diff options
author | Markus Bukowski <me@mrbuk.de> | 2022-01-15 12:35:55 +0100 |
---|---|---|
committer | Markus Bukowski <me@mrbuk.de> | 2022-01-15 12:51:30 +0100 |
commit | da72f4c39f015644515e0b598aea6f7e5a2a03a7 (patch) | |
tree | 0a01d60a435b1cad7a6105228a94744e31a3e9be /docs/configuration | |
parent | d2a6dae8ca26417a53943e196a7eca2ca175e4b1 (diff) | |
download | vyos-documentation-da72f4c39f015644515e0b598aea6f7e5a2a03a7.tar.gz vyos-documentation-da72f4c39f015644515e0b598aea6f7e5a2a03a7.zip |
Removed MSS from interface, added IP to pppoe
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/interfaces/pppoe.rst | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 41f22ed6..ae6a8cba 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -177,6 +177,41 @@ PPPoE options PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs. +.. cfgcmd:: set interfaces pppoe <interface> ip adjust-mss <mss> + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface <name> adjust-mss <value>`` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + +.. cfgcmd:: set interfaces pppoe <interface> ip disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces pppoe <interface> ip source-validation <strict | loose | disable> + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + IPv6 ---- @@ -189,6 +224,41 @@ IPv6 :var0: pppoe :var1: pppoe0 +.. cfgcmd:: set interfaces pppoe <interface> ipv6 adjust-mss <mss> + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface <name> adjust-mss <value>`` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + +.. cfgcmd:: set interfaces pppoe <interface> ipv6 disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces pppoe <interface> ipv6 source-validation <strict | loose | disable> + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + ********* Operation ********* |