#
# Synchronizer settings
#
# This block configures how this firewall replicates its connection
# tracking state to its peer(s): the replication mode (ALARM) and the
# transport (Multicast below, or unicast UDP as an alternative).
#
Sync {
	Mode ALARM {
		#
		# If a conntrack entry is not modified in <= 15 seconds, then
		# a message is broadcast. This mechanism is used to
		# resynchronize nodes that just joined the multicast group.
		#
		RefreshTime 15

		#
		# If we don't receive a notification about the state of
		# an entry in the external cache after N seconds, then
		# remove it.
		#
		CacheTimeout 180

		#
		# This parameter allows you to set an initial fixed timeout
		# for the committed entries when this node goes from backup
		# to primary. This mechanism provides a way to purge entries
		# that were not recovered appropriately after the specified
		# fixed timeout. If you set a low value, TCP entries in
		# Established state with no traffic may hang. For example,
		# an SSH connection without KeepAlive enabled. If not set,
		# the daemon uses an approximate timeout value calculation
		# mechanism. By default, this option is not set.
		#
		# CommitTimeout 180

		#
		# If the firewall replica goes from primary to backup,
		# the conntrackd -t command is invoked in the script.
		# This command schedules a flush of the table in N seconds.
		# This is useful to purge the connection tracking table of
		# zombie entries and avoid clashes with old entries if you
		# trigger several consecutive hand-overs. Default is 60 seconds.
		#
		# PurgeTimeout 60
	}

	#
	# Multicast IP and interface where messages are
	# broadcast (dedicated link). IMPORTANT: Make sure
	# that iptables accepts traffic for destination
	# 225.0.0.50, eg:
	#
	# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
	# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
	#
	# NOTE(review): the two example rules match on destination
	# address only, so they accept group traffic arriving on any
	# interface. Adding the dedicated link to them (-i eth2 on the
	# INPUT rule, -o eth2 on the OUTPUT rule, matching the Interface
	# directive below) keeps state replication confined to that link.
	#
	Multicast {
		#
		# Multicast address: The address that you use as destination
		# in the synchronization messages. You do not have to add
		# this IP to any of your existing interfaces. If in any doubt,
		# do not modify this value.
		#
		IPv4_address 225.0.0.50

		#
		# The multicast group that identifies the cluster. If in any
		# doubt, do not modify this value.
		#
		Group 3780

		#
		# IP address of the interface that you are going to use to
		# send the synchronization messages. Remember that you must
		# use a dedicated link for the synchronization messages.
		# This is the same address that is listed under
		# "Address Ignore" in the General section below; keep the
		# two in step if you change it.
		#
		IPv4_interface 192.168.100.100

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		Interface eth2

		#
		# The multicast sender uses a buffer to enqueue the packets
		# that are going to be transmitted. The default size of this
		# socket buffer is available at /proc/sys/net/core/wmem_default.
		# This value determines the chances of an overrun in the
		# sender queue. An overrun results in packet loss, thus losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the sender buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		#
		SndSocketBuffer 1249280

		#
		# The multicast receiver uses a buffer to enqueue the packets
		# that the socket has pending to handle. The default size of this
		# socket buffer is available at /proc/sys/net/core/rmem_default.
		# This value determines the chances of an overrun in the
		# receiver queue. An overrun results in packet loss, thus losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size of
		# the receiver buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		#
		RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming. This is a good
		# property to achieve fault-tolerance. In case of doubt, do
		# not modify this value.
		#
		# NOTE(review): the checksum detects corruption in transit;
		# nothing in this file configures authentication of the
		# synchronization messages, so the integrity of the replicated
		# state rests on the dedicated link being isolated from
		# untrusted hosts. Confirm against the daemon's documentation
		# before relying on it for anything more.
		#
		Checksum on
	}
	#
	# You can specify more than one dedicated link. Thus, if one dedicated
	# link fails, conntrackd can fail-over to another. Note that adding
	# more than one dedicated link does not mean that state-updates will
	# be sent to all of them. There is only one active dedicated link at
	# a given moment. The `Default' keyword indicates that this interface
	# will be selected as the initial dedicated link. You can have
	# up to 4 redundant dedicated links. Note: Use different multicast
	# groups for every redundant link.
	#
	# Multicast Default {
	#	IPv4_address 225.0.0.51
	#	Group 3781
	#	IPv4_interface 192.168.100.101
	#	Interface eth3
	#	# SndSocketBuffer 1249280
	#	# RcvSocketBuffer 1249280
	#	Checksum on
	# }

	#
	# You can use Unicast UDP instead of Multicast to propagate events.
	# Note that you cannot use unicast UDP and Multicast at the same
	# time, you can only select one.
	#
	# UDP {
		#
		# UDP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination UDP address that receives events, ie. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# UDP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		#
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming.
		#
		# Checksum on
	# }

	#
	# Other unsorted options that are related to the synchronization.
	#
	# Options {
		#
		# TCP state-entries have window tracking disabled by default,
		# you can enable it with this option. As said, default is off.
		# This feature requires a Linux kernel >= 2.6.36.
		#
		# TCPWindowTracking Off

		# Set this option on if you want to enable the synchronization
		# of expectations. You have to specify the list of helpers that
		# you want to enable. Default is off. This feature requires
		# a Linux kernel >= 3.5.
		#
		# ExpectationSync {
		#	ftp
		#	ras
		#	q.931
		#	h.245
		#	sip
		# }
		#
		# You can use this alternatively:
		#
		# ExpectationSync On
		#
		# If you want to synchronize expectations of all helpers.
	# }
}

