howto/networksettings.md
... ...
@@ -32,4 +32,13 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
32 32
$ sysctl -a | grep forwarding
33 33
```
34 34
35
+### Note on firewalls, conntrack and asymmetric routing
36
+
37
+Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.
38
+
39
+In some cases your router will not see traffic from both sides e.g. requests are sent via different path not including your networks
40
+but responses are fowarded via your network. This will prevent conntrack from assigning any meaningful state information to these packets
41
+and your firewall will drop it if it is configured to drop packets with invalid state.
42
+
43
+
35 44
Happy Routing!
... ...
\ No newline at end of file
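Review bot: The new "Note on firewalls, conntrack and asymmetric routing" section tells the reader what not to configure but never shows what such a rule looks like, so someone auditing an existing ruleset has nothing to search for. Consider naming the usual forms, for example `iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP` or `ct state invalid drop` inside an nftables forward chain. Smaller points in the same added lines: "fowarded" should be "forwarded", "will drop it" should be "will drop them" since the antecedent is "these packets", "e.g. requests are sent via different path" reads better as "e.g. when requests are sent via a different path", and the hunk adds two blank lines before "Happy Routing!" where one is enough.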