Diffstat (limited to 'docs/configuration/service')
-rw-r--r--  docs/configuration/service/broadcast-relay.rst    5
-rw-r--r--  docs/configuration/service/conntrack-sync.rst    35
-rw-r--r--  docs/configuration/service/console-server.rst    24
-rw-r--r--  docs/configuration/service/dhcp-relay.rst         4
-rw-r--r--  docs/configuration/service/dhcp-server.rst       81
-rw-r--r--  docs/configuration/service/eventhandler.rst     127
-rw-r--r--  docs/configuration/service/https.rst              6
-rw-r--r--  docs/configuration/service/index.rst              2
-rw-r--r--  docs/configuration/service/ipoe-server.rst        8
-rw-r--r--  docs/configuration/service/monitoring.rst       107
-rw-r--r--  docs/configuration/service/ntp.rst               81
-rw-r--r--  docs/configuration/service/pppoe-server.rst      37
-rw-r--r--  docs/configuration/service/router-advert.rst      7
-rw-r--r--  docs/configuration/service/ssh.rst               36
-rw-r--r--  docs/configuration/service/webproxy.rst          11
15 files changed, 493 insertions, 78 deletions
diff --git a/docs/configuration/service/broadcast-relay.rst b/docs/configuration/service/broadcast-relay.rst index df48bfd6..b6e2bed7 100644 --- a/docs/configuration/service/broadcast-relay.rst +++ b/docs/configuration/service/broadcast-relay.rst @@ -28,6 +28,11 @@ Configuration want to receive/relay packets on both `eth1` and `eth2` both interfaces need to be added. +.. cfgcmd:: set service broadcast-relay id <n> address <ipv4-address> + + Set the source IP of forwarded packets, otherwise original senders address + is used. + .. cfgcmd:: set service broadcast-relay id <n> port <port> The UDP port number used by your apllication. It is mandatory for this kind diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index a7cd7060..468b39d9 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -37,14 +37,14 @@ Most examples below show Multicast, but unicast can be specified by using the Configuration ************* - .. cfgcmd:: set service conntrack-sync accept-protocol +.. cfgcmd:: set service conntrack-sync accept-protocol Accept only certain protocols: You may want to replicate the state of flows depending on their layer 4 protocol. Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp. - .. cfgcmd:: set service conntrack-sync event-listen-queue-size <size> +.. cfgcmd:: set service conntrack-sync event-listen-queue-size <size> The daemon doubles the size of the netlink event socket buffer size if it detects netlink event message dropping. This clause sets the maximum buffer 
@@ -52,39 +52,52 @@ Configuration Queue size for listening to local conntrack events in MB. - .. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet> +.. cfgcmd:: set service conntrack-sync expect-sync <all|ftp|h323|nfs|sip|sqlnet> Protocol for which expect entries need to be synchronized. - .. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group> +.. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group> Failover mechanism to use for conntrack-sync. Only VRRP is supported. Required option. - .. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x> +.. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x> IP addresses or networks for which local conntrack entries will not be synced - .. cfgcmd:: set service conntrack-sync interface <name> +.. cfgcmd:: set service conntrack-sync interface <name> Interface to use for syncing conntrack entries. - .. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x> +.. cfgcmd:: set service conntrack-sync interface <name> port <port> + + Port number used by connection. + +.. cfgcmd:: set service conntrack-sync listen-address <ipv4address> + + Local IPv4 addresses for service to listen on. + +.. cfgcmd:: set service conntrack-sync mcast-group <x.x.x.x> Multicast group to use for syncing conntrack entries. Defaults to 225.0.0.50. - .. cfgcmd:: set service conntrack-sync interface <name> peer <address> +.. cfgcmd:: set service conntrack-sync interface <name> peer <address> Peer to send unicast UDP conntrack sync entires to, if not using Multicast configuration from above above. - .. cfgcmd:: set service conntrack-sync sync-queue-size <size> +.. cfgcmd:: set service conntrack-sync sync-queue-size <size> Queue size for syncing conntrack entries in MB. +.. 
cfgcmd:: set service conntrack-sync disable-external-cache + + This diable the external cache and directly injects the flow-states into the + in-kernel Connection Tracking System of the backup firewall. + ********* Operation ********* @@ -114,11 +127,11 @@ Operation conntrack is not enabled. To enable conntrack, just create a NAT or a firewall rule. :cfgcmd:`set firewall state-policy established action accept` -.. opcmd:: show conntrack-sync external-cache +.. opcmd:: show conntrack-sync cache external Show connection syncing external cache entries -.. opcmd:: show conntrack-sync internal-cache +.. opcmd:: show conntrack-sync cache internal Show connection syncing internal cache entries diff --git a/docs/configuration/service/console-server.rst b/docs/configuration/service/console-server.rst index dd2f5032..c9ea7f77 100644 --- a/docs/configuration/service/console-server.rst +++ b/docs/configuration/service/console-server.rst 
@@ -26,25 +26,30 @@ times are used to send a single character, and so dividing the signalling bit-rate by ten results in the overall transmission speed in characters per second. This is also the default setting if none of those options are defined. -.. cfgcmd:: set service console-server <device> data-bits [7 | 8] +.. cfgcmd:: set service console-server device <device> data-bits [7 | 8] Configure either seven or eight data bits. This defaults to eight data bits if left unconfigured. -.. cfgcmd:: set service console-server <device> description <string> +.. cfgcmd:: set service console-server device <device> description <string> A user friendly description identifying the connected peripheral. -.. cfgcmd:: set service console-server <device> parity [even | odd | none] +.. cfgcmd:: set service console-server device <device> alias <string> + + A user friendly alias for this connection. Can be used instead of the + device name when connecting. + +.. cfgcmd:: set service console-server device <device> parity [even | odd | none] Set the parity option for the console. If unset this will default to none. -.. cfgcmd:: set service console-server <device> stop-bits [1 | 2] +.. cfgcmd:: set service console-server device <device> stop-bits [1 | 2] Configure either one or two stop bits. This defaults to one stop bits if left unconfigured. -.. cfgcmd:: set service console-server <device> speed +.. cfgcmd:: set service console-server device <device> speed [ 300 | 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200 ] .. note:: USB to serial converters will handle most of their work in software 
@@ -58,7 +63,7 @@ Each individual configured console-server device can be directly exposed to the outside world. A user can directly connect via SSH to the configured port. -.. cfgcmd:: set service console-server <device> ssh port <port> +.. cfgcmd:: set service console-server device <device> ssh port <port> Accept SSH connections for the given `<device>` on TCP port `<port>`. After successfull authentication the user will be directly dropped to @@ -106,3 +111,10 @@ Operation .. hint:: The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit the session use: ``Ctrl+E c .`` + + .. hint:: If ``alias`` is set, it can be used instead of the device when + connecting. + +.. opcmd:: show log console-server + + Show the console server log.
\ No newline at end of file diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index 5ce22edb..a93c1046 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -47,7 +47,7 @@ Options DHCP packet size surpasses this value it will be forwarded without appending relay agent information. Range 64...1400, default 576. -.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packet +.. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets <append | discard | forward | replace> Four policies for reforwarding DHCP packets exist: @@ -124,7 +124,7 @@ Configuration Options ------- -.. cfgcmd:: set service dhcpv6-relay max-hop-count 'count' +.. cfgcmd:: set service dhcpv6-relay max-hop-count <count> Set maximum hop count before packets are discarded, default: 10 diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 75f8b8f0..3f4b7b89 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -69,10 +69,17 @@ Configuration respond to the client. The lease will remain abandoned for a minimum of abandon-lease-time seconds (defaults to 24 hours). - If a there are no free addressses but there are abandoned IP addresses, the + If there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time. +.. cfgcmd:: set service dhcp-server listen-address <address> + + This configuration parameter lets the DHCP server to listen for DHCP + requests sent to the specified address, it is only realistically useful for + a server whose only clients are reached via unicasts, such as via DHCP relay + agents. + Individual Client Subnet ------------------------- 
@@ -151,7 +158,7 @@ Individual Client Subnet respond to the client. The lease will remain abandoned for a minimum of abandon-lease-time seconds (defaults to 24 hours). - If a there are no free addressses but there are abandoned IP addresses, the + If a there are no free addresses but there are abandoned IP addresses, the DHCP server will attempt to reclaim an abandoned IP address regardless of the value of abandon-lease-time. @@ -225,6 +232,27 @@ inside the subnet definition but can be outside of the range statement. .. hint:: This is the equivalent of the host block in dhcpd.conf of isc-dhcpd. +**Example:** + +* IP address ``192.168.1.100`` shall be statically mapped to client named ``client100`` + +.. code-block:: none + + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 + +The configuration will look as follows: + +.. code-block:: none + + show service dhcp-server shared-network-name NET1 + subnet 192.168.1.0/24 { + static-mapping client1 { + ip-address 192.168.1.100 + mac-address aa:bb:11:22:33:00 + } + } + Options ======= @@ -495,18 +523,6 @@ Operation Mode Show logs from specific `interface` DHCP client process. -.. opcmd:: show log dhcpv6 server - - Show DHCPv6 server daemon log file - -.. opcmd:: show log dhcpv6 client - - Show logs from all DHCPv6 client processes. - -.. opcmd:: show log dhcpv6 client interface <interface> - - Show logs from specific `interface` DHCPv6 client process. - .. opcmd:: restart dhcp server Restart the DHCP server 
@@ -699,21 +715,14 @@ The configuration will look as follows: .. code-block:: none - show service dhcp-server shared-network-name NET1 - shared-network-name NET1 { - subnet 2001:db8::/64 { - name-server 2001:db8:111::111 - address-range { - start 2001:db8::100 { - stop 2001:db8::199 { - } - } - static-mapping client1 { - ipv6-address 2001:db8::101 - identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff - } - } - } + show service dhcpv6-server shared-network-name NET1 + subnet 2001:db8::/64 { + static-mapping client1 { + identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + ipv6-address 2001:db8::101 + ipv6-prefix 2001:db8:0:101::/64 + } + } .. start_vyoslinter @@ -722,6 +731,18 @@ The configuration will look as follows: Operation Mode ============== +.. opcmd:: show log dhcpv6 server + + Show DHCPv6 server daemon log file + +.. opcmd:: show log dhcpv6 client + + Show logs from all DHCPv6 client processes. + +.. opcmd:: show log dhcpv6 client interface <interface> + + Show logs from specific `interface` DHCPv6 client process. + .. opcmd:: restart dhcpv6 server To restart the DHCPv6 server @@ -732,7 +753,7 @@ Operation Mode .. opcmd:: show dhcpv6 server leases - Show statuses of all assigned leases: + Shows status of all assigned leases: .. code-block:: none diff --git a/docs/configuration/service/eventhandler.rst b/docs/configuration/service/eventhandler.rst new file mode 100644 index 00000000..15f08239 --- /dev/null +++ b/docs/configuration/service/eventhandler.rst 
@@ -0,0 +1,127 @@ +.. _event-handler: + +############# +Event Handler +############# + +********************************* +Event Handler Technology Overview +********************************* + +Event handler allows you to execute scripts when a string that matches a regex or a regex with +a service name appears in journald logs. You can pass variables, arguments, and a full matching string to the script. + + +****************************** +How to configure Event Handler +****************************** + + `1. Create an event handler`_ + + `2. Add regex to the script`_ + + `3. Add a full path to the script`_ + + `4. Add optional parameters`_ + +********************************* +Event Handler Configuration Steps +********************************* + +1. Create an event handler +========================== + + .. cfgcmd:: set service event-handler event <event-handler name> + + This is an optional command because the event handler will be automatically created after any of the next commands. + + +2. Add regex to the script +=========================================== + + .. cfgcmd:: set service event-handler event <event-handler name> filter pattern <regex> + + This is a mandatory command. Sets regular expression to match against log string message. + + .. note:: The regular expression matches if and only if the entire string matches the pattern. + + + +3. Add a full path to the script +================================ + + .. cfgcmd:: set service event-handler event <event-handler name> script path <path to script> + + This is a mandatory command. Sets the full path to the script. The script file must be executable. + + + +4. Add optional parameters +========================== + + .. cfgcmd:: set service event-handler event <event-handler name> filter syslog-identifier <sylogid name> + + This is an optional command. Filters log messages by syslog-identifier. + + .. 
cfgcmd:: set service event-handler event <event-handler name> script environment <env name> value <env value> + + This is an optional command. Adds environment and its value to the script. Use separate commands for each environment. + + One implicit environment exists. + + * ``message``: Full message that has triggered the script. + + .. cfgcmd:: set service event-handler event <event-handler name> script arguments <arguments> + + This is an optional command. Adds arguments to the script. Arguments must be separated by spaces. + + .. note:: We don't recomend to use arguments. Using environments is more preffereble. + + +******* +Example +******* + + Event handler that monitors the state of interface eth0. + + .. code-block:: none + + set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*' + set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd' + set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down' + set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth2' + set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py' + + Event handler script + + .. 
code-block:: none + + #!/usr/bin/env python3 + # + # VyOS event-handler script example + from os import environ + import subprocess + from sys import exit + + # Perform actions according to requirements + def process_event() -> None: + # Get variables + message_text = environ.get('message') + interface_name = environ.get('interface_name') + interface_action = environ.get('interface_action') + # Print the message that triggered this script + print(f'Logged message: {message_text}') + # Prepare a command to run + command = f'sudo ip link set {interface_name} {interface_action}'.split() + # Execute a command + subprocess.run(command) + + if __name__ == '__main__': + try: + # Run script actions and exit + process_event() + exit(0) + except Exception as err: + # Exit properly in case if something in the script goes wrong + print(f'Error running script: {err}') + exit(1) diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 22533db5..08b16575 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -28,6 +28,10 @@ Configuration Set the listen port of the local API, this has no effect on the webserver. The default is port 8080 +.. cfgcmd:: set service https api socket + + Use local socket for API + .. cfgcmd:: set service https api strict Enforce strict path checking @@ -89,4 +93,4 @@ To use this full configuration we asume a public accessible hostname. set service https virtual-host rtr01 listen-address 198.51.100.2 set service https virtual-host rtr01 listen-port 11443 set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01.example.com + set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 11a1a118..1195348f 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst 
@@ -18,6 +18,7 @@ Service lldp mdns monitoring + ntp pppoe-server router-advert salt-minion @@ -25,3 +26,4 @@ Service ssh tftp-server webproxy + eventhandler diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index d8b9e6b7..e42ab42e 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -39,7 +39,7 @@ the configuration. .. code-block:: none - set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 + set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 set service ipoe-server authentication mode 'local' set service ipoe-server name-server '10.10.1.1' set service ipoe-server name-server '10.10.1.2' @@ -70,7 +70,7 @@ IPv6 DNS addresses are optional. .. code-block:: none - set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06 + set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06 set service ipoe-server authentication mode 'local' set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56' set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64' @@ -131,8 +131,8 @@ The rate-limit is set in kbit/sec. .. code-block:: none - set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500' - set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500' + set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit download '500' + set service ipoe-server authentication interface eth2 mac 08:00:27:2f:d8:06 rate-limit upload '500' set service ipoe-server authentication mode 'local' set service ipoe-server name-server '10.10.1.1' set service ipoe-server name-server '10.10.1.2' diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 7396f142..755669e1 100644 
--- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst 
@@ -1,10 +1,111 @@ Monitoring ---------- -Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. +Azure-data-explorer +=================== +Telegraf output plugin azure-data-explorer_ + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-id <client-id> + + Authentication application client-id. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-secret <client-secret> + + Authentication application client-secret. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication tenant-id <tenant-id> + + Authentication application tenant-id + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name> + + Remote databe name. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric> + + Type of metrics grouping when push to Azure Data Explorer. The default is + ``table-per-metric``. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer table <name> + + Name of the single table Only if set group-metrics single-table. + +.. cfgcmd:: set service monitoring telegraf azure-data-explorer url <url> + + Remote URL. + +Prometheus-client +================= +Telegraf output plugin prometheus-client_ + +.. cfgcmd:: set service monitoring telegraf prometheus-client + + Output plugin Prometheus client + +.. cfgcmd:: set service monitoring telegraf prometheus-client allow-from <prefix> + + Networks allowed to query this server + +.. cfgcmd:: set service monitoring telegraf prometheus-client authentication username <username> + + HTTP basic authentication username + +.. cfgcmd:: set service monitoring telegraf prometheus-client authentication password <password> + + HTTP basic authentication username + +.. cfgcmd:: set service monitoring telegraf prometheus-client listen-address <address> + + Local IP addresses to listen on + +.. 
cfgcmd:: set service monitoring telegraf prometheus-client metric-version <1 | 2> + + Metris version, the default is ``2`` + +.. cfgcmd:: set service monitoring telegraf prometheus-client port <port> + + Port number used by connection, default is ``9273`` + +Example: + +.. code-block:: none + + set service monitoring telegraf prometheus-client + +.. code-block:: none + + vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" | grep cpu_usage_system + cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556 + cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915 + cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655 + +Splunk +====== +Telegraf output plugin splunk_. HTTP Event Collector. + +.. cfgcmd:: set service monitoring telegraf splunk authentication insecure + + Use TLS but skip host validation + +.. cfgcmd:: set service monitoring telegraf splunk authentication token <token> + + Authorization token + +.. cfgcmd:: set service monitoring telegraf splunk authentication url <url> + + Remote URL to Splunk collector + +Example: + +.. code-block:: none + + set service monitoring telegraf splunk authentication insecure + set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx' + set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector' Telegraf ======== +Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. Telegraf is the open source server agent to help you collect metrics, events and logs from your routers. 
@@ -43,3 +144,7 @@ An example of a configuration that sends ``telegraf`` metrics to remote set service monitoring telegraf port '8086' set service monitoring telegraf source 'all' set service monitoring telegraf url 'http://r1.influxdb2.local' + +.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer +.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client +.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html
\ No newline at end of file diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst new file mode 100644 index 00000000..5b718c4f --- /dev/null +++ b/docs/configuration/service/ntp.rst 
@@ -0,0 +1,81 @@ +.. _ntp: + +### +NTP +### + +:abbr:`NTP (Network Time Protocol`) is a networking protocol for clock +synchronization between computer systems over packet-switched, variable-latency +data networks. In operation since before 1985, NTP is one of the oldest Internet +protocols in current use. + +NTP is intended to synchronize all participating computers to within a few +milliseconds of :abbr:`UTC (Coordinated Universal Time)`. It uses the +intersection algorithm, a modified version of Marzullo's algorithm, to select +accurate time servers and is designed to mitigate the effects of variable +network latency. NTP can usually maintain time to within tens of milliseconds +over the public Internet, and can achieve better than one millisecond accuracy +in local area networks under ideal conditions. Asymmetric routes and network +congestion can cause errors of 100 ms or more. + +The protocol is usually described in terms of a client-server model, but can as +easily be used in peer-to-peer relationships where both peers consider the other +to be a potential time source. Implementations send and receive timestamps using +:abbr:`UDP (User Datagram Protocol)` on port number 123. + +NTP supplies a warning of any impending leap second adjustment, but no +information about local time zones or daylight saving time is transmitted. + +The current protocol is version 4 (NTPv4), which is a proposed standard as +documented in :rfc:`5905`. It is backward compatible with version 3, specified +in :rfc:`1305`. + +.. note:: VyOS 1.4 uses chrony instead of ntpd (see :vytask:`T3008`) which will + no longer accept anonymous NTP requests as in VyOS 1.3. All configurations + will be migrated to keep the anonymous functionality. For new setups if you + have clients using your VyOS installation as NTP server, you must specify + the `allow-client` directive. + +Configuration +============= + +.. 
cfgcmd:: set service ntp server <address> + + Configure one or more servers for synchronisation. Server name can be either + an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`. + + There are 3 default NTP server set. You are able to change them. + + * ``0.pool.ntp.org`` + * ``1.pool.ntp.org`` + * ``2.pool.ntp.org`` + +.. cfgcmd:: set service ntp server <address> <noselect | pool | prefer> + + Configure one or more attributes to the given NTP server. + + * ``noselect`` marks the server as unused, except for display purposes. The + server is discarded by the selection algorithm. + + * ``pool`` mobilizes persistent client mode association with a number of + remote servers. + + * ``prefer`` marks the server as preferred. All other things being equal, + this host will be chosen for synchronization among a set of correctly + operating hosts. + +.. cfgcmd:: set service ntp listen-address <address> + + NTP process will only listen on the specified IP address. You must specify + the `<address>` and optionally the permitted clients. Multiple listen + addresses can be configured. + +.. cfgcmd:: set service ntp allow-client address <address> + + List of networks or client addresses permitted to contact this NTP server. + + Multiple networks/client IP addresses can be configured. + +.. cfgcmd:: set service ntp vrf <name> + + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index ad99cec0..69e357f3 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -1,3 +1,5 @@ +:lastproofread: 2022-09-17 + .. _pppoe-server: ############ 
@@ -106,10 +108,10 @@ and then configure it. .. cfgcmd:: set service pppoe-server authentication radius server <address> key <secret> - + Use this command to configure the IP address and the shared secret key of your RADIUS server. You can have multiple RADIUS servers - configured if you wish to achieve redundancy. + configured if you wish to achieve redundancy. .. code-block:: none 
@@ -169,25 +171,24 @@ CoA request. Automatic VLAN Creation ----------------------- -.. cfgcmd:: set service pppoe-server interface <interface> - <vlan-id | vlan range> <text> +.. cfgcmd:: set service pppoe-server interface <interface> vlan <id | range> - VLAN's can be created by accel-ppp on the fly via the use of a Kernel - module named `vlan_mon`, which is monitoring incoming vlans and - creates the necessary VLAN if required and allowed. VyOS supports the - use of either VLAN ID's or entire ranges, both values can be defined - at the same time for an interface. When configured, the PPPoE will - create the necessary VLANs when required. Once the user session has - been cancelled and the VLAN is not needed anymore, VyOS will remove - it again. + VLAN's can be created by Accel-ppp on the fly via the use of a Kernel module + named `vlan_mon`, which is monitoring incoming vlans and creates the + necessary VLAN if required and allowed. VyOS supports the use of either + VLAN ID's or entire ranges, both values can be defined at the same time for + an interface. -.. code-block:: none + When configured, PPPoE will create the necessary VLANs when required. Once + the user session has been cancelled and the VLAN is not needed anymore, VyOS + will remove it again. - set service pppoe-server interface eth3 vlan-id 100 - set service pppoe-server interface eth3 vlan-id 200 - set service pppoe-server interface eth3 vlan-range 500-1000 - set service pppoe-server interface eth3 vlan-range 2000-3000 +.. code-block:: none + set service pppoe-server interface eth3 vlan 100 + set service pppoe-server interface eth3 vlan 200 + set service pppoe-server interface eth3 vlan 500-1000 + set service pppoe-server interface eth3 vlan 2000-3000 Bandwidth Shaping 
@@ -201,7 +202,7 @@ For Local Users .. cfgcmd:: set service pppoe-server authentication local-users username <name> rate-limit <download | upload> - + Use this command to configure a data-rate limit to PPPOoE clients for traffic download or upload. The rate-limit is set in kbit/sec. diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index 36fa600d..eb1a6844 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -8,7 +8,6 @@ Router Advertisements They are part of what is known as :abbr:`SLAAC (Stateless Address Autoconfiguration)`. - Supported interface types: * bonding @@ -21,7 +20,7 @@ Supported interface types: * vxlan * wireguard * wireless - * wirelessmodem + * wwan Enabling Advertisments @@ -31,7 +30,7 @@ Enabling Advertisments .. stop_vyoslinter -.. csv-table:: +.. csv-table:: :header: "Field", "VyOS Option", "Description" :widths: 10, 10, 20 @@ -61,6 +60,8 @@ Advertising a Prefix :header: "VyOS Field", "Description" :widths: 10,30 + "decrement-lifetime", "Lifetime is decremented by the number of seconds since the last RA - use in conjunction with a DHCPv6-PD prefix" + "deprecate-prefix", "Upon shutdown, this option will deprecate the prefix by announcing it in the shutdown RA" "no-autonomous-flag","Prefix can not be used for stateless address auto-configuration" "no-on-link-flag","Prefix can not be used for on-link determination" "preferred-lifetime","Time in seconds that the prefix will remain preferred (default 4 hours)" diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index ad410a3c..5eaa971f 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst 
@@ -109,6 +109,38 @@ Configuration Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. +Dynamic-protection +================== +Protects host from brute-force attacks against +SSH. Log messages are parsed, line-by-line, for recognized patterns. If an +attack, such as several login failures within a few seconds, is detected, the +offending IP is blocked. Offenders are unblocked after a set interval. + +.. cfgcmd:: set service ssh dynamic-protection + + Allow ``ssh`` dynamic-protection. + +.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix> + + Whitelist of addresses and networks. Always allow inbound connections from + these systems. + +.. cfgcmd:: set service ssh dynamic-protection block-time <sec> + + Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 + The default is 120. + +.. cfgcmd:: set service ssh dynamic-protection detect-time <sec> + + Remember source IP in seconds before reset their score. The default is 1800. + +.. cfgcmd:: set service ssh dynamic-protection threshold <sec> + + Block source IP when their cumulative attack score exceeds threshold. The + default is 30. + +.. _ssh_operation: + Operation ========= @@ -157,13 +189,13 @@ Operation ``/config/auth/id_rsa_rpki.pub`` will be created. -.. opcmd:: generate public-key-command name <username> path <location> +.. opcmd:: generate public-key-command user <username> path <location> Generate the configuration mode commands to add a public key for :ref:`ssh_key_based_authentication`. ``<location>`` can be a local path or a URL pointing at a remote file. - Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP. + Supported remote protocols are FTP, FTPS, HTTP, HTTPS, SCP/SFTP and TFTP. Example: diff --git a/docs/configuration/service/webproxy.rst b/docs/configuration/service/webproxy.rst index e8f6423e..a6c5ff0a 100644 --- a/docs/configuration/service/webproxy.rst +++ b/docs/configuration/service/webproxy.rst 
@@ -137,6 +137,17 @@ Configuration set service webproxy reply-body-max-size 2048 +.. cfgcmd:: set service webproxy safe-ports <port> + + Add new port to Safe-ports acl. Ports included by default in Safe-ports acl: + 21, 70, 80, 210, 280, 443, 488, 591, 777, 873, 1025-65535 + +.. cfgcmd:: set service webproxy ssl-safe-ports <port> + + Add new port to SSL-ports acl. Ports included by default in SSL-ports acl: + 443 + + Authentication ============== |
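Review bot: in the new `address <ipv4-address>` entry of broadcast-relay.rst (hunk @@ -28,6 +28,11), "otherwise original senders address is used" needs an apostrophe and an article: "Set the source IP of forwarded packets; otherwise the original sender's address is used."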
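Review bot: the new `disable-external-cache` description in conntrack-sync.rst (hunk @@ -52,39 +52,52) has a typo and a number-agreement slip: "This diable the external cache and directly injects" should read "This disables the external cache and directly injects". In the same hunk the new `listen-address <ipv4address>` placeholder does not match the `<x.x.x.x>` style used by `ignore-address` and `mcast-group` a few lines above; pick one placeholder style for the file.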
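Review bot: console-server.rst ends without a trailing newline after the new `show log console-server` entry (hunk @@ -106,3 +111,10 is followed by "\ No newline at end of file"); add the newline so the next edit to this file does not produce a spurious diff on the last line.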
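Review bot: the new `listen-address <address>` description in dhcp-server.rst (hunk @@ -69,10 +69,17) needs a grammar pass: "lets the DHCP server to listen for DHCP requests sent to the specified address, it is only realistically useful" should be "lets the DHCP server listen for DHCP requests sent to the specified address; it is only realistically useful".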
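Review bot: the corrected line in dhcp-server.rst hunk @@ -151,7 +158,7 still carries the stray article: "If a there are no free addresses" should be "If there are no free addresses", as the earlier hunk @@ -69,10 +69,17 already does for the identical sentence.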
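Review bot: the new static-mapping example in dhcp-server.rst (hunk @@ -225,6 +232,27) is internally inconsistent: the bullet says ``192.168.1.100`` is mapped to a client named ``client100``, but both `set` commands and the resulting `show` output use `static-mapping client1`. Use one name throughout; ``client1`` also matches the DHCPv6 static-mapping example later in the same file.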
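Review bot: the replacement `show` output in dhcp-server.rst hunk @@ -699,21 +715,14 drops the `name-server` and `address-range` lines the old output showed and adds `ipv6-prefix 2001:db8:0:101::/64`; since the preceding sentence says "The configuration will look as follows", please confirm the `set` commands that introduce this example (outside the hunk) were updated to produce exactly this output.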
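Review bot: the worked example in the new eventhandler.rst (hunk @@ -0,0 +1,127) does not match its own description: the filter pattern '.*eth0.*,RUNNING,.*->.*' watches eth0, yet `interface_name` is set to 'eth2', so the script acts on a different interface than the one it monitors. If that is intended (take eth2 down when eth0 stops running), say so in the sentence "Event handler that monitors the state of interface eth0."; otherwise make the names agree. Smaller points in the same hunk: the placeholder "<sylogid name>" is misspelled; "We don't recomend to use arguments. Using environments is more preffereble." should read "We do not recommend using arguments; environment variables are preferable."; in the script, `subprocess.run(command)` ignores the exit status of `ip link set`, so a failed command never reaches the `except` branch and the script exits 0 despite the comment about exiting properly on error, pass `check=True`. Finally, the page should state which user the script runs as and make clear that the implicit ``message`` variable carries the raw matched log line, so scripts must treat it as untrusted input and never hand it to a shell (the example correctly builds an argument list instead).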
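Review bot: "Use local socket for API" in the new `api socket` entry of https.rst (hunk @@ -28,6 +28,10) is too terse to act on: state where the socket is created and whether enabling it replaces or supplements the TCP listen port described in the entry directly above.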
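Review bot: in index.rst hunk @@ -25,3 +26,4 the new `eventhandler` entry is appended after `webproxy`, breaking the alphabetical order the toctree otherwise keeps (`ntp` in the first hunk is correctly placed between `monitoring` and `pppoe-server`); move `eventhandler` to its alphabetical position.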
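Review bot: the Splunk example in monitoring.rst (hunk @@ -1,10 +1,111) does not match the documented command: the cfgcmd is `splunk authentication url <url>` but the example uses `set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'` without `authentication`; one of the two is wrong. The same example enables `authentication insecure`, which the entry itself describes as skipping host validation; either drop it from the example or note that it disables certificate verification toward the collector and is for lab use only. Typos in the same hunk: "Remote databe name." (database); the `prometheus-client authentication password` entry repeats "HTTP basic authentication username" and should say password; "Metris version" (Metric); and "Name of the single table Only if set group-metrics single-table." reads better as "Name of the single table; only used when group-metrics is set to single-table."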
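Review bot: monitoring.rst ends without a trailing newline after the new `.. _splunk:` link target (hunk @@ -43,3 +144,7 is followed by "\ No newline at end of file"); add one.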
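Review bot: the first paragraph of the new ntp.rst (hunk @@ -0,0 +1,81) has broken role markup: ``:abbr:`NTP (Network Time Protocol`)`` closes the role before the parenthesis and will not render; it should be ``:abbr:`NTP (Network Time Protocol)```. Also in this hunk: "There are 3 default NTP server set." should read "Three NTP servers are set by default; you can change them."; "Configure one or more attributes to the given NTP server" should be "for the given NTP server"; and the `listen-address` entry says you specify "optionally the permitted clients", but permitted clients are configured with the separate `allow-client address` command documented below, so cross-reference it rather than implying `listen-address` takes a client list.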
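Review bot: in pppoe-server.rst hunk @@ -169,25 +171,24 the re-added `.. code-block:: none` appears to be followed directly by the indented `set service pppoe-server interface eth3 vlan 100` line with no blank line in between; Sphinx will then treat that line as part of the directive arguments rather than its content, so please confirm a blank line is present. Minor: "VLAN's" and "VLAN ID's" should be "VLANs" and "VLAN IDs".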
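Review bot: the new `dynamic-protection threshold <sec>` entry in ssh.rst (hunk @@ -109,6 +109,38) uses a seconds placeholder for a value its own description calls a cumulative attack score (default 30); rename the placeholder to something like `<score>`. Wording in the same hunk: "Allow ``ssh`` dynamic-protection." should be "Enable ``ssh`` dynamic-protection."; "Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 The default is 120." should read "Time in seconds an offending source IP is blocked; subsequent blocks increase by a factor of 1.5. The default is 120."; and "Remember source IP in seconds before reset their score." should read "Time in seconds a source IP's score is remembered before it is reset." The opening paragraph also wraps after "against" on a very short first line and should be reflowed.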
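Review bot: in the two new webproxy.rst entries (hunk @@ -137,6 +137,17) "acl" should be capitalised as "ACL", and "Add new port to Safe-ports acl" reads better as "Add a port to the Safe-ports ACL" (likewise for the SSL-ports entry).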