Conntrack

VyOS can be configured to track connections using the connection tracking subsystem. Connection tracking becomes operational once either stateful firewall or NAT is configured.

Configure

set system conntrack table-size <1-50000000>

default: 262144

The connection tracking table contains one entry for each connection being tracked by the system.

set system conntrack expect-table-size <1-50000000>

default: 2048

The connection tracking expect table contains one entry for each expected connection related to an existing connection. These are generally used by “connection tracking helper” modules such as FTP. The default size of the expect table is 2048 entries.

set system conntrack hash-size <1-50000000>

default: 32768

Set the size of the hash table. The connection tracking hash table makes searching the connection tracking table faster. The hash table uses “buckets” to record entries in the connection tracking table.

set system conntrack modules ftp

set system conntrack modules h323

set system conntrack modules nfs

set system conntrack modules pptp

set system conntrack modules sip

set system conntrack modules sqlnet

set system conntrack modules tftp

Configure the connection tracking protocol helper modules. All modules are enable by default.

Use delete system conntrack modules to deactive all modules.

Or, for example ftp, delete system conntrack modules ftp.

Define Conection Timeouts

VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP connections, UDP connections, or for TCP connections in a number of different states.

set system conntrack timeout icmp <1-21474836>

default: 30

set system conntrack timeout other <1-21474836>

default: 600

set system conntrack timeout tcp close <1-21474836>

default: 10

set system conntrack timeout tcp close-wait <1-21474836>

default: 60

set system conntrack timeout tcp established <1-21474836>

default: 432000

set system conntrack timeout tcp fin-wait <1-21474836>

default: 120

set system conntrack timeout tcp last-ack <1-21474836>

default: 30

set system conntrack timeout tcp syn-recv <1-21474836>

default: 60

set system conntrack timeout tcp syn-sent <1-21474836>

default: 120

set system conntrack timeout tcp time-wait <1-21474836>

default: 120

set system conntrack timeout udp other <1-21474836>

default: 30

set system conntrack timeout udp stream <1-21474836>

default: 180

Set the timeout in secounds for a protocol or state.

You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector.

set system conntrack timeout custom rule <1-9999> description <test>

Set a rule description.

set system conntrack timeout custom rule <1-9999> destination address <ip-address>

set system conntrack timeout custom rule <1-9999> source address <ip-address>

set a destination and/or source address. Accepted input:

<x.x.x.x>    IP address to match
<x.x.x.x/x>  Subnet to match
<x.x.x.x>-<x.x.x.x>
                IP range to match
!<x.x.x.x>   Match everything except the specified address
!<x.x.x.x/x> Match everything except the specified subnet
!<x.x.x.x>-<x.x.x.x>
                Match everything except the specified range

set system conntrack timeout custom rule <1-9999> destination port <value>

set system conntrack timeout custom rule <1-9999> source port <value>

Set a destination and/or source port. Accepted input:

<port name>    Named port (any name in /etc/services, e.g., http)
<1-65535>      Numbered port
<start>-<end>  Numbered port range (e.g., 1001-1005)

Multiple destination ports can be specified as a comma-separated list. The whole list can also be “negated” using ‘!’. For example: !22,telnet,http,123,1001-1005`

set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>

set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>

Set the timeout in secounds for a protocol or state in a custom rule.

set system conntrack tcp half-open-connections <1-21474836>

default: 512

Set the maximum number of TCP half-open connections.

set system conntrack tcp loose <enable | disable>

default: enable

Policy to track previously established connections.

set system conntrack tcp max-retrans <1-2147483647>

default: 3

Set the number of TCP maximum retransmit attempts.

set system conntrack ignore rule <1-9999> description <text>

set system conntrack ignore rule <1-9999> destination address <ip-address>

set system conntrack ignore rule <1-9999> destination port <port>

set system conntrack ignore rule <1-9999> inbound-interface <interface>

set system conntrack ignore rule <1-9999> protocol <protocol>

set system conntrack ignore rule <1-9999> source address <ip-address>

set system conntrack ignore rule <1-9999> source port <port>

Customized ignore rules, based on a packet and flow selector.

set system conntrack log icmp destroy

set system conntrack log icmp new

set system conntrack log icmp update

set system conntrack log other destroy

set system conntrack log other new

set system conntrack log other update

set system conntrack log tcp destroy

set system conntrack log tcp new

set system conntrack log tcp update close-wait

set system conntrack log tcp update established

set system conntrack log tcp update fin-wait

set system conntrack log tcp update last-ack

set system conntrack log tcp update syn-received

set system conntrack log tcp update time-wait

set system conntrack log udp destroy

set system conntrack log udp new

set system conntrack log udp update

Log the connection tracking events per protocol.