...
Property | Description |
---|---|
enabled (yes | no | auto; Default: auto) | Allows to disable or enable connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the list of affected features. Starting from v6.0rc2 default value is auto. This means that connection tracing is disabled until at least one firewall rule is added. |
loose-tcp-tracking (yes; Default: yes) | Disable picking up already established connections |
tcp-syn-sent-timeout (time; Default: 5s) | TCP SYN timeout. |
tcp-syn-received-timeout (time; Default: 5s) | TCP SYN timeout. |
tcp-established-timeout (time; Default: 1d) | Time when established TCP connection times out. |
tcp-fin-wait-timeout (time; Default: 10s) | |
tcp-close-wait-timeout (time; Default: 10s) | |
tcp-last-ack-timeout (time; Default: 10s) | |
tcp-time-wait-timeout (time; Default: 10s) | |
tcp-close-timeout (time; Default: 10s) | |
udp-timeout (time; Default: 10s) | Specifies the timeout for UDP connections that have seen packets in one direction |
udp-stream-timeout (time; Default: 3m) | Specifies the timeout of UDP connections that has seen packets in both directions |
icmp-timeout (time; Default: 10s) | ICMP connection timeout |
generic-timeout (time; Default: 10m) | Timeout for all other connection entries |
...
Property | Description |
---|---|
max-entries (integer) | Max amount of entries that the connection tracking table can hold. This value depends on the installed amount of RAM. Note that the system does not create a maximum-size connection tracking table when it starts, it may increase if the situation demands it and the system still has free ram, but size will not exceed 1048576 |
total-entries (integer) | Amount of connections that currently connection table holds. |
Features affected by connection tracking
- NAT
- firewall:
- connection-bytes
- connection-mark
- connection-type
- connection-state
- connection-limit
- connection-rate
- layer7-protocol
- new-connection-mark
- tarpit