3.7. Advanced Settings
You can find the Advanced Settings at System → Settings → Advanced.
You can configure Firewall timeouts for
as well as the conntrack states table size.
You can add multiple IPv4 or IPv6 addresses or networks that will not be blocked at the VT AIR login when the username or password is incorrect. Otherwise, the login is protected by a blocking function after 3 unsuccessful logins.
3.7.2. Firewall Helper
There are 4 firewall helpers that help with protocols that need to open up additional random ports.
You can enable each helper individually and the firewall will try to track any additional port that a connection of one of those protocols opens without you adding a new firewall rule for it.
3.7.3. Network Interfaces
You can disable hardware and software offload features here.
- GRO (Generic Receive Offload)
- GSO (Generic Segmentation Offload)
- TSO (TCP Segmentation Offload)
- UFO (UDP Fragmentation Offload)
- TX/RX Checksum Offload
A restart is not required to disable or enable any of the settings.
3.7.4. Firewall Flowtable
Flowtable is a fast forwarding path for TCP/UDP packets that pass the firewall. Packets first traverse the firewall in the normal way. After a state is established, the connection is added to the flowtable. Any incoming packet of that connection is then sent directly from the incoming to the outgoing interface, bypassing the firewall infrastructure and therefore saving a lot of processing time.
This feature allows for 2-3 times faster packet processing and is compatible with QoS. It is enabled by default. If you enable IDS/IPS or logging for the firewall rule, this feature will not be enabled. If you encounter any issues, please disable this feature.
```
                                         userspace process
                                          ^              |
                                          |              |
                                     _____|____     ____\/___
                                    /          \   /         \
                                    |   input   |  |  output  |
                                    \__________/   \_________/
                                         ^               |
                                         |               |
      _________      __________      ---------     _____\/_____
     /         \    /          \     |Routing |   /            \
  -->  ingress  ---> prerouting ---> |decision|   | postrouting |--> neigh_xmit
     \_________/    \__________/     ----------   \____________/          ^
       |      ^                          |               ^                |
   flowtable  |                     ____\/___            |                |
       |      |                    /         \           |                |
    __\/___   |                    | forward |------------                |
    |-----|   |                    \_________/                            |
    |-----|   |                 'flow offload' rule                       |
    |-----|   |                   adds entry to                           |
    |_____|   |                     flowtable                             |
       |      |                                                           |
      / \     |                                                           |
     /hit\_no_|                                                           |
     \ ? /                                                                |
      \ /                                                                 |
       |__yes_________________fastpath bypass ____________________________|
```
Fig.1 Netfilter hooks and flowtable interactions
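The mechanism described above, written as a plain nftables ruleset. This is an added example, not VT AIR's generated configuration and not part of the original page. The table name `example_fw`, the interface names `lan0` and `wan0`, and the logged SSH rule are assumptions chosen for illustration; it shows why a rule that needs per-packet logging or inspection has to keep its flows out of the flowtable.

```nft
# Added illustration. Hypothetical names: table example_fw, interfaces lan0 / wan0.
table inet example_fw {
    # Fast path: entries are matched at the ingress hook of these devices.
    flowtable ft {
        hook ingress priority 0
        devices = { lan0, wan0 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # 1. Flows that must stay visible to per-packet logging (or an IDS
        #    queue): accept them before the offload rule, in both directions,
        #    so they are never added to the flowtable.
        iifname "lan0" oifname "wan0" tcp dport 22 log prefix "fwd-ssh " accept
        iifname "wan0" oifname "lan0" tcp sport 22 ct state established accept

        # 2. Any other established TCP/UDP flow is added to the flowtable.
        #    Its later packets are forwarded from ingress and skip this chain,
        #    so rules, counters and log statements here no longer see them.
        ct state established meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept

        # 3. New connections are still evaluated by the normal rules.
        iifname "lan0" oifname "wan0" ct state new accept
    }
}
```

On a plain Linux system, flows that have been moved to the fast path are marked `[OFFLOAD]` in the output of `conntrack -L`, which is a quick way to confirm which connections bypass the forward chain.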