| # |
| # Synchronizer settings |
| # |
| Sync { |
| Mode ALARM { |
| # |
| # If a conntrack entry is not modified in <= 15 seconds, then |
| # a message is broadcasted. This mechanism is used to |
| # resynchronize nodes that just joined the multicast group |
| # |
| RefreshTime 15 |
| |
| # |
| # If we don't receive a notification about the state of |
| # an entry in the external cache after N seconds, then |
| # remove it. |
| # |
| CacheTimeout 180 |
| |
| # |
| # This parameter allows you to set an initial fixed timeout |
| # for the committed entries when this node goes from backup |
| # to primary. This mechanism provides a way to purge entries |
| # that were not recovered appropriately after the specified |
| # fixed timeout. If you set a low value, TCP entries in |
| # Established states with no traffic may hang. For example, |
| # an SSH connection without KeepAlive enabled. If not set, |
| # the daemon uses an approximate timeout value calculation |
| # mechanism. By default, this option is not set. |
| # |
| # CommitTimeout 180 |
| |
| # |
| # If the firewall replica goes from primary to backup, |
| # the conntrackd -t command is invoked in the script. |
| # This command schedules a flush of the table in N seconds. |
| # This is useful to purge the connection tracking table of |
| # zombie entries and avoid clashes with old entries if you |
| # trigger several consecutive hand-overs. Default is 60 seconds |
| # |
| # PurgeTimeout 60 |
| } |
| |
| # |
| # Multicast IP and interface where messages are |
| # broadcasted (dedicated link). IMPORTANT: Make sure |
| # that iptables accepts traffic for destination |
| # 225.0.0.50, eg: |
| # |
| # iptables -I INPUT -d 225.0.0.50 -j ACCEPT |
| # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT |
| # |
| Multicast { |
| # |
| # Multicast address: The address that you use as destination |
| # in the synchronization messages. You do not have to add |
| # this IP to any of your existing interfaces. If any doubt, |
| # do not modify this value. |
| # |
| IPv4_address 225.0.0.50 |
| |
| # |
| # The multicast group that identifies the cluster. If any |
| # doubt, do not modify this value. |
| # |
| Group 3780 |
| |
| # |
| # IP address of the interface that you are going to use to |
| # send the synchronization messages. Remember that you must |
| # use a dedicated link for the synchronization messages. |
| # |
| IPv4_interface 192.168.100.100 |
| |
| # |
| # The name of the interface that you are going to use to |
| # send the synchronization messages. |
| # |
| Interface eth2 |
| |
| # The multicast sender uses a buffer to enqueue the packets |
| # that are going to be transmitted. The default size of this |
| # socket buffer is available at /proc/sys/net/core/wmem_default. |
| # This value determines the chances to have an overrun in the |
| # sender queue. The overrun results packet loss, thus, losing |
| # state information that would have to be retransmitted. If you |
| # notice some packet loss, you may want to increase the size |
| # of the sender buffer. The default size is usually around |
| # ~100 KBytes which is fairly small for busy firewalls. |
| # |
| SndSocketBuffer 1249280 |
| |
| # The multicast receiver uses a buffer to enqueue the packets |
| # that the socket is pending to handle. The default size of this |
| # socket buffer is available at /proc/sys/net/core/rmem_default. |
| # This value determines the chances to have an overrun in the |
| # receiver queue. The overrun results packet loss, thus, losing |
| # state information that would have to be retransmitted. If you |
| # notice some packet loss, you may want to increase the size of |
| # the receiver buffer. The default size is usually around |
| # ~100 KBytes which is fairly small for busy firewalls. |
| # |
| RcvSocketBuffer 1249280 |
| |
| # |
| # Enable/Disable message checksumming. This is a good |
| # property to achieve fault-tolerance. In case of doubt, do |
| # not modify this value. |
| # |
| Checksum on |
| } |
| # |
| # You can specify more than one dedicated link. Thus, if one dedicated |
| # link fails, conntrackd can fail-over to another. Note that adding |
| # more than one dedicated link does not mean that state-updates will |
| # be sent to all of them. There is only one active dedicated link at |
| # a given moment. The `Default' keyword indicates that this interface |
| # will be selected as the initial dedicated link. You can have |
| # up to 4 redundant dedicated links. Note: Use different multicast |
| # groups for every redundant link. |
| # |
| # Multicast Default { |
| # IPv4_address 225.0.0.51 |
| # Group 3781 |
