path: root/docs
diff options
Diffstat (limited to 'docs')
-rw-r--r--docs/_static/images/aws.pngbin0 -> 150759 bytes
6 files changed, 1223 insertions, 5 deletions
diff --git a/docs/_static/images/aws.png b/docs/_static/images/aws.png
new file mode 100644
index 00000000..c1c111bb
--- /dev/null
+++ b/docs/_static/images/aws.png
Binary files differ
diff --git a/docs/automation/index.rst b/docs/automation/index.rst
index ee8282ac..ecabff7a 100644
--- a/docs/automation/index.rst
+++ b/docs/automation/index.rst
@@ -12,6 +12,7 @@ VyOS Automation
+ vyos-terraform
diff --git a/docs/automation/vyos-terraform.rst b/docs/automation/vyos-terraform.rst
new file mode 100644
index 00000000..75967202
--- /dev/null
+++ b/docs/automation/vyos-terraform.rst
@@ -0,0 +1,1036 @@
+:lastproofread: 2024-01-11
+.. _vyos-terraform:
+VyOS supports develop infrastructia via Terraform and provisioning via ansible.
+Need to install ``Terraform``
+Structure of files
+.. code-block:: none
+ .
+ ├──
+ ├──
+ ├──
+ └── terraform.tfvars
+Run Terraform
+.. code-block:: none
+ #cd /your folder
+ #terraform init
+ #terraform plan
+ #terraform apply
+ #yes
+Deploying vyos in the AWS cloud
+With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the AWS cloud. If necessary, the infrastructure can be removed using terraform.
+Also we will make provisioning using Ansible.
+Structure of files Terrafom
+.. code-block:: none
+ .
+ ├──
+ └──
+File contents
+.. code-block:: none
+ terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+ }
+ provider "aws" {
+ access_key = var.access
+ secret_key = var.secret
+ region = var.region
+ }
+ variable "region" {
+ default = "us-east-1"
+ description = "AWS Region"
+ }
+ variable "ami" {
+ default = "ami-**************" # ami image please enter your details
+ description = "Amazon Machine Image ID for VyOS"
+ }
+ variable "type" {
+ default = "t2.micro"
+ description = "Size of VM"
+ }
+ # my resource for VyOS
+ resource "aws_instance" "myVyOSec2" {
+ ami = var.ami
+ key_name = "mykeyname" # Please enter your details
+ security_groups = ["my_sg"] # Please enter your details
+ instance_type = var.type
+ tags = {
+ name = "VyOS System"
+ }
+ }
+ output "my_IP"{
+ value = aws_instance.myVyOSec2.public_ip
+ }
+ #IP of aws instance copied to a file ip.txt in local system Terraform
+ resource "local_file" "ip" {
+ content = aws_instance.myVyOSec2.public_ip
+ filename = "ip.txt"
+ }
+ #connecting to the Ansible control node using SSH connection
+ resource "null_resource" "SSHconnection1" {
+ depends_on = [aws_instance.myVyOSec2]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.password
+ host =
+ }
+ #copying the ip.txt file to the Ansible control node from local system
+ provisioner "file" {
+ source = "ip.txt"
+ destination = "/root/aws/ip.txt" # The folder of your Ansible project
+ }
+ }
+ resource "null_resource" "SSHconnection2" {
+ depends_on = [aws_instance.myVyOSec2]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.password
+ host =
+ }
+ #command to run Ansible playbook on remote Linux OS
+ provisioner "remote-exec" {
+ inline = [
+ "cd /root/aws/",
+ "ansible-playbook instance.yml"
+ ]
+ }
+ }
+.. code-block:: none
+ variable "password" {
+ description = "pass for Ansible"
+ type = string
+ sensitive = true
+ }
+ variable "host"{
+ description = "The IP of my Ansible"
+ }
+ variable "access" {
+ description = "my access_key for AWS"
+ type = string
+ sensitive = true
+ }
+ variable "secret" {
+ description = "my secret_key for AWS"
+ type = string
+ sensitive = true
+ }
+Structure of files Ansible
+.. code-block:: none
+ .
