diff options
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/firewall/index.rst | 9 | ||||
-rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 4 | ||||
-rw-r--r-- | docs/configuration/service/dhcp-relay.rst | 1 | ||||
-rw-r--r-- | docs/configuration/service/dhcp-server.rst | 37 | ||||
-rw-r--r-- | docs/configuration/service/https.rst | 2 | ||||
-rw-r--r-- | docs/configuration/system/conntrack.disable | 2 | ||||
-rw-r--r-- | docs/configuration/system/conntrack.rst | 186 | ||||
-rw-r--r-- | docs/configuration/system/index.rst | 1 | ||||
-rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 1 |
9 files changed, 223 insertions, 20 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 92f2da8d..a9fb3c93 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -417,6 +417,15 @@ There are a lot of matching criteria against which the package can be tested. Match against the state of a packet. +.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | + minute | hour> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | + minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. *********************************** Applying a Rule-Set to an Interface diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index e2ca8599..c95cadc9 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -127,11 +127,11 @@ Operation conntrack is not enabled. To enable conntrack, just create a NAT or a firewall rule. :cfgcmd:`set firewall state-policy established action accept` -.. opcmd:: show conntrack-sync external-cache +.. opcmd:: show conntrack-sync cache external Show connection syncing external cache entries -.. opcmd:: show conntrack-sync internal-cache +.. opcmd:: show conntrack-sync cache internal Show connection syncing internal cache entries diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index 5adb83bb..b9aefbfb 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -78,6 +78,7 @@ The generated configuration will look like: show service dhcp-relay interface eth1 + interface eth2 server 10.0.1.4 relay-options { relay-agents-packets discard diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 38f4d7fc..f55c7a45 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -59,10 +59,17 @@ Configuration respond to the client. The lease will remain abandoned for a minimum of abandon-lease-time seconds (defaults to 24 hours). - If a there are no free addressses but there are abandoned IP addresses, the + If there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time. +.. cfgcmd:: set service dhcp-server listen-address <address> + + This configuration parameter lets the DHCP server to listen for DHCP + requests sent to the specified address, it is only realistically useful for + a server whose only clients are reached via unicasts, such as via DHCP relay + agents. + Individual Client Subnet ------------------------- @@ -141,7 +148,7 @@ Individual Client Subnet respond to the client. The lease will remain abandoned for a minimum of abandon-lease-time seconds (defaults to 24 hours). - If a there are no free addressses but there are abandoned IP addresses, the + If a there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time. @@ -476,18 +483,6 @@ Operation Mode Show logs from specific `interface` DHCP client process. -.. opcmd:: show log dhcpv6 server - - Show DHCPv6 server daemon log file - -.. opcmd:: show log dhcpv6 client - - Show logs from all DHCPv6 client processes. - -.. opcmd:: show log dhcpv6 client interface <interface> - - Show logs from specific `interface` DHCPv6 client process. - .. opcmd:: restart dhcp server Restart the DHCP server @@ -697,6 +692,18 @@ The configuration will look as follows: Operation Mode ============== +.. opcmd:: show log dhcpv6 server + + Show DHCPv6 server daemon log file + +.. opcmd:: show log dhcpv6 client + + Show logs from all DHCPv6 client processes. + +.. opcmd:: show log dhcpv6 client interface <interface> + + Show logs from specific `interface` DHCPv6 client process. + .. opcmd:: restart dhcpv6 server To restart the DHCPv6 server @@ -707,7 +714,7 @@ Operation Mode .. opcmd:: show dhcpv6 server leases - Show statuses of all assigned leases: + Shows status of all assigned leases: .. code-block:: none diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 18227027..de5e759a 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -93,4 +93,4 @@ To use this full configuration we asume a globally resolvable hostname. set service https virtual-host rtr01 listen-address 198.51.100.2 set service https virtual-host rtr01 listen-port 11443 set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01.example.com + set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/system/conntrack.disable b/docs/configuration/system/conntrack.disable deleted file mode 100644 index 7d5d4308..00000000 --- a/docs/configuration/system/conntrack.disable +++ /dev/null @@ -1,2 +0,0 @@ -conntrack -#########
\ No newline at end of file diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst new file mode 100644 index 00000000..6329fcf2 --- /dev/null +++ b/docs/configuration/system/conntrack.rst @@ -0,0 +1,186 @@ + +######### +Conntrack +######### + +VyOS can be configured to track connections using the connection +tracking subsystem. Connection tracking becomes operational once either +stateful firewall or NAT is configured. + +********* +Configure +********* + +.. cfgcmd:: set system conntrack table-size <1-50000000> + :defaultvalue: + + The connection tracking table contains one entry for each connection being + tracked by the system. + +.. cfgcmd:: set system conntrack expect-table-size <1-50000000> + :defaultvalue: + + The connection tracking expect table contains one entry for each expected + connection related to an existing connection. These are generally used by + “connection tracking helper” modules such as FTP. + The default size of the expect table is 2048 entries. + +.. cfgcmd:: set system conntrack hash-size <1-50000000> + :defaultvalue: + + Set the size of the hash table. The