
I'm on Ubuntu 22.04 and I would like to disable connection tracking for UDP port 123, so I tried:

firewall-cmd --direct --add-rule ipv4 raw PREROUTING 1 -p udp --dport 123 -j NOTRACK
firewall-cmd --direct --add-rule ipv4 raw OUTPUT 1 -p udp --sport 123 -j NOTRACK

but this causes all traffic on that port to be blocked somehow. Can it be that it does not work because my firewalld uses nftables instead of iptables as a backend?

I also tried:

firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --dport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --sport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --dport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --sport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 123 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --sport 123 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --dport 123 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --sport 123 -j ACCEPT

But it had the same result. What would be the right rules to use?

Maestro
  • As firewalld adds rules that check for initial packets in new *or* in untracked state this should not disrupt traffic. You could use [trace](https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing) on packets to see what happens to them that shouldn't happen. – A.B Aug 09 '22 at 22:27
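For reference, here is what the same intent looks like as a native nftables ruleset, loaded with `nft -f`. This is an added example, not code from the question or from firewalld; the table and chain names (`ntp_notrack`, `prerouting`, `output`, `input`) are my own and do not refer to firewalld's tables. It shows the two halves a practitioner needs: the `notrack` statements must sit in a chain whose priority is `raw` (-300), i.e. before conntrack runs at -200, and once a packet is untracked it can never match `ct state established,related`, so the untracked NTP packets have to be accepted explicitly.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original question): exempt NTP (UDP/123)
# from connection tracking and then accept the now-untracked packets.
# Table and chain names are assumptions chosen for this example.

table inet ntp_notrack {
    # Priority "raw" (-300) is evaluated before conntrack (-200), so a
    # notrack verdict here prevents the conntrack entry from being created.
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 123 notrack   # requests arriving at a local NTP server
        udp sport 123 notrack   # replies arriving at a local NTP client
    }

    chain output {
        type filter hook output priority raw; policy accept;
        udp dport 123 notrack   # requests leaving a local NTP client
        udp sport 123 notrack   # replies leaving a local NTP server
    }

    # An untracked packet has ct state "untracked", never "established" or
    # "related", so a stateful firewall that admits replies only via
    # "ct state established,related accept" would now reject them.
    chain input {
        type filter hook input priority filter; policy accept;
        ct state untracked udp sport 123 accept
        ct state untracked udp dport 123 accept
    }
}
```

Two caveats when combining this with firewalld. First, `accept` in one base chain is not final: the packet continues to every other base chain on the same hook with a later priority, so an accept in the table above does not override a reject in firewalld's own input chain. The accept has to exist inside firewalld's ruleset, which is what the `ct state { new, untracked }` match in firewalld's service rules (mentioned in the comment above) provides once the service is allowed in the zone. Second, whether you get the behaviour you expect depends on whether your NTP client binds source port 123 (ntpd does, chrony uses an ephemeral port by default), because that decides which of the four `notrack` rules your own requests and replies actually hit; `nft monitor trace` together with a `meta nftrace set 1` rule on `udp sport 123` or `udp dport 123` shows exactly which chain makes the final verdict.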

0 Answers