+ ├── group_vars
+ └── all
+ ├── ansible.cfg
+ ├── mykey.pem
+ └── instance.yml
+File contents
+.. code-block:: none
+ [defaults]
+ inventory = /root/aws/ip.txt
+ host_key_checking= False
+ private_key_file = /root/aws/mykey.pem
+ remote_user=vyos
+.. code-block:: none
+ Copy your key.pem from AWS
+.. code-block:: none
+ - name: integration of terraform and ansible
+ hosts: all
+ gather_facts: 'no'
+ tasks:
+ - name: "Wait 300 seconds, but only start checking after 60 seconds"
+ wait_for_connection:
+ delay: 60
+ timeout: 300
+ - name: "Configure general settings for the vyos hosts group"
+ vyos_config:
+ lines:
+ - set system name-server
+ save:
+ true
+.. code-block:: none
+ ansible_connection: ansible.netcommon.network_cli
+ ansible_network_os: vyos.vyos.vyos
+ ansible_user: vyos
+How to create a single instance and install your configuration using Terraform+Ansible+AWS
+Step by step:
+1.1 Create an account with AWS and get your "access_key", "secret key"
+1.2 Create a key pair and download your .pem key
+1.3 Create a security group for the new VyOS instance
+2.1 Create a UNIX or Windows instance
+2.2 Download and install Terraform
+2.3 Create the folder for example ../awsvyos/
+2.4 Copy all files into your Terraform project (,
+2.4.1 Please type the information into the strings 22, 35, 36 of file ""
+2.5 Type the commands :
+ #cd /your folder
+ #terraform init
+3.1 Create a UNIX instance
+3.2 Download and install Ansible
+3.3 Create the folder for example /root/aws/
+3.4 Copy all files from my folder /Ansible into your Ansible project (ansible.cfg, instance.yml, mykey.pem)
+mykey.pem you have to get using step 1.2
+4.1 Type the commands on your Terrafom instance:
+ #cd /your folder
+ #terraform plan
+ #terraform apply
+ #yes
+.. image:: /_static/images/aws.png
+ :width: 80%
+ :align: center
+ :alt: Network Topology Diagram
+Deploying vyos in the Azure cloud
+With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the Azure cloud. If necessary, the infrastructure can be removed using terraform.
+Structure of files Terrafom
+.. code-block:: none
+ .
+ ├──
+ └──
+File contents
+.. code-block:: none
+ ##############################################################################
+ # HashiCorp Guide to Using Terraform on Azure
+ # This Terraform configuration will create the following:
+ # Resource group with a virtual network and subnet
+ # An VyOS server without ssh key (only login+password)
+ ##############################################################################
+ # Chouse a provider
+ provider "azurerm" {
+ features {}
+ }
+ # Create a resource group. In Azure every resource belongs to a
+ # resource group.
+ resource "azurerm_resource_group" "azure_vyos" {
+ name = "${var.resource_group}"
+ location = "${var.location}"
+ }
+ # The next resource is a Virtual Network.
+ resource "azurerm_virtual_network" "vnet" {
+ name = "${var.virtual_network_name}"
+ location = "${var.location}"
+ address_space = ["${var.address_space}"]
+ resource_group_name = "${var.resource_group}"
+ }
+ # Build a subnet to run our VMs in.
+ resource "azurerm_subnet" "subnet" {
+ name = "${var.prefix}subnet"
+ virtual_network_name = "${}"
+ resource_group_name = "${var.resource_group}"
+ address_prefixes = ["${var.subnet_prefix}"]
+ }
+ ##############################################################################
+ # Build an VyOS VM from the Marketplace
+ # To finde nessesery image use the command:
+ #
+ # az vm image list --offer vyos --all
+ #
+ # Now that we have a network, we'll deploy an VyOS server.
+ # An Azure Virtual Machine has several components. In this example we'll build
+ # a security group, a network interface, a public ip address, a storage
+ # account and finally the VM itself. Terraform handles all the dependencies
+ # automatically, and each resource is named with user-defined variables.