#
# General settings
#
# Daemon-wide settings: scheduling, cache sizing, logging, the local
# control socket, Netlink buffer tuning and the event filter.
#
General {
	#
	# Set the nice value of the daemon, this value goes from -20
	# (most favorable scheduling) to 19 (least favorable). Using a
	# very low value reduces the chances to lose state-change events.
	# Default is 0 but this example file sets it to most favourable
	# scheduling as this is generally a good idea. See man nice(1) for
	# more information.
	#
	Nice -20

	#
	# Select a different scheduler for the daemon, you can select between
	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
	# See man sched_setscheduler(2) for more information. Using a RT
	# scheduler reduces the chances to overrun the Netlink buffer.
	#
	# Scheduler {
	#	Type FIFO
	#	Priority 99
	# }

	#
	# Number of buckets in the cache hashtable. The bigger it is,
	# the closer it gets to O(1) at the cost of consuming more memory.
	# Read some documents about tuning hashtables for further reference.
	#
	HashSize 32768

	#
	# Maximum number of conntracks, it should be double of:
	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
	# since the daemon may keep some dead entries cached for possible
	# retransmission during state synchronization.
	#
	HashLimit 131072

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	#
	LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration
	#
	# NOTE(review): this socket is the daemon's local control channel
	# (the conntrackd -t command mentioned under PurgeTimeout is,
	# presumably, one of the commands delivered through it — confirm
	# against the man page). Whoever can write to this path can drive
	# the daemon, so the permissions of the socket and of its directory
	# are part of the host's trust boundary.
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink event socket buffer size. If you do not specify this clause,
	# the default buffer size value in /proc/net/core/rmem_default is
	# used. This default value is usually around 100 Kbytes which is
	# fairly small for busy firewalls. This leads to event message dropping
	# and high CPU consumption. This example configuration file sets the
	# size to 2 MBytes to avoid this sort of problem.
	#
	NetlinkBufferSize 2097152

	#
	# The daemon doubles the size of the netlink event socket buffer size
	# if it detects netlink event message dropping. This clause sets the
	# maximum buffer size growth that can be reached. This example file
	# sets the size to 8 MBytes.
	#
	NetlinkBufferSizeMaxGrowth 8388608

	#
	# If the daemon detects that Netlink is dropping state-change events,
	# it automatically schedules a resynchronization against the Kernel
	# after 30 seconds (default value). Resynchronizations are expensive
	# in terms of CPU consumption since the daemon has to get the full
	# kernel state-table and purge state-entries that do not exist anymore.
	# Be careful of setting a very small value here. You have the following
	# choices: On (enabled, use default 30 seconds value), Off (disabled)
	# or Value (in seconds, to set a specific amount of time). If not
	# specified, the daemon assumes that this option is enabled.
	#
	# NetlinkOverrunResync On

	#
	# If you want reliable event reporting over Netlink, set this
	# option on. If you set this clause on, it is a good idea to set
	# NetlinkOverrunResync off. This option is off by default and you need
	# a Linux kernel >= 2.6.31.
	#
	# NetlinkEventsReliable Off

	#
	# By default, the daemon receives state updates following an
	# event-driven model. You can modify this behaviour by switching to
	# polling mode with the PollSecs clause. This clause tells conntrackd
	# to dump the states in the kernel every N seconds. With regards to
	# synchronization mode, the polling mode can only guarantee that
	# long-lifetime states are recovered. The main advantage of this method
	# is the reduction in the state replication at the cost of reducing the
	# chances of recovering connections.
	#
	# PollSecs 15

	#
	# The daemon prioritizes the handling of state-change events coming
	# from the core. With this clause, you can set the maximum number of
	# state-change events (those coming from kernel-space) that the daemon
	# will handle after which it will handle other events coming from the
	# network or userspace. A low value improves interactivity (in terms of
	# real-time behaviour) at the cost of extra CPU consumption.
	# Default (if not set) is 100.
	#
	# EventIterationLimit 100

	#
	# Event filtering: This clause allows you to filter certain traffic.
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# You can select whether conntrackd filters the event messages from
	# user-space or kernel-space. The kernel-space event filtering
	# saves some CPU cycles by avoiding the copy of the event message
	# from kernel-space to user-space. The kernel-space event filtering
	# is preferred, however, you require a Linux kernel >= 2.6.29 to
	# filter from kernel-space. If you want to select kernel-space
	# event filtering, use the keyword 'Kernelspace' instead of
	# 'Userspace'.
	#
	Filter From Userspace {
		#
		# Accept only certain protocols: You may want to replicate
		# the state of flows depending on their layer 4 protocol.
		#
		Protocol Accept {
			TCP
			SCTP
			DCCP
			# UDP
			# ICMP # This requires a Linux kernel >= 2.6.31
			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
		}

		#
		# Ignore traffic for a certain set of IPs: Usually all the
		# IPs assigned to the firewall since local traffic must be
		# ignored, only forwarded connections are worth replicating.
		# Note that these values depend on the local IPs that are
		# assigned to the firewall. An address missing from this list
		# means the firewall's own flows to/from it are replicated to
		# the peer as well, so review it whenever a local IP is added.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.1.100 # virtual IP 2
			IPv4_address 192.168.0.1
			IPv4_address 192.168.1.1
			IPv4_address 192.168.100.100 # dedicated link ip (same as IPv4_interface above)
			#
			# You can also specify networks in format IP/cidr.
			# IPv4_address 192.168.0.0/24
			#
			# You can also specify an IPv6 address
			# IPv6_address ::1
		}

		#
		# Uncomment the lines below if you want to filter by flow state.
		# This option introduces a trade-off in the replication: it
		# reduces CPU consumption at the cost of having lazy backup
		# firewall replicas. The existing TCP states are: SYN_SENT,
		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
		# TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}