diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/_static/images/aws.png | bin | 0 -> 150759 bytes | |||
-rw-r--r-- | docs/automation/index.rst | 1 | ||||
-rw-r--r-- | docs/automation/vyos-terraform.rst | 1036 | ||||
-rw-r--r-- | docs/configuration/container/index.rst | 5 | ||||
-rw-r--r-- | docs/configuration/firewall/index.rst | 8 | ||||
-rw-r--r-- | docs/configuration/protocols/bgp.rst | 50 | ||||
-rw-r--r-- | docs/configuration/service/dns.rst | 14 | ||||
-rw-r--r-- | docs/configuration/service/ids.rst | 179 | ||||
-rw-r--r-- | docs/configuration/service/index.rst | 4 | ||||
-rw-r--r-- | docs/configuration/system/option.rst | 8 |
10 files changed, 1286 insertions, 19 deletions
diff --git a/docs/_static/images/aws.png b/docs/_static/images/aws.png Binary files differnew file mode 100644 index 00000000..c1c111bb --- /dev/null +++ b/docs/_static/images/aws.png diff --git a/docs/automation/index.rst b/docs/automation/index.rst index ee8282ac..ecabff7a 100644 --- a/docs/automation/index.rst +++ b/docs/automation/index.rst @@ -12,6 +12,7 @@ VyOS Automation vyos-api vyos-ansible + vyos-terraform vyos-napalm vyos-netmiko vyos-salt diff --git a/docs/automation/vyos-terraform.rst b/docs/automation/vyos-terraform.rst new file mode 100644 index 00000000..75967202 --- /dev/null +++ b/docs/automation/vyos-terraform.rst @@ -0,0 +1,1036 @@ +:lastproofread: 2024-01-11 + +.. _vyos-terraform: + +Terraform +========= + +VyOS supports develop infrastructia via Terraform and provisioning via ansible. +Need to install ``Terraform`` + +Structure of files + +.. code-block:: none + + . + ├── main.tf + ├── version.tf + ├── variables.tf + └── terraform.tfvars + +Run Terraform +------------- + +.. code-block:: none + + #cd /your folder + #terraform init + #terraform plan + #terraform apply + #yes + + +Deploying vyos in the AWS cloud +------------------------------- +With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the AWS cloud. If necessary, the infrastructure can be removed using terraform. +Also we will make provisioning using Ansible. + +Structure of files Terrafom + +.. code-block:: none + + . + ├── vyos.tf + └── var.tf + +File contents +------------- + +vyos.tf + +.. code-block:: none + + terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } + } + + provider "aws" { + access_key = var.access + secret_key = var.secret + region = var.region + } + + variable "region" { + default = "us-east-1" + description = "AWS Region" + } + + variable "ami" { + default = "ami-**************" # ami image please enter your details + description = "Amazon Machine Image ID for VyOS" + } + + variable "type" { + default = "t2.micro" + description = "Size of VM" + } + + # my resource for VyOS + + resource "aws_instance" "myVyOSec2" { + ami = var.ami + key_name = "mykeyname" # Please enter your details + security_groups = ["my_sg"] # Please enter your details + instance_type = var.type + tags = { + name = "VyOS System" + } + } + + output "my_IP"{ + value = aws_instance.myVyOSec2.public_ip + } + + + #IP of aws instance copied to a file ip.txt in local system Terraform + + resource "local_file" "ip" { + content = aws_instance.myVyOSec2.public_ip + filename = "ip.txt" + } + + #connecting to the Ansible control node using SSH connection + + resource "null_resource" "SSHconnection1" { + depends_on = [aws_instance.myVyOSec2] + connection { + type = "ssh" + user = "root" + password = var.password + host = var.host + } + #copying the ip.txt file to the Ansible control node from local system + provisioner "file" { + source = "ip.txt" + destination = "/root/aws/ip.txt" # The folder of your Ansible project + } + } + + resource "null_resource" "SSHconnection2" { + depends_on = [aws_instance.myVyOSec2] + connection { + type = "ssh" + user = "root" + password = var.password + host = var.host + } + #command to run Ansible playbook on remote Linux OS + provisioner "remote-exec" { + inline = [ + "cd /root/aws/", + "ansible-playbook instance.yml" + ] + } + } + + +var.tf + +.. code-block:: none + + variable "password" { + description = "pass for Ansible" + type = string + sensitive = true + } + variable "host"{ + description = "The IP of my Ansible" + } + variable "access" { + description = "my access_key for AWS" + type = string + sensitive = true + } + variable "secret" { + description = "my secret_key for AWS" + type = string + sensitive = true + } + + +Structure of files Ansible + +.. code-block:: none + + . + ├── group_vars + └── all + ├── ansible.cfg + ├── mykey.pem + └── instance.yml + + +File contents +------------- + +ansible.cfg + +.. code-block:: none + + [defaults] + inventory = /root/aws/ip.txt + host_key_checking= False + private_key_file = /root/aws/mykey.pem + remote_user=vyos + +mykey.pem + +.. code-block:: none + + -----BEGIN OPENSSH PRIVATE KEY----- + + Copy your key.pem from AWS + + -----END OPENSSH PRIVATE KEY----- + +instance.yml + +.. code-block:: none + + - name: integration of terraform and ansible + hosts: all + gather_facts: 'no' + + tasks: + + - name: "Wait 300 seconds, but only start checking after 60 seconds" + wait_for_connection: + delay: 60 + timeout: 300 + + - name: "Configure general settings for the vyos hosts group" + vyos_config: + lines: + - set system name-server 8.8.8.8 + save: + true + + +all + +.. code-block:: none + + ansible_connection: ansible.netcommon.network_cli + ansible_network_os: vyos.vyos.vyos + ansible_user: vyos + +AWS_terraform_ansible_single_vyos_instance +------------------------------------------ + +How to create a single instance and install your configuration using Terraform+Ansible+AWS +Step by step: + +AWS +--- + +1.1 Create an account with AWS and get your "access_key", "secret key" + +1.2 Create a key pair and download your .pem key + +1.3 Create a security group for the new VyOS instance + +Terraform +--------- + +2.1 Create a UNIX or Windows instance + +2.2 Download and install Terraform + +2.3 Create the folder for example ../awsvyos/ + +2.4 Copy all files into your Terraform project (vyos.tf, var.tf) +2.4.1 Please type the information into the strings 22, 35, 36 of file "vyos.tf" + +2.5 Type the commands : + + #cd /your folder + + #terraform init + +Ansible +------- + +3.1 Create a UNIX instance + +3.2 Download and install Ansible + +3.3 Create the folder for example /root/aws/ + +3.4 Copy all files from my folder /Ansible into your Ansible project (ansible.cfg, instance.yml, mykey.pem) + +mykey.pem you have to get using step 1.2 + +Start +----- + +4.1 Type the commands on your Terrafom instance: + + #cd /your folder + + #terraform plan + + #terraform apply + + #yes + +.. image:: /_static/images/aws.png + :width: 80% + :align: center + :alt: Network Topology Diagram + + + +Deploying vyos in the Azure cloud +--------------------------------- +With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the Azure cloud. If necessary, the infrastructure can be removed using terraform. + +Structure of files Terrafom + +.. code-block:: none + + . + ├── main.tf + └── variables.tf + +File contents +------------- + +main.tf + +.. code-block:: none + + ############################################################################## + # HashiCorp Guide to Using Terraform on Azure + # This Terraform configuration will create the following: + # Resource group with a virtual network and subnet + # An VyOS server without ssh key (only login+password) + ############################################################################## + + # Chouse a provider + + provider "azurerm" { + features {} + } + + # Create a resource group. In Azure every resource belongs to a + # resource group. + + resource "azurerm_resource_group" "azure_vyos" { + name = "${var.resource_group}" + location = "${var.location}" + } + + # The next resource is a Virtual Network. + + resource "azurerm_virtual_network" "vnet" { + name = "${var.virtual_network_name}" + location = "${var.location}" + address_space = ["${var.address_space}"] + resource_group_name = "${var.resource_group}" + } + + # Build a subnet to run our VMs in. + + resource "azurerm_subnet" "subnet" { + name = "${var.prefix}subnet" + virtual_network_name = "${azurerm_virtual_network.vnet.name}" + resource_group_name = "${var.resource_group}" + address_prefixes = ["${var.subnet_prefix}"] + } + + ############################################################################## + # Build an VyOS VM from the Marketplace + # To finde nessesery image use the command: + # + # az vm image list --offer vyos --all + # + # Now that we have a network, we'll deploy an VyOS server. + # An Azure Virtual Machine has several components. In this example we'll build + # a security group, a network interface, a public ip address, a storage + # account and finally the VM itself. Terraform handles all the dependencies + # automatically, and each resource is named with user-defined