#
# Synchronizer settings
#
Sync {
	Mode NOTRACK {
		#
		# This parameter allows you to set an initial fixed timeout
		# for the committed entries when this node goes from backup
		# to primary. This mechanism provides a way to purge entries
		# that were not recovered appropriately after the specified
		# fixed timeout. If you set a low value, TCP entries in
		# Established states with no traffic may hang. For example,
		# an SSH connection without KeepAlive enabled. If not set,
		# the daemon uses an approximate timeout value calculation
		# mechanism. By default, this option is not set.
		#
		# CommitTimeout 180

		#
		# If the firewall replica goes from primary to backup,
		# the conntrackd -t command is invoked in the script.
		# This command schedules a flush of the table in N seconds.
		# This is useful to purge the connection tracking table of
		# zombie entries and avoid clashes with old entries if you
		# trigger several consecutive hand-overs. Default is 60 seconds.
		#
		# PurgeTimeout 60

		#
		# This clause allows you to disable the internal cache. Thus,
		# the synchronization messages are directly sent through
		# the dedicated link. This option is set to off by default.
		#
		# DisableInternalCache Off

		#
		# This clause allows you to disable the external cache. Thus,
		# the state entries are directly injected into the kernel
		# conntrack table. As a result, you save memory in user-space
		# but you consume slots in the kernel conntrack table for
		# backup state entries. Moreover, disabling the external cache
		# means more CPU consumption. You need a Linux kernel
		# >= 2.6.29 to use this feature. By default, this clause is
		# set off. If you are installing conntrackd for the first time,
		# please read the user manual and I encourage you to consider
		# using the fail-over scripts instead of enabling this option!
		#
		# DisableExternalCache Off
	}

	#
	# Multicast IP and interface where messages are
	# broadcasted (dedicated link). IMPORTANT: Make sure
	# that iptables accepts traffic for destination
	# 225.0.0.50, eg:
	#
	# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
	# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
	#
	# Prefer binding these rules to the dedicated link only (for this
	# example, -i eth2 on INPUT and -o eth2 on OUTPUT) so that the
	# multicast group is not reachable from any other interface.
	#
	Multicast {
		#
		# Multicast address: The address that you use as destination
		# in the synchronization messages. You do not have to add
		# this IP to any of your existing interfaces. If any doubt,
		# do not modify this value.
		#
		IPv4_address 225.0.0.50

		#
		# The multicast group that identifies the cluster. If any
		# doubt, do not modify this value.
		#
		Group 3780

		#
		# IP address of the interface that you are going to use to
		# send the synchronization messages. Remember that you must
		# use a dedicated link for the synchronization messages:
		# nothing in this configuration authenticates the peer, so
		# every host that can reach this segment is trusted to feed
		# state entries into the backup.
		#
		IPv4_interface 192.168.100.100

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		Interface eth2

		# The multicast sender uses a buffer to enqueue the packets
		# that are going to be transmitted. The default size of this
		# socket buffer is available at /proc/sys/net/core/wmem_default.
		# This value determines the chances to have an overrun in the
		# sender queue. The overrun results in packet loss, thus, losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the sender buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		# Note: This protocol is best effort, it is really recommended
		# to increase the buffer size.
		#
		SndSocketBuffer 1249280

		# The multicast receiver uses a buffer to enqueue the packets
		# that the socket is pending to handle. The default size of this
		# socket buffer is available at /proc/sys/net/core/rmem_default.
		# This value determines the chances to have an overrun in the
		# receiver queue. The overrun results in packet loss, thus, losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the receiver buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		# Note: This protocol is best effort, it is really recommended
		# to