Diffstat (limited to 'templates-cfg/system/conntrack')
-rw-r--r--templates-cfg/system/conntrack/expect-table-size/node.def32
-rw-r--r--templates-cfg/system/conntrack/hash-size/node.def18
-rw-r--r--templates-cfg/system/conntrack/modules/ftp/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/ftp/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/gre/disable/node.def21
-rw-r--r--templates-cfg/system/conntrack/modules/gre/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/h323/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/h323/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/pptp/disable/node.def20
-rw-r--r--templates-cfg/system/conntrack/modules/pptp/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sip/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def1
-rw-r--r--templates-cfg/system/conntrack/modules/sip/node.def61
-rw-r--r--templates-cfg/system/conntrack/modules/sip/port/node.def8
-rw-r--r--templates-cfg/system/conntrack/modules/tftp/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/tftp/node.def1
-rw-r--r--templates-cfg/system/conntrack/node.def24
-rw-r--r--templates-cfg/system/conntrack/table-size/node.def39
-rw-r--r--templates-cfg/system/conntrack/tcp/half-open-connections/node.def13
-rw-r--r--templates-cfg/system/conntrack/tcp/loose/node.def50
-rw-r--r--templates-cfg/system/conntrack/tcp/max-retrans/node.def13
-rw-r--r--templates-cfg/system/conntrack/tcp/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/icmp/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/other/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/close/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/established/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/udp/node.def1
-rw-r--r--templates-cfg/system/conntrack/timeout/udp/other/node.def13
-rw-r--r--templates-cfg/system/conntrack/timeout/udp/stream/node.def13
39 files changed, 495 insertions, 0 deletions
diff --git a/templates-cfg/system/conntrack/expect-table-size/node.def b/templates-cfg/system/conntrack/expect-table-size/node.def
new file mode 100644
index 0000000..f9f1ae5
--- /dev/null
+++ b/templates-cfg/system/conntrack/expect-table-size/node.def
@@ -0,0 +1,32 @@
+#
+# Config template for: system conntrack expect-table-size
+#
+# This is the table of expectations. Connection tracking expectations are
+# the mechanism used to "expect" RELATED connections to existing ones.
+# Expectations are generally used by "connection tracking helpers" (sometimes
+# called application level gateways [ALGs]) for more complex protocols such as
+# FTP, SIP, H.323.
+#
+# default value when no conntrack options set - 2048
+# default value when no conntrack options set - 4096
+#
+
+type: u32
+
+help: Size of connection tracking expect table
+
+default: 4096
+
+val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
+
+update:
+ sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=$VAR(@)
+
+
+
+
+
+
+
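Review bot: The two "default value" lines in the header comment both say "when no conntrack options set" yet give different numbers (2048 and 4096), so a reader cannot tell which applies; the second should read `# default value when conntrack is set - 4096`, matching the wording the table-size template uses for its 16384/32768 pair. The parent conntrack node.def resets this sysctl to 2048 on delete, which agrees with the first line. The run of empty lines after the `update:` recipe (also present at the end of table-size and tcp/loose) is noise and is worth trimming.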
diff --git a/templates-cfg/system/conntrack/hash-size/node.def b/templates-cfg/system/conntrack/hash-size/node.def
new file mode 100644
index 0000000..242d0fe
--- /dev/null
+++ b/templates-cfg/system/conntrack/hash-size/node.def
@@ -0,0 +1,18 @@
+help: Hash size for connection tracking table
+type: u32
+
+default: 4096
+
+val_help: u32:1-50000000; Size of hash to use for connection tracking table
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
+
+update:
+ if ! grep -q "nf_conntrack hashsize=$VAR(@)$" /etc/modprobe.d/vyatta_nf_conntrack.conf
+ then
+ sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ sudo sh -c "echo options nf_conntrack hashsize=$VAR(@) >> \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ echo "Updated conntrack hash size. This change will take affect when the system is rebooted."
+ fi
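Review bot: The `update:` recipe assumes /etc/modprobe.d/vyatta_nf_conntrack.conf already exists: when it does not, `grep -q` fails (so the branch is entered), `sed -i` then errors on the missing file, and only the `echo >>` creates it, so the first commit prints an error while still writing the option. Adding `sudo touch /etc/modprobe.d/vyatta_nf_conntrack.conf` before the sed, or skipping the sed when the file is absent, removes that path; the identical grep/sed/echo sequence is repeated in the `delete:` of templates-cfg/system/conntrack/node.def and needs the same guard. The user message here says "take affect" where the node.def copy says "take effect". If the running kernel exposes /sys/module/nf_conntrack/parameters/hashsize, writing the validated value there as well would apply the change immediately instead of only at the reboot the message promises.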
diff --git a/templates-cfg/system/conntrack/modules/ftp/disable/node.def b/templates-cfg/system/conntrack/modules/ftp/disable/node.def
new file mode 100644
index 0000000..40a64d5
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/ftp/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable FTP connection tracking
+
+create: sudo rmmod nf_nat_ftp
+ sudo rmmod nf_conntrack_ftp
+
+delete: sudo modprobe nf_conntrack_ftp
+ sudo modprobe nf_nat_ftp \ No newline at end of file
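Review bot: `rmmod` in the `create:` recipe returns non-zero when the module is not currently loaded or is still referenced, which aborts the commit without a message of its own; the same two-line create/delete pair appears in the h323, sip and tftp disable templates. `sudo modprobe -r nf_nat_ftp nf_conntrack_ftp`, the form the sip `end:` script already uses for unloading, tolerates a module that is not loaded and removes both in one dependency-ordered step. If an unload failure should still surface to the operator, append `|| { echo "Error: can not unload FTP connection tracking modules"; exit 1; }` so the commit log says why it stopped.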
diff --git a/templates-cfg/system/conntrack/modules/ftp/node.def b/templates-cfg/system/conntrack/modules/ftp/node.def
new file mode 100644
index 0000000..74a94b4
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/ftp/node.def
@@ -0,0 +1 @@
+help: FTP connection tracking settings \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/gre/disable/node.def b/templates-cfg/system/conntrack/modules/gre/disable/node.def
new file mode 100644
index 0000000..f6f9546
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/gre/disable/node.def
@@ -0,0 +1,21 @@
+help: Disable GRE connection tracking
+
+# GRE shouldn't be disabled when PPTP is enabled because PPTP depends on it
+create: cli-shell-api exists system conntrack modules pptp disable
+ if [ $? == 0 ]; then
+ # Unload PPTP modules if they are loaded
+ lsmod | grep -e "^nf_nat_pptp" 2>&1 >/dev/null
+ if [ $? == 0 ]; then
+ sudo rmmod nf_nat_pptp
+ sudo rmmod nf_conntrack_pptp
+ fi
+ # And GRE modules then
+ sudo rmmod nf_nat_proto_gre
+ sudo rmmod nf_conntrack_proto_gre
+ else
+ echo "Error: can not disable GRE connection tracking when PPTP connection tracking is enabled!"
+ exit 1
+ fi
+
+delete: sudo modprobe nf_conntrack_proto_gre
+ sudo modprobe nf_nat_proto_gre
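Review bot: The redirection `2>&1 >/dev/null` on the `lsmod | grep` line sends grep's stderr to the terminal and only its stdout to /dev/null; the intended order is `>/dev/null 2>&1`, or simply `lsmod | grep -q -e "^nf_nat_pptp"` with no redirection at all. `[ $? == 0 ]` depends on a bash extension of `[`; `if cli-shell-api exists system conntrack modules pptp disable; then` is portable and is the form the conntrack node.def `delete:` already uses, and the same `$? == 0` idiom appears twice in the pptp disable template. As in the other disable templates, the four `rmmod` calls fail silently when a module is not loaded or still in use, so `modprobe -r` with an explicit error on failure would make the commit outcome visible.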
diff --git a/templates-cfg/system/conntrack/modules/gre/node.def b/templates-cfg/system/conntrack/modules/gre/node.def
new file mode 100644
index 0000000..d192f7d
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/gre/node.def
@@ -0,0 +1 @@
+help: GRE connection tracking settings \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/h323/disable/node.def b/templates-cfg/system/conntrack/modules/h323/disable/node.def
new file mode 100644
index 0000000..1fb0117
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/h323/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable H.323 connection tracking
+
+create: sudo rmmod nf_nat_h323
+ sudo rmmod nf_conntrack_h323
+
+delete: sudo modprobe nf_conntrack_h323
+ sudo modprobe nf_nat_h323 \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/h323/node.def b/templates-cfg/system/conntrack/modules/h323/node.def
new file mode 100644
index 0000000..ae4b787
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/h323/node.def
@@ -0,0 +1 @@
+help: H.323 connection tracking settings \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/node.def b/templates-cfg/system/conntrack/modules/node.def
new file mode 100644
index 0000000..9666287
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/node.def
@@ -0,0 +1 @@
+help: Connection tracking modules settings \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/pptp/disable/node.def b/templates-cfg/system/conntrack/modules/pptp/disable/node.def
new file mode 100644
index 0000000..4ffd980
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/pptp/disable/node.def
@@ -0,0 +1,20 @@
+help: Disable PPTP connection tracking
+
+create: cli-shell-api exists system conntrack modules gre disable
+ if [ $? == 0 ]; then
+ # Do nothing, this case is handled in GRE module templates
+ :;
+ else
+ sudo rmmod nf_nat_pptp
+ sudo rmmod nf_conntrack_pptp
+ fi
+
+# PPTP shouldn't be enabled when GRE is disabled because PPTP depends on it
+delete: cli-shell-api exists system conntrack modules gre disable
+ if [ $? == 0 ]; then
+ echo "Error: can not enable PPTP connection tracking when GRE connection tracking is disabled!"
+ exit 1
+ else
+ sudo modprobe nf_conntrack_pptp
+ sudo modprobe nf_nat_pptp
+ fi
diff --git a/templates-cfg/system/conntrack/modules/pptp/node.def b/templates-cfg/system/conntrack/modules/pptp/node.def
new file mode 100644
index 0000000..a6ae0c4
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/pptp/node.def
@@ -0,0 +1 @@
+help: PPTP connection tracking settings \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/sip/disable/node.def b/templates-cfg/system/conntrack/modules/sip/disable/node.def
new file mode 100644
index 0000000..d0eaf81
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable SIP connection tracking
+
+create: sudo rmmod nf_nat_sip
+ sudo rmmod nf_conntrack_sip
+
+delete: sudo modprobe nf_conntrack_sip
+ sudo modprobe nf_nat_sip \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def b/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def
new file mode 100644
index 0000000..c29389e
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/enable-indirect-media/node.def
@@ -0,0 +1 @@
+help: Option to support for indirect media streams
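Review bot: The help text "Option to support for indirect media streams" is ungrammatical and is what users see in CLI completion; `help: Option to support indirect media streams` reads cleanly. The enable-indirect-signalling template has the same wording and should be changed alongside it.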
diff --git a/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def b/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def
new file mode 100644
index 0000000..82782ff
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/enable-indirect-signalling/node.def
@@ -0,0 +1 @@
+help: Option to support for indirect signalling streams
diff --git a/templates-cfg/system/conntrack/modules/sip/node.def b/templates-cfg/system/conntrack/modules/sip/node.def
new file mode 100644
index 0000000..b5a3225
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/node.def
@@ -0,0 +1,61 @@
+help: SIP connection tracking settings
+
+end: /bin/cli-shell-api existsEffective system conntrack modules sip disable && exit 0
+ reload=0
+ sdm=2
+ if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_media ]; then
+ sdm=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_media)
+ fi
+ if [ -n "$VAR(./enable-indirect-media)" ]; then
+ indirectmedia='sip_direct_media=0'
+ if [ $sdm -ge 1 ]; then reload=1; fi
+ else
+ if [ $sdm -eq 0 ]; then reload=1; fi
+ fi
+
+ sds=2
+ if [ -f /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling ]; then
+ sds=$(sudo cat /sys/module/nf_conntrack_sip/parameters/sip_direct_signalling)
+ fi
+ if [ -n "$VAR(./enable-indirect-signalling)" ]; then
+ indirectsignalling='sip_direct_signalling=0'
+ if [ $sds -ge 1 ]; then reload=1; fi
+ else
+ if [ $sds -eq 0 ]; then reload=1; fi
+ fi
+
+ if [ -n "$VAR(./port/@@)" ]; then
+ numports=0
+ for port in $VAR(./port/@@); do
+ if [ -z "$portval" ]; then
+ portval=$port
+ else
+ portval="${portval},$port"
+ fi
+ (( numports++ ))
+ done
+ portopt="ports=$portval"
+ if [ $numports -gt 8 ]; then
+ echo "Error: Can not specify more than 8 ports."
+ exit 1
+ fi
+ reload=1
+ fi
+
+ if [ -f /etc/modprobe.d/options ]; then
+ sudo sed -i '/nf_conntrack_sip/d' /etc/modprobe.d/options
+ fi
+
+ if [ -n "$indirectmedia" ] || [ -n "$indirectsignalling" ] || \
+ [ -n "$portopt" ]; then
+ sudo sh -c "echo \# Auto-generated by `whoami` at `date` > /etc/modprobe.d/vyatta_sip_options.conf"
+ sudo sh -c "echo options nf_conntrack_sip $indirectmedia $indirectsignalling $portopt >> /etc/modprobe.d/vyatta_sip_options.conf "
+ else
+ sudo rm -f /etc/modprobe.d/vyatta_sip_options.conf
+ fi
+
+ if [ $reload -eq 1 ]; then
+ sudo modprobe -r nf_nat_sip nf_conntrack_sip
+ sudo modprobe nf_conntrack_sip
+ sudo modprobe nf_nat_sip
+ fi
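Review bot: The reload branch at the end ignores the exit status of `modprobe -r nf_nat_sip nf_conntrack_sip`; when unloading fails because the modules are still in use, the following two `modprobe` calls are no-ops on the already-loaded modules, so the options just written to /etc/modprobe.d/vyatta_sip_options.conf silently do not take effect until reboot while the commit reports success. Check the result and say so: `if ! sudo modprobe -r nf_nat_sip nf_conntrack_sip; then echo "Error: can not reload SIP connection tracking modules; new options apply at next reboot"; exit 1; fi`. Separately, `reload=1` is set whenever any port is configured, so every commit that touches this subtree unloads the helper (dropping its tracked SIP state) even when the port list is unchanged; if the kernel exposes the current list under /sys/module/nf_conntrack_sip/parameters/, comparing against it the way the two direct_* parameters are compared above would avoid the needless reload.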
diff --git a/templates-cfg/system/conntrack/modules/sip/port/node.def b/templates-cfg/system/conntrack/modules/sip/port/node.def
new file mode 100644
index 0000000..b72f1ca
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sip/port/node.def
@@ -0,0 +1,8 @@
+multi:
+type: u32
+
+help: Port number that SIP traffic is carried on
+
+val_help: u32:1-65535; SIP port number
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <=65535) ; "Port number must be in range 1 to 65535"
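Review bot: The eight-port ceiling that the parent sip `end:` script enforces ("Can not specify more than 8 ports") is not visible from this node's help, so users only discover it at commit time; `val_help: u32:1-65535; SIP port number (at most 8 ports may be configured)` documents it where completion shows it. The expression `$VAR(@) <=65535` is also missing the space before the bound that every other template in this commit uses.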
diff --git a/templates-cfg/system/conntrack/modules/tftp/disable/node.def b/templates-cfg/system/conntrack/modules/tftp/disable/node.def
new file mode 100644
index 0000000..ebdecf4
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/tftp/disable/node.def
@@ -0,0 +1,7 @@
+help: Disable TFTP connection tracking
+
+create: sudo rmmod nf_nat_tftp
+ sudo rmmod nf_conntrack_tftp
+
+delete: sudo modprobe nf_conntrack_tftp
+ sudo modprobe nf_nat_tftp
diff --git a/templates-cfg/system/conntrack/modules/tftp/node.def b/templates-cfg/system/conntrack/modules/tftp/node.def
new file mode 100644
index 0000000..901f52e
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/tftp/node.def
@@ -0,0 +1 @@
+help: TFTP connection tracking settings \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/node.def b/templates-cfg/system/conntrack/node.def
new file mode 100644
index 0000000..53488ae
--- /dev/null
+++ b/templates-cfg/system/conntrack/node.def
@@ -0,0 +1,24 @@
+help: Connection tracking engine options
+
+priority: 218 # before NAT and conntrack-sync are configured
+
+delete: # set conntrack table size to standard 16384 entries if conntrack settings are removed
+ sudo sysctl -q -w net/nf_conntrack_max=16384
+
+ # set conntrack expect table size to standard 2048 entries if conntrack settings are removed
+ sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048
+
+ # set conntrack hash size to standard 4096
+ if ! grep -q "nf_conntrack hashsize=4096$" /etc/modprobe.d/vyatta_nf_conntrack.conf
+ then
+ sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ sudo sh -c "echo options nf_conntrack hashsize=4096 >> \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ echo "Conntrack hash size set to default 4096. This change will take effect when the system is rebooted."
+ fi
+
+ # need to restart conntrackd with updated conntrack table size
+ if cli-shell-api existsActive service conntrack-sync; then
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ fi
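Review bot: The `delete:` recipe hard-codes the reset values 16384, 2048 and 4096 while the child templates declare `default:` values of 32768, 4096 and 4096; the header comments in table-size and expect-table-size explain that the smaller numbers are the values used when no conntrack node exists, but nothing here says so, and a future reader is likely to "fix" them to match the defaults. A comment such as `# 16384/2048 are the values used when no conntrack node exists, not the template defaults` on the first sysctl line would prevent that. The hash-size block repeats the grep/sed/echo sequence from the hash-size template verbatim, including the assumption that /etc/modprobe.d/vyatta_nf_conntrack.conf already exists. Whether the trailing `# before NAT and conntrack-sync are configured` comment is accepted on the same line as `priority: 218` by the template parser is worth confirming; if not, it belongs on its own line above.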
diff --git a/templates-cfg/system/conntrack/table-size/node.def b/templates-cfg/system/conntrack/table-size/node.def
new file mode 100644
index 0000000..f91b101
--- /dev/null
+++ b/templates-cfg/system/conntrack/table-size/node.def
@@ -0,0 +1,39 @@
+#
+# Config template for: system conntrack table-size
+#
+# Sets the size of the TCP connection tracking table in the netfilter
+# nf_conntrack module, which is used by firewall and NAT. The size of
+# this table determines how many TCP connections can be simultaneously
+# tracked. If new connections arrive and the table is full, older
+# connections will be dropped out of the table. System administrators
+# must set the connection tracking table size based on the number of
+# connections they expect their system to track. The connection
+# tracking table consumes kernel memory, so the size selected should
+# be no larger than necessary.
+#
+# default value when contrack is not set - 16384
+# default value when conntrack is set - 32768
+#
+
+type: u32
+
+help: Size of connection tracking table
+
+default: 32768
+
+val_help: u32:1-50000000; Number of entries allowed in connection tracking table
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50000000"
+
+update:
+ sudo sysctl -q -w net/nf_conntrack_max=$VAR(@)
+ # need to restart conntrackd with updated conntrack table size
+ if cli-shell-api existsActive service conntrack-sync; then
+ sudo /opt/vyatta/sbin/vyatta-conntrack-sync.pl --action=enable
+ fi
+
+
+
+
+
+
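Review bot: The header comment describes this as "the TCP connection tracking table", but `net/nf_conntrack_max` bounds every tracked flow, UDP and ICMP included, so the text understates what the value controls; `# Sets the size of the connection tracking table in the netfilter` is accurate, and "contrack" in the default-value line below should read "conntrack". The comment that older connections "will be dropped out of the table" when it is full is also worth confirming against the kernel behaviour for this sysctl before it is relied on as documentation.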
diff --git a/templates-cfg/system/conntrack/tcp/half-open-connections/node.def b/templates-cfg/system/conntrack/tcp/half-open-connections/node.def
new file mode 100644
index 0000000..9474463
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/half-open-connections/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: Maximum number of TCP half-open connections
+
+default: 512
+
+val_help: u32:1-2147483647; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647"
+
+update: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=$VAR(@)
+
+delete: sudo sysctl -q -w net/ipv4/tcp_max_syn_backlog=512
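Review bot: `val_help: u32:1-2147483647; Generic connection timeout in seconds` is copied from a timeout template and describes neither this node, which is a count of half-open connections, nor tcp/max-retrans, which carries the same wrong text; here it should read `val_help: u32:1-2147483647; Maximum number of TCP half-open connections` and there `val_help: u32:1-2147483647; Maximum number of TCP retransmit attempts`. The intent of the sysctl is also worth confirming: `net/ipv4/tcp_max_syn_backlog` sizes the SYN queue of the host's own listening sockets rather than anything in nf_conntrack, so placing it under `system conntrack tcp` may surprise users who expect it to affect forwarded flows.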
diff --git a/templates-cfg/system/conntrack/tcp/loose/node.def b/templates-cfg/system/conntrack/tcp/loose/node.def
new file mode 100644
index 0000000..06706a2
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/loose/node.def
@@ -0,0 +1,50 @@
+#
+# This parameter directs the netfilter TCP connection tracking modules
+# (nf_conntrack, and others) to either allow or disallow the tracking
+# of TCP connections which are "previously established". This
+# includes all cases where the three-way connection opening handshake
+# was not seen by this machine. That includes the case the connection
+# was opened before this machine booted. It also includes cases where
+# the packets comprising the three-way handshake were routed via some
+# other router.
+#
+# If this parameter is set to "enable", tracking such connections is
+# allowed. If disabled, such tracking is disabled.
+# default value - 1
+
+type: txt
+
+help: Policy to track previously established connections
+
+val_help: enable; Allow tracking of previously established connections
+val_help: disable; Do not allow tracking of previously established connections
+
+default: "enable"
+
+syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable"
+
+update:
+ if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
+ sudo modprobe nf_conntrack_ipv4
+ fi
+ if [ "$VAR(@)" = "enable" ]; then
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1
+ elif [ "$VAR(@)" = "disable" ]; then
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=0
+ else
+ echo "Invalid parameter: $VAR(@)"
+ exit 1
+ fi
+
+delete:
+ if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
+ sudo modprobe nf_conntrack_ipv4
+ fi
+ sudo sysctl -q -w net/ipv4/netfilter/ip_conntrack_tcp_loose=1
+
+
+
+
+
+
+
diff --git a/templates-cfg/system/conntrack/tcp/max-retrans/node.def b/templates-cfg/system/conntrack/tcp/max-retrans/node.def
new file mode 100644
index 0000000..bf56f1f
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/max-retrans/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP maximum retransmit attempts
+
+default: 3
+
+val_help: u32:1-2147483647; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 2147483647) ; "Value must be between 1 and 2147483647"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_max_retrans=3
diff --git a/templates-cfg/system/conntrack/tcp/node.def b/templates-cfg/system/conntrack/tcp/node.def
new file mode 100644
index 0000000..67543ca
--- /dev/null
+++ b/templates-cfg/system/conntrack/tcp/node.def
@@ -0,0 +1 @@
+help: TCP options \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/icmp/node.def b/templates-cfg/system/conntrack/timeout/icmp/node.def
new file mode 100644
index 0000000..952178e
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/icmp/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: ICMP timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; ICMP timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_icmp_timeout=30
diff --git a/templates-cfg/system/conntrack/timeout/node.def b/templates-cfg/system/conntrack/timeout/node.def
new file mode 100644
index 0000000..f0193c6
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/node.def
@@ -0,0 +1 @@
+help: Connection timeout options \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/other/node.def b/templates-cfg/system/conntrack/timeout/other/node.def
new file mode 100644
index 0000000..a794bb7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/other/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: Generic connection timeout in seconds
+
+default: 600
+
+val_help: u32:1-21474836; Generic connection timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_generic_timeout=600
diff --git a/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
new file mode 100644
index 0000000..0491b68
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/close-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE-WAIT timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close_wait=60
diff --git a/templates-cfg/system/conntrack/timeout/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/tcp/close/node.def
new file mode 100644
index 0000000..38317d5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/close/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP CLOSE timeout in seconds
+
+default: 10
+
+val_help: u32:1-21474836; TCP CLOSE timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_close=10
diff --git a/templates-cfg/system/conntrack/timeout/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/tcp/established/node.def
new file mode 100644
index 0000000..9e47f1e
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/established/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP ESTABLISHED timeout in seconds
+
+default: 432000
+
+val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_established=432000
diff --git a/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
new file mode 100644
index 0000000..985a6a4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/fin-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP FIN-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_fin_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
new file mode 100644
index 0000000..3e07fe4
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/last-ack/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP LAST-ACK timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_last_ack=30
diff --git a/templates-cfg/system/conntrack/timeout/tcp/node.def b/templates-cfg/system/conntrack/timeout/tcp/node.def
new file mode 100644
index 0000000..2b67c51
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/node.def
@@ -0,0 +1 @@
+help: TCP connection timeout options \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
new file mode 100644
index 0000000..50c5512
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/syn-recv/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-RECEIVED timeout in seconds
+
+default: 60
+
+val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_recv=60
diff --git a/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
new file mode 100644
index 0000000..5856ba7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/syn-sent/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP SYN-SENT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_syn_sent=120
diff --git a/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
new file mode 100644
index 0000000..f6bd1c8
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/tcp/time-wait/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: TCP TIME-WAIT timeout in seconds
+
+default: 120
+
+val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_tcp_timeout_time_wait=120
diff --git a/templates-cfg/system/conntrack/timeout/udp/node.def b/templates-cfg/system/conntrack/timeout/udp/node.def
new file mode 100644
index 0000000..7ee8fd3
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/udp/node.def
@@ -0,0 +1 @@
+help: UDP timeout \ No newline at end of file
diff --git a/templates-cfg/system/conntrack/timeout/udp/other/node.def b/templates-cfg/system/conntrack/timeout/udp/other/node.def
new file mode 100644
index 0000000..0018f1c
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/udp/other/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: UDP generic timeout in seconds
+
+default: 30
+
+val_help: u32:1-21474836; UDP generic timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout=30
diff --git a/templates-cfg/system/conntrack/timeout/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/udp/stream/node.def
new file mode 100644
index 0000000..d86e683
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/udp/stream/node.def
@@ -0,0 +1,13 @@
+type: u32
+
+help: UDP stream timeout in seconds
+
+default: 180
+
+val_help: u32:1-21474836; UDP stream timeout in seconds
+
+syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836"
+
+update: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=$VAR(@)
+
+delete: sudo sysctl -q -w net/netfilter/nf_conntrack_udp_timeout_stream=180