diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 7ea4e593cd12..8ddeacf1a0f3 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -44,6 +44,10 @@ let
                    && kernelPackages.kernel.features ? netfilterRPFilter
                    && kernelPackages.kernel.features.netfilterRPFilter;
 
+  kernelCanDisableHelpers = kernelPackages.kernel ? features
+                   && kernelPackages.kernel.features ? canDisableNetfilterConntrackHelpers
+                   && kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers;
+
 in
 
 {
@@ -161,6 +165,37 @@ in
         '';
     };
 
+    networking.firewall.connectionTrackingModules = mkOption {
+      default = [ "ftp" ];
+      example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
+      type = types.list types.string;
+      description =
+        ''
+          List of connection-tracking helpers that are auto-loaded.
+          The complete list of possible values is given in the example.
+
+          As helpers can pose as a security risk, it is adviced to
+          set this to an empty list and disable the setting
+          networking.firewall.autoLoadConntrackHelpers
+
+          Loading of helpers is recommended to be done through the new
+          CT target. More info:
+          https://home.regit.org/netfilter-en/secure-use-of-helpers/
+        '';
+    };
+
+    networking.firewall.autoLoadConntrackHelpers = mkOption {
+      default = true;
+      type = types.bool;
+      description =
+        ''
+          Whether to auto-load connection-tracking helpers.
+          See the description at networking.firewall.connectionTrackingModules
+
+          (needs kernel 3.5+)
+        '';
+    };
+
     networking.firewall.extraCommands = mkOption {
       default = "";
       example = "iptables -A INPUT -p icmp -j ACCEPT";
@@ -189,10 +224,16 @@ in
 
     environment.systemPackages = [ pkgs.iptables ];
 
-    boot.kernelModules = [ "nf_conntrack_ftp" ];
+    boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
+    boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
+      options nf_conntrack nf_conntrack_helper=0
+    '';
 
     assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
-                     message = "This kernel does not support rpfilter"; } ];
+                     message = "This kernel does not support rpfilter"; }
+                   { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
+                     message = "This kernel does not support disabling conntrack helpers"; }
+                 ];
 
     jobs.firewall =
       { startOn = "started network-interfaces";