Manual:IP/Firewall/Connection tracking: Difference between revisions
Revision as of 12:18, 19 May 2011
Connection tracking entries
Sub-menu: /ip firewall connection
There are several ways to see what connections are making their way through the router.
In the Winbox Firewall window, you can switch to the Connections tab, to see current connections to/from/through your router. It looks like this:
You can also turn connection tracking on and off altogether in the Tracking menu, accessible with a button of the same name in this window. Note that turning off connection tracking will make NAT and most of the Firewall not work, because they rely on this feature.
Connection tracking settings
Sub-menu: /ip firewall connection tracking
Properties
Property | Description
---|---
enabled (yes \| no; Default: yes) | Enables or disables connection tracking.
tcp-syn-sent-timeout (time; Default: 5s) | Timeout for TCP connections in the SYN-SENT state.
tcp-syn-received-timeout (time; Default: 5s) | Timeout for TCP connections in the SYN-RECEIVED state.
tcp-established-timeout (time; Default: 1d) | Time after which an established TCP connection times out.
tcp-fin-wait-timeout (time; Default: 10s) | Timeout for TCP connections in the FIN-WAIT state.
tcp-close-wait-timeout (time; Default: 10s) | Timeout for TCP connections in the CLOSE-WAIT state.
tcp-last-ack-timeout (time; Default: 10s) | Timeout for TCP connections in the LAST-ACK state.
tcp-time-wait-timeout (time; Default: 10s) | Timeout for TCP connections in the TIME-WAIT state.
tcp-close-timeout (time; Default: 10s) | Timeout for TCP connections in the CLOSE state.
udp-timeout (time; Default: 10s) | Timeout for UDP entries that have seen traffic in only one direction.
udp-stream-timeout (time; Default: 3m) | Timeout for UDP entries that have seen traffic in both directions.
icmp-timeout (time; Default: 10s) | Timeout for ICMP entries.
generic-timeout (time; Default: 10m) | Timeout for all other connection entries.
tcp-syncookie (yes \| no; Default: no) | Enables TCP SYN cookies.
Read-only properties
Property | Description
---|---
max-entries (integer) | Maximum number of entries the connection tracking table can hold. This value depends on the amount of installed RAM.
total-entries (integer) | Number of connections the connection tracking table currently holds.
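As an added illustration (not part of the original page), the same settings as typed into the RouterOS terminal; the shortened timeout values are assumed tuning choices, not recommendations from the manual:

```routeros
# Added example, not from the original page: inspecting and tuning
# connection tracking from the RouterOS terminal.

# Current settings, including the read-only max-entries and total-entries.
/ip firewall connection tracking print

# How full is the table right now, and which entries are TCP?
/ip firewall connection print count-only
/ip firewall connection print where protocol=tcp

# Shorten the time that half-open and closing TCP sessions occupy the table
# while keeping established sessions at the page's default of 1d.
# The values below are assumed tuning choices, not manual recommendations.
/ip firewall connection tracking set tcp-syn-sent-timeout=3s tcp-syn-received-timeout=3s
/ip firewall connection tracking set tcp-fin-wait-timeout=5s tcp-close-timeout=5s
/ip firewall connection tracking set tcp-established-timeout=1d

# Turn on the tcp-syncookie option listed in the table above.
/ip firewall connection tracking set tcp-syncookie=yes

# Disabling tracking altogether: as the page notes, NAT and most firewall
# matchers (connection-state, connection-mark, ...) stop working, so this
# line is left commented out.
# /ip firewall connection tracking set enabled=no
```

Compare total-entries against max-entries before and after tuning to see how much table headroom the shorter timeouts give.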
List of features affected by connection tracking
- NAT
- firewall:
  - connection-bytes
  - connection-mark
  - connection-type
  - connection-state
  - connection-limit
  - connection-rate
  - layer7-protocol
  - p2p
  - new-connection-mark
- p2p matching in simple queues