#
# Synchronizer settings
#
# Security note (review): the state-synchronization messages configured in
# this section carry the firewall's connection-tracking table in the clear,
# and nothing in this file authenticates or encrypts them (the `Checksum`
# option below only detects corruption, see its comment). Any host that can
# reach the multicast group or the UDP listener can therefore read the flow
# table and, presumably, inject or forge entries into the peer's cache.
# Keep the sync link physically or VLAN-isolated from untrusted networks and
# restrict it with packet-filter rules scoped to the dedicated interface.
#
Sync {
    Mode ALARM {
        #
        # If a conntrack entry is not modified in <= 15 seconds, then
        # a message is broadcasted. This mechanism is used to
        # resynchronize nodes that just joined the multicast group.
        #
        RefreshTime 15

        #
        # If we don't receive a notification about the state of
        # an entry in the external cache after N seconds, then
        # remove it.
        #
        CacheTimeout 180

        #
        # This parameter allows you to set an initial fixed timeout
        # for the committed entries when this node goes from backup
        # to primary. This mechanism provides a way to purge entries
        # that were not recovered appropriately after the specified
        # fixed timeout. If you set a low value, TCP entries in
        # ESTABLISHED state with no traffic may hang; for example,
        # an SSH connection without KeepAlive enabled. If not set,
        # the daemon uses an approximate timeout value calculation
        # mechanism. By default, this option is not set.
        #
        # CommitTimeout 180

        #
        # If the firewall replica goes from primary to backup, the
        # hand-over script (not part of this file) invokes the
        # `conntrackd -t` command. This command schedules a flush of
        # the table in N seconds. This is useful to purge the
        # connection tracking table of zombie entries and to avoid
        # clashes with old entries if you trigger several consecutive
        # hand-overs. Default is 60 seconds.
        #
        # PurgeTimeout 60
    }

    #
    # Multicast IP and interface where messages are
    # broadcasted (dedicated link). IMPORTANT: Make sure
    # that iptables accepts traffic for destination
    # 225.0.0.50. Scope the rules to the dedicated-link
    # interface (eth2 below) instead of accepting the group
    # address on every interface, eg:
    #
    #   iptables -I INPUT  -i eth2 -d 225.0.0.50 -j ACCEPT
    #   iptables -I OUTPUT -o eth2 -d 225.0.0.50 -j ACCEPT
    #
    Multicast {
        #
        # Multicast address: The address that you use as destination
        # in the synchronization messages. You do not have to add
        # this IP to any of your existing interfaces. If in any doubt,
        # do not modify this value.
        #
        IPv4_address 225.0.0.50

        #
        # The multicast group that identifies the cluster. If in any
        # doubt, do not modify this value.
        # NOTE(review): this looks like it doubles as the UDP port
        # (the unicast UDP block below uses `Port 3780`); confirm
        # against the daemon documentation before changing it.
        #
        Group 3780

        #
        # IP address of the interface that you are going to use to
        # send the synchronization messages. Remember that you must
        # use a dedicated link for the synchronization messages:
        # whatever shares this segment can read and presumably
        # inject connection state.
        #
        IPv4_interface 192.168.100.100

        #
        # The name of the interface that you are going to use to
        # send the synchronization messages.
        #
        Interface eth2

        # The multicast sender uses a buffer to enqueue the packets
        # that are going to be transmitted. The default size of this
        # socket buffer is available at /proc/sys/net/core/wmem_default.
        # This value determines the chances of an overrun in the
        # sender queue. An overrun results in packet loss, thus losing
        # state information that would have to be retransmitted. If you
        # notice some packet loss, you may want to increase the size
        # of the sender buffer. The default size is usually around
        # ~100 KBytes, which is fairly small for busy firewalls.
        #
        SndSocketBuffer 1249280

        # The multicast receiver uses a buffer to enqueue the packets
        # that the socket is pending to handle. The default size of this
        # socket buffer is available at /proc/sys/net/core/rmem_default.
        # This value determines the chances of an overrun in the
        # receiver queue. An overrun results in packet loss, thus losing
        # state information that would have to be retransmitted. If you
        # notice some packet loss, you may want to increase the size of
        # the receiver buffer. The default size is usually around
        # ~100 KBytes, which is fairly small for busy firewalls.
        #
        RcvSocketBuffer 1249280