variables. + ############################################################################## + + + # Security group to allow inbound access on port 22 (ssh) + + resource "azurerm_network_security_group" "vyos-sg" { + name = "${var.prefix}-sg" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + + security_rule { + name = "SSH" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "${var.source_network}" + destination_address_prefix = "*" + } + } + + # A network interface. + + resource "azurerm_network_interface" "vyos-nic" { + name = "${var.prefix}vyos-nic" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + + ip_configuration { + name = "${var.prefix}ipconfig" + subnet_id = "${azurerm_subnet.subnet.id}" + private_ip_address_allocation = "Dynamic" + public_ip_address_id = "${azurerm_public_ip.vyos-pip.id}" + } + } + + # Add a public IP address. + + resource "azurerm_public_ip" "vyos-pip" { + name = "${var.prefix}-ip" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + allocation_method = "Dynamic" + } + + # Build a virtual machine. This is a standard VyOS instance from Marketplace. + + resource "azurerm_virtual_machine" "vyos" { + name = "${var.hostname}-vyos" + location = "${var.location}" + resource_group_name = "${var.resource_group}" + vm_size = "${var.vm_size}" + + network_interface_ids = ["${azurerm_network_interface.vyos-nic.id}"] + delete_os_disk_on_termination = "true" + + # To finde an information about the plan use the command: + # az vm image list --offer vyos --all + + plan { + publisher = "sentriumsl" + name = "vyos-1-3" + product = "vyos-1-2-lts-on-azure" + } + + storage_image_reference { + publisher = "${var.image_publisher}" + offer = "${var.image_offer}" + sku = "${var.image_sku}" + version = "${var.image_version}" + } + + storage_os_disk { + name = "${var.hostname}-osdisk" + managed_disk_type = "Standard_LRS" + caching = "ReadWrite" + create_option = "FromImage" + } + + os_profile { + computer_name = "${var.hostname}" + admin_username = "${var.admin_username}" + admin_password = "${var.admin_password}" + } + + os_profile_linux_config { + disable_password_authentication = false + } + } + + data "azurerm_public_ip" "example" { + depends_on = ["azurerm_virtual_machine.vyos"] + name = "vyos-ip" + resource_group_name = "${var.resource_group}" + } + output "public_ip_address" { + value = data.azurerm_public_ip.example.ip_address + } + + # IP of AZ instance copied to a file ip.txt in local system + + resource "local_file" "ip" { + content = data.azurerm_public_ip.example.ip_address + filename = "ip.txt" + } + + #Connecting to the Ansible control node using SSH connection + + resource "null_resource" "nullremote1" { + depends_on = ["azurerm_virtual_machine.vyos"] + connection { + type = "ssh" + user = "root" + password = var.password + host = var.host + } + + # Copying the ip.txt file to the Ansible control node from local system + + provisioner "file" { + source = "ip.txt" + destination = "/root/az/ip.txt" + } + } + + resource "null_resource" "nullremote2" { + depends_on = ["azurerm_virtual_machine.vyos"] + connection { + type = "ssh" + user = "root" + password = var.password + host = var.host + } + + # Command to run ansible playbook on remote Linux OS + + provisioner "remote-exec" { + + inline = [ + "cd /root/az/", + "ansible-playbook instance.yml" + ] + } + } + + + +variables.tf + +.. code-block:: none + + ############################################################################## + # Variables File + # + # Here is where we store the default values for all the variables used in our + # Terraform code. + ############################################################################## + + variable "resource_group" { + description = "The name of your Azure Resource Group." + default = "my_resource_group" + } + + variable "prefix" { + description = "This prefix will be included in the name of some resources." + default = "vyos" + } + + variable "hostname" { + description = "Virtual machine hostname. Used for local hostname, DNS, and storage-related names." + default = "vyos_terraform" + } + + variable "location" { + description = "The region where the virtual network is created." + default = "centralus" + } + + variable "virtual_network_name" { + description = "The name for your virtual network." + default = "vnet" + } + + variable "address_space" { + description = "The address space that is used by the virtual network. You can supply more than one address space. Changing this forces a new resource to be