+ ##############################################################################
+ # Security group to allow inbound access on port 22 (ssh)
+ resource "azurerm_network_security_group" "vyos-sg" {
+ name = "${var.prefix}-sg"
+ location = "${var.location}"
+ resource_group_name = "${var.resource_group}"
+ security_rule {
+ name = "SSH"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "${var.source_network}"
+ destination_address_prefix = "*"
+ }
+ }
+ # A network interface.
+ resource "azurerm_network_interface" "vyos-nic" {
+ name = "${var.prefix}vyos-nic"
+ location = "${var.location}"
+ resource_group_name = "${var.resource_group}"
+ ip_configuration {
+ name = "${var.prefix}ipconfig"
+ subnet_id = "${}"
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = "${}"
+ }
+ }
+ # Add a public IP address.
+ resource "azurerm_public_ip" "vyos-pip" {
+ name = "${var.prefix}-ip"
+ location = "${var.location}"
+ resource_group_name = "${var.resource_group}"
+ allocation_method = "Dynamic"
+ }
+ # Build a virtual machine. This is a standard VyOS instance from Marketplace.
+ resource "azurerm_virtual_machine" "vyos" {
+ name = "${var.hostname}-vyos"
+ location = "${var.location}"
+ resource_group_name = "${var.resource_group}"
+ vm_size = "${var.vm_size}"
+ network_interface_ids = ["${}"]
+ delete_os_disk_on_termination = "true"
+ # To finde an information about the plan use the command:
+ # az vm image list --offer vyos --all
+ plan {
+ publisher = "sentriumsl"
+ name = "vyos-1-3"
+ product = "vyos-1-2-lts-on-azure"
+ }
+ storage_image_reference {
+ publisher = "${var.image_publisher}"
+ offer = "${var.image_offer}"
+ sku = "${var.image_sku}"
+ version = "${var.image_version}"
+ }
+ storage_os_disk {
+ name = "${var.hostname}-osdisk"
+ managed_disk_type = "Standard_LRS"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ }
+ os_profile {
+ computer_name = "${var.hostname}"
+ admin_username = "${var.admin_username}"
+ admin_password = "${var.admin_password}"
+ }
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+ }
+ data "azurerm_public_ip" "example" {
+ depends_on = ["azurerm_virtual_machine.vyos"]
+ name = "vyos-ip"
+ resource_group_name = "${var.resource_group}"
+ }
+ output "public_ip_address" {
+ value = data.azurerm_public_ip.example.ip_address
+ }
+ # IP of AZ instance copied to a file ip.txt in local system
+ resource "local_file" "ip" {
+ content = data.azurerm_public_ip.example.ip_address
+ filename = "ip.txt"
+ }
+ #Connecting to the Ansible control node using SSH connection
+ resource "null_resource" "nullremote1" {
+ depends_on = ["azurerm_virtual_machine.vyos"]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.password
+ host =
+ }
+ # Copying the ip.txt file to the Ansible control node from local system
+ provisioner "file" {
+ source = "ip.txt"
+ destination = "/root/az/ip.txt"
+ }
+ }
+ resource "null_resource" "nullremote2" {
+ depends_on = ["azurerm_virtual_machine.vyos"]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.password
+ host =
+ }
+ # Command to run ansible playbook on remote Linux OS
+ provisioner "remote-exec" {
+ inline = [
+ "cd /root/az/",
+ "ansible-playbook instance.yml"
+ ]
+ }
+ }
+.. code-block:: none
+ ##############################################################################
+ # Variables File
+ #
+ # Here is where we store the default values for all the variables used in our
+ # Terraform code.
+ ##############################################################################
+ variable "resource_group" {
+ description = "The name of your Azure Resource Group."
+ default = "my_resource_group"
+ }
+ variable "prefix" {
+ description = "This prefix will be included in the name of some resources."
+ default = "vyos"
+ }
+ variable "hostname" {
+ description = "Virtual machine hostname. Used for local hostname, DNS, and storage-related names."
+ default = "vyos_terraform"
+ }
+ variable "location" {
+ description = "The region where the virtual network is created."
+ default = "centralus"
+ }
+ variable "virtual_network_name" {
+ description = "The name for your virtual network."
