path: root/docs/configuration/system/conntrack.rst
Diffstat (limited to 'docs/configuration/system/conntrack.rst')
-rw-r--r-- docs/configuration/system/conntrack.rst | 204
1 files changed, 179 insertions, 25 deletions
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
index 7f7e4b77..68a4f2b8 100644
--- a/docs/configuration/system/conntrack.rst
+++ b/docs/configuration/system/conntrack.rst
@@ -1,33 +1,187 @@
-###################
-Connection tracking
-###################
-Modules
--------
+#########
+Conntrack
+#########
-.. code-block:: none
+VyOS can be configured to track connections using the connection
+tracking subsystem. Connection tracking becomes operational once either
+stateful firewall or NAT is configured.
- conntrack {
- modules {
- ftp
- h323
- nfs
- pptp
- sip
- sqlnet
- tftp
- }
- }
+*********
+Configure
+*********
-Enables ``conntrack`` modules. All modules are now disabled by default, while they
-used to be enabled in previous versions. Enabling the modules ensures backwards
-compatibility — keeping the previous behavior.
+.. cfgcmd:: set system conntrack table-size <1-50000000>
+ :defaultvalue:
-In most cases they can be disabled by removing the block of configuration.
+ The connection tracking table contains one entry for each connection being
+ tracked by the system.
-.. code-block:: none
+.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
+ :defaultvalue:
- delete system conntrack modules
+ The connection tracking expect table contains one entry for each expected
+ connection related to an existing connection. These are generally used by
+ “connection tracking helper” modules such as FTP.
+ The default size of the expect table is 2048 entries.
-For some scenarios it is in fact recommended, like in this example:
-:ref:`example-high-availability`.
+.. cfgcmd:: set system conntrack hash-size <1-50000000>
+ :defaultvalue:
+
+ Set the size of the hash table. The connection tracking hash table makes
+ searching the connection tracking table faster. The hash table uses
+ “buckets” to record entries in the connection tracking table.
+
+.. cfgcmd:: set system conntrack modules ftp
+.. cfgcmd:: set system conntrack modules h323
+.. cfgcmd:: set system conntrack modules nfs
+.. cfgcmd:: set system conntrack modules pptp
+.. cfgcmd:: set system conntrack modules sip
+.. cfgcmd:: set system conntrack modules sqlnet
+.. cfgcmd:: set system conntrack modules tftp
+
+ Configure the connection tracking protocol helper modules.
+ All modules are enable by default.
+
+ | Use `delete system conntrack modules` to deactive all modules.
+ | Or, for example ftp, `delete system conntrack modules ftp`.
+
+
+Define Conection Timeouts
+=========================
+
+VyOS supports setting timeouts for connections according to the
+connection type. You can set timeout values for generic connections, for ICMP
+connections, UDP connections, or for TCP connections in a number of different
+states.
+
+.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
+ :defaultvalue:
+
+ Set the timeout in secounds for a protocol or state.
+
+
+You can also define custom timeout values to apply to a specific subset of
+connections, based on a packet and flow selector. To do this, you need to
+create a rule defining the packet and flow selector.
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test>
+
+ Set a rule description.
+
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address>
+
+ set a destination and/or source address. Accepted input:
+
+ .. code-block:: none
+
+ <x.x.x.x> IP address to match
+ <x.x.x.x/x> Subnet to match
+ <x.x.x.x>-<x.x.x.x>
+ IP range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified subnet
+ !<x.x.x.x>-<x.x.x.x>
+ Match everything except the specified range
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value>
+
+ Set a destination and/or source port. Accepted input:
+
+ .. code-block:: none
+
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+
+ Multiple destination ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using '!'. For example:
+ `!22,telnet,http,123,1001-1005``
+
+
+
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
+
+ Set the timeout in secounds for a protocol or state in a custom rule.
+
+
+.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
+ :defaultvalue:
+
+ Set the maximum number of TCP half-open connections.
+
+.. cfgcmd:: set system conntrack tcp loose <enable | disable>
+ :defaultvalue:
+
+ Policy to track previously established connections.
+
+.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
+ :defaultvalue:
+
+ Set the number of TCP maximum retransmit attempts.
+
+.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address>
+.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port>
+
+ Customized ignore rules, based on a packet and flow selector.
+
+.. cfgcmd:: set system conntrack log icmp destroy
+.. cfgcmd:: set system conntrack log icmp new
+.. cfgcmd:: set system conntrack log icmp update
+.. cfgcmd:: set system conntrack log other destroy
+.. cfgcmd:: set system conntrack log other new
+.. cfgcmd:: set system conntrack log other update
+.. cfgcmd:: set system conntrack log tcp destroy
+.. cfgcmd:: set system conntrack log tcp new
+.. cfgcmd:: set system conntrack log tcp update close-wait
+.. cfgcmd:: set system conntrack log tcp update established
+.. cfgcmd:: set system conntrack log tcp update fin-wait
+.. cfgcmd:: set system conntrack log tcp update last-ack
+.. cfgcmd:: set system conntrack log tcp update syn-received
+.. cfgcmd:: set system conntrack log tcp update time-wait
+.. cfgcmd:: set system conntrack log udp destroy
+.. cfgcmd:: set system conntrack log udp new
+.. cfgcmd:: set system conntrack log udp update
+
+ Log the connection tracking events per protocol. \ No newline at end of file
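Review bot: the added module text contradicts the lines it replaces without explanation: the removed paragraph states that all conntrack helper modules are now disabled by default (and that enabling them restores the old behaviour), while the new `All modules are enable by default.` says the opposite; confirm which is true for the current defaults before merging, and in any case correct the grammar to `All modules are enabled by default.` Several spellings in the added text also need fixing: the heading `Define Conection Timeouts`, `secounds` in both timeout descriptions, and `deactive`. The inline literal on the port-list example line is unbalanced (`!22,telnet,http,123,1001-1005`` opens with one backtick and closes with two), so it will not render as intended; use double backticks on both sides. The custom-rule placeholder `description <test>` should read `description <text>`, matching the ignore-rule directive later in the hunk. The sentence `Multiple destination ports can be specified as a comma-separated list.` sits under a directive pair that covers both source and destination ports; state whether the same syntax applies to source ports. The log directive uses `syn-received` where every timeout directive uses `syn-recv`; check which token the CLI actually accepts so the two sections don't diverge. Lastly, the literal `The default size of the expect table is 2048 entries.` duplicates what `:defaultvalue:` renders for that command; keep one so they can't drift apart.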