created." + default = "10.0.0.0/16" + } + + variable "subnet_prefix" { + description = "The address prefix to use for the subnet." + default = "10.0.10.0/24" + } + + variable "storage_account_tier" { + description = "Defines the storage tier. Valid options are Standard and Premium." + default = "Standard" + } + + variable "storage_replication_type" { + description = "Defines the replication type to use for this storage account. Valid options include LRS, GRS etc." + default = "LRS" + } + + # The most chippers size + + variable "vm_size" { + description = "Specifies the size of the virtual machine." + default = "Standard_B1s" + } + + variable "image_publisher" { + description = "Name of the publisher of the image (az vm image list)" + default = "sentriumsl" + } + + variable "image_offer" { + description = "Name of the offer (az vm image list)" + default = "vyos-1-2-lts-on-azure" + } + + variable "image_sku" { + description = "Image SKU to apply (az vm image list)" + default = "vyos-1-3" + } + + variable "image_version" { + description = "Version of the image to apply (az vm image list)" + default = "1.3.3" + } + + variable "admin_username" { + description = "Administrator user name" + default = "vyos" + } + + variable "admin_password" { + description = "Administrator password" + default = "Vyos0!" + } + + variable "source_network" { + description = "Allow access from this network prefix. Defaults to '*'." + default = "*" + } + + variable "password" { + description = "pass for Ansible" + type = string + sensitive = true + } + variable "host"{ + description = "IP of my Ansible" + } + + +Structure of files Ansible + +.. code-block:: none + + . + ├── group_vars + └── all + ├── ansible.cfg + └── instance.yml + + +File contents +------------- + +ansible.cfg + +.. code-block:: none + + [defaults] + inventory = /root/az/ip.txt + host_key_checking= False + remote_user=vyos + + +instance.yml + +.. code-block:: none + + - name: integration of terraform and ansible + hosts: all + gather_facts: 'no' + + tasks: + + - name: "Wait 300 seconds, but only start checking after 60 seconds" + wait_for_connection: + delay: 60 + timeout: 300 + + - name: "Configure general settings for the vyos hosts group" + vyos_config: + lines: + - set system name-server 8.8.8.8 + save: + true + + +all + +.. code-block:: none + + ansible_connection: ansible.netcommon.network_cli + ansible_network_os: vyos.vyos.vyos + + # user and password gets from terraform variables "admin_username" and "admin_password" + ansible_user: vyos + ansible_ssh_pass: Vyos0! + + +Azure_terraform_ansible_single_vyos_instance +-------------------------------------------- + +How to create a single instance and install your configuration using Terraform+Ansible+Azure +Step by step: + +Azure +----- + +1.1 Create an account with Azure + +Terraform +--------- + +2.1 Create a UNIX or Windows instance + +2.2 Download and install Terraform + +2.3 Create the folder for example ../azvyos/ + +2.4 Copy all files from my folder /Terraform into your Terraform project (main.tf, variables.tf) + +2.5 Login with Azure using the command + + #az login + +2.6 Type the commands : + + #cd /your folder + + #terraform init + +Ansible +------- + +3.1 Create a UNIX instance + +3.2 Download and install Ansible + +3.3 Create the folder for example /root/az/ + +3.4 Copy all files from my folder /Ansible into your Ansible project (ansible.cfg, instance.yml and /group_vars) + +Start +----- + +4.1 Type the commands on your Terrafom instance: + + #cd /your folder + + #terraform plan + + #terraform apply + + #yes + + + +Deploying vyos in the Vsphere infrastructia +------------------------------------------- +With the help of terraforms, you can quickly deploy Vyos-based infrastructure in the vSphere. + +Structure of files Terrafom + +.. code-block:: none + + . + ├── main.tf + ├── versions.tf + ├── variables.tf + └── terraform.tfvars + +File contents +------------- + +main.tf + +.. code-block:: none + + provider "vsphere" { + user = var.vsphere_user + password = var.vsphere_password + vsphere_server = var.vsphere_server + allow_unverified_ssl = true + } + + data "vsphere_datacenter" "datacenter" { + name = var.datacenter + } + + data "vsphere_datastore" "datastore" { + name = var.datastore + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_compute_cluster" "cluster" { + name = var.cluster + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_resource_pool" "default" { + name = format("%s%s", data.vsphere_compute_cluster.cluster.name, "/Resources/terraform") # set as you need + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_host" "host" { + name = var.host + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + data "vsphere_network" "network" { + name = var.network_name + datacenter_id = data.vsphere_datacenter.datacenter.id + } + + ## Deployment of VM from Remote OVF + resource "vsphere_virtual_machine" "vmFromRemoteOvf" { + name = var.remotename + datacenter_id = data.vsphere_datacenter.datacenter.id + datastore_id = data.vsphere_datastore.datastore.id + host_system_id = data.vsphere_host.host.id + resource_pool_id = data.vsphere_resource_pool.default.id + network_interface { + network_id = data.vsphere_network.network.id + } + wait_for_guest_net_timeout = 2 + wait_for_guest_ip_timeout = 2 + + ovf_deploy { + allow_unverified_ssl_cert = true + remote_ovf_url = var.url_ova + disk_provisioning = "thin" + ip_protocol = "IPv4" + ip_allocation_policy = "dhcpPolicy" + ovf_network_map = { + "Network 1" = data.vsphere_network.network.id + "Network 2" = data.vsphere_network.network.id + } + } + vapp { + properties = { + "password" = "12345678", + "local-hostname" = "terraform_vyos" + } + } + } + + output "ip" { + description = "default ip address of the deployed VM" + value = vsphere_virtual_machine.vmFromRemoteOvf.default_ip_address + } + + # IP of AZ instance copied to a file ip.txt in local system + + resource "local_file" "ip" { + content = vsphere_virtual_machine.vmFromRemoteOvf.default_ip_address + filename = "ip.txt" + } + + #Connecting to the Ansible control node using SSH connection + + resource "null_resource" "nullremote1" { + depends_on = ["vsphere_virtual_machine.vmFromRemoteOvf"] + connection { + type = "ssh" + user = "root" + password = var.ansiblepassword + host = var.ansiblehost + + } + + # Copying the ip.txt file to the Ansible control node from local system + + provisioner "file" { + source = "ip.txt" + destination = "/root/vsphere/ip.txt" + } + } + + resource "null_resource" "nullremote2" { + depends_on = ["vsphere_virtual_machine.vmFromRemoteOvf"] + connection { + type = "ssh" + user = "root" + password = var.ansiblepassword + host = var.ansiblehost + } + + # Command to run ansible playbook on remote Linux OS + + provisioner "remote-exec" { + + inline = [ + "cd /root/vsphere/", + "ansible-playbook instance.yml" + ] + } + } + + +versions.tf + +.. code-block:: none + + # Copyright (c) HashiCorp, Inc. + # SPDX-License-Identifier: MPL-2.0 + + terraform { + required_providers { + vsphere = { + source = "hashicorp/vsphere" + version = "2.4.0" + } + } + } + +variables.tf + +.. code-block:: none + + # Copyright (c) HashiCorp, Inc. + # SPDX-License-Identifier: MPL-2.0 + + variable "vsphere_server" { + description = "vSphere server" + type = string + } + + variable "vsphere_user" { + description = "vSphere username" + type = string + } + + variable "vsphere_password" { + description = "vSphere password" + type = string + sensitive = true + } + + variable "datacenter" { + description = "vSphere data center" + type = string + } + + variable "cluster" { + description = "vSphere cluster" + type = string + } + + variable "datastore" { + description = "vSphere datastore" + type = string + } + + variable "network_name" { + description = "vSphere network name" + type = string + } + + variable "host" { + description = "name if yor host" + type = string + } + + variable "remotename" { + description = "the name of you VM" + type = string + } + + variable "url_ova" { + description = "the URL to .OVA file or cloude store" + type = string + } + + variable "ansiblepassword" { + description = "Ansible password" + type = string + } + + variable "ansiblehost" { + description = "Ansible host name or IP" + type = string + } + +terraform.tfvars + +.. code-block:: none + + vsphere_user = "" + vsphere_password = "" + vsphere_server = "" + datacenter = "" + datastore = "" + cluster = "" + network_name = "" + host = "" + url_ova = "" + ansiblepassword = "" + ansiblehost = "" + remotename = "" + +Azure_terraform_ansible_single_vyos_instance +-------------------------------------------- + +How to create a single instance and install your configuration using Terraform+Ansible+Vsphere +Step by step: + +Vsphere +------- + +1.1 Collect all data in to file "terraform.tfvars" and create resources fo example "terraform" + +Terraform +--------- + +2.1 Create a UNIX