+ default = "vnet"
+ }
+ variable "address_space" {
+ description = "The address space that is used by the virtual network. You can supply more than one address space. Changing this forces a new resource to be created."
+ default = ""
+ }
+ variable "subnet_prefix" {
+ description = "The address prefix to use for the subnet."
+ default = ""
+ }
+ variable "storage_account_tier" {
+ description = "Defines the storage tier. Valid options are Standard and Premium."
+ default = "Standard"
+ }
+ variable "storage_replication_type" {
+ description = "Defines the replication type to use for this storage account. Valid options include LRS, GRS etc."
+ default = "LRS"
+ }
+ # The most chippers size
+ variable "vm_size" {
+ description = "Specifies the size of the virtual machine."
+ default = "Standard_B1s"
+ }
+ variable "image_publisher" {
+ description = "Name of the publisher of the image (az vm image list)"
+ default = "sentriumsl"
+ }
+ variable "image_offer" {
+ description = "Name of the offer (az vm image list)"
+ default = "vyos-1-2-lts-on-azure"
+ }
+ variable "image_sku" {
+ description = "Image SKU to apply (az vm image list)"
+ default = "vyos-1-3"
+ }
+ variable "image_version" {
+ description = "Version of the image to apply (az vm image list)"
+ default = "1.3.3"
+ }
+ variable "admin_username" {
+ description = "Administrator user name"
+ default = "vyos"
+ }
+ variable "admin_password" {
+ description = "Administrator password"
+ default = "Vyos0!"
+ }
+ variable "source_network" {
+ description = "Allow access from this network prefix. Defaults to '*'."
+ default = "*"
+ }
+ variable "password" {
+ description = "pass for Ansible"
+ type = string
+ sensitive = true
+ }
+ variable "host"{
+ description = "IP of my Ansible"
+ }
+Structure of files Ansible
+.. code-block:: none
+ .
+ ├── group_vars
+ └── all
+ ├── ansible.cfg
+ └── instance.yml
+File contents
+.. code-block:: none
+ [defaults]
+ inventory = /root/az/ip.txt
+ host_key_checking= False
+ remote_user=vyos
+.. code-block:: none
+ - name: integration of terraform and ansible
+ hosts: all
+ gather_facts: 'no'
+ tasks:
+ - name: "Wait 300 seconds, but only start checking after 60 seconds"
+ wait_for_connection:
+ delay: 60
+ timeout: 300
+ - name: "Configure general settings for the vyos hosts group"
+ vyos_config:
+ lines:
+ - set system name-server
+ save:
+ true
+.. code-block:: none
+ ansible_connection: ansible.netcommon.network_cli
+ ansible_network_os: vyos.vyos.vyos
+ # user and password gets from terraform variables "admin_username" and "admin_password"
+ ansible_user: vyos
+ ansible_ssh_pass: Vyos0!
+How to create a single instance and install your configuration using Terraform+Ansible+Azure
+Step by step:
+1.1 Create an account with Azure
+2.1 Create a UNIX or Windows instance
+2.2 Download and install Terraform
+2.3 Create the folder for example ../azvyos/
+2.4 Copy all files from my folder /Terraform into your Terraform project (,
+2.5 Login with Azure using the command
+ #az login
+2.6 Type the commands :
+ #cd /your folder
+ #terraform init
+3.1 Create a UNIX instance
+3.2 Download and install Ansible
+3.3 Create the folder for example /root/az/
+3.4 Copy all files from my folder /Ansible into your Ansible project (ansible.cfg, instance.yml and /group_vars)
+4.1 Type the commands on your Terrafom instance:
+ #cd /your folder
+ #terraform plan
+ #terraform apply
+ #yes
+Deploying vyos in the Vsphere infrastructia
+With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the vSphere.
+Structure of files Terrafom
+.. code-block:: none
+ .
