docs/configuration/system/conntrack.rst


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

###################
Connection tracking
###################

VyOS can be configured to track connections using the connection
tracking subsystem. Connection tracking becomes operational once either
stateful firewall or NAT is configured.

Conntrack Table
---------------

.. cfgcmd:: set system conntrack table-size <1-50000000>
    :defaultvalue:

    The connection tracking table contains one entry for each connection being
    tracked by the system.

.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
    :defaultvalue:

    The connection tracking expect table contains one entry for each expected
    connection related to an existing connection. These are generally used by
    “connection tracking helper” modules such as FTP.
    The default size of the expect table is 2048 entries.

.. cfgcmd:: set system conntrack hash-size <1-50000000>
    :defaultvalue:

    Set the size of the hash table. The connection tracking hash table makes
    searching the connection tracking table faster. The hash table uses
    “buckets” to record entries in the connection tracking table.


Modules
-------

Enables ``conntrack`` modules. All modules are enable by default.

.. cfgcmd:: set system conntrack modules ftp
.. cfgcmd:: set system conntrack modules h323
.. cfgcmd:: set system conntrack modules nfs
.. cfgcmd:: set system conntrack modules pptp
.. cfgcmd:: set system conntrack modules sip
.. cfgcmd:: set system conntrack modules sqlnet
.. cfgcmd:: set system conntrack modules tftp

Use ``delete system conntrack modules`` to deactive all modules.
Or, for example ftp, ``delete system conntrack modules ftp``.


Define Connection Timeouts
--------------------------

VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
connections, UDP connections, or for TCP connections in a number of different
states.

.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout other <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
    :defaultvalue:
.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
    :defaultvalue:

    Set the timeout in secounds for a protocol or state.


You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector.

.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   description <test>
.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   destination address <ip-address>
.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   destination port <value>
.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   inbound-interface <interface>
.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   source address <ip-address>
.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   source port <value>
.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
   protocol <protocol>

    Configure customized timeout rules for selective connection tracking.

Conntrack Ignore
----------------

Customized ignore rules, based on a packet and flow selector, can be
configured in VyOS. To do this, you can configure as much rules as
needed using next commands:

.. cfgcmd:: set system conntrack ignore rule <1-999999>
   description <text>
.. cfgcmd:: set system conntrack ignore rule <1-999999>
   destination address <ip-address>
.. cfgcmd:: set system conntrack ignore rule <1-999999>
   destination port <port>
.. cfgcmd:: set system conntrack ignore rule <1-999999>
   inbound-interface <interface>
.. cfgcmd:: set system conntrack ignore rule <1-999999>
   protocol <protocol>
.. cfgcmd:: set system conntrack ignore rule <1-999999>
   source address <ip-address>
.. cfgcmd:: set system conntrack ignore rule <1-999999>
   source port <port>

    Configure customized ignore rules for selective connection tracking.