| # IPv4_interface 192.168.100.101 |
| # Interface eth3 |
| # # SndSocketBuffer 1249280 |
| # # RcvSocketBuffer 1249280 |
| # Checksum on |
| # } |
| |
| # |
| # You can use Unicast UDP instead of Multicast to propagate events. |
| # Note that you cannot use unicast UDP and Multicast at the same |
| # time, you can only select one. |
| # |
| # UDP { |
| # |
| # UDP address that this firewall uses to listen to events. |
| # |
| # IPv4_address 192.168.2.100 |
| # |
| # or you may want to use an IPv6 address: |
| # |
| # IPv6_address fe80::215:58ff:fe28:5a27 |
| |
| # |
| # Destination UDP address that receives events, ie. the other |
| # firewall's dedicated link address. |
| # |
| # IPv4_Destination_Address 192.168.2.101 |
| # |
| # or you may want to use an IPv6 address: |
| # |
| # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c |
| |
| # |
| # UDP port used |
| # |
| # Port 3780 |
| |
| # |
| # The name of the interface that you are going to use to |
| # send the synchronization messages. |
| # |
| # Interface eth2 |
| |
| # |
| # The sender socket buffer size |
| # |
| # SndSocketBuffer 1249280 |
| |
| # |
| # The receiver socket buffer size |
| # |
| # RcvSocketBuffer 1249280 |
| |
| # |
| # Enable/Disable message checksumming. |
| # |
| # Checksum on |
| # } |
| |
| # |
| # Other unsorted options that are related to the synchronization. |
| # |
| # Options { |
| # |
| # TCP state-entries have window tracking disabled by default, |
| # you can enable it with this option. As said, default is off. |
| # This feature requires a Linux kernel >= 2.6.36. |
| # |
| # TCPWindowTracking Off |
| |
| # Set this option on if you want to enable the synchronization |
| # of expectations. You have to specify the list of helpers that |
| # you want to enable. Default is off. This feature requires |
| # a Linux kernel >= 3.5. |
| # |
| # ExpectationSync { |
| # ftp |
| # ras |
| # q.931 |
| # h.245 |
| # sip |
| # } |
| # |
| # You can use this alternatively: |
| # |
| # ExpectationSync On |
| # |
| # If you want to synchronize expectations of all helpers. |
| # } |
| } |
| |
| # |
| # General settings |
| # |
| General { |
| # |
| # Enable systemd support. If conntrackd is compiled with the proper |
| # configuration, you can use a systemd service unit of Type=notify |
| # and use conntrackd with systemd watchdog as well. |
| # Default is: off |
| # |
| #Systemd on |
| |
| # |
| # Set the nice value of the daemon, this value goes from -20 |
| # (most favorable scheduling) to 19 (least favorable). Using a |
| # very low value reduces the chances to lose state-change events. |
| # Default is 0 but this example file sets it to most favourable |
| # scheduling as this is generally a good idea. See man nice(1) for |
| # more information. |
| # |
| Nice -20 |
| |
| # |
| # Select a different scheduler for the daemon, you can select between |
| # RR and FIFO and the process priority (minimum is 0, maximum is 99). |
| # See man sched_setscheduler(2) for more information. Using a RT |
| # scheduler reduces the chances to overrun the Netlink buffer. |
| # |
| # Scheduler { |
| # Type FIFO |
| # Priority 99 |
| # } |
| |
| # |
| # Number of buckets in the cache hashtable. The bigger it is, |
| # the closer it gets to O(1) at the cost of consuming more memory. |
| # Read some documents about tuning hashtables for further reference. |
| # |
| HashSize 32768 |
| |
| # |
| # Maximum number of conntracks, it should be double of: |
| # $ cat /proc/sys/net/netfilter/nf_conntrack_max |
| # since the daemon may keep some dead entries cached for possible |
| # retransmission during state synchronization. |
| # |
| HashLimit 131072 |
| |
| # |
| # Logfile: on (/var/log/conntrackd.log), off, or a filename |
| # Default: off |
| # |
| LogFile on |
| |
| # |
| # Syslog: on, off or a facility name (daemon (default) or local0..7) |
| # Default: off |
| # |
| #Syslog on |
| |
| # |
| # Lockfile |
| # |
| LockFile /var/lock/conntrack.lock |
| |
| # |
| # Unix socket configuration |
| # |
| UNIX { |
| Path /var/run/conntrackd.ctl |
| Backlog 20 |
| } |
| |
| # |
| # Netlink event socket buffer size. If you do not specify this clause, |
| # the default buffer size value in /proc/net/core/rmem_default is |
| # used. This default value is usually around 100 Kbytes which is |
| # fairly small for busy firewalls. This leads to event message dropping |
| # and high CPU consumption. This example configuration file sets the |
| # size to 2 MBytes to avoid this sort of problems. |
| # |
| NetlinkBufferSize 2097152 |
| |
| # |
| # The daemon doubles the size of the netlink event socket buffer size |
| # if it detects netlink event message dropping. This clause sets the |