+ ├──
+ ├──
+ ├──
+ └── terraform.tfvars
+File contents
+.. code-block:: none
+ provider "vsphere" {
+ user = var.vsphere_user
+ password = var.vsphere_password
+ vsphere_server = var.vsphere_server
+ allow_unverified_ssl = true
+ }
+ data "vsphere_datacenter" "datacenter" {
+ name = var.datacenter
+ }
+ data "vsphere_datastore" "datastore" {
+ name = var.datastore
+ datacenter_id =
+ }
+ data "vsphere_compute_cluster" "cluster" {
+ name = var.cluster
+ datacenter_id =
+ }
+ data "vsphere_resource_pool" "default" {
+ name = format("%s%s",, "/Resources/terraform") # set as you need
+ datacenter_id =
+ }
+ data "vsphere_host" "host" {
+ name =
+ datacenter_id =
+ }
+ data "vsphere_network" "network" {
+ name = var.network_name
+ datacenter_id =
+ }
+ ## Deployment of VM from Remote OVF
+ resource "vsphere_virtual_machine" "vmFromRemoteOvf" {
+ name = var.remotename
+ datacenter_id =
+ datastore_id =
+ host_system_id =
+ resource_pool_id =
+ network_interface {
+ network_id =
+ }
+ wait_for_guest_net_timeout = 2
+ wait_for_guest_ip_timeout = 2
+ ovf_deploy {
+ allow_unverified_ssl_cert = true
+ remote_ovf_url = var.url_ova
+ disk_provisioning = "thin"
+ ip_protocol = "IPv4"
+ ip_allocation_policy = "dhcpPolicy"
+ ovf_network_map = {
+ "Network 1" =
+ "Network 2" =
+ }
+ }
+ vapp {
+ properties = {
+ "password" = "12345678",
+ "local-hostname" = "terraform_vyos"
+ }
+ }
+ }
+ output "ip" {
+ description = "default ip address of the deployed VM"
+ value = vsphere_virtual_machine.vmFromRemoteOvf.default_ip_address
+ }
+ # IP of AZ instance copied to a file ip.txt in local system
+ resource "local_file" "ip" {
+ content = vsphere_virtual_machine.vmFromRemoteOvf.default_ip_address
+ filename = "ip.txt"
+ }
+ #Connecting to the Ansible control node using SSH connection
+ resource "null_resource" "nullremote1" {
+ depends_on = ["vsphere_virtual_machine.vmFromRemoteOvf"]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.ansiblepassword
+ host = var.ansiblehost
+ }
+ # Copying the ip.txt file to the Ansible control node from local system
+ provisioner "file" {
+ source = "ip.txt"
+ destination = "/root/vsphere/ip.txt"
+ }
+ }
+ resource "null_resource" "nullremote2" {
+ depends_on = ["vsphere_virtual_machine.vmFromRemoteOvf"]
+ connection {
+ type = "ssh"
+ user = "root"
+ password = var.ansiblepassword
+ host = var.ansiblehost
+ }
+ # Command to run ansible playbook on remote Linux OS
+ provisioner "remote-exec" {
+ inline = [
+ "cd /root/vsphere/",
+ "ansible-playbook instance.yml"
+ ]
+ }
+ }
+.. code-block:: none
+ # Copyright (c) HashiCorp, Inc.
+ # SPDX-License-Identifier: MPL-2.0
+ terraform {
+ required_providers {
+ vsphere = {
+ source = "hashicorp/vsphere"
+ version = "2.4.0"
+ }
+ }
+ }
+.. code-block:: none
+ # Copyright (c) HashiCorp, Inc.
