Diffstat (limited to 'docs/configuration/service')
-rw-r--r--docs/configuration/service/conntrack-sync.rst31
-rw-r--r--docs/configuration/service/console-server.rst18
-rw-r--r--docs/configuration/service/dhcp-relay.rst37
-rw-r--r--docs/configuration/service/dhcp-server.rst6
-rw-r--r--docs/configuration/service/dns.rst22
-rw-r--r--docs/configuration/service/index.rst1
-rw-r--r--docs/configuration/service/ipoe-server.rst53
-rw-r--r--docs/configuration/service/ntp.rst84
-rw-r--r--docs/configuration/service/router-advert.rst5
-rw-r--r--docs/configuration/service/ssh.rst6
-rw-r--r--docs/configuration/service/tftp-server.rst14
11 files changed, 231 insertions, 46 deletions
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst
index 1b72f8eb..468b39d9 100644
--- a/docs/configuration/service/conntrack-sync.rst
+++ b/docs/configuration/service/conntrack-sync.rst
@@ -37,14 +37,14 @@ Most examples below show Multicast, but unicast can be specified by using the
Configuration
*************
- .. cfgcmd:: set service conntrack-sync accept-protocol
+.. cfgcmd:: set service conntrack-sync accept-protocol
Accept only certain protocols: You may want to replicate the state of flows
depending on their layer 4 protocol.
Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp.
- .. cfgcmd:: set service conntrack-sync event-listen-queue-size <size>
+.. cfgcmd:: set service conntrack-sync event-listen-queue-size <size>
The daemon doubles the size of the netlink event socket buffer size if it
detects netlink event message dropping. This clause sets the maximum buffer
@@ -52,39 +52,52 @@ Configuration
Queue size for listening to local conntrack events in MB.
- .. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet>
+.. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet>
Protocol for which expect entries need to be synchronized.
- .. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group>
+.. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group>
Failover mechanism to use for conntrack-sync.
Only VRRP is supported. Required option.
- .. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x>
+.. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x>
IP addresses or networks for which local conntrack entries will not be synced
- .. cfgcmd:: set service conntrack-sync interface <name>
+.. cfgcmd:: set service conntrack-sync interface <name>
Interface to use for syncing conntrack entries.
- .. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x>
+.. cfgcmd:: set service conntrack-sync interface <name> port <port>
+
+ Port number used by connection.
+
+.. cfgcmd:: set service conntrack-sync listen-address <ipv4address>
+
+ Local IPv4 addresses for service to listen on.
+
+.. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x>
Multicast group to use for syncing conntrack entries.
Defaults to 225.0.0.50.
- .. cfgcmd:: set service conntrack-sync interface <name> peer <address>
+.. cfgcmd:: set service conntrack-sync interface <name> peer <address>
Peer to send unicast UDP conntrack sync entires to, if not using Multicast
configuration from above above.
- .. cfgcmd:: set service conntrack-sync sync-queue-size <size>
+.. cfgcmd:: set service conntrack-sync sync-queue-size <size>
Queue size for syncing conntrack entries in MB.
+.. cfgcmd:: set service conntrack-sync disable-external-cache
+
+ This diable the external cache and directly injects the flow-states into the
+ in-kernel Connection Tracking System of the backup firewall.
+
*********
Operation
*********
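Review bot: the new ``disable-external-cache`` description has a typo, "This diable the external cache" should read "This disables the external cache", and the new ``interface <name> port <port>`` text "Port number used by connection." is too vague to act on; since the peer entry two directives below already says the sync traffic is unicast UDP, "UDP port used for the conntrack sync channel." would tell the reader what is being opened. While this hunk is touching the block, the unchanged peer description still carries "entires" (entries) and the doubled "above above".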
diff --git a/docs/configuration/service/console-server.rst b/docs/configuration/service/console-server.rst
index 435c972c..c9ea7f77 100644
--- a/docs/configuration/service/console-server.rst
+++ b/docs/configuration/service/console-server.rst
@@ -26,30 +26,30 @@ times are used to send a single character, and so dividing the signalling
bit-rate by ten results in the overall transmission speed in characters per
second. This is also the default setting if none of those options are defined.
-.. cfgcmd:: set service console-server <device> data-bits [7 | 8]
+.. cfgcmd:: set service console-server device <device> data-bits [7 | 8]
Configure either seven or eight data bits. This defaults to eight data
bits if left unconfigured.
-.. cfgcmd:: set service console-server <device> description <string>
+.. cfgcmd:: set service console-server device <device> description <string>
A user friendly description identifying the connected peripheral.
-.. cfgcmd:: set service console-server <device> alias <string>
+.. cfgcmd:: set service console-server device <device> alias <string>
A user friendly alias for this connection. Can be used instead of the
device name when connecting.
-.. cfgcmd:: set service console-server <device> parity [even | odd | none]
+.. cfgcmd:: set service console-server device <device> parity [even | odd | none]
Set the parity option for the console. If unset this will default to none.
-.. cfgcmd:: set service console-server <device> stop-bits [1 | 2]
+.. cfgcmd:: set service console-server device <device> stop-bits [1 | 2]
Configure either one or two stop bits. This defaults to one stop bits if
left unconfigured.
-.. cfgcmd:: set service console-server <device> speed
+.. cfgcmd:: set service console-server device <device> speed
[ 300 | 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200 ]
.. note:: USB to serial converters will handle most of their work in software
@@ -63,7 +63,7 @@ Each individual configured console-server device can be directly exposed to
the outside world. A user can directly connect via SSH to the configured
port.
-.. cfgcmd:: set service console-server <device> ssh port <port>
+.. cfgcmd:: set service console-server device <device> ssh port <port>
Accept SSH connections for the given `<device>` on TCP port `<port>`.
After successfull authentication the user will be directly dropped to
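Review bot: the context line right after the changed directive still reads "After successfull authentication"; since the hunk is already editing this block, fixing it to "successful" here avoids a follow-up commit.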
@@ -114,3 +114,7 @@ Operation
.. hint:: If ``alias`` is set, it can be used instead of the device when
connecting.
+
+.. opcmd:: show log console-server
+
+ Show the console server log. \ No newline at end of file
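Review bot: the added ``show log console-server`` entry ends with "\ No newline at end of file"; please add the trailing newline so the next append to this file does not produce a noisy diff.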
diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst
index 5ce22edb..43abf254 100644
--- a/docs/configuration/service/dhcp-relay.rst
+++ b/docs/configuration/service/dhcp-relay.rst
@@ -20,8 +20,20 @@ Configuration
.. cfgcmd:: set service dhcp-relay interface <interface>
- Interfaces that participate in the DHCP relay process, including the uplink
- to the DHCP server.
+ Interfaces that participate in the DHCP relay process. If this command is
+ used, at least two entries of it are required: one for the interface that
+ captures the dhcp-requests, and one for the interface to forward such
+ requests. A warning message will be shown if this command is used, since
+ new implementations should use ``listen-interface`` and
+ ``upstream-interface``.
+
+.. cfgcmd:: set service dhcp-relay listen-interface <interface>
+
+ Interface for DHCP Relay Agent to listen for requests.
+
+.. cfgcmd:: set service dhcp-relay upstream-interface <interface>
+
+ Interface for DHCP Relay Agent to forward requests out.
.. cfgcmd:: set service dhcp-relay server <server>
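Review bot: the rewritten ``interface`` description should say plainly that the option is deprecated in favour of ``listen-interface`` and ``upstream-interface`` rather than only mentioning that a warning is shown, and "captures the dhcp-requests" should read "receives the DHCP requests"; the two new directive descriptions could also say that ``listen-interface`` is the client-facing side and ``upstream-interface`` the server-facing side, which is the distinction the old single ``interface`` keyword blurred.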
@@ -47,7 +59,7 @@ Options
DHCP packet size surpasses this value it will be forwarded without appending
relay agent information. Range 64...1400, default 576.
-.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packet
+.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets
<append | discard | forward | replace>
Four policies for reforwarding DHCP packets exist:
@@ -70,8 +82,8 @@ Example
* Listen for DHCP requests on interface ``eth1``.
* DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``.
-* Router receives DHCP client requests on ``eth1`` and relays them to the server
- at 10.0.1.4 on ``eth2``.
+* Router receives DHCP client requests on ``eth1`` and relays them to the
+ server at 10.0.1.4 on ``eth2``.
.. figure:: /_static/images/service_dhcp-relay01.png
:scale: 80 %
@@ -84,6 +96,19 @@ The generated configuration will look like:
.. code-block:: none
show service dhcp-relay
+ listen-interface eth1
+ upstrem-interface eth2
+ server 10.0.1.4
+ relay-options {
+ relay-agents-packets discard
+ }
+
+Also, for backwards compatibility this configuration, which uses generic
+interface definition, is still valid:
+
+.. code-block:: none
+
+ show service dhcp-relay
interface eth1
interface eth2
server 10.0.1.4
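Review bot: the new example output has a typo in ``+ upstrem-interface eth2``; it must be ``upstream-interface eth2`` to match the directive documented above, otherwise readers copying the example get a configuration that does not exist. The lead-in "this configuration, which uses generic interface definition, is still valid" would read better as "this configuration, which uses the generic ``interface`` definition, remains valid".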
@@ -124,7 +149,7 @@ Configuration
Options
-------
-.. cfgcmd:: set service dhcpv6-relay max-hop-count 'count'
+.. cfgcmd:: set service dhcpv6-relay max-hop-count <count>
Set maximum hop count before packets are discarded, default: 10
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst
index 3f4b7b89..b5b12a5b 100644
--- a/docs/configuration/service/dhcp-server.rst
+++ b/docs/configuration/service/dhcp-server.rst
@@ -234,7 +234,7 @@ inside the subnet definition but can be outside of the range statement.
**Example:**
-* IP address ``192.168.1.100`` shall be statically mapped to client named ``client100``
+* IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``
.. code-block:: none
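Review bot: the bullet now says the mapping is for client ``client1``, but the hunk does not show the code block that follows; please confirm the ``static-mapping`` name in that block is also ``client1`` so the prose and the configuration agree.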
@@ -747,10 +747,6 @@ Operation Mode
To restart the DHCPv6 server
-.. opcmd:: show dhcpv6 server status
-
- To show the current status of the DHCPv6 server.
-
.. opcmd:: show dhcpv6 server leases
Shows status of all assigned leases:
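Review bot: the ``show dhcpv6 server status`` entry is removed without any explanation in the hunk; the commit message should state that the command no longer exists in the CLI, otherwise the removal looks accidental to anyone reading the history.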
diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst
index aee207a6..5fe408f1 100644
--- a/docs/configuration/service/dns.rst
+++ b/docs/configuration/service/dns.rst
@@ -21,10 +21,15 @@ avoid being tracked by the provider of your upstream DNS server.
Forward incoming DNS queries to the DNS servers configured under the ``system
name-server`` nodes.
-.. cfgcmd:: set service dns forwarding name-server <address>
+.. cfgcmd:: set service dns forwarding dhcp <interface>
- Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`.
- You can configure multiple nameservers here.
+ Interfaces whose DHCP client nameservers to forward requests to.
+
+.. cfgcmd:: set service dns forwarding name-server <address> port <port>
+
+ Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`
+ on optional port specified under `<port>`. The port defaults to 53. You can
+ configure multiple nameservers here.
.. cfgcmd:: set service dns forwarding domain <domain-name> server <address>
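Review bot: the new ``dhcp <interface>`` description "Interfaces whose DHCP client nameservers to forward requests to." is hard to parse; "Forward queries to the nameservers learned by the DHCP client on this interface." says the same thing clearly. The old plain ``name-server <address>`` directive entry is replaced by the ``port <port>`` form; since the text says the port is optional, keeping both forms (or noting that ``port`` may be omitted) makes it clear the address-only command is still valid.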
@@ -35,6 +40,15 @@ avoid being tracked by the provider of your upstream DNS server.
.. note:: This also works for reverse-lookup zones (``18.172.in-addr.arpa``).
+.. cfgcmd:: set service dns forwarding domain <domain-name> addnta
+
+ Add NTA (negative trust anchor) for this domain. This must be set if the
+ domain does not support DNSSEC.
+
+.. cfgcmd:: set service dns forwarding domain <domain-name> recursion-desired
+
+ Set the "recursion desired" bit in requests to the upstream nameserver.
+
.. cfgcmd:: set service dns forwarding allow-from <network>
Given the fact that open DNS recursors could be used on DDoS amplification
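Review bot: the ``addnta`` description should say what the option does to validation, not only when to set it: a negative trust anchor makes the resolver skip DNSSEC validation for that domain, so the text should advise setting it only for the specific zone that lacks DNSSEC rather than broadly. The ``recursion-desired`` entry would benefit from one sentence on when a user would want to clear or set it, since the current text only restates the flag name.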
@@ -154,8 +168,10 @@ In this scenario:
set service dns forwarding domain example.com server 2001:db8:cafe::1
set service dns forwarding name-server 192.0.2.1
set service dns forwarding name-server 192.0.2.2
+ set service dns forwarding name-server 192.0.2.3 port 853
set service dns forwarding name-server 2001:db8::1:ffff
set service dns forwarding name-server 2001:db8::2:ffff
+ set service dns forwarding name-server 2001:db8::3:ffff port 8053
set service dns forwarding listen-address 192.168.1.254
set service dns forwarding listen-address 2001:db8::ffff
set service dns forwarding allow-from 192.168.1.0/24
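Review bot: the added example line ``set service dns forwarding name-server 192.0.2.3 port 853`` uses the port registered for DNS over TLS; unless the forwarder speaks TLS on that upstream, readers may assume the ``port`` option enables encrypted forwarding. Pick a port that does not imply TLS (the IPv6 line's ``8053`` already does this) or state explicitly that ``port`` only changes the UDP/TCP port and does not enable DNS over TLS.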
diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst
index 8607490d..1195348f 100644
--- a/docs/configuration/service/index.rst
+++ b/docs/configuration/service/index.rst
@@ -18,6 +18,7 @@ Service
lldp
mdns
monitoring
+ ntp
pppoe-server
router-advert
salt-minion
diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst
index d8b9e6b7..c219a063 100644
--- a/docs/configuration/service/ipoe-server.rst
+++ b/docs/configuration/service/ipoe-server.rst
@@ -39,7 +39,7 @@ the configuration.
.. code-block:: none
- set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06
+ set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06
set service ipoe-server authentication mode 'local'
set service ipoe-server name-server '10.10.1.1'
set service ipoe-server name-server '10.10.1.2'
@@ -70,7 +70,7 @@ IPv6 DNS addresses are optional.
.. code-block:: none
- set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06
+ set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06
set service ipoe-server authentication mode 'local'
set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56'
set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64'
@@ -131,8 +131,8 @@ The rate-limit is set in kbit/sec.
.. code-block:: none
- set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500'
- set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500'
+ set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit download '500'
+ set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit upload '500'
set service ipoe-server authentication mode 'local'
set service ipoe-server name-server '10.10.1.1'
set service ipoe-server name-server '10.10.1.2'
@@ -146,4 +146,49 @@ The rate-limit is set in kbit/sec.
-------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------
ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb
+Example
+=======
+
+* IPoE server will listen on interfaces eth1.50 and eth1.51
+* There are rate-limited and non rate-limited users (MACs)
+
+Server configuration
+--------------------
+
+.. code-block:: none
+
+ set interfaces dummy dum1000 address 100.64.0.1/32
+ set interfaces dummy dum1000 address 2001:db8::1/128
+
+ set interfaces ethernet eth1 description 'IPoE'
+ set interfaces ethernet eth1 vif 50
+ set interfaces ethernet eth1 vif 51
+
+ set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7
+ set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000'
+ set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000'
+ set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000'
+ set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000'
+ set service ipoe-server authentication mode 'local'
+
+ set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56'
+ set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64'
+ set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24'
+ set service ipoe-server interface eth1.50 mode 'l2'
+ set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24'
+ set service ipoe-server interface eth1.51 mode 'l2'
+ set service ipoe-server name-server '100.64.0.1'
+ set service ipoe-server name-server '2001:db8::1'
+
+Client configuration
+--------------------
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7'
+
+ set interfaces ethernet eth0 vif 50 address 'dhcp'
+ set interfaces ethernet eth0 vif 50 address 'dhcpv6'
+ set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1'
+
.. include:: /_include/common-references.txt
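Review bot: in the new example, MAC ``00:0c:29:b7:49:a7`` is listed under ``eth1.50`` without a rate-limit and under ``eth1.51`` with a 50000 kbit/s limit, while the client configuration only brings up ``vif 50``; either drop the ``eth1.51`` lines for that MAC or add a client section for ``vif 51`` so the example shows what the second interface is for. The rate-limited MAC ``00:0c:29:f0:be:4c`` on ``eth1.50`` has no client counterpart at all. The bullet "There are rate-limited and non rate-limited users (MACs)" should read "There are rate-limited and non-rate-limited clients, identified by MAC address".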
diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst
new file mode 100644
index 00000000..08be047c
--- /dev/null
+++ b/docs/configuration/service/ntp.rst
@@ -0,0 +1,84 @@
+.. _ntp:
+
+###
+NTP
+###
+
+:abbr:`NTP (Network Time Protocol`) is a networking protocol for clock
+synchronization between computer systems over packet-switched, variable-latency
+data networks. In operation since before 1985, NTP is one of the oldest Internet
+protocols in current use.
+
+NTP is intended to synchronize all participating computers to within a few
+milliseconds of :abbr:`UTC (Coordinated Universal Time)`. It uses the
+intersection algorithm, a modified version of Marzullo's algorithm, to select
+accurate time servers and is designed to mitigate the effects of variable
+network latency. NTP can usually maintain time to within tens of milliseconds
+over the public Internet, and can achieve better than one millisecond accuracy
+in local area networks under ideal conditions. Asymmetric routes and network
+congestion can cause errors of 100 ms or more.
+
+The protocol is usually described in terms of a client-server model, but can as
+easily be used in peer-to-peer relationships where both peers consider the other
+to be a potential time source. Implementations send and receive timestamps using
+:abbr:`UDP (User Datagram Protocol)` on port number 123.
+
+NTP supplies a warning of any impending leap second adjustment, but no
+information about local time zones or daylight saving time is transmitted.
+
+The current protocol is version 4 (NTPv4), which is a proposed standard as
+documented in :rfc:`5905`. It is backward compatible with version 3, specified
+in :rfc:`1305`.
+
+.. note:: VyOS 1.4 uses chrony instead of ntpd (see :vytask:`T3008`) which will
+ no longer accept anonymous NTP requests as in VyOS 1.3. All configurations
+ will be migrated to keep the anonymous functionality. For new setups if you
+ have clients using your VyOS installation as NTP server, you must specify
+ the `allow-client` directive.
+
+Configuration
+=============
+
+.. cfgcmd:: set service ntp server <address>
+
+ Configure one or more servers for synchronisation. Server name can be either
+ an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`.
+
+ There are 3 default NTP server set. You are able to change them.
+
+ * ``0.pool.ntp.org``
+ * ``1.pool.ntp.org``
+ * ``2.pool.ntp.org``
+
+.. cfgcmd:: set service ntp server <address> <noselect | nts | pool | prefer>
+
+ Configure one or more attributes to the given NTP server.
+
+ * ``noselect`` marks the server as unused, except for display purposes. The
+ server is discarded by the selection algorithm.
+
+ * ``nts`` enables Network Time Security (NTS) for the server as specified
+ in :rfc:`8915`
+
+ * ``pool`` mobilizes persistent client mode association with a number of
+ remote servers.
+
+ * ``prefer`` marks the server as preferred. All other things being equal,
+ this host will be chosen for synchronization among a set of correctly
+ operating hosts.
+
+.. cfgcmd:: set service ntp listen-address <address>
+
+ NTP process will only listen on the specified IP address. You must specify
+ the `<address>` and optionally the permitted clients. Multiple listen
+ addresses can be configured.
+
+.. cfgcmd:: set service ntp allow-client address <address>
+
+ List of networks or client addresses permitted to contact this NTP server.
+
+ Multiple networks/client IP addresses can be configured.
+
+.. cfgcmd:: set service ntp vrf <name>
+
+ Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
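Review bot: the first abbreviation in the new file is malformed, ``:abbr:`NTP (Network Time Protocol`)`` puts the closing backtick before the parenthesis, so the role will not render; it must be ``:abbr:`NTP (Network Time Protocol)```. "There are 3 default NTP server set." should read "Three NTP servers are set by default.", and "Configure one or more attributes to the given NTP server" should be "for the given NTP server". Since the note explains that chrony drops the anonymous-request behaviour of VyOS 1.3, the ``allow-client address`` description should advise listing only the networks that actually need time service rather than a catch-all prefix, otherwise the migration simply recreates an open time server; the ``nts`` bullet is also missing its final period.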
diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst
index 0de72941..eb1a6844 100644
--- a/docs/configuration/service/router-advert.rst
+++ b/docs/configuration/service/router-advert.rst
@@ -8,7 +8,6 @@ Router Advertisements
They are part of what is known as :abbr:`SLAAC (Stateless Address
Autoconfiguration)`.
-
Supported interface types:
* bonding
@@ -21,7 +20,7 @@ Supported interface types:
* vxlan
* wireguard
* wireless
- * wirelessmodem
+ * wwan
Enabling Advertisments
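Review bot: the context line "Enabling Advertisments" carries a typo (Advertisements) that the following hunk header repeats; since this change is already editing the list directly above it, fixing the heading here would be cheap, but note that the underline length must be adjusted to match the new heading width.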
@@ -31,7 +30,7 @@ Enabling Advertisments
.. stop_vyoslinter
-.. csv-table::
+.. csv-table::
:header: "Field", "VyOS Option", "Description"
:widths: 10, 10, 20
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index ab77c138..15c2390c 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -139,6 +139,8 @@ offending IP is blocked. Offenders are unblocked after a set interval.
Block source IP when their cumulative attack score exceeds threshold. The
default is 30.
+.. _ssh_operation:
+
Operation
=========
@@ -193,13 +195,13 @@ Operation
:ref:`ssh_key_based_authentication`.
``<location>`` can be a local path or a URL pointing at a remote file.
- Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP.
+ Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP.
Example:
.. code-block:: none
- alyssa@vyos:~$ generate public-key-command name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub
+ alyssa@vyos:~$ generate public-key-command user alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub
# To add this key as an embedded key, run the following commands:
configure
set system login user alyssa authentication public-keys alyssa@example.net key AAA...
diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst
index 0ca75efe..84acf3d4 100644
--- a/docs/configuration/service/tftp-server.rst
+++ b/docs/configuration/service/tftp-server.rst
@@ -15,8 +15,8 @@ Configuration
.. cfgcmd:: set service tftp-server directory <directory>
-Enable TFTP service by specifying the `<directory>` which will be used to serve
-files.
+ Enable TFTP service by specifying the `<directory>` which will be used to serve
+ files.
.. hint:: Choose your ``directory`` location carefully or you will loose the
content on image upgrades. Any directory under ``/config`` is save at this
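Review bot: the re-indentation is correct, but the adjacent hint still reads "you will loose the content" and "Any directory under ``/config`` is save", which should be "lose" and "safe"; fixing them in this hunk keeps the whitespace clean-up and the spelling fix in one commit.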
@@ -24,9 +24,9 @@ files.
.. cfgcmd:: set service tftp-server listen-address <address>
-Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and
-IPv6 addresses can be given. There will be one TFTP server instances listening
-on each IP address.
+ Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and
+ IPv6 addresses can be given. There will be one TFTP server instances listening
+ on each IP address.
.. cfgcmd:: set service tftp-server listen-address <address> vrf <name>
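Review bot: the re-indented text keeps the grammatical slip "There will be one TFTP server instances listening on each IP address"; it should read "one TFTP server instance". Given the ``vrf`` variant documented directly below, one clause noting that each listen address runs its own instance in the VRF it is bound to would help readers reason about which addresses are exposed.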
@@ -40,8 +40,8 @@ Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forw
.. cfgcmd:: set service tftp-server allow-upload
-Optional, if you want to enable uploads, else TFTP server will act as a
-read-only server.
+ Optional, if you want to enable uploads, else TFTP server will act as a
+ read-only server.
Example
-------