly back to 1 (which would be less secure, but compatible). Or by adding the firewall rule you mentioned to a custom script configured via FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2. I'm not sure how we will solve this in future SuSEfirewall2 versions, because we're thinking about migrating to a new solution using firewalld. Either we will restore the previous value of net.netfilter.nf_conntrack_helper, or we have to add a simple configuration method to explicitly enabled helpers. I will have to think about your suggestion of implicitly enabling helpers based on allowed services. Thank you for the report and the suggestion. I will update this bug when I've implemented a viable solution.