+ # SPDX-License-Identifier: MPL-2.0
+ variable "vsphere_server" {
+ description = "vSphere server"
+ type = string
+ }
+ variable "vsphere_user" {
+ description = "vSphere username"
+ type = string
+ }
+ variable "vsphere_password" {
+ description = "vSphere password"
+ type = string
+ sensitive = true
+ }
+ variable "datacenter" {
+ description = "vSphere data center"
+ type = string
+ }
+ variable "cluster" {
+ description = "vSphere cluster"
+ type = string
+ }
+ variable "datastore" {
+ description = "vSphere datastore"
+ type = string
+ }
+ variable "network_name" {
+ description = "vSphere network name"
+ type = string
+ }
+ variable "host" {
+ description = "name if yor host"
+ type = string
+ }
+ variable "remotename" {
+ description = "the name of you VM"
+ type = string
+ }
+ variable "url_ova" {
+ description = "the URL to .OVA file or cloude store"
+ type = string
+ }
+ variable "ansiblepassword" {
+ description = "Ansible password"
+ type = string
+ }
+ variable "ansiblehost" {
+ description = "Ansible host name or IP"
+ type = string
+ }
+.. code-block:: none
+ vsphere_user = ""
+ vsphere_password = ""
+ vsphere_server = ""
+ datacenter = ""
+ datastore = ""
+ cluster = ""
+ network_name = ""
+ host = ""
+ url_ova = ""
+ ansiblepassword = ""
+ ansiblehost = ""
+ remotename = ""
+How to create a single instance and install your configuration using Terraform+Ansible+Vsphere
+Step by step:
+1.1 Collect all data in to file "terraform.tfvars" and create resources fo example "terraform"
+2.1 Create a UNIX or Windows instance
+2.2 Download and install Terraform
+2.3 Create the folder for example ../vsphere/
+2.4 Copy all files from my folder /Terraform into your Terraform project
+2.5 Type the commands :
+ #cd /your folder
+ #terraform init
+3.1 Create a UNIX instance
+3.2 Download and install Ansible
+3.3 Create the folder for example /root/vsphere/
+3.4 Copy all files from my folder /Ansible into your Ansible project (ansible.cfg, instance.yml and /group_vars)
+4.1 Type the commands on your Terrafom instance:
+ #cd /your folder
+ #terraform plan
+ #terraform apply
+ #yes
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 74d5bc20..5d9190d6 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -66,10 +66,10 @@ packetis processed at the **IP Layer**:
can be filtered and controlled. Bear in mind that this traffic can be a
new connection originated by a internal process running on VyOS router,
such as NTP, or a response to traffic received externaly through
- **inputt** (for example response to an ssh login attempt to the router).
+ **input** (for example response to an ssh login attempt to the router).
This includes ipv4 and ipv6 filtering rules, defined in:
- * ``set firewall ipv4 input filter ...``.
+ * ``set firewall ipv4 output filter ...``.
* ``set firewall ipv6 output filter ...``.
@@ -81,7 +81,7 @@ packetis processed at the **IP Layer**:
If the interface where the packet was received is part of a bridge, then
-packetis processed at the **Bridge Layer**, which contains a basic setup for
+the packet is processed at the **Bridge Layer**, which contains a basic setup for
bridge filtering:
* **Forward (Bridge)**: stage where traffic that is trespasing through the
@@ -89,7 +89,7 @@ bridge filtering:
* ``set firewall bridge forward filter ...``.
-The main structure VyOS firewall cli is shown next:
+The main structure of the VyOS firewall CLI is shown next:
.. code-block:: none
diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst
new file mode 100644
index 00000000..3e508d50
--- /dev/null
+++ b/docs/configuration/service/ids.rst
@@ -0,0 +1,179 @@
+.. _ids:
+DDoS Protection
+FastNetMon is a high-performance DDoS detector/sensor built on top of multiple
+packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can
+detect hosts in the deployed network sending or receiving large volumes of
+traffic, packets/bytes/flows per second and perform a configurable action to
+handle that event, such as calling a custom script.
+VyOS includes the FastNetMon Community Edition.
+.. cfgcmd:: set service ids ddos-protection alert-script <text>
+ Configure alert script that will be executed when an attack is detected.
+.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294>
+ Configure how long an IP (attacker) should be kept in blocked state.
+ Default value is 1900.
+.. cfgcmd:: set service ids ddos-protection direction [in | out]
+ Configure direction for processing traffic.
+.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x>
+.. cfgcmd:: set service ids ddos-protection exlude-network <h:h:h:h:h:h:h:h/x>
+ Specify IPv4 and/or IPv6 networks which are going to be excluded.
+.. cfgcmd:: set service ids ddos-protection listen-interface <text>
+ Configure listen interface for mirroring traffic.
+.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow]
+ Configure traffic capture mode.
+.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x>
+.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x>
+ Specify IPv4 and/or IPv6 networks that should be protected/monitored.
+.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x>
+ Configure local IPv4 address to listen for sflow.