or Windows instance + +2.2 Download and install Terraform + +2.3 Create the folder for example ../vsphere/ + +2.4 Copy all files from my folder /Terraform into your Terraform project + +2.5 Type the commands : + + #cd /your folder + + #terraform init + + +Ansible +------- + +3.1 Create a UNIX instance + +3.2 Download and install Ansible + +3.3 Create the folder for example /root/vsphere/ + +3.4 Copy all files from my folder /Ansible into your Ansible project (ansible.cfg, instance.yml and /group_vars) + +Start +----- + +4.1 Type the commands on your Terrafom instance: + + #cd /your folder + + #terraform plan + + #terraform apply + + #yes + diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index 0487f863..670ca29f 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -93,6 +93,11 @@ Configuration Volume is either mounted as rw (read-write - default) or ro (read-only) +.. cfgcmd:: set container name <name> uid <number> +.. cfgcmd:: set container name <name> gid <number> + + Set the User ID or Group ID of the container + .. cfgcmd:: set container name <name> restart [no | on-failure | always] Set the restart behavior of the container. diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 74d5bc20..5d9190d6 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -66,10 +66,10 @@ packetis processed at the **IP Layer**: can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through - **inputt** (for example response to an ssh login attempt to the router). + **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in: - * ``set firewall ipv4 input filter ...``. + * ``set firewall ipv4 output filter ...``. * ``set firewall ipv6 output filter ...``. @@ -81,7 +81,7 @@ packetis processed at the **IP Layer**: destination...``. If the interface where the packet was received is part of a bridge, then -packetis processed at the **Bridge Layer**, which contains a basic setup for +the packet is processed at the **Bridge Layer**, which contains a basic setup for bridge filtering: * **Forward (Bridge)**: stage where traffic that is trespasing through the @@ -89,7 +89,7 @@ bridge filtering: * ``set firewall bridge forward filter ...``. -The main structure VyOS firewall cli is shown next: +The main structure of the VyOS firewall CLI is shown next: .. code-block:: none diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 8fc69111..3c983aae 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -209,35 +209,35 @@ Defining Peers .. cfgcmd:: set protocols bgp neighbor <address|interface> local-role <role> [strict] - BGP roles are defined in RFC :rfc:`9234` and provide an easy way to - add route leak prevention, detection and mitigation. The local Role - value is negotiated with the new BGP Role capability which has a - built-in check of the corresponding value. In case of a mismatch the + BGP roles are defined in RFC :rfc:`9234` and provide an easy way to + add route leak prevention, detection and mitigation. The local Role + value is negotiated with the new BGP Role capability which has a + built-in check of the corresponding value. In case of a mismatch the new OPEN Roles Mismatch Notification <2, 11> would be sent. The correct Role pairs are: - + Provider - Customer Peer - Peer RS-Server - RS-Client - If :cfgcmd:`strict` is set the BGP session won’t become established - until the BGP neighbor sets local Role on its side. This + If :cfgcmd:`strict` is set the BGP session won’t become established + until the BGP neighbor sets local Role on its side. This configuration parameter is defined in RFC :rfc:`9234` and is used to enforce the corresponding configuration at your counter-parts side. - - Routes that are sent from provider, rs-server, or the peer local-role - (or if received by customer, rs-client, or the peer local-role) will + + Routes that are sent from provider, rs-server, or the peer local-role + (or if received by customer, rs-client, or the peer local-role) will be marked with a new Only to Customer (OTC) attribute. - + Routes with this attribute can only be sent to your neighbor if your local-role is provider or rs-server. Routes with this attribute can - be received only if your local-role is customer or rs-client. - + be received only if your local-role is customer or rs-client. + In case of peer-peer relationship routes can be received only if OTC value is equal to your neighbor AS number. - + All these rules with OTC will help to detect and mitigate route leaks and happen automatically if local-role is set. @@ -584,6 +584,12 @@ General Configuration Common parameters ^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop + + When a peer receives a martian nexthop as part of the NLRI for a route + permit the nexthop to be used as such, instead of rejecting and resetting + the connection. + .. cfgcmd:: set protocols bgp parameters router-id <id> This command specifies the router-ID. If router ID is not specified it will @@ -598,6 +604,12 @@ Common parameters Path (both AS number and AS path length), Origin code, MED, IGP metric. Also, the next hop address for each path must be different. +.