From 847971e3dd85ab5d061d6fb2792a8a16383e670b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 16 Jan 2011 23:26:15 +0100 Subject: doc: update conntrack-tools manual This update adds to the documentation the following information: * add reference to "Demystifying cluster-based fault-tolerant firewalls" * add how-to disable the external cache * add how-to disable the internal cache * add how-to set the synchronization transport protocol * document iptables CT target * ask for sponsors to finish H323 and SIP support. Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 118 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 112 insertions(+), 6 deletions(-) (limited to 'doc/manual') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 621b05f..8a4e15d 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -19,7 +19,7 @@ - 2008-2010 + 2008-2011 Pablo Neira Ayuso @@ -37,9 +37,9 @@ This document details how to install and configure the conntrack-tools - >= 0.9.8. This software is under development, for that reason, it is likely - that this document will evolve in the future to cover new features and - changes. + >= 0.9.15. This software is under development, for that reason, it is + likely that this document will evolve in the future to cover new features + and changes. @@ -346,6 +346,11 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted. Active-Backup setup + Stateful firewall architectures + A good reading to extend the information about firewall architectures is Demystifying cluster-based fault-tolerant firewalls published in IEEE Internet Computing magazine. + + + In the Active-Backup setup, one of the stateful firewall replicas filters traffic and the other acts as backup. If you use this approach, you have to copy the script primary-backup.sh to: 
@@ -512,6 +517,106 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted. +Other configuration options + + The daemon allows several configuration options that you may want to + enable. This section contains some information about them. + +Disabling external cache + + It is possible to disable the external cache. Thus, + conntrackd directly injects the flow-states into the + in-kernel Connection Tracking System of the backup firewall. You can do it + by enabling the DisableExternalCache option in the + conntrackd.conf configuration file: + + + +Sync { + Mode FTFW { + [...] + DisableExternalCache Off + } +} + + + You can also use this option with the NOTRACK and ALARM modes. This + increases CPU consumption in the backup firewall but now you do not need + to commit the flow-states during the master failures since they are already + in the in-kernel Connection Tracking table. Moreover, you save memory in + the backup firewall since you do not need to store the foreign flow-states + anymore. + + + + +Disabling internal cache + + You can also disable the internal cache by means of the + DisableInternalCache option in the + conntrackd.conf configuration file: + + + +Sync { + Mode NOTRACK { + [...] + DisableInternalCache Off + } +} + + + However, this option is only available for the NOTRACK mode. This + mode provides unreliable flow-state synchronization between firewalls. + Thus, if flow-states are lost during the synchronization, the protocol + provides no way to recover them. + + + + +Using UDP, TCP or multicast for flow-state synchronization + + You can use up to three different transport layer protocols to + synchronize flow-state changes between the firewalls: UDP, TCP and + Multicast. UDP and multicast are unreliable but together with the FT-FW + mode provide partial reliable flow-state synchronization. + + + The preferred choice is FT-FW over UDP, or multicast alternatively. 
+ TCP introduces latency in the flow-state synchronization due to the + congestion control. Under flow-state message are lost, the FIFO delivery + becomes also a problem since the backup firewall quickly gets out of + sync. For that reason, its use is discouraged. Note that using TCP only + makes sense with the NOTRACK mode. + + + + + +Filtering Connection tracking events with iptables + + Since Linux kernel >= 2.6.34, iptables provides the + CT iptables target that allows to reduce the + amount of Connection Tracking events that are delivered to user-space. + The following example shows how to only generate the + assured event: + + + # iptables -I PREROUTING -t raw -j CT --ctevents assured + + + Assured flows + One flow is assured if the firewall has seen traffic for it in + both directions. + + + Reducing the amount of events generated helps to reduce CPU + consumption in the active firewall. + + + + + Troubleshooting Problems with conntrackd? The following list @@ -587,12 +692,13 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted. - Does conntrackd support the H.323, SIP and NetBios connection tracking helpers? + Does conntrackd support the H.323 and SIP connection tracking helpers? - No. This is not implemented yet, sorry. + No. This is not implemented yet, sorry. If you are interested in + sponsoring this support, please contact me. -- cgit v1.2.3
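Review bot: the new "Stateful firewall architectures" paragraph in the @@ -346,6 hunk cites "Demystifying cluster-based fault-tolerant firewalls" only by title and magazine, with no authors, year, volume/issue or link, so readers of the manual cannot locate the article; suggest completing the citation and rewording "A good reading to extend the information about firewall architectures is" to "For more background on firewall architectures, see".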
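Review bot: the two configuration snippets in the @@ -512,6 hunk contradict their own text: the "Disabling external cache" section says to enable the DisableExternalCache option, yet the example shows `DisableExternalCache Off`, and the "Disabling internal cache" example likewise shows `DisableInternalCache Off`. Anyone copying these examples would keep both caches enabled; both lines should read `On`. Two wording fixes in the same hunk: "Under flow-state message are lost" should be "When flow-state messages are lost", and "partial reliable" should be "partially reliable". Finally, the iptables CT example restricts events to `assured` only; since the hunk defines an assured flow as one seen in both directions, it would help to add that flows which have not yet reached that state are not reported and therefore not replicated to the backup, so operators can weigh the CPU saving against losing those states on failover.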
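Review bot: the @@ -587,12 hunk removes NetBios from the FAQ question but leaves the answer unchanged, so the manual no longer states anything about the NetBIOS helper; either keep it in the question or add a sentence giving its status. Also "please contact me" names no address; pointing to the project mailing list or the author's e-mail would make the sponsorship request actionable.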