The timeouts determine when a conntrack item can be evicted for having no matching traffic. If a 5-tuple was communicating and then stops for longer than the timeout, then the next packet in the flow would be re-evaluated against the firewall. If the firewall lacked a discrete definition allowing that flow, then the packet would be dropped. The typical scenario is client to server. The client likely doesn't have an explicit inbound firewall rule allowing the server to respond to client traffic, so any response traffic from the server relies on a conntrack entry in the client to make it all the way back. The defaults should work well for most people. If you have services that take longer than the timeouts to respond (and lack protocol-level keep-alives), then you will have dropped traffic and should increase the timeouts appropriately.
Hi, I am trying to understand the meanings behind the `firewall.conntrack` options. In the documentation it is reported
What are the timeouts referred to? Like, does `tcp_timeout` refer to dropping all the TCP connections after 12 minutes, or only in some cases? In case the default is less than the specific one (like for TCP), does it overwrite the rule? I am not very into firewall rules, so sorry if these may be dumb questions. Thank you
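The eviction behaviour described in the reply (a flow's entry is refreshed by matching traffic, evicted once idle longer than its timeout, and a later packet is then re-evaluated against explicit rules) can be made concrete with a small simulation. This is an added example written for this discussion, not code from the thread or from the project whose `firewall.conntrack` options are being asked about. The 12-minute TCP value is the one quoted in the question; the UDP and default values, the rule that a protocol-specific timeout wins over the default, and the hosts, ports and timestamps are all assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Proto is the transport protocol of a flow.
type Proto string

const (
	TCP  Proto = "tcp"
	UDP  Proto = "udp"
	ICMP Proto = "icmp"
)

// FiveTuple identifies a flow in the direction the local host sent it.
type FiveTuple struct {
	Proto            Proto
	SrcIP, DstIP     string
	SrcPort, DstPort int
}

// Reverse returns the tuple a reply packet to this flow would carry.
func (t FiveTuple) Reverse() FiveTuple {
	return FiveTuple{t.Proto, t.DstIP, t.SrcIP, t.DstPort, t.SrcPort}
}

// Timeouts models the conntrack options as idle times after which an
// entry may be evicted. The values used below are this example's assumptions.
type Timeouts struct {
	TCP, UDP, Default time.Duration
}

// For picks the timeout for a protocol: the specific one when set,
// otherwise Default. This precedence is how the simulation resolves it
// (an assumption), not a statement about any particular implementation.
func (c Timeouts) For(p Proto) time.Duration {
	switch p {
	case TCP:
		if c.TCP > 0 {
			return c.TCP
		}
	case UDP:
		if c.UDP > 0 {
			return c.UDP
		}
	}
	return c.Default
}

// Conntrack is a minimal stateful flow table keyed on the outbound 5-tuple,
// recording when each flow last saw traffic in either direction.
type Conntrack struct {
	timeouts     Timeouts
	lastSeen     map[FiveTuple]time.Time
	inboundAllow func(FiveTuple) bool // explicit inbound rules; nil means none
}

func NewConntrack(t Timeouts, inboundAllow func(FiveTuple) bool) *Conntrack {
	return &Conntrack{timeouts: t, lastSeen: map[FiveTuple]time.Time{}, inboundAllow: inboundAllow}
}

// Outbound records (or refreshes) a flow the local host initiated at now.
func (c *Conntrack) Outbound(t FiveTuple, now time.Time) { c.lastSeen[t] = now }

// Inbound decides whether a packet arriving with tuple in at time now is
// accepted: first via a live conntrack entry, then via explicit rules.
func (c *Conntrack) Inbound(in FiveTuple, now time.Time) (bool, string) {
	key := in.Reverse()
	if seen, ok := c.lastSeen[key]; ok {
		if now.Sub(seen) <= c.timeouts.For(in.Proto) {
			c.lastSeen[key] = now // matching traffic refreshes the entry
			return true, "conntrack match"
		}
		delete(c.lastSeen, key) // idle too long: evicted, packet is re-evaluated
	}
	if c.inboundAllow != nil && c.inboundAllow(in) {
		return true, "explicit inbound rule"
	}
	return false, "no conntrack entry and no inbound rule"
}

// DefaultTimeouts: 12m TCP is the figure quoted in the question; the UDP and
// Default values are placeholders chosen for this example.
var DefaultTimeouts = Timeouts{TCP: 12 * time.Minute, UDP: 3 * time.Minute, Default: 10 * time.Minute}

func main() {
	// Constructed scenario: a client with no inbound rules talks to a server.
	ct := NewConntrack(DefaultTimeouts, nil)
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	req := FiveTuple{TCP, "10.0.0.2", "10.0.0.1", 40000, 443}
	ct.Outbound(req, t0)
	for _, at := range []time.Duration{5 * time.Minute, 30 * time.Minute} {
		ok, why := ct.Inbound(req.Reverse(), t0.Add(at))
		fmt.Printf("server reply at t0+%v: accepted=%v (%s)\n", at, ok, why)
	}
}
```

Running `main` shows the reply at five minutes accepted on the conntrack entry and the reply at thirty minutes dropped, because the entry sat idle past the TCP timeout and the client has no explicit inbound rule to fall back on; a new outbound packet from the client recreates the entry.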