3.7. Advanced Settings

You can find the Advanced Settings at System → Settings → Advanced.

You can configure the firewall's connection-tracking (conntrack) timeouts for

  • ICMP
  • ICMPv6
  • TCP
  • UDP
  • GRE

as well as the size of the conntrack state table, i.e. the maximum number of connections the firewall tracks at the same time. Once that table is full, new connections are dropped until old entries expire, so long timeouts and a small table do not go together.
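The settings above correspond to the Linux conntrack timeouts, which are defined per protocol state rather than per protocol. The following nftables ruleset is an added example, not VT AIR's own configuration: it shows which states the TCP and UDP timeouts break down into and how a shorter policy can be attached to one class of traffic. The interface name lan0 and the timeout values are assumptions.

```nft
# Added example (not VT AIR configuration). Conntrack timeouts are per
# protocol *state*: a TCP entry in ESTABLISHED lives 5 days by default
# (sysctl net.netfilter.nf_conntrack_tcp_timeout_established = 432000),
# a UDP entry 30 s until a reply is seen, an ICMP entry 30 s. Long
# timeouts plus a small table (sysctl net.netfilter.nf_conntrack_max)
# end in "nf_conntrack: table full, dropping packet".
table inet filter {
    # Shorter TCP timeouts for traffic that should not hold a slot for days.
    ct timeout short-tcp {
        protocol tcp
        l3proto ip
        policy = { established: 1800, fin_wait: 30, close_wait: 30, time_wait: 30, close: 10 }
    }
    ct timeout short-udp {
        protocol udp
        l3proto ip
        policy = { unreplied: 15, replied: 60 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept

        # Assumption: lan0 is the inside interface. The timeout policy is
        # attached to the conntrack entry, so it applies to the whole
        # connection, not only to the packet that matched here.
        meta nfproto ipv4 iifname "lan0" meta l4proto tcp ct timeout set "short-tcp"
        meta nfproto ipv4 iifname "lan0" meta l4proto udp ct timeout set "short-udp"
    }
}
```

Check the effect with `conntrack -L` (the remaining lifetime is the number after the protocol name) and watch `/proc/sys/net/netfilter/nf_conntrack_count` against `nf_conntrack_max` while tuning.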

3.7.1. Whitelisting

You can add multiple IPv4 or IPv6 addresses or networks that will not be blocked at the VT AIR login when the username or password is incorrect. For all other sources, the login is protected by a blocking function that locks the source out after 3 unsuccessful login attempts. Whitelisted sources are therefore exempt from brute-force protection: add only trusted management networks here, never a network that untrusted clients can reach the login page from.

3.7.2. Firewall Helper

There are 4 firewall helpers for protocols that negotiate additional, random ports inside their control connection:

  • SIP
  • FTP
  • TFTP
  • SNMP

You can enable each helper individually. The firewall then inspects the control connection of that protocol and tracks any additional port the connection opens, so you do not have to add a separate firewall rule for it. Enable only the helpers you actually need: a helper parses packet payloads and opens ports dynamically, so a helper for a protocol you do not use only adds attack surface.
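What such a helper does underneath, as an added nftables example that is not VT AIR's own configuration: the helper is bound to the control-connection port, and the negotiated data ports then show up as "related" traffic. The interface names lan0/wan0 and the ports are assumptions.

```nft
# Added example (not VT AIR configuration): explicit conntrack helper
# assignment in nftables. Since Linux 4.7 helpers are no longer attached
# automatically (sysctl net.netfilter.nf_conntrack_helper = 0), so each
# helper must be bound to its control port by a rule. The kernel modules
# (nf_conntrack_ftp, nf_conntrack_tftp, nf_conntrack_sip, nf_conntrack_snmp)
# must be loaded; behind NAT, their nf_nat_* counterparts as well.
table inet filter {
    ct helper ftp-ctl  { type "ftp"  protocol tcp; }
    ct helper tftp-ctl { type "tftp" protocol udp; }
    ct helper sip-ctl  { type "sip"  protocol udp; }

    chain helpers {
        # Bind helpers before the routing decision, and only on the ports
        # the control channel really uses (assumed: 21, 69, 5060).
        type filter hook prerouting priority filter
        tcp dport 21   ct helper set "ftp-ctl"
        udp dport 69   ct helper set "tftp-ctl"
        udp dport 5060 ct helper set "sip-ctl"
    }

    chain forward {
        type filter hook forward priority filter; policy drop

        # The helper parses the control channel (e.g. FTP PORT/PASV) and
        # registers the negotiated data port as an "expectation"; the first
        # packet on that port is then in ct state "related" and this rule
        # accepts it, so no rule for the random port is needed.
        ct state established,related accept

        # Only the control connections need explicit rules (assumed LAN -> WAN).
        iifname "lan0" oifname "wan0" tcp dport 21 accept
        iifname "lan0" oifname "wan0" udp dport { 69, 5060 } accept
    }
}
```

`conntrack -L expect` lists the expectations a helper has currently registered, which is the quickest way to see whether a helper is actually doing something for a given connection.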

3.7.3. Network Interfaces

You can disable (and re-enable) hardware and software offload features of the network interfaces here. Offloads let the NIC or the kernel handle packets in larger batches; disabling them is useful when the firewall must see every packet individually, for example for IDS/IPS, or when a NIC driver does not implement an offload correctly.

  • GRO (Generic Receive Offload)
  • GSO (Generic Segmentation Offload)
  • TSO (TCP Segmentation Offload)
  • UFO (UDP Fragmentation Offload)
  • TX/RX Checksum Offload

A restart is not required to disable or enable any of these settings.

3.7.4. Firewall Flowtable

Flowtable is a fast forwarding path for TCP/UDP packets that are forwarded through the firewall. The first packets of a connection traverse the firewall the normal way, through all hooks and rules. Once the connection state is established, the connection is added to the flowtable. Every subsequent packet of that connection is then passed from the incoming to the outgoing interface directly, bypassing the rest of the firewall infrastructure and therefore saving a lot of processing time.

This feature allows for 2-3 times faster packet processing and is compatible with QoS. It is enabled by default. If you enable IDS/IPS or logging for a firewall rule, this feature will not be used for that rule's traffic: offloaded packets bypass the firewall and would therefore bypass logging and inspection as well. If you encounter any issues, please disable this feature.

                                     userspace process
                                        ^              |
                                        |              |
                                   _____|____     ____\/___
                                  /          \   /         \
                                  |   input   |  |  output  |
                                  \__________/   \_________/
                                       ^               |
                                       |               |
    _________      __________      ---------     _____\/_____
   /         \    /          \     |Routing |   /            \
-->  ingress  ---> prerouting ---> |decision|   | postrouting |--> neigh_xmit
   \_________/    \__________/     ----------   \____________/          ^
     |      ^                          |               ^                |
 flowtable  |                     ____\/___            |                |
     |      |                    /         \           |                |
  __\/___   |                    | forward |------------                |
  |-----|   |                    \_________/                            |
  |-----|   |                 'flow offload' rule                       |
  |-----|   |                   adds entry to                           |
  |_____|   |                     flowtable                             |
     |      |                                                           |
    / \     |                                                           |
   /hit\_no_|                                                           |
   \ ? /                                                                |
    \ /                                                                 |
     |__yes_________________fastpath bypass ____________________________|

             Fig.1 Netfilter hooks and flowtable interactions
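The path in Fig. 1 expressed as an nftables ruleset, as an added example that is not VT AIR's own configuration: a flowtable hooked at ingress of the two interfaces, a forward chain whose established traffic is added to the flowtable, and a logged rule whose connections are deliberately kept out of the fast path. The interface names lan0/wan0, the ports and the mark value are assumptions.

```nft
# Added example (not VT AIR configuration): an nftables flowtable and the
# rule that feeds it. Requires the nf_flow_table modules; "flow add" is
# the current spelling, older nft releases call it "flow offload".
table inet filter {
    flowtable ft {
        # The fastpath hooks at ingress of these devices (see Fig. 1).
        hook ingress priority 0
        devices = { lan0, wan0 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop

        # Only established TCP/UDP connections can be offloaded. Connections
        # marked 0x1 stay on the normal path: once a flow is in the
        # flowtable its packets never reach this chain again, so a "log"
        # (or an IDS/IPS queue) on such a rule would see only the handshake.
        ct state established ct mark != 0x1 meta l4proto { tcp, udp } flow add @ft

        # "flow add" is not terminal: the packet that was just offloaded,
        # the first packets of every connection, and all marked connections
        # are accepted here on the normal path.
        ct state established,related accept

        # New connections: the decision happens here, once per connection.
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept

        # A logged rule: mark the connection so it is never offloaded.
        iifname "lan0" oifname "wan0" tcp dport 22 ct mark set 0x1 log prefix "ssh-out: " accept
    }
}
```

To verify that a connection really took the fast path, compare its packet counter in `conntrack -L` with what the client sent: an offloaded connection shows the handshake packets only, because the rest never reaches conntrack's accounting in the forward hook. The same observation explains the QoS remark above: shaping that is attached at ingress/egress of the devices still sees the packets, while anything that lives in the forward chain does not.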