path: root/docs/configuration
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/firewall/index.rst9
-rw-r--r--docs/configuration/service/conntrack-sync.rst4
-rw-r--r--docs/configuration/service/dhcp-relay.rst1
-rw-r--r--docs/configuration/service/dhcp-server.rst37
-rw-r--r--docs/configuration/service/https.rst2
-rw-r--r--docs/configuration/system/conntrack.disable2
-rw-r--r--docs/configuration/system/conntrack.rst186
-rw-r--r--docs/configuration/system/index.rst1
-rw-r--r--docs/configuration/vpn/dmvpn.rst1
9 files changed, 223 insertions, 20 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 92f2da8d..a9fb3c93 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -417,6 +417,15 @@ There are a lot of matching criteria against which the package can be tested.
Match against the state of a packet.
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
+ minute | hour>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
+ minute | hour>
+
+ Match when 'count' amount of connections are seen within 'time'. These
+ matching criteria can be used to block brute-force attempts.
***********************************
Applying a Rule-Set to an Interface
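Review bot: the description closing this hunk, "Match when 'count' amount of connections are seen within 'time'", does not say how `count` relates to the unit selected by `recent time <second | minute | hour>`; suggest "Match when `count` or more connections are seen within one `time` unit (second, minute or hour)". "amount of connections" should also be "number of connections".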
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst
index e2ca8599..c95cadc9 100644
--- a/docs/configuration/service/conntrack-sync.rst
+++ b/docs/configuration/service/conntrack-sync.rst
@@ -127,11 +127,11 @@ Operation
conntrack is not enabled. To enable conntrack, just create a NAT or a firewall
rule. :cfgcmd:`set firewall state-policy established action accept`
-.. opcmd:: show conntrack-sync external-cache
+.. opcmd:: show conntrack-sync cache external
Show connection syncing external cache entries
-.. opcmd:: show conntrack-sync internal-cache
+.. opcmd:: show conntrack-sync cache internal
Show connection syncing internal cache entries
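Review bot: the renamed `show conntrack-sync cache external` / `cache internal` commands look consistent with each other; check that any remaining mention of `external-cache` or `internal-cache` elsewhere in this file is updated to the new form as well.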
diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst
index 5adb83bb..b9aefbfb 100644
--- a/docs/configuration/service/dhcp-relay.rst
+++ b/docs/configuration/service/dhcp-relay.rst
@@ -78,6 +78,7 @@ The generated configuration will look like:
show service dhcp-relay
interface eth1
+ interface eth2
server 10.0.1.4
relay-options {
relay-agents-packets discard
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst
index 38f4d7fc..f55c7a45 100644
--- a/docs/configuration/service/dhcp-server.rst
+++ b/docs/configuration/service/dhcp-server.rst
@@ -59,10 +59,17 @@ Configuration
respond to the client. The lease will remain abandoned for a minimum of
abandon-lease-time seconds (defaults to 24 hours).
- If a there are no free addressses but there are abandoned IP addresses, the
+ If there are no free addresses but there are abandoned IP addresses, the
DHCP server will attempt to reclaim an abandoned IP address regardless of the
value of abandon-lease-time.
+.. cfgcmd:: set service dhcp-server listen-address <address>
+
+ This configuration parameter lets the DHCP server to listen for DHCP
+ requests sent to the specified address, it is only realistically useful for
+ a server whose only clients are reached via unicasts, such as via DHCP relay
+ agents.
+
Individual Client Subnet
-------------------------
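Review bot: the new `listen-address` description has a grammar slip and a comma splice: "lets the DHCP server to listen for DHCP requests sent to the specified address, it is only realistically useful" should read "lets the DHCP server listen for DHCP requests sent to the specified address; it is only realistically useful", and "via unicasts" should be "via unicast".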
@@ -141,7 +148,7 @@ Individual Client Subnet
respond to the client. The lease will remain abandoned for a minimum of
abandon-lease-time seconds (defaults to 24 hours).
- If a there are no free addressses but there are abandoned IP addresses, the
+ If a there are no free addresses but there are abandoned IP addresses, the
DHCP server will attempt to reclaim an abandoned IP address regardless of the
value of abandon-lease-time.
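Review bot: the fix on the `+` line is incomplete: "If a there are no free addresses" still carries the stray "a" that the same sentence in the previous hunk drops; make it read "If there are no free addresses" here too.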
@@ -476,18 +483,6 @@ Operation Mode
Show logs from specific `interface` DHCP client process.
-.. opcmd:: show log dhcpv6 server
-
- Show DHCPv6 server daemon log file
-
-.. opcmd:: show log dhcpv6 client
-
- Show logs from all DHCPv6 client processes.
-
-.. opcmd:: show log dhcpv6 client interface <interface>
-
- Show logs from specific `interface` DHCPv6 client process.
-
.. opcmd:: restart dhcp server
Restart the DHCP server
@@ -697,6 +692,18 @@ The configuration will look as follows:
Operation Mode
==============
+.. opcmd:: show log dhcpv6 server
+
+ Show DHCPv6 server daemon log file
+
+.. opcmd:: show log dhcpv6 client
+
+ Show logs from all DHCPv6 client processes.
+
+.. opcmd:: show log dhcpv6 client interface <interface>
+
+ Show logs from specific `interface` DHCPv6 client process.
+
.. opcmd:: restart dhcpv6 server
To restart the DHCPv6 server
@@ -707,7 +714,7 @@ Operation Mode
.. opcmd:: show dhcpv6 server leases
- Show statuses of all assigned leases:
+ Shows status of all assigned leases:
.. code-block:: none
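Review bot: "Shows status of all assigned leases:" breaks the imperative style the neighbouring opcmd descriptions use ("Show DHCPv6 server daemon log file", "Restart the DHCP server"); suggest "Show the status of all assigned leases:" instead.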
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 18227027..de5e759a 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -93,4 +93,4 @@ To use this full configuration we asume a globally resolvable hostname.
set service https virtual-host rtr01 listen-address 198.51.100.2
set service https virtual-host rtr01 listen-port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
- set service https api-restrict virtual-host rtr01.example.com
+ set service https api-restrict virtual-host rtr01
diff --git a/docs/configuration/system/conntrack.disable b/docs/configuration/system/conntrack.disable
deleted file mode 100644
index 7d5d4308..00000000
--- a/docs/configuration/system/conntrack.disable
+++ /dev/null
@@ -1,2 +0,0 @@
-conntrack
-######### \ No newline at end of file
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
new file mode 100644
index 00000000..6329fcf2
--- /dev/null
+++ b/docs/configuration/system/conntrack.rst
@@ -0,0 +1,186 @@
+
+#########
+Conntrack
+#########
+
+VyOS can be configured to track connections using the connection
+tracking subsystem. Connection tracking becomes operational once either
+stateful firewall or NAT is configured.
+
+*********
+Configure
+*********
+
+.. cfgcmd:: set system conntrack table-size <1-50000000>
+ :defaultvalue:
+
+ The connection tracking table contains one entry for each connection being
+ tracked by the system.
+
+.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
+ :defaultvalue:
+
+ The connection tracking expect table contains one entry for each expected
+ connection related to an existing connection. These are generally used by
+ “connection tracking helper” modules such as FTP.
+ The default size of the expect table is 2048 entries.
+
+.. cfgcmd:: set system conntrack hash-size <1-50000000>
+ :defaultvalue:
+
+ Set the size of the hash table. The connection tracking hash table makes
+ searching the connection tracking table faster. The hash table uses “buckets” to
+ record entries in the connection tracking table.
+
+.. cfgcmd:: system conntrack modules ftp
+.. cfgcmd:: system conntrack modules h323
+.. cfgcmd:: system conntrack modules nfs
+.. cfgcmd:: system conntrack modules pptp
+.. cfgcmd:: system conntrack modules sip
+.. cfgcmd:: system conntrack modules sqlnet
+.. cfgcmd:: system conntrack modules tftp
+
+ Configure the connection tracking protocol helper modules.
+ All modules are enable by default.
+
+ | Use `delete system conntrack modules` to deactive all modules.
+ | Or, for example ftp, `delete system conntrack modules ftp`.
+
+
+Define Conection Timeouts
+=========================
+
+VyOS supports setting timeouts for connections according to the
+connection type. You can set timeout values for generic connections, for ICMP
+connections, UDP connections, or for TCP connections in a number of different states.
+
+.. cfgcmd:: system conntrack timeout icmp <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp close <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp close-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp established <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp fin-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp last-ack <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp syn-recv <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp syn-sent <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout tcp time-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout udp other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: system conntrack timeout udp stream <1-21474836>
+ :defaultvalue:
+
+ Set the timeout in secounds for a protocol or state.
+
+
+You can also define custom timeout values to apply to a specific subset of
+connections, based on a packet and flow selector. To do this, you create a rule
+defining the packet and flow selector.
+
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> description <test>
+
+ Set a rule description.
+
+
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination address <ip-address>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> source address <ip-address>
+
+ set a destination and/or source address. Accepted input:
+
+ .. code-block:: none
+
+ <x.x.x.x> IP address to match
+ <x.x.x.x/x> Subnet to match
+ <x.x.x.x>-<x.x.x.x>
+ IP range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified subnet
+ !<x.x.x.x>-<x.x.x.x>
+ Match everything except the specified range
+
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> destination port <value>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> source port <value>
+
+ Set a destination and/or source port. Accepted input:
+
+ .. code-block:: none
+
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+
+ Multiple destination ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using '!'. For example:
+ `!22,telnet,http,123,1001-1005``
+
+
+
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
+.. cfgcmd:: system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
+
+ Set the timeout in secounds for a protocol or state in a custom rule.
+
+
+.. cfgcmd:: system conntrack tcp half-open-connections <1-21474836>
+ :defaultvalue:
+
+ Set the maximum number of TCP half-open connections.
+
+.. cfgcmd:: system conntrack tcp loose <enable | disable>
+ :defaultvalue:
+
+ Policy to track previously established connections.
+
+.. cfgcmd:: system conntrack tcp max-retrans <1-2147483647>
+ :defaultvalue:
+
+ Set the number of TCP maximum retransmit attempts.
+
+.. cfgcmd:: system conntrack ignore rule <1-9999> description <text>
+.. cfgcmd:: system conntrack ignore rule <1-9999> destination address <ip-address>
+.. cfgcmd:: system conntrack ignore rule <1-9999> destination port <port>
+.. cfgcmd:: system conntrack ignore rule <1-9999> inbound-interface <interface>
+.. cfgcmd:: system conntrack ignore rule <1-9999> protocol <protocol>
+.. cfgcmd:: system conntrack ignore rule <1-9999> source address <ip-address>
+.. cfgcmd:: system conntrack ignore rule <1-9999> source port <port>
+
+ Configure customized ignore rules for selective connection tracking
+
+.. cfgcmd:: system conntrack log icmp destroy
+.. cfgcmd:: system conntrack log icmp new
+.. cfgcmd:: system conntrack log icmp update
+.. cfgcmd:: system conntrack log other destroy
+.. cfgcmd:: system conntrack log other new
+.. cfgcmd:: system conntrack log other update
+.. cfgcmd:: system conntrack log tcp destroy
+.. cfgcmd:: system conntrack log tcp new
+.. cfgcmd:: system conntrack log tcp update close-wait
+.. cfgcmd:: system conntrack log tcp update established
+.. cfgcmd:: system conntrack log tcp update fin-wait
+.. cfgcmd:: system conntrack log tcp update last-ack
+.. cfgcmd:: system conntrack log tcp update syn-received
+.. cfgcmd:: system conntrack log tcp update time-wait
+.. cfgcmd:: system conntrack log udp destroy
+.. cfgcmd:: system conntrack log udp new
+.. cfgcmd:: system conntrack log udp update
+
+ Log the connection tracking events per protocol. \ No newline at end of file
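Review bot: the cfgcmd directives from `system conntrack modules ftp` onward omit the leading `set` that `set system conntrack table-size` at the top of this file (and the rest of the docs) uses; make them all `set system conntrack ...`. Further points in the same file: `description <test>` on the custom timeout rule should be `description <text>`, as on the ignore rule; "Define Conection Timeouts" should be "Connection", "secounds" (twice) "seconds", "deactive" "deactivate", and "All modules are enable by default" "enabled"; "set a destination and/or source address" wants a capital S; the port example `!22,telnet,http,123,1001-1005`` has one opening and two closing backticks; "Policy to track previously established connections." for `tcp loose <enable | disable>` does not say what enable versus disable changes, so a sentence on that would help; the timeout list spells the state `syn-recv` while the log list spells it `syn-received`, worth double-checking against the CLI; and the file is missing its trailing newline.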
diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst
index ac84da49..9791ddb1 100644
--- a/docs/configuration/system/index.rst
+++ b/docs/configuration/system/index.rst
@@ -8,6 +8,7 @@ System
:includehidden:
acceleration
+ conntrack
console
flow-accounting
host-name
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index f11f4a20..e5e2fad5 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -276,6 +276,7 @@ spoke01-spoke04
ip nhrp registration timeout 75
tunnel source FastEthernet0/0
tunnel mode gre multipoint
+ tunnel protection ipsec profile DMVPN
tunnel key 1
!
interface FastEthernet0/0
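Review bot: `tunnel protection ipsec profile DMVPN` binds the tunnel to an IPsec profile named DMVPN; check that the Cisco-side example in this section also defines that `crypto ipsec profile DMVPN` (and its transform set), otherwise the added line references a profile the example never creates.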