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset + + Do not send Hard Reset CEASE Notification for "Administrative Reset" + events. When set and Graceful Restart Notification capability is exchanged + between the peers, Graceful Restart procedures apply, and routes will be retained. + .. cfgcmd:: set protocols bgp parameters log-neighbor-changes This command enable logging neighbor up/down changes and reset reason. @@ -643,6 +655,16 @@ Common parameters compatibility with older versions of VyOS. With this option one can enable :rfc:`8212` functionality to operate. +.. cfgcmd:: set protocols bgp parameters labeled-unicast <explicit-null | + ipv4-explicit-null | ipv6-explicit-null> + + By default, locally advertised prefixes use the implicit-null label to + encode in the outgoing NLRI. + + The following command uses the explicit-null label value for all the + BGP instances. + + Administrative Distance ^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 7624d309..e430dc73 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -156,6 +156,20 @@ avoid being tracked by the provider of your upstream DNS server. recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled. +.. cfgcmd:: set service dns forwarding options ecs-add-for <address> + + The requestor netmask for which the requestor IP Address should be used as the + EDNS Client Subnet for outgoing queries. + +.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number> + + Number of bits of client IPv4 address to pass when sending EDNS Client Subnet + address information. + +.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain> + + The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. + Example ======= diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst new file mode 100644 index 00000000..3e508d50 --- /dev/null +++ b/docs/configuration/service/ids.rst @@ -0,0 +1,179 @@ +.. _ids: + +############### +DDoS Protection +############### + +********** +FastNetMon +********** + +FastNetMon is a high-performance DDoS detector/sensor built on top of multiple +packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can +detect hosts in the deployed network sending or receiving large volumes of +traffic, packets/bytes/flows per second and perform a configurable action to +handle that event, such as calling a custom script. + +VyOS includes the FastNetMon Community Edition. + +Configuration +============= + +.. cfgcmd:: set service ids ddos-protection alert-script <text> + + Configure alert script that will be executed when an attack is detected. + +.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294> + + Configure how long an IP (attacker) should be kept in blocked state. + Default value is 1900. + +.. cfgcmd:: set service ids ddos-protection direction [in | out] + + Configure direction for processing traffic. + +.. cfgcmd:: set service ids ddos-protection exclude-network <x.x.x.x/x> +.. cfgcmd:: set service ids ddos-protection exlude-network <h:h:h:h:h:h:h:h/x> + + Specify IPv4 and/or IPv6 networks which are going to be excluded. + +.. cfgcmd:: set service ids ddos-protection listen-interface <text> + + Configure listen interface for mirroring traffic. + +.