
Disabling netfilter/connection tracking

Discussion in 'Tomato Firmware' started by Inssomniak, Jul 11, 2008.

  1. Inssomniak

    Inssomniak Addicted to LI Member

    I need to know if there is a way to disable netfilter/connection tracking in Tomato firmware?

    Some of you are probably going to say "you need it for X and X feature, you need it for NAT, you need it for your firewall!"

    Well, I don't need any of these features, and I have it in router mode.

    I have it in front of another router that does all that and I have an overflowing amount of connections that netfilter/ip_conntrack is tracking for no good reason.

    Thanks for any help!
  2. Inssomniak

    Inssomniak Addicted to LI Member

    Bump. No ideas? Can it be done even if I had to compile my own version?
  3. HennieM

    HennieM Network Guru Member

    Tomato has the iptables modules compiled into the kernel, so it cannot be turned off AFAIK.

    You could do
    iptables -P FORWARD ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F FORWARD
    iptables -F INPUT
    iptables -F OUTPUT

    if you already have all other iptables stuff turned off in the GUI.

    This does not stop /proc/net/ip_conntrack, but effectively disables any iptables chains. Maybe that'll help.

    If you compile your own version, you could pretty much do whatever you can figure out, among which may be the iptables driver as a module, which will give you the option of using/not using it.

    Edit: As an alternative, you could make the TCP and UDP timeouts very small, which should make less conntrack entries.
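    Since the original poster's complaint is a conntrack table that is filling up, a quick way to see what is actually in it before shrinking timeouts is to count entries per protocol and TCP state and compare the total against ip_conntrack_max. The script below is an added example, not from this thread or from Tomato; it works on a saved copy of /proc/net/ip_conntrack and uses a constructed four-line sample in the 2.6-style format (on the router itself you would point it at /proc/net/ip_conntrack).

```shell
#!/bin/sh
# Summarise a conntrack table dump: entries per protocol/state and the
# share of the table in use. Sample below is constructed, not captured.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=50123 dport=80 packets=12 bytes=1400 src=203.0.113.5 dst=192.168.1.10 sport=80 dport=50123 packets=10 bytes=9000 [ASSURED] use=1
tcp      6 118 TIME_WAIT src=192.168.1.11 dst=203.0.113.6 sport=50124 dport=443 packets=9 bytes=800 src=203.0.113.6 dst=192.168.1.11 sport=443 dport=50124 packets=8 bytes=7000 [ASSURED] use=1
udp      17 29 src=192.168.1.12 dst=203.0.113.7 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=203.0.113.7 dst=192.168.1.12 sport=53 dport=5353 packets=0 bytes=0 use=1
udp      17 170 src=192.168.1.12 dst=203.0.113.8 sport=40000 dport=123 packets=2 bytes=120 src=203.0.113.8 dst=192.168.1.12 sport=123 dport=40000 packets=2 bytes=120 [ASSURED] use=1
EOF

# Entries per "proto state". TCP carries a state in column 4; UDP has no
# state, so it is labelled by whether the flow ever saw a reply.
conntrack_count() {  # $1 = path to conntrack dump
  awk '{ key = $1
         if ($1 == "tcp") key = key " " $4
         else key = key ($0 ~ /\[UNREPLIED\]/ ? " UNREPLIED" : " REPLIED")
         n[key]++ }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# Total number of tracked flows.
conntrack_total() { wc -l <"$1" | tr -d ' '; }

# Percentage of the table used, given ip_conntrack_max as $2.
# Close to 100 means new flows will be dropped (the "overflow" symptom).
conntrack_pct() { echo $(( $(conntrack_total "$1") * 100 / $2 )); }

conntrack_count "$SAMPLE"
echo "table usage: $(conntrack_pct "$SAMPLE" 16)%"
```

A large share of UNREPLIED UDP or TIME_WAIT TCP entries is the case where lowering the corresponding timeout, as suggested above, actually frees table space.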
  4. azeari

    azeari LI Guru Member

    hmm double-router?

    why don'cha just operate the tomato as a switch? everything in 1 VLAN, no WAN ports, no conntrack, etc. that way the 1st router will handle everything.
  5. LLigetfa

    LLigetfa LI Guru Member

    Judging by some of the OP's threads elsewhere, I would guess he is using Tomato for MLPPPoE.
  6. TexasFlood

    TexasFlood Network Guru Member

    I hadn't thought about it till you said that, but that's exactly what I'm doing, put all the ethernet ports in my "extension" router in the LAN since I need the extra LAN port and not the WAN.
  7. azeari

    azeari LI Guru Member

    hmm it's strange, cuz i don't remember tomato tracking my internal lan connections.

    well anyway regarding ur qn, its not possible to turn off netfilter in the firmware itself unless u do compile ur own version (=
  8. TexasFlood

    TexasFlood Network Guru Member

    Looks like when all ports on my "extension" router are configured to be on the LAN, Tomato only tracks connections to that router and not those passing through to the primary WAN router.