| # maximum buffer size growth that can be reached. This example file |
| # sets the size to 8 MBytes. |
| # |
| NetlinkBufferSizeMaxGrowth 8388608 |
| |
| # |
| # If the daemon detects that Netlink is dropping state-change events, |
| # it automatically schedules a resynchronization against the Kernel |
| # after 30 seconds (default value). Resynchronizations are expensive |
| # in terms of CPU consumption since the daemon has to get the full |
| # kernel state-table and purge state-entries that do not exist anymore. |
| # Be careful of setting a very small value here. You have the following |
| # choices: On (enabled, use default 30 seconds value), Off (disabled) |
| # or Value (in seconds, to set a specific amount of time). If not |
| # specified, the daemon assumes that this option is enabled. |
| # |
| # NetlinkOverrunResync On |
| |
| # If you want reliable event reporting over Netlink, set on this |
| # option. If you set on this clause, it is a good idea to set off |
| # NetlinkOverrunResync. This option is off by default and you need |
| # a Linux kernel >= 2.6.31. |
| # |
| # NetlinkEventsReliable Off |
| |
| # |
| # By default, the daemon receives state updates following an |
| # event-driven model. You can modify this behaviour by switching to |
| # polling mode with the PollSecs clause. This clause tells conntrackd |
| # to dump the states in the kernel every N seconds. With regards to |
| # synchronization mode, the polling mode can only guarantee that |
| # long-lifetime states are recovered. The main advantage of this method |
| # is the reduction in the state replication at the cost of reducing the |
| # chances of recovering connections. |
| # |
| # PollSecs 15 |
| |
| # |
| # The daemon prioritizes the handling of state-change events coming |
| # from the core. With this clause, you can set the maximum number of |
| # state-change events (those coming from kernel-space) that the daemon |
| # will handle after which it will handle other events coming from the |
| # network or userspace. A low value improves interactivity (in terms of |
| # real-time behaviour) at the cost of extra CPU consumption. |
| # Default (if not set) is 100. |
| # |
| # EventIterationLimit 100 |
| |
| # |
| # Event filtering: This clause allows you to filter certain traffic, |
| # There are currently three filter-sets: Protocol, Address and |
| # State. The filter is attached to an action that can be: Accept or |
| # Ignore. Thus, you can define the event filtering policy of the |
| # filter-sets in positive or negative logic depending on your needs. |
| # You can select if conntrackd filters the event messages from |
| # user-space or kernel-space. The kernel-space event filtering |
| # saves some CPU cycles by avoiding the copy of the event message |
| # from kernel-space to user-space. The kernel-space event filtering |
| # is prefered, however, you require a Linux kernel >= 2.6.29 to |
| # filter from kernel-space. If you want to select kernel-space |
| # event filtering, use the keyword 'Kernelspace' instead of |
| # 'Userspace'. |
| # |
| Filter From Userspace { |
| # |
| # Accept only certain protocols: You may want to replicate |
| # the state of flows depending on their layer 4 protocol. |
| # |
| Protocol Accept { |
| TCP |
| SCTP |
| DCCP |
| # UDP |
| # ICMP # This requires a Linux kernel >= 2.6.31 |
| # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 |
| } |
| |
| # |
| # Ignore traffic for a certain set of IP's: Usually all the |
| # IP assigned to the firewall since local traffic must be |
| # ignored, only forwarded connections are worth to replicate. |
| # Note that these values depends on the local IPs that are |
| # assigned to the firewall. |
| # |
| Address Ignore { |
| IPv4_address 127.0.0.1 # loopback |
| IPv4_address 192.168.0.100 # virtual IP 1 |
| IPv4_address 192.168.1.100 # virtual IP 2 |
| IPv4_address 192.168.0.1 |
| IPv4_address 192.168.1.1 |
| IPv4_address 192.168.100.100 # dedicated link ip |
| # |
| # You can also specify networks in format IP/cidr. |
| # IPv4_address 192.168.0.0/24 |
| # |
| # You can also specify an IPv6 address |
| # IPv6_address ::1 |
| } |
| |
| # |
| # Uncomment this line below if you want to filter by flow state. |
| # This option introduces a trade-off in the replication: it |
| # reduces CPU consumption at the cost of having lazy backup |
| # firewall replicas. The existing TCP states are: SYN_SENT, |
| # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, |
| # TIME_WAIT, CLOSED, LISTEN. |
| # |
| # State Accept { |
| # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP |
| # } |
| } |
| } |