Cool! 👍 I didn't expect that ;) I'm not confident that I would trust it to be reliable though. There are so many things that I can imagine could go wrong, with connections tracked that are not necessarily active and active connections that are not necessarily tracked... I don’t like the sound of that :-D Cheers!
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad
Sent: Thursday, 23 August 2018 8:01 AM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] conntrack timing for tcp session
Hi
Yes, it does work in ROS and Linux. You can test with a single router: have a long-lived TCP session, go to /ip firewall connection tracking and then remove it or all of the sessions; they will be rebuilt as traffic flows.
A
On Mon, 20 Aug 2018 at 10:42, Mike Everest <mike@duxtel.com> wrote:
I think that only allows the packets to flow - I don't think it will allow the router to create the tracked connection.
Try it and find out for us! :-)
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad
Sent: Sunday, 19 August 2018 11:29 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] conntrack timing for tcp session
No, that's not true.
You can do that on a Linux box as well.
Let me qualify: if you have
  forward related,established
  forward allow flags syn,ack
  forward allow flags !syn
  forward allow dport 22
so the first allows for related,est connections; the 2nd and 3rd lines allow for asym TCP; the 4th allows a TCP session with dport 22. Note I never use connection = new and I also can't use connection = invalid,
which means the first time a packet in a stream is seen it is either allowed or blocked, but afterwards it is caught by the 1st line.
A
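The four rules Alex lists above, written out as RouterOS filter rules so the ordering is explicit. This is an added illustration, not configuration from anyone in the thread; the final drop rule, the 2h tcp-established-timeout (the value Alex says he is considering in his first mail) and the connection print at the end are my assumptions, added so the effect can be checked on a lab router.

```routeros
# Added example (not from the thread). Order matters: the first rule that
# matches wins, so the established/related rule must come first.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="1: flows conntrack already knows, either direction"
add chain=forward protocol=tcp tcp-flags=syn,ack action=accept comment="2: SYN-ACK for a SYN this router never saw (asymmetric return path)"
add chain=forward protocol=tcp tcp-flags=!syn action=accept comment="3: mid-stream segments; conntrack creates the entry from these"
add chain=forward protocol=tcp dst-port=22 action=accept comment="4: new sessions whose SYN does arrive here"
# Assumed for the example: no connection-state=invalid rule at all (it would
# drop the asymmetric replies), and an explicit catch-all drop last.
add chain=forward action=drop comment="assumed: everything else"

# Assumed value: shorten the established timeout to 2h as discussed in the
# thread, so entries rebuilt from mid-stream packets do not linger for a day.
/ip firewall connection tracking set tcp-established-timeout=2h

# Check: after deleting a tracked entry the next data segment of a live
# session should re-create it via rule 3 and it reappears as established.
/ip firewall connection print where protocol=tcp
```

Rule 3 is what makes the rebuild Alex describes possible, and it is also the trade-off: once non-SYN segments are accepted, the firewall no longer verifies a handshake for forwarded TCP, so the new-connection decision is only enforced by rule 4 for flows that happen to enter through this router. Where the topology allows it, narrowing rules 2 and 3 with in-interface or src-address limits how much traffic bypasses that check.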
On 18 August 2018 at 16:09, Mike Everest <mike@duxtel.com> wrote:
Yes, but a router needs the first packet of a stream to start a 'connection' and therefore understand what is 'established' or which other packets are related to a connection. So you can't use any of that connection-state functionality when route paths are not symmetric within your network :-}
udp might work (not sure) because they are not a real connection anyway...
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad
Sent: Saturday, 18 August 2018 3:57 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] conntrack timing for tcp session
I allow state from non-SYN packets, so I don't check for invalids, and then just the standard allows.
On 18 August 2018 at 14:13, Mike Everest <mike@duxtel.com> wrote:
Hi Alex,
If you don't have certainty of symmetric routing, then connection tracking has limited use, because packets can easily be interpreted as 'invalid' if the router receives a reply packet to a connection that was established outbound via another router.
For asymmetric routing, you need to set up your firewall filter rules without any reference to connections: so no connection-mark, nat-state, tcp-established/new/related, and so on.
Cheers!
> -----Original Message-----
> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad
> Sent: Saturday, 18 August 2018 2:04 PM
> To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
> Subject: [MT-AU Public] conntrack timing for tcp session
>
> Hi
>
> ROS has a default of
> tcp-established-timeout: 1d
>
> But I have asym routing and not all the routers will see syn nor fin. I am thinking
> of bringing this down to 2 hours to match up with linux timeout .
>
> currently i have keep alive set to 30 min on my linux boxes.
>
> I don't think there is any reason why this should cause an issue. ???
>
>
> Alex
> _______________________________________________
> Public mailing list
> Public@talk.mikrotik.com.au
> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au