connection tracking hash table makes + searching the connection tracking table faster. The hash table uses “buckets” to + record entries in the connection tracking table. + +.. cfgcmd:: system conntrack modules ftp +.. cfgcmd:: system conntrack modules h323 +.. cfgcmd:: system conntrack modules nfs +.. cfgcmd:: system conntrack modules pptp +.. cfgcmd:: system conntrack modules sip +.. cfgcmd:: system conntrack modules sqlnet +.. cfgcmd:: system conntrack modules tftp + + Configure the connection tracking protocol helper modules. + All modules are enable by default. + + | Use `delete system conntrack modules` to deactive all modules. + | Or, for example ftp, `delete system conntrack modules ftp`. + + +Define Conection Timeouts +========================= + +VyOS supports setting timeouts for connections according to the +connection type. You can set timeout values for generic connections, for ICMP +connections, UDP connections, or for TCP connections in a number of different states. + +.. cfgcmd:: system conntrack timeout icmp <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout other <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp close <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp close-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp established <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp fin-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp last-ack <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp syn-recv <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp syn-sent <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout tcp time-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout udp other <1-21474836> + :defaultvalue: +.. cfgcmd:: system conntrack timeout udp stream <1-21474836> + :defaultvalue: + + Set the timeout in secounds for a protocol or state. + + +You can also define custom timeout values to apply to a specific subset of +connections, based on a packet and flow selector. To do this, you create a rule +defining the packet and flow selector. + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> description <test> + + Set a rule description. + + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination address <ip-address> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> source address <ip-address> + + set a destination and/or source address. Accepted input: + + .. code-block:: none + + <x.x.x.x> IP address to match + <x.x.x.x/x> Subnet to match + <x.x.x.x>-<x.x.x.x> + IP range to match + !<x.x.x.x> Match everything except the specified address + !<x.x.x.x/x> Match everything except the specified subnet + !<x.x.x.x>-<x.x.x.x> + Match everything except the specified range + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination port <value> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> source port <value> + + Set a destination and/or source port. Accepted input: + + .. code-block:: none + + <port name> Named port (any name in /etc/services, e.g., http) + <1-65535> Numbered port + <start>-<end> Numbered port range (e.g., 1001-1005) + + Multiple destination ports can be specified as a comma-separated list. + The whole list can also be "negated" using '!'. For example: + `!22,telnet,http,123,1001-1005`` + + + +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol other <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> +.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> + + Set the timeout in secounds for a protocol or state in a custom rule. + + +.. cfgcmd:: system conntrack tcp half-open-connections <1-21474836> + :defaultvalue: + + Set the maximum number of TCP half-open connections. + +.. cfgcmd:: system conntrack tcp loose <enable | disable> + :defaultvalue: + + Policy to track previously established connections. + +.. cfgcmd:: system conntrack tcp max-retrans <1-2147483647> + :defaultvalue: + + Set the number of TCP maximum retransmit attempts. + +.. cfgcmd:: system conntrack ignore rule <1-9999> description <text> +.. cfgcmd:: system conntrack ignore rule <1-9999> destination address <ip-address> +.. cfgcmd:: system conntrack ignore rule <1-9999> destination port <port> +.. cfgcmd:: system conntrack ignore rule <1-9999> inbound-interface <interface> +.. cfgcmd:: system conntrack ignore rule <1-9999> protocol <protocol> +.. cfgcmd:: system conntrack ignore rule <1-9999> source address <ip-address> +.. cfgcmd:: system conntrack ignore rule <1-9999> source port <port> + + Configure customized ignore rules for selective connection tracking + +.. cfgcmd:: system conntrack log icmp destroy +.. cfgcmd:: system conntrack log icmp new +.. cfgcmd:: system conntrack log icmp update +.. cfgcmd:: system conntrack log other destroy +.. cfgcmd:: system conntrack log other new +.. cfgcmd:: system conntrack log other update +.. cfgcmd:: system conntrack log tcp destroy +.. cfgcmd:: system conntrack log tcp new +.. cfgcmd:: system conntrack log tcp update close-wait +.. cfgcmd:: system conntrack log tcp update established +.. cfgcmd:: system conntrack log tcp update fin-wait +.. cfgcmd:: system conntrack log tcp update last-ack +.. cfgcmd:: system conntrack log tcp update syn-received +.. cfgcmd:: system conntrack log tcp update time-wait +.. cfgcmd:: system conntrack log udp destroy +.. cfgcmd:: system conntrack log udp new +.. cfgcmd:: system conntrack log udp update + + Log the connection tracking events per protocol.
\ No newline at end of file diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index ac84da49..9791ddb1 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -8,6 +8,7 @@ System :includehidden: acceleration + conntrack console flow-accounting host-name diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index f11f4a20..e5e2fad5 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -276,6 +276,7 @@ spoke01-spoke04 ip nhrp registration timeout 75 tunnel source FastEthernet0/0 tunnel mode gre multipoint + tunnel protection ipsec profile DMVPN tunnel key 1 ! interface FastEthernet0/0 |