+.. cfgcmd:: set service ids ddos-protection sflow port <1-65535>
+ Configure port number to be used for sflow conection. Default port is 6343.
+.. cfgcmd:: set service ids ddos-protection threshold general
+ [fps | mbps | pps] <0-4294967294>
+ Configure general threshold parameters.
+.. cfgcmd:: set service ids ddos-protection threshold icmp
+ [fps | mbps | pps] <0-4294967294>
+ Configure ICMP threshold parameters.
+.. cfgcmd:: set service ids ddos-protection threshold tcp
+ [fps | mbps | pps] <0-4294967294>
+ Configure TCP threshold parameters
+.. cfgcmd:: set service ids ddos-protection threshold udp
+ [fps | mbps | pps] <0-4294967294>
+ Configure UDP threshold parameters
+A configuration example can be found in this section.
+In this simplified scenario, main things to be considered are:
+ * Network to be protected: (public IPs use by
+ customers)
+ * **ban-time** and **threshold**: these values are kept very low in order
+ to easily identify and generate and attack.
+ * Direction: **in** and **out**. Protect public network from external
+ attacks, and identify internal attacks towards internet.
+ * Interface **eth0** used to connect to upstream.
+Since we are analyzing attacks to and from our internal network, two types
+of attacks can be identified, and differents actions are needed:
+ * External attack: an attack from the internet towards an internal IP
+ is identify. In this case, all connections towards such IP will be
+ blocked
+ * Internal attack: an attack from the internal network (generated by a
+ customer) towards the internet is identify. In this case, all connections
+ from this particular IP/Customer will be blocked.
+So, firewall configuration needed for this setup:
+.. code-block:: none
+ set firewall group address-group FNMS-DST-Block
+ set firewall group address-group FNMS-SRC-Block
+ set firewall ipv4 forward filter rule 10 action 'drop'
+ set firewall ipv4 forward filter rule 10 description 'FNMS - block destination'
+ set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block'
+ set firewall ipv4 forward filter rule 20 action 'drop'
+ set firewall ipv4 forward filter rule 20 description 'FNMS - Block source'
+ set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block'
+Then, FastNetMon configuration:
+.. code-block:: none
+ set service ids ddos-protection alert-script '/config/scripts/'
+ set service ids ddos-protection ban-time '10'
+ set service ids ddos-protection direction 'in'
+ set service ids ddos-protection direction 'out'
+ set service ids ddos-protection listen-interface 'eth0'
+ set service ids ddos-protection mode 'mirror'
+ set service ids ddos-protection network ''
+ set service ids ddos-protection threshold general pps '100'
+And content of the script:
+.. code-block:: none
+ #!/bin/bash
+ # alert-script is called twice.
+ # When an attack occurs, the program calls a bash script twice:
+ # 1st time when threshold exceed
+ # 2nd when we collect 100 packets for detailed audit of what happened.
+ # Do nothing if “attack_details” is passed as an argument
+ if [ "${4}" == "attack_details" ]; then
+ # Do nothing
+ exit
+ fi
+ # Arguments:
+ ip=$1
+ direction=$2
+ pps_rate=$3
+ action=$4
+ logger -t FNMS "** Start - Running alert script **"
+ if [ "${direction}" == "incoming" ] ; then
+ group="FNMS-DST-Block"
+ origin="external"
+ else
+ group="FNMS-SRC-Block"
+ origin="internal"
+ fi
+ if [ "${action}" == "ban" ] ; then
+ logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address."
+ logger -t FNMS "Adding IP address ${ip} to firewall group ${group}."
+ sudo nft add element ip vyos_filter A_${group} { ${ip} }
+ else
+ logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}."
+ sudo nft delete element ip vyos_filter A_${group} { ${ip} }
+ fi
+ logger -t FNMS "** End - Running alert script **"
+ exit
diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst
index 1195348f..56ce55eb 100644
--- a/docs/configuration/service/index.rst
+++ b/docs/configuration/service/index.rst
@@ -13,7 +13,9 @@ Service
+ eventhandler
+ ids
@@ -26,4 +28,4 @@ Service
- eventhandler