1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
#########
Conntrack
#########
VyOS can be configured to track connections using the connection
tracking subsystem. Connection tracking becomes operational once either
stateful firewall or NAT is configured.
*********
Configure
*********
.. cfgcmd:: set system conntrack table-size <1-50000000>
:defaultvalue:
The connection tracking table contains one entry for each connection being
tracked by the system.
.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
:defaultvalue:
The connection tracking expect table contains one entry for each expected
connection related to an existing connection. These are generally used by
“connection tracking helper” modules such as FTP.
The default size of the expect table is 2048 entries.
.. cfgcmd:: set system conntrack hash-size <1-50000000>
:defaultvalue:
Set the size of the hash table. The connection tracking hash table makes
searching the connection tracking table faster. The hash table uses “buckets” to
record entries in the connection tracking table.
.. cfgcmd:: system conntrack modules ftp
.. cfgcmd:: system conntrack modules h323
.. cfgcmd:: system conntrack modules nfs
.. cfgcmd:: system conntrack modules pptp
.. cfgcmd:: system conntrack modules sip
.. cfgcmd:: system conntrack modules sqlnet
.. cfgcmd:: system conntrack modules tftp
Configure the connection tracking protocol helper modules.
All modules are enable by default.
| Use `delete system conntrack modules` to deactive all modules.
| Or, for example ftp, `delete system conntrack modules ftp`.
Define Conection Timeouts
=========================
VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
connections, UDP connections, or for TCP connections in a number of different states.
.. cfgcmd:: system conntrack timeout icmp <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout other <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp close <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp close-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp established <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp fin-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp last-ack <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp syn-recv <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp syn-sent <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout tcp time-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout udp other <1-21474836>
:defaultvalue:
.. cfgcmd:: system conntrack timeout udp stream <1-21474836>
:defaultvalue:
Set the timeout in secounds for a protocol or state.
You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you create a rule
defining the packet and flow selector.
.. cfgcmd:: system conntrack timeout custom rule <1-9999> description <test>
Set a rule description.
.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination address <ip-address>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> source address <ip-address>
set a destination and/or source address. Accepted input:
.. code-block:: none
<x.x.x.x> IP address to match
<x.x.x.x/x> Subnet to match
<x.x.x.x>-<x.x.x.x>
IP range to match
!<x.x.x.x> Match everything except the specified address
!<x.x.x.x/x> Match everything except the specified subnet
!<x.x.x.x>-<x.x.x.x>
Match everything except the specified range
.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination port <value>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> source port <value>
Set a destination and/or source port. Accepted input:
.. code-block:: none
<port name> Named port (any name in /etc/services, e.g., http)
<1-65535> Numbered port
<start>-<end> Numbered port range (e.g., 1001-1005)
Multiple destination ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'. For example:
`!22,telnet,http,123,1001-1005``
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
Set the timeout in secounds for a protocol or state in a custom rule.
.. cfgcmd:: system conntrack tcp half-open-connections <1-21474836>
:defaultvalue:
Set the maximum number of TCP half-open connections.
.. cfgcmd:: system conntrack tcp loose <enable | disable>
:defaultvalue:
Policy to track previously established connections.
.. cfgcmd:: system conntrack tcp max-retrans <1-2147483647>
:defaultvalue:
Set the number of TCP maximum retransmit attempts.
.. cfgcmd:: system conntrack ignore rule <1-9999> description <text>
.. cfgcmd:: system conntrack ignore rule <1-9999> destination address <ip-address>
.. cfgcmd:: system conntrack ignore rule <1-9999> destination port <port>
.. cfgcmd:: system conntrack ignore rule <1-9999> inbound-interface <interface>
.. cfgcmd:: system conntrack ignore rule <1-9999> protocol <protocol>
.. cfgcmd:: system conntrack ignore rule <1-9999> source address <ip-address>
.. cfgcmd:: system conntrack ignore rule <1-9999> source port <port>
Configure customized ignore rules for selective connection tracking
.. cfgcmd:: system conntrack log icmp destroy
.. cfgcmd:: system conntrack log icmp new
.. cfgcmd:: system conntrack log icmp update
.. cfgcmd:: system conntrack log other destroy
.. cfgcmd:: system conntrack log other new
.. cfgcmd:: system conntrack log other update
.. cfgcmd:: system conntrack log tcp destroy
.. cfgcmd:: system conntrack log tcp new
.. cfgcmd:: system conntrack log tcp update close-wait
.. cfgcmd:: system conntrack log tcp update established
.. cfgcmd:: system conntrack log tcp update fin-wait
.. cfgcmd:: system conntrack log tcp update last-ack
.. cfgcmd:: system conntrack log tcp update syn-received
.. cfgcmd:: system conntrack log tcp update time-wait
.. cfgcmd:: system conntrack log udp destroy
.. cfgcmd:: system conntrack log udp new
.. cfgcmd:: system conntrack log udp update
Log the connection tracking events per protocol.
|