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow] + + Configure traffic capture mode. + +.. cfgcmd:: set service ids ddos-protection network <x.x.x.x/x> +.. cfgcmd:: set service ids ddos-protection network <h:h:h:h:h:h:h:h/x> + + Specify IPv4 and/or IPv6 networks that should be protected/monitored. + +.. cfgcmd:: set service ids ddos-protection sflow listen-address <x.x.x.x> + + Configure local IPv4 address to listen for sflow. + +.. cfgcmd:: set service ids ddos-protection sflow port <1-65535> + + Configure port number to be used for sflow conection. Default port is 6343. + +.. cfgcmd:: set service ids ddos-protection threshold general + [fps | mbps | pps] <0-4294967294> + + Configure general threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold icmp + [fps | mbps | pps] <0-4294967294> + + Configure ICMP threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold tcp + [fps | mbps | pps] <0-4294967294> + + Configure TCP threshold parameters + +.. cfgcmd:: set service ids ddos-protection threshold udp + [fps | mbps | pps] <0-4294967294> + + Configure UDP threshold parameters + +Example +======= + +A configuration example can be found in this section. +In this simplified scenario, main things to be considered are: + + * Network to be protected: 192.0.2.0/24 (public IPs use by + customers) + + * **ban-time** and **threshold**: these values are kept very low in order + to easily identify and generate and attack. + + * Direction: **in** and **out**. Protect public network from external + attacks, and identify internal attacks towards internet. + + * Interface **eth0** used to connect to upstream. + +Since we are analyzing attacks to and from our internal network, two types +of attacks can be identified, and differents actions are needed: + + * External attack: an attack from the internet towards an internal IP + is identify. In this case, all connections towards such IP will be + blocked + + * Internal attack: an attack from the internal network (generated by a + customer) towards the internet is identify. In this case, all connections + from this particular IP/Customer will be blocked. + + +So, firewall configuration needed for this setup: + +.. code-block:: none + + set firewall group address-group FNMS-DST-Block + set firewall group address-group FNMS-SRC-Block + + set firewall ipv4 forward filter rule 10 action 'drop' + set firewall ipv4 forward filter rule 10 description 'FNMS - block destination' + set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block' + + set firewall ipv4 forward filter rule 20 action 'drop' + set firewall ipv4 forward filter rule 20 description 'FNMS - Block source' + set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block' + +Then, FastNetMon configuration: + +.. code-block:: none + + set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh' + set service ids ddos-protection ban-time '10' + set service ids ddos-protection direction 'in' + set service ids ddos-protection direction 'out' + set service ids ddos-protection listen-interface 'eth0' + set service ids ddos-protection mode 'mirror' + set service ids ddos-protection network '192.0.2.0/24' + set service ids ddos-protection threshold general pps '100' + +And content of the script: + +.. code-block:: none + + #!/bin/bash + + # alert-script is called twice. + # When an attack occurs, the program calls a bash script twice: + # 1st time when threshold exceed + # 2nd when we collect 100 packets for detailed audit of what happened. + + # Do nothing if “attack_details” is passed as an argument + if [ "${4}" == "attack_details" ]; then + # Do nothing + exit + fi + # Arguments: + ip=$1 + direction=$2 + pps_rate=$3 + action=$4 + + logger -t FNMS "** Start - Running alert script **" + + if [ "${direction}" == "incoming" ] ; then + group="FNMS-DST-Block" + origin="external" + else + group="FNMS-SRC-Block" + origin="internal" + fi + + if [ "${action}" == "ban" ] ; then + logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address." + logger -t FNMS "Adding IP address ${ip} to firewall group ${group}." + sudo nft add element ip vyos_filter A_${group} { ${ip} } + else + logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}." + sudo nft delete element ip vyos_filter A_${group} { ${ip} } + fi + logger -t FNMS "** End - Running alert script **" + exit diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 1195348f..56ce55eb 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -13,7 +13,9 @@ Service dhcp-relay dhcp-server dns + eventhandler https + ids ipoe-server lldp mdns @@ -26,4 +28,4 @@ Service ssh tftp-server webproxy - eventhandler + diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index c9c9bfb1..4a1c3bd3 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -22,6 +22,14 @@ General Play an audible beep to the system speaker when system is ready. +Kernel +====== + +.. cfgcmd:: set system option kernel disable-mitigations + + Disable all optional CPU mitigations. This improves system performance, + but it may also expose users to several CPU vulnerabilities. + *********** HTTP client *********** |