Differences

This shows you the differences between two versions of the page.

doc:uci:firewall [2014/08/22 17:21]
zorun Fix SSH redirection example
doc:uci:firewall [2014/09/08 16:30] (current)
hamy
Line 662: Line 662:
-===== Note on connection tracking (NOTRACK) =====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ====
By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target.
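Review bot: renaming the section heading from "Note on connection tracking (NOTRACK)" to "Notes on connection tracking" changes the anchor DokuWiki derives from the heading text, so existing links to the old section id stop resolving; the rename should be called out in the edit summary, or the old title kept somewhere reachable. The new "==== NOTRACK ====" subheading is at the right level for the second subsection added further down, but the unchanged paragraph that follows it now sits directly under a broader top-level heading with no introduction, so a single lead sentence after "===== Notes on connection tracking =====" saying that the two subsections below cover NOTRACK and the filter-table bypass would help readers.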
Line 670: Line 672:
If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''. If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''.
For further information see http://security.maruhn.com/iptables-tutorial/x4772.html . For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +Since [[https://dev.openwrt.org/changeset/42048/trunk/package|r42048]], there is a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://dev.openwrt.org/ticket/17690#comment:6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections, you should leave it active.
 +
 +This behavior can be disabled by editing /etc/sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
===== How to delete a rule ===== ===== How to delete a rule =====
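Review bot: the new nf_conntrack_skip_filter subsection shows how to turn the bypass off but gives no way to check its current state; add `sysctl net.netfilter.nf_conntrack_skip_filter` next to the `sysctl -p` and `sysctl -w` lines so readers can confirm the value before and after the change. The sentence "causes the packets with the established state, completely bypass iptables filter table" needs rewording to "causes packets in the ESTABLISHED state to bypass the iptables filter table completely", and "untill" should be "until". The security consequence deserves one explicit sentence: while the setting is 1, any rules in /etc/firewall.user (referenced in the NOTRACK paragraph above) intended to match, log or count traffic on already established connections never see those packets, and filter-table packet counters undercount. Since the bypass keys on conntrack state, the subsection should also state how it relates to zones where NOTRACK has disabled tracking, so the two subsections read as one consistent picture.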


doc/uci/firewall.1408720899.txt.bz2 · Last modified: 2014/08/22 17:21 by zorun