Conntrack
VyOS can be configured to track connections using the kernel's connection tracking subsystem (conntrack). Connection tracking only becomes operational once either a stateful firewall or NAT is configured; until one of them is, nothing is tracked and the settings below have no effect.
Configure

Table size (default: 262144)
The connection tracking table contains one entry for each connection being tracked by the system. When the table is full the kernel drops packets of new connections until existing entries time out, so size it for the peak number of concurrent flows the router must carry, not the average.

Expect table size (default: 2048)
The connection tracking expect table contains one entry for each expected connection related to an existing connection. Entries are created by the "connection tracking helper" modules, for example the FTP helper, which expects the data connection announced on the control channel.

Hash table size (default: 32768)
Set the size of the hash table. The connection tracking hash table makes searching the connection tracking table faster. The hash table uses "buckets" to record entries in the connection tracking table. With the defaults there are eight table entries per bucket when the table is full; if you raise the table size, raise the hash size in the same proportion, otherwise lookups degrade into long walks of the per-bucket lists.

Helper modules
Configure the connection tracking protocol helper modules. All modules are enabled by default. Each helper parses application-layer payload of untrusted traffic in order to open related connections, so disable the helpers for protocols you do not carry.

TCP half-open connections (default: 512)
Set the maximum number of TCP half-open connections, that is, connections whose three-way handshake has started but not completed.

Tracking of previously established TCP connections (default: enable)
Policy to track previously established connections. When enabled, conntrack picks up TCP flows it first sees mid-stream (no SYN observed), for example connections that existed before the firewall started or whose entries were lost; when disabled, such packets do not create an entry and a stateful firewall will treat them as invalid.

TCP maximum retransmit attempts (default: 3)
Set the number of TCP maximum retransmit attempts: how many retransmissions of the same segment conntrack will see without an acknowledgement before it treats the connection as stalled and applies its shorter retransmission timeout instead of the normal one for that state.
Conntrack Timeouts
VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP connections, UDP connections, or for TCP connections in a number of different states.

Timeout (default: 180)
Set the timeout in seconds for a protocol or state. An entry is removed from the table once no packet has matched it for that long, so a timeout that is too short breaks long-idle but legitimate sessions, while one that is too long lets dead flows occupy the table.
You can also define custom timeout values that apply only to a specific subset of connections, selected by a packet and flow selector. To do this, create a rule that defines the selector (addresses and/or ports) and the timeout to apply to matching flows.
Set a rule description.
Set a destination and/or source address. Accepted input for IPv4 and IPv6:

  set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
  Possible completions:
    <x.x.x.x>                 IPv4 address to match
    <x.x.x.x/x>               IPv4 prefix to match
    <x.x.x.x>-<x.x.x.x>       IPv4 address range to match
    !<x.x.x.x>                Match everything except the specified address
    !<x.x.x.x/x>              Match everything except the specified prefix
    !<x.x.x.x>-<x.x.x.x>      Match everything except the specified range

  set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
  Possible completions:
    <h:h:h:h:h:h:h:h>                     IP address to match
    <h:h:h:h:h:h:h:h/x>                   Subnet to match
    <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>   IP range to match
    !<h:h:h:h:h:h:h:h>                    Match everything except the specified address
    !<h:h:h:h:h:h:h:h/x>                  Match everything except the specified prefix
    !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>  Match everything except the specified range
Set a destination and/or source port. Accepted input:

  <port name>      Named port (any name in /etc/services, e.g., http)
  <1-65535>        Numbered port
  <start>-<end>    Numbered port range (e.g., 1001-1005)

Multiple destination ports can be specified as a comma-separated list. The whole list can also be “negated” using ‘!’. For example: !22,telnet,http,123,1001-1005
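The address and port selector grammars above, parsed and evaluated in Python as an added example. This is not VyOS code and not how VyOS applies the rules internally; it shows what each selector form accepts, how the leading ‘!’ inverts a whole list, and how the selectors of one rule combine. The grammar is the one shown on this page; the CustomRule class, the fallback service table (used only when the host has no /etc/services) and the sample addresses and ports are assumptions constructed for the example.

```python
"""Parser and matcher for conntrack custom-timeout packet/flow selectors.

Added example, not VyOS code. Grammar taken from the page; CustomRule and the
sample data below are constructed assumptions.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed fallback, used only when socket.getservbyname() cannot consult
# /etc/services (e.g. a minimal container). On a normal host the file is used.
_FALLBACK_SERVICES = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80,
                      "ntp": 123, "https": 443}


@dataclass(frozen=True)
class PortSelector:
    negated: bool
    ranges: Tuple[Tuple[int, int], ...]   # inclusive (lo, hi) pairs

    def matches(self, port: int) -> bool:
        hit = any(lo <= port <= hi for lo, hi in self.ranges)
        return hit != self.negated          # '!' inverts the whole list


@dataclass(frozen=True)
class AddressSelector:
    negated: bool
    version: int                            # 4 or 6; rules are per family
    lo: int                                 # first address, as an integer
    hi: int                                 # last address, inclusive

    def matches(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        if a.version != self.version:
            return False                    # wrong family never matches, even if negated
        return (self.lo <= int(a) <= self.hi) != self.negated


def _port_number(tok: str) -> int:
    """'<1-65535>' or '<port name>' (any name in /etc/services)."""
    if tok.isdigit():
        n = int(tok)
        if not 1 <= n <= 65535:
            raise ValueError(f"port out of range: {tok}")
        return n
    try:
        return socket.getservbyname(tok)
    except OSError:
        if tok in _FALLBACK_SERVICES:
            return _FALLBACK_SERVICES[tok]
        raise ValueError(f"unknown service name: {tok}")


def parse_port_selector(text: str) -> PortSelector:
    """Comma list of names, numbers and numeric <start>-<end> ranges; optional leading '!'."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port list")
        parts = item.split("-", 1)
        if len(parts) == 2 and all(p.isdigit() for p in parts):
            lo, hi = _port_number(parts[0]), _port_number(parts[1])
            if lo > hi:
                raise ValueError(f"inverted port range: {item}")
        else:                               # single number, or a name (names may contain '-')
            lo = hi = _port_number(item)
        ranges.append((lo, hi))
    return PortSelector(negated, tuple(ranges))


def parse_address_selector(text: str) -> AddressSelector:
    """'<addr>', '<addr>/<len>' or '<addr>-<addr>', IPv4 or IPv6; optional leading '!'."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    if "-" in text:                         # IPv6 text never contains '-', so this is safe
        lo_s, hi_s = text.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {text}")
        return AddressSelector(negated, lo.version, int(lo), int(hi))
    # A bare address becomes a /32 or /128. strict=True rejects a prefix with
    # host bits set (a common typo) instead of silently widening the match.
    net = ipaddress.ip_network(text, strict=True)
    return AddressSelector(negated, net.version,
                          int(net.network_address), int(net.broadcast_address))


@dataclass(frozen=True)
class CustomRule:
    """Assumed shape: each selector is optional and an absent one matches everything."""
    src_addr: Optional[AddressSelector] = None
    dst_addr: Optional[AddressSelector] = None
    src_port: Optional[PortSelector] = None
    dst_port: Optional[PortSelector] = None

    def matches(self, src: str, dst: str, sport: int, dport: int) -> bool:
        checks = [(self.src_addr, src), (self.dst_addr, dst),
                  (self.src_port, sport), (self.dst_port, dport)]
        return all(sel is None or sel.matches(val) for sel, val in checks)


if __name__ == "__main__":
    # The port list from this page plus a constructed (assumed) address selector.
    rule = CustomRule(dst_addr=parse_address_selector("!192.0.2.0/24"),
                      dst_port=parse_port_selector("!22,telnet,http,123,1001-1005"))
    print(rule.matches("10.1.1.1", "198.51.100.5", 40000, 8080))   # True
    print(rule.matches("10.1.1.1", "198.51.100.5", 40000, 80))     # False, port excluded
    print(rule.matches("10.1.1.1", "192.0.2.9", 40000, 8080))      # False, prefix excluded
```

Note that a negated selector still only matches within its own address family; a rule under ipv4 never matches an IPv6 flow, negated or not. The parser also rejects an empty list element ("22,,80"), an inverted range and a prefix with host bits set, which are the typos most likely to make a custom timeout silently apply to the wrong flows.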
Conntrack ignore rules
Customized ignore rules, based on a packet and flow selector, exempt the matching traffic from connection tracking altogether: matching packets are never entered into the connection tracking table. Use them to keep high-volume flows that need no state (for example routed traffic that is neither firewalled statefully nor NATed) from consuming table entries. Bear in mind that untracked flows cannot match stateful firewall rules (such as those keyed on the established state) and cannot be NATed, so an ignore rule must not cover traffic that depends on either.