Diffstat (limited to 'docs/configuration/system')
-rw-r--r-- | docs/configuration/system/acceleration.disable | 7 | ||||
-rw-r--r-- | docs/configuration/system/acceleration.rst | 39 | ||||
-rw-r--r-- | docs/configuration/system/conntrack.rst | 167 | ||||
-rw-r--r-- | docs/configuration/system/host-name.rst | 7 | ||||
-rw-r--r-- | docs/configuration/system/index.rst | 3 | ||||
-rw-r--r-- | docs/configuration/system/login.rst | 20 | ||||
-rw-r--r-- | docs/configuration/system/ntp.rst | 77 | ||||
-rw-r--r-- | docs/configuration/system/option.rst | 14 | ||||
-rw-r--r-- | docs/configuration/system/sflow.rst | 63 | ||||
-rw-r--r-- | docs/configuration/system/sysctl.disable | 2 | ||||
-rw-r--r-- | docs/configuration/system/sysctl.rst | 12 |
11 files changed, 236 insertions, 175 deletions
diff --git a/docs/configuration/system/acceleration.disable b/docs/configuration/system/acceleration.disable
deleted file mode 100644
index b09da38b..00000000
--- a/docs/configuration/system/acceleration.disable
+++ /dev/null
@@ -1,7 +0,0 @@
-.. _acceleration:
-
-############
-Acceleration
-############
-
-
diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst
index 62b85c71..63506d6d 100644
--- a/docs/configuration/system/acceleration.rst
+++ b/docs/configuration/system/acceleration.rst
@@ -63,39 +63,50 @@ Side A: .. code-block:: + set interfaces vti vti1 address '192.168.1.2/24' + set vpn ipsec authentication psk right id '10.10.10.2' + set vpn ipsec authentication psk right id '10.10.10.1' + set vpn ipsec authentication psk right secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2' - set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1' + set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' + set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' + set vpn ipsec site-to-site peer right connection-type 'initiate' + set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer right local-address '10.10.10.2' + set vpn ipsec site-to-site peer right remote-address '10.10.10.1' + set vpn ipsec site-to-site peer right vti bind 'vti1' Side B: .. 
code-block:: set interfaces vti vti1 address '192.168.1.1/24' + set vpn ipsec authentication psk left id '10.10.10.2' + set vpn ipsec authentication psk left id '10.10.10.1' + set vpn ipsec authentication psk left secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1' - set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1' + set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' + set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' + set vpn ipsec site-to-site peer left connection-type 'initiate' + set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer left local-address '10.10.10.1' + set vpn ipsec site-to-site peer left remote-address '10.10.10.2' + set vpn ipsec site-to-site peer left vti bind 'vti1' a bandwidth test over the VPN got these results: diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 0fe0d575..68a4f2b8 100644 --- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst 
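Review bot: The new `set vpn ipsec authentication psk right secret 'Qwerty123'` line (and its `psk left secret` twin in the Side B block) publishes a trivially guessable secret in a copy-paste-ready example; the removed `pre-shared-secret 'Qwerty123'` had the same problem, but the rewrite is the moment to fix it. Replace the value with an unmistakable placeholder such as `'<long-random-secret>'` and add one sentence above the Side A code-block telling the reader to generate a long random secret and to use the same value on both sides. A second sentence explaining why `psk right id` is given twice (`'10.10.10.2'` and `'10.10.10.1'`, presumably matching the `local-id` and `remote-id` set further down) would stop readers from treating one of the two lines as a typo. The Side A code-block opens before the hunk and the bandwidth-results paragraph continues after it.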
@@ -1,13 +1,15 @@ -################### -Connection tracking -################### + +######### +Conntrack +######### VyOS can be configured to track connections using the connection tracking subsystem. Connection tracking becomes operational once either stateful firewall or NAT is configured. -Conntrack Table ---------------- +********* +Configure +********* .. cfgcmd:: set system conntrack table-size <1-50000000> :defaultvalue: @@ -30,12 +32,6 @@ Conntrack Table searching the connection tracking table faster. The hash table uses “buckets” to record entries in the connection tracking table. - -Modules -------- - -Enables ``conntrack`` modules. All modules are enable by default. - .. cfgcmd:: set system conntrack modules ftp .. cfgcmd:: set system conntrack modules h323 .. cfgcmd:: set system conntrack modules nfs @@ -44,12 +40,15 @@ Enables ``conntrack`` modules. All modules are enable by default. .. cfgcmd:: set system conntrack modules sqlnet .. cfgcmd:: set system conntrack modules tftp -Use ``delete system conntrack modules`` to deactive all modules. -Or, for example ftp, ``delete system conntrack modules ftp``. + Configure the connection tracking protocol helper modules. + All modules are enable by default. + | Use `delete system conntrack modules` to deactive all modules. + | Or, for example ftp, `delete system conntrack modules ftp`. -Define Connection Timeouts --------------------------- + +Define Conection Timeouts +========================= VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP 
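Review bot: The description added in the third hunk (`@@ -44,12 +40,15 @@`) carries several spelling errors and fragile markup: `All modules are enable by default.` → `All modules are enabled by default.`, `deactive` → `deactivate`, and the new heading `Define Conection Timeouts` → `Define Connection Timeouts`. The two `delete system conntrack modules` commands are now in single backticks, which is the unconfigured default role rather than a literal; keep the double backticks the removed lines used. The `|` line-block prefixes inside the directive body are unusual there; two ordinary sentences, or a two-item bullet list, render the same without line-block styling. The `***` over/underlined `Configure` chapter in the first hunk and the `===` underline on the timeout heading should be checked against the adornment levels used in the rest of the file, which lies outside these hunks.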
@@ -88,43 +87,101 @@ You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector. -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - description <test> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - destination address <ip-address> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - destination port <value> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - inbound-interface <interface> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - source address <ip-address> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - source port <value> -.. cfgcmd:: set system conntrack timeout custom rule <1-999999> - protocol <protocol> - - Configure customized timeout rules for selective connection tracking. - -Conntrack Ignore ----------------- - -Customized ignore rules, based on a packet and flow selector, can be -configured in VyOS. To do this, you can configure as much rules as -needed using next commands: - -.. cfgcmd:: set system conntrack ignore rule <1-999999> - description <text> -.. cfgcmd:: set system conntrack ignore rule <1-999999> - destination address <ip-address> -.. cfgcmd:: set system conntrack ignore rule <1-999999> - destination port <port> -.. cfgcmd:: set system conntrack ignore rule <1-999999> - inbound-interface <interface> -.. cfgcmd:: set system conntrack ignore rule <1-999999> - protocol <protocol> -.. cfgcmd:: set system conntrack ignore rule <1-999999> - source address <ip-address> -.. cfgcmd:: set system conntrack ignore rule <1-999999> - source port <port> - - Configure customized ignore rules for selective connection tracking. +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test> + + Set a rule description. + + +.. 
cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address> + + set a destination and/or source address. Accepted input: + + .. code-block:: none + + <x.x.x.x> IP address to match + <x.x.x.x/x> Subnet to match + <x.x.x.x>-<x.x.x.x> + IP range to match + !<x.x.x.x> Match everything except the specified address + !<x.x.x.x/x> Match everything except the specified subnet + !<x.x.x.x>-<x.x.x.x> + Match everything except the specified range + +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value> + + Set a destination and/or source port. Accepted input: + + .. code-block:: none + + <port name> Named port (any name in /etc/services, e.g., http) + <1-65535> Numbered port + <start>-<end> Numbered port range (e.g., 1001-1005) + + Multiple destination ports can be specified as a comma-separated list. + The whole list can also be "negated" using '!'. For example: + `!22,telnet,http,123,1001-1005`` + + + +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> +.. 
cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> +.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> + + Set the timeout in secounds for a protocol or state in a custom rule. + + +.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> + :defaultvalue: + + Set the maximum number of TCP half-open connections. + +.. cfgcmd:: set system conntrack tcp loose <enable | disable> + :defaultvalue: + + Policy to track previously established connections. + +.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> + :defaultvalue: + + Set the number of TCP maximum retransmit attempts. + +.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text> +.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address> +.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port> +.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface> +.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol> +.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address> +.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port> + + Customized ignore rules, based on a packet and flow selector. + +.. cfgcmd:: set system conntrack log icmp destroy +.. cfgcmd:: set system conntrack log icmp new +.. cfgcmd:: set system conntrack log icmp update +.. cfgcmd:: set system conntrack log other destroy +.. cfgcmd:: set system conntrack log other new +.. cfgcmd:: set system conntrack log other update +.. cfgcmd:: set system conntrack log tcp destroy +.. cfgcmd:: set system conntrack log tcp new +.. cfgcmd:: set system conntrack log tcp update close-wait +.. 
cfgcmd:: set system conntrack log tcp update established +.. cfgcmd:: set system conntrack log tcp update fin-wait +.. cfgcmd:: set system conntrack log tcp update last-ack +.. cfgcmd:: set system conntrack log tcp update syn-received +.. cfgcmd:: set system conntrack log tcp update time-wait +.. cfgcmd:: set system conntrack log udp destroy +.. cfgcmd:: set system conntrack log udp new +.. cfgcmd:: set system conntrack log udp update + + Log the connection tracking events per protocol.
\ No newline at end of file diff --git a/docs/configuration/system/host-name.rst b/docs/configuration/system/host-name.rst index 79fae851..d062fc62 100644 --- a/docs/configuration/system/host-name.rst +++ b/docs/configuration/system/host-name.rst @@ -46,7 +46,12 @@ Static Hostname Mapping How an IP address is assigned to an interface in :ref:`ethernet-interface`. This section shows how to statically map an IP address to a hostname for local -(meaning on this VyOS instance) name resolution. +(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to +`/etc/hosts` file entries. + +.. note:: Do *not* manually edit `/etc/hosts`. This file will automatically be + regenerated on boot based on the settings in this section, which means you'll + lose all your manual edits. Instead, configure static host mappings as follows. .. cfgcmd:: set system static-host-mapping host-name <hostname> inet <address> diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index 5bf781af..23edaa3f 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -17,10 +17,11 @@ System lcd login name-server - ntp option proxy + sflow syslog + sysctl task-scheduler time-zone diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index c4cc232d..a5c1b558 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -54,6 +54,8 @@ and paste it. Some terminal emulators may accidentally split this over several lines. Be attentive when you paste it that it only pastes as a single line. The third part is simply an identifier, and is for your own reference. +.. seealso:: SSH :ref:`ssh_operation` + .. cfgcmd:: set system login user <username> authentication public-keys <identifier> key <key> 
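Review bot: The port example in the new `source port` / `destination port` description opens with one backtick and closes with two (`!22,telnet,http,123,1001-1005` followed by a doubled backtick), so it renders as a broken reference; make both sides double backticks. In the same hunk `secounds` → `seconds`, and `set a destination and/or source address.` should start with a capital like its port counterpart. The new `tcp loose` entry, `Policy to track previously established connections.`, is too thin for an operator to judge its firewall impact; suggest `When enabled, TCP connections whose handshake was not seen (for example flows that predate a conntrack restart) are picked up mid-stream and tracked; when disabled such packets create no tracking entry.` — assuming this maps to the kernel's nf_conntrack_tcp_loose, which the page does not state, so confirm before wording it that way. The `inbound-interface <interface>` selector is dropped from the custom timeout rules while it is kept for the ignore rules; if that is intentional, fine, otherwise the line was lost in the rewrite. The `\ No newline at end of file` marker shows conntrack.rst now ends without a trailing newline; add one.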
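Review bot: In the host-name.rst hunk, `/etc/hosts` appears in single backticks on both new lines, which is the default interpreted-text role rather than a literal; use :file:`/etc/hosts` or double backticks so the path renders as a file name. The added `.. note::` is a useful warning, but its body is indented under a directive whose first paragraph starts on the directive line, so make sure the continuation lines align with `Do` rather than with `..`, otherwise docutils may split the note into two paragraphs. The section continues past the hunk with the `static-host-mapping` command.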
@@ -85,24 +87,6 @@ The third part is simply an identifier, and is for your own reference. ``from="10.0.0.0/24"`` to restrict where the user may connect from when using this key. -.. cfgcmd:: loadkey <username> <location> - - **Deprecation notice:** ``loadkey`` has been deprecated in favour of - :opcmd:`generate public-key-commands` and will be removed in a future - version. See :ref:`ssh`. - - SSH keys can not only be specified on the command-line but also loaded for - a given user with `<username>` from a file pointed to by `<location>.` Keys - can be either loaded from local filesystem or any given remote location - using one of the following :abbr:`URIs (Uniform Resource Identifier)`: - - * ``<file>`` - Load from file on local filesystem path - * ``scp://<user>@<host>:/<file>`` - Load via SCP from remote machine - * ``sftp://<user>@<host>/<file>`` - Load via SFTP from remote machine - * ``ftp://<user>@<host>/<file>`` - Load via FTP from remote machine - * ``http://<host>/<file>`` - Load via HTTP from remote machine - * ``tftp://<host>/<file>`` - Load via TFTP from remote machine - MFA/2FA authentication using OTP (one time passwords) ----------------------------------------------------- diff --git a/docs/configuration/system/ntp.rst b/docs/configuration/system/ntp.rst deleted file mode 100644 index 223447f5..00000000 --- a/docs/configuration/system/ntp.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. _ntp: - -### -NTP -### - -:abbr:`NTP (Network Time Protocol`) is a networking protocol for clock -synchronization between computer systems over packet-switched, variable-latency -data networks. In operation since before 1985, NTP is one of the oldest Internet -protocols in current use. - -NTP is intended to synchronize all participating computers to within a few -milliseconds of :abbr:`UTC (Coordinated Universal Time)`. It uses the -intersection algorithm, a modified version of Marzullo's algorithm, to select -accurate time servers and is designed to mitigate the effects of variable -network latency. NTP can usually maintain time to within tens of milliseconds -over the public Internet, and can achieve better than one millisecond accuracy -in local area networks under ideal conditions. Asymmetric routes and network -congestion can cause errors of 100 ms or more. - -The protocol is usually described in terms of a client-server model, but can as -easily be used in peer-to-peer relationships where both peers consider the other -to be a potential time source. Implementations send and receive timestamps using -:abbr:`UDP (User Datagram Protocol)` on port number 123. - -NTP supplies a warning of any impending leap second adjustment, but no -information about local time zones or daylight saving time is transmitted. - -The current protocol is version 4 (NTPv4), which is a proposed standard as -documented in :rfc:`5905`. It is backward compatible with version 3, specified -in :rfc:`1305`. - -Configuration -============= - -.. cfgcmd:: set system ntp server <address> - - Configure one or more servers for synchronisation. Server name can be either - an IP address or :abbr:`FQDN (Fully Qualified Domain Name)`. - - There are 3 default NTP server set. You are able to change them. - - * ``0.pool.ntp.org`` - * ``1.pool.ntp.org`` - * ``2.pool.ntp.org`` - -.. 
cfgcmd:: set system ntp server <address> <noselect | pool | preempt | prefer> - - Configure one or more attributes to the given NTP server. - - * ``noselect`` marks the server as unused, except for display purposes. The - server is discarded by the selection algorithm. - - * ``pool`` mobilizes persistent client mode association with a number of - remote servers. - - * ``preempt`` a preemptable association is expendable. - - * ``prefer`` marks the server as preferred. All other things being equal, - this host will be chosen for synchronization among a set of correctly - operating hosts. - -.. cfgcmd:: set system ntp listen-address <address> - - NTP process will only listen on the specified IP address. You must specify - the `<address>` and optionally the permitted clients. Multiple listen - addresses can be configured. - -.. cfgcmd:: set system ntp allow-clients address <address> - - List of networks or client addresses permitted to contact this NTP server. - - Multiple networks can be configured. - -.. cfgcmd:: set system ntp vrf <name> - - Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index a4e08245..c9c9bfb1 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -39,6 +39,20 @@ HTTP client .. note:: `source-address` and `source-interface` can not be used at the same time. +********** +SSH client +********** + +.. cfgcmd:: set system option ssh-client source-address <address> + + Use the specified address on the local machine as the source address of the + connection. Only useful on systems with more than one address. + +.. cfgcmd:: set system option ssh-client source-interface <interface> + + Use the address of the specified interface on the local machine as the + source address of the connection. + *************** Keyboard Layout *************** 
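Review bot: The new SSH client section in option.rst documents `source-address` and `source-interface` but, unlike the HTTP client section just above it (context line `.. note:: \`source-address\` and \`source-interface\` can not be used at the same time.`), says nothing about whether the two may be combined. If the same exclusivity applies to `ssh-client`, add the same `.. note::` under the new `source-interface` entry; if it does not, one sentence saying which setting takes precedence is equally useful — the hunk does not show which is the case. The Keyboard Layout heading at the end of the hunk belongs to a section that continues outside it.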
diff --git a/docs/configuration/system/sflow.rst b/docs/configuration/system/sflow.rst
new file mode 100644
index 00000000..b131d8a9
--- /dev/null
+++ b/docs/configuration/system/sflow.rst
@@ -0,0 +1,63 @@ +.. _ntp: + +##### +sFlow +##### + +VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector. + +sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device. + +The sFlow accounting based on hsflowd https://sflow.net/ + +Configuration +============= + +.. cfgcmd:: set system sflow agent-address <address> + + Configure sFlow agent IPv4 or IPv6 address + + +.. cfgcmd:: set system sflow agent-interface <interface> + + Configure agent IP address associated with this interface. + + +.. cfgcmd:: set system sflow drop-monitor-limit <limit> + + Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets + +.. cfgcmd:: set system sflow interface <interface> + + Configure and enable collection of flow information for the interface identified by <interface>. + + You can configure multiple interfaces which whould participate in sflow accounting. + + +.. cfgcmd:: set system sflow polling <sec> + + Configure schedule counter-polling in seconds (default: 30) + +.. cfgcmd:: set system sflow sampling-rate <rate> + + Use this command to configure the sampling rate for sFlow accounting (default: 1000) + +.. cfgcmd:: set system sflow server <address> port <port> + + Configure address of sFlow collector. sFlow server at <address> can be both listening on an IPv4 or IPv6 address. + + +Example +======= + +.. code-block:: none + + set system sflow agent-address '192.0.2.14' + set system sflow agent-interface 'eth0' + set system sflow drop-monitor-limit '50' + set system sflow interface 'eth0' + set system sflow interface 'eth1' + set system sflow polling '30' + set system sflow sampling-rate '1000' + set system sflow server 192.0.2.1 port '6343' + set system sflow server 203.0.113.23 port '6343' 
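Review bot: The label on the new file's first line is `.. _ntp:`, apparently copied from the ntp.rst that this same commit deletes; it should be `.. _sflow:`. As written, any remaining :ref:`ntp` in the tree resolves silently to the sFlow page instead of raising a broken-reference warning, so the mislabel hides exactly the dangling references the deletion should have surfaced. Smaller wording points in the same hunk: `whould` → `would`, and `The sFlow accounting based on hsflowd https://sflow.net/` is a fragment with a bare URL — `The sFlow implementation is based on \`hsflowd <https://sflow.net/>\`__.` reads better. Since the intro says sampled packets are sent to the collector, a one-line caution under `server` that the collector address should be reachable over a trusted management path would help readers who copy the example verbatim.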
diff --git a/docs/configuration/system/sysctl.disable b/docs/configuration/system/sysctl.disable
deleted file mode 100644
index 82ffd159..00000000
--- a/docs/configuration/system/sysctl.disable
+++ /dev/null
@@ -1,2 +0,0 @@
-sysctl
-######
\ No newline at end of file
diff --git a/docs/configuration/system/sysctl.rst b/docs/configuration/system/sysctl.rst
new file mode 100644
index 00000000..06e15031
--- /dev/null
+++ b/docs/configuration/system/sysctl.rst
@@ -0,0 +1,12 @@
+.. _sysctl:
+
+######
+Sysctl
+######
+
+This chapeter describes how to configure kernel parameters at runtime.
+
+``sysctl`` is used to modify kernel parameters at runtime. The parameters
+available are those listed under /proc/sys/.
+
+.. cfgcmd:: set system sysctl parameter <parameter> value <value> |
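Review bot: The only command in the new sysctl.rst, `.. cfgcmd:: set system sysctl parameter <parameter> value <value>`, has no description body, so the page never says what `<parameter>` looks like or when the value takes effect. Suggest a short body such as `Set the kernel parameter <parameter> (dotted form, e.g. net.ipv4.conf.all.rp_filter) to <value>; the setting is applied on commit and re-applied on boot.` — with the commit/boot part confirmed against the implementation, which the hunk does not show. Also `chapeter` → `chapter`, and `/proc/sys/` should be a double-backtick literal. Because this command can change kernel defaults that VyOS relies on for network-sensitive behaviour, a sentence recommending that such overrides be reviewed like any other security-relevant configuration change would serve readers well.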