Connection Tracking and Service Ports
Document revision: | 1.0 (Fri Mar 05 08:34:03 GMT 2004) |
Applies to: | V2.8 |
General Information
Summary
Connection tracking or conntrack provides a facility for monitoring connections made through the router and respective state information.In turn, service port submenu allows to configure conntrack 'helpers' for various protocols. They are used to provide correct NAT traversal for these protocols.
Specifications
Packages required: systemLicense required: Level1
Submenu level: /ip firewall connection, /ip firewall service-port
Standards and Technologies: IP
Hardware usage: Increases with connections count
Related Documents
Notes
Connection tracking must be enabled in order to use NAT.
Connection Tracking
Submenu level: /ip firewall connectionDescription
Using Connection Tracking, you can observe connections passing through the router.
Connection TimeoutsHere comes a list of connection timeouts:
- TCP SYN sent - (first stage in establishing a connection) = 2min
- TCP SYN recvd - (second stage in establishing a connection) = 60sec
- Established TCP connections - (third stage) = 5 days
- TCP FIN wait - (connection termination) = 2min
- TCP TIME wait - (connection termination) = 2min
- TCP CLOSE - (remote party sends RTS) = 10sec
- TCP CLOSE wait - (sent RTS) = 60sec
- TCP LAST ACK - (received ACK) = 30sec
- TCP Listen - (ftp server waiting for client to establish data connection) = 2min
- UDP timeout - 30sec
- UDP with reply timeout - (remote party has responded) = 180sec
- ICMP timeout - 30sec
- All other - 10min
Property Description
dst-address (read-only: IP address:port) - the destination address and port the connection is established to src-address (read-only: IP address:port) - the source address and port the connection is established from protocol (read-only: text) - IP protocol name or number tcp-state (read-only: text) - the state of TCP connection timeout (read-only: time) - the amount of time until the connection will be timed out reply-src-address (read-only: IP address:port) - the source address and port the reply connection is established from reply-dst-address (read-only: IP address:port) - the destination address and port the reply connection is established to assured (read-only: true | false) - shows whether the connection is assured icmp-id (read-only: integer) - contains the ICMP ID. Each ICMP packet gets an ID set to it when it is sent, and when the receiver gets the ICMP message, it sets the same ID within the new ICMP message so that the sender will recognize the reply and will be able to connect it with the appropriate ICMP request icmp-option (read-only: integer) - the ICMP type and code fields reply-icmp-id (read-only: integer) - contains the ICMP ID of received packet reply-icmp-option (read-only: integer) - the ICMP type and code fields of received packet unreplied (read-only: true | false) - shows whether the request was unrepliedExample
[admin@test_1] ip firewall connection> print Flags: U - unreplied, A - assured # SRC-ADDRESS DST-ADDRESS PR.. TCP-STATE TIMEOUT 0 U 0.0.0.0:5678 255.255.255.255:5678 udp 1s 1 U 1.1.1.1:49679 255.255.255.255:69 udp 11s 2 U 1.1.1.1:56635 255.255.255.255:69 udp 27s 3 A 10.1.0.128:2413 10.10.1.1:23 tcp established 4d22h24m14s 4 U 10.1.0.157:5678 255.255.255.255:5678 udp 0s 5 U 10.1.0.172:5678 255.255.255.255:5678 udp 24s 6 U 10.1.0.175:5678 255.255.255.255:5678 udp 25s 7 U 10.1.0.209:5678 255.255.255.255:5678 udp 25s 8 U 10.1.0.212:5678 255.255.255.255:5678 udp 22s 9 A 10.5.7.242:32846 10.10.1.1:23 tcp established 4d23h59m59s 10 A 10.5.7.242:32933 10.10.1.1:23 tcp established 4d23h59m59s 11 U 10.10.1.11:5678 255.255.255.255:5678 udp 12s 12 U 10.10.10.1:5678 255.255.255.255:5678 udp 24s [admin@test_1] ip firewall connection>
Service Ports
Submenu level: /ip firewall service-portDescription
Some network protocols require direct two-sided connection between endpoints. This is not always possible, as network address translation is widely used to connect clients to the network. This submenu allows to configure Connection Tracking 'helpers' for above mentioned protocols. These 'helpers' are used to provide correct NAT traversal.
Property Description
name - protocol name ports (read-only: integer) - port range that is used by the protocolExample
Suppose we want to disable h323service port:
[admin@test_1] ip firewall service-port> set h323 disabled=yes [admin@test_1] ip firewall service-port> print Flags: X - disabled # NAME PORTS 0 ftp 21 1 pptp 2 gre 3 X h323 4 mms 5 irc 6667 6 quake3 [admin@test_1] ip firewall service-port>