Connection tracking


The connection tracking system is a very powerful tool that underlies many of the unique features of a Linux router.
However, nowadays phenomena such as P2P traffic and the growing number of requests generated by web traffic can impair
the operation of the router if appropriate precautions do not protect the connection tracking system.
Such precautions (increasing the capacity of the connection tracking system, detecting and limiting or blocking P2P traffic,
limiting the number of connections, packets, etc.) imply increased CPU usage.

The alternative is to bypass the connection tracking system, which is possible for IPv4 traffic when one of the following conditions is met:
- the LAN has public addresses (the rarer case),
- the ISP router/modem implements simple static NAT and routing in cooperation with the Ips-Qos machine.
IPv6 traffic can bypass the connection tracking system without additional conditions.

Bypassing the connection tracking system lets Ips-Qos pass a computer's traffic through without any restrictions other than bandwidth limiting,
at the expense of reduced security of that computer.

Bypassing the connection tracking system means giving up the following functionality:

- connlimit: no limiting of concurrent TCP connections,
- classes: some functional limitations of plugin classes,
- security: lack of stateful packet inspection.

Below is a real example of connecting Ips-Qos (first WAN IP address 192.168.1.2) to the ISP router.

ISP router 

LAN

...
 

Routing

...

DMZ

...

Ips-Qos 

Global settings :. NOTRACK - this setting disables connection tracking globally. It is actually not recommended, because some special
classes then have to be reconfigured so that they work properly with connection tracking disabled.
Global settings :. NOSNAT - this setting disables NAT globally and is required in order to bypass the connection tracking system.

...


Settings :. CTR - this setting disables connection tracking for a given computer / class. This is the recommended scenario,
as it allows only the selected special classes to be configured with connection tracking disabled.
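As an added illustration (not Ips-Qos code; the interface names and host addresses are assumed), the following script prints the raw-table iptables rules that exempt selected LAN hosts from connection tracking, which is how the per-host CTR setting is assumed to work underneath, together with the FORWARD rule that untracked packets need once stateful inspection no longer applies to them.

```shell
#!/bin/sh
# Added example, not Ips-Qos code: print the raw-table iptables rules that
# exempt selected LAN hosts from connection tracking, the assumed mechanism
# behind the per-host CTR setting. The script only prints commands; apply
# them on a router where NAT is already off (NOSNAT), because NAT itself
# depends on conntrack and cannot act on untracked packets.

LAN_IF="eth1"   # assumed LAN interface name
WAN_IF="eth0"   # assumed WAN interface name

# IPv4: rules exempting one LAN host ($1) from conntrack in both directions:
# packets it sends (arriving on LAN_IF) and replies addressed to it (on WAN_IF).
notrack_rules_for_host() {
    host="$1"
    printf 'iptables -t raw -A PREROUTING -i %s -s %s -j CT --notrack\n' "$LAN_IF" "$host"
    printf 'iptables -t raw -A PREROUTING -i %s -d %s -j CT --notrack\n' "$WAN_IF" "$host"
}

# IPv6 needs no NAT, so the "no additional conditions" case from the page can
# simply exempt all forwarded IPv6 traffic from conntrack.
notrack_rules_ipv6() {
    printf 'ip6tables -t raw -A PREROUTING -j CT --notrack\n'
}

# Untracked packets never reach the ESTABLISHED state, so a stateful FORWARD
# chain would drop them. Accepting ctstate UNTRACKED lets them through; this is
# exactly the "lack of stateful packet inspection" trade-off the page names:
# only bandwidth shaping still applies to these hosts.
untracked_accept_rules() {
    printf 'iptables -A FORWARD -m conntrack --ctstate UNTRACKED -j ACCEPT\n'
    printf 'ip6tables -A FORWARD -m conntrack --ctstate UNTRACKED -j ACCEPT\n'
}

# Emit the complete rule set for the IPv4 hosts given as arguments.
generate_bypass_rules() {
    for h in "$@"; do
        notrack_rules_for_host "$h"
    done
    notrack_rules_ipv6
    untracked_accept_rules
}

# Number of commands generated: two per IPv4 host plus three fixed rules.
count_bypass_rules() {
    generate_bypass_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample: two LAN hosts behind the ISP router's static NAT.
generate_bypass_rules 192.168.1.10 192.168.1.11
```

Rules in the raw table are evaluated before conntrack sees the packet, so the exemption must be added for both traffic directions or the reply half of each flow would still create a conntrack entry.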

...


Global settings :. WAN

...


Global settings :. LAN

...