...
| Property | Description |
|---|---|
| assured (yes | no) | Indicates that this connection is assured and that it will not be erased if the maximum possible tracked connection count is reached. |
| confirmed (yes | no) | Connection is confirmed and a packet is sent out from the device. |
| connection-mark (string) | Connection mark that was set by the mangle rule. |
| connection-type (pptp | ftp) | Type of connection, the property is empty if connection tracking is unable to determine a predefined connection type. |
| dst-address (ip[:port]) | Destination address and port (if a protocol is port-based). |
| dstnat (yes | no) | A connection has gone through DST-NAT (for example, port forwarding). |
| dying (yes | no) | The connection is dying due to a connection timeout. |
| expected (yes | no) | Connection is set up using connection helpers (pre-defined service rules). |
| fasttrack (yes | no) | Whether the connection is FastTracked. |
| gre-key (integer) | Contents of the GRE Key field. |
| gre-protocol (string) | Protocol of the encapsulated payload. |
| gre-version (string) | A version of the GRE protocol was used in the connection. |
| icmp-code (string) | ICMP Code Field |
| icmp-id (integer) | Contains the ICMP ID |
| icmp-type (integer) | ICMP Type Number |
| orig-bytes (integer) | Amount of bytes sent out from the source address using the specific connection. |
| orig-fasttrack-bytes (integer) | Amount of FastTracked bytes sent out from the source address using the specific connection. |
| orig-fasttrack-packets (integer) | Amount of FastTracked packets sent out from the source address using the specific connection. |
| orig-packets (integer) | Amount of packets sent out from the source address using the specific connection. |
| orig-rate (integer) | The data rate at which packets are sent out from the source address using the specific connection. |
| protocol (string) | IP protocol type |
| repl-bytes (integer) | Amount of bytes received from the destination address using the specific connection. |
| repl-fasttrack-bytes (string) | Amount of FastTracked bytes received from the destination address using the specific connection. |
| repl-fasttrack-packets (integer) | Amount of FastTracked packets received from the destination address using the specific connection. |
| repl-packets (integer) | Amount of packets received from the destination address using the specific connection. |
| repl-rate (string) | The data rate at which packets are received from the destination address using the specific connection. |
| reply-dst-address (ip[:port]) | Destination address (and port) expected of return packets. Usually the same as "src-address: port" |
| reply-src-address (ip[:port]) | Source address (and port) expected of return packets. Usually the same as "dst-address: port" |
| seen-reply (yes | no) | The destination address has replied to the source address. |
| src-address (ip[:port]) | The source address and port (if a protocol is port-based). |
| srcnat (yes | no) | Connection is going through SRC-NAT, including packets that were masqueraded through NAT. |
| tcp-state (string) | The current state of TCP connection :
|
| timeout (time) | Time after connection will be removed from the connection list. |
...
| Property | Description |
|---|---|
| enabled (yes | no | auto; Default: auto) | Allows to disable or enable connection tracking. Disabling connection tracking will cause several firewall features to stop working. See the list of affected features. Starting from v6. 0rc2 default value is auto. This means that connection tracing is disabled until at least one firewall rule is added. |
| loose-tcp-tracking (yes; Default: yes) | Disable picking up already established connections |
| tcp-syn-sent-timeout (time; Default: 5s) | TCP SYN timeout. |
| tcp-syn-received-timeout (time; Default: 5s) | TCP SYN timeout. |
| tcp-established-timeout (time; Default: 1d) | Time when after which established TCP connection times out. |
| tcp-fin-wait-timeout (time; Default: 10s) | |
| tcp-close-wait-timeout (time; Default: 10s) | |
| tcp-last-ack-timeout (time; Default: 10s) | |
| tcp-time-wait-timeout (time; Default: 10s) | |
| tcp-close-timeout (time; Default: 10s) | |
| udp-timeout (time; Default: 10s) | Specifies the timeout for UDP connections that have seen packets in one direction |
| udp-stream-timeout (time; Default: 3m) | Specifies the timeout of UDP connections that has have seen packets in both directions |
| icmp-timeout (time; Default: 10s) | ICMP connection timeout |
| generic-timeout (time; Default: 10m) | Timeout for all other connection entries |
...
| Property | Description | ||
|---|---|---|---|
| max-entries (integer) | Max amount of entries that the connection tracking table can hold. This value depends on the installed amount of RAM. Note that the system does not create a maximum-size connection tracking table when it starts, the maximum entry amount canit may increase if the situation demands it and the routersystem still has free ram left.RAM, but the size will not exceed 1048576 | ||
| total-entries (integer) | Amount of connections that the | currentconnection table holds | .currently |
Features affected by connection tracking
- NAT
- firewall:
- connection-bytes
- connection-mark
- connection-type
- connection-state
- connection-limit
- connection-rate
- layer7-protocol
- new-connection-mark
- tarpit