        #
        # Enable/Disable message checksumming. This is a good
        # property to achieve fault-tolerance: it lets the receiver
        # discard messages corrupted in transit. It is NOT a message
        # authentication code and gives no protection against messages
        # that were deliberately forged or altered. In case of doubt,
        # do not modify this value.
        #
        Checksum on
    }
    #
    # You can specify more than one dedicated link. Thus, if one dedicated
    # link fails, conntrackd can fail over to another. Note that adding
    # more than one dedicated link does not mean that state updates will
    # be sent to all of them. There is only one active dedicated link at
    # a given moment. The `Default' keyword indicates that this interface
    # will be selected as the initial dedicated link. You can have
    # up to 4 redundant dedicated links. Note: Use different multicast
    # groups for every redundant link, and apply the same isolation and
    # packet-filter rules to every redundant link as to the first one.
    #
    # Multicast Default {
    #     IPv4_address 225.0.0.51
    #     Group 3781
    #     IPv4_interface 192.168.100.101
    #     Interface eth3
    #     # SndSocketBuffer 1249280
    #     # RcvSocketBuffer 1249280
    #     Checksum on
    # }

    #
    # You can use Unicast UDP instead of Multicast to propagate events.
    # Note that you cannot use unicast UDP and Multicast at the same
    # time; you can only select one. Unicast UDP is just as
    # unauthenticated as multicast: restrict the listener with a
    # packet filter to the peer's dedicated-link address and port.
    #
    # UDP {
    #
    #     UDP address that this firewall uses to listen to events.
    #
    #     IPv4_address 192.168.2.100
    #
    #     or you may want to use an IPv6 address:
    #
    #     IPv6_address fe80::215:58ff:fe28:5a27

    #
    #     Destination UDP address that receives events, ie. the other
    #     firewall's dedicated link address.
    #
    #     IPv4_Destination_Address 192.168.2.101
    #
    #     or you may want to use an IPv6 address:
    #
    #     IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

    #
    #     UDP port used
    #
    #     Port 3780

    #
    #     The name of the interface that you are going to use to
    #     send the synchronization messages.
    #
    #     Interface eth2

    #
    #     The sender socket buffer size
    #
    #     SndSocketBuffer 1249280

    #
    #     The receiver socket buffer size
    #
    #     RcvSocketBuffer 1249280

    #
    #     Enable/Disable message checksumming (corruption detection
    #     only, not authentication).
    #
    #     Checksum on
    # }

    #
    # Other unsorted options that are related to the synchronization.
    #
    # Options {
    #
    #     TCP state entries have window tracking disabled by default;
    #     you can enable it with this option. As said, default is off.
    #     This feature requires a Linux kernel >= 2.6.36.
    #
    #     TCPWindowTracking Off

    #     Set this option on if you want to enable the synchronization
    #     of expectations. You have to specify the list of helpers that
    #     you want to enable. Default is off.
    #
    #     ExpectationSync {
    #         ftp
    #         ras
    #         q.931
    #         h.245
    #         sip
    #     }
    #
    #     You can use this alternatively:
    #
    #     ExpectationSync On
    #
    #     if you want to synchronize expectations of all helpers.
    # }
}

#
# General settings
#
General {
    #
    # Set the nice value of the daemon; this value goes from -20
    # (most favorable scheduling) to 19 (least favorable). Using a
    # very low value reduces the chances of losing state-change events.
    # Default is 0, but this example file sets it to the most favourable
    # scheduling as this is generally a good idea. See man nice(1) for
    # more information.
    #
    Nice -20

    #
    # Select a different scheduler for the daemon; you can select between
    # RR and FIFO and the process priority (minimum is 0, maximum is 99).
    # See man sched_setscheduler(2) for more information. Using a RT
    # scheduler reduces the chances to overrun the Netlink buffer.
    # Caveat: a FIFO task at priority 99 pre-empts everything else on its
    # CPU, so a misbehaving daemon could starve other processes; prefer
    # a lower priority unless you have measured event loss.
    #
    # Scheduler {
    #     Type FIFO
    #     Priority 99
    # }

    #
    # Number of buckets in the cache hashtable. The bigger it is,
    # the closer it gets to O(1) at the cost of consuming more memory.
    # Read some documents about tuning hashtables for further reference.
    #
    HashSize 32768

    #
    # Maximum number of conntracks; it should be double of:
    # $ cat /proc/sys/net/netfilter/nf_conntrack_max
    # since the daemon may keep some dead entries cached for possible
    # retransmission during state synchronization.
    #
    HashLimit 131072

    #
    # Logfile: on (/var/log/conntrackd.log), off, or a filename
    # Default: off
    #
    LogFile on

    #
    # Syslog: on, off or a facility name (daemon (default) or local0..7)
    # Default: off
    #
    #Syslog on

    #
    # Lockfile
    #
    LockFile /var/lock/conntrack.lock

    #
    # Unix socket configuration. This is the control channel the
    # `conntrackd` client commands referenced above (e.g. `conntrackd -t`,
    # which schedules a table flush) use to talk to the daemon, so any
    # local user who can write to this socket can manipulate the
    # synchronized state. NOTE(review): verify the socket is created
    # with root-only permissions on the target system.
    #
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }

    #
    # Netlink event socket buffer size. If you do not specify this clause,
    # the default buffer size value in /proc/sys/net/core/rmem_default is
    # used. This default value is usually around 100 Kbytes, which is
    # fairly small for busy firewalls. This leads to event message dropping
    # and high CPU consumption. This example configuration file sets the
    # size to 2 MBytes to avoid this sort of problem.
    #
    NetlinkBufferSize 2097152

    #
    # The daemon doubles the size of the netlink event socket buffer
    # if it detects netlink event message dropping. This clause sets the
    # maximum buffer size growth that can be reached. This example file
    # sets the size to 8 MBytes.
    #
    NetlinkBufferSizeMaxGrowth 8388608

    #
    # If the daemon detects that Netlink is dropping state-change events,
    # it automatically schedules a resynchronization against the Kernel
    # after 30 seconds (default value). Resynchronizations are expensive
    # in terms of CPU consumption since the daemon has to get the full
    # kernel state table and purge state entries that do not exist anymore.
    # Be careful of setting a very small value here. You have the following
    # choices: On (enabled, use default 30 seconds value), Off (disabled)
    # or Value (in seconds, to set a specific amount of time). If not
    # specified, the daemon assumes that this option is enabled.
    #
    # NetlinkOverrunResync On

    # If you want reliable event reporting over Netlink, enable this
    # option. If you enable this clause, it is a good idea to disable
    # NetlinkOverrunResync. This option is off by default and you need
    # a Linux kernel >= 2.6.31.
    #
    # NetlinkEventsReliable Off

    #
    # By default, the daemon receives state updates following an
    # event-driven model. You can modify this behaviour by switching to
    # polling mode with the PollSecs clause. This clause tells conntrackd
    # to dump the states in the kernel every N seconds. With regards to
    # synchronization mode, the polling mode can only guarantee that
    # long-lifetime states are recovered. The main advantage of this method
    # is the reduction in state replication, at the cost of reducing the
    # chances of recovering connections.
    #
    # PollSecs 15

    #
    # The daemon prioritizes the handling of state-change events coming
    # from the core. With this clause, you can set the maximum number of
    # state-change events (those coming from kernel-space) that the daemon
    # will handle, after which it will handle other events coming from the
    # network or userspace. A low value improves interactivity (in terms of
    # real-time behaviour) at the cost of extra CPU consumption.
    # Default (if not set) is 100.
    #
    # EventIterationLimit 100

    #
    # Event filtering: This clause allows you to filter certain traffic.
    # There are currently three filter-sets: Protocol, Address and
    # State. The filter is attached to an action that can be: Accept or
    # Ignore. Thus, you can define the event filtering policy of the
    # filter-sets in positive or negative logic depending on your needs.
    # You can select whether conntrackd filters the event messages from
    # user-space or kernel-space. The kernel-space event filtering
    # saves some CPU cycles by avoiding the copy of the event message
    # from kernel-space to user-space. The kernel-space event filtering
    # is preferred; however, you require a Linux kernel >= 2.6.29 to
    # filter from kernel-space. If you want to select kernel-space
    # event filtering, use the keyword 'Kernelspace' instead of
    # 'Userspace'.
    #
    Filter From Userspace {
        #
        # Accept only certain protocols: You may want to replicate
        # the state of flows depending on their layer 4 protocol.
        #
        Protocol Accept {
            TCP
            SCTP
            DCCP
            # UDP
            # ICMP # This requires a Linux kernel >= 2.6.31
            # IPv6-ICMP # This requires a Linux kernel >= 2.6.31
        }

        #
        # Ignore traffic for a certain set of IPs: Usually all the
        # IPs assigned to the firewall, since local traffic must be
        # ignored; only forwarded connections are worth replicating.
        # Note that these values depend on the local IPs that are
        # assigned to the firewall. Keep this list in step with the
        # firewall's real addresses: an address missing here means the
        # firewall's own sessions get replicated to the peer, and the
        # dedicated-link address in particular should always be listed.
        #
        Address Ignore {
            IPv4_address 127.0.0.1 # loopback
            IPv4_address 192.168.0.100 # virtual IP 1
            IPv4_address 192.168.1.100 # virtual IP 2
            IPv4_address 192.168.0.1
            IPv4_address 192.168.1.1
            IPv4_address 192.168.100.100 # dedicated link ip
            #
            # You can also specify networks in format IP/cidr.
            # IPv4_address 192.168.0.0/24
            #
            # You can also specify an IPv6 address
            # IPv6_address ::1
        }

        #
        # Uncomment the lines below if you want to filter by flow state.
        # This option introduces a trade-off in the replication: it
        # reduces CPU consumption at the cost of having lazy backup
        # firewall replicas. The existing TCP states are: SYN_SENT,
        # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
        # TIME_WAIT, CLOSED, LISTEN.
        #
        # State Accept {
        #     ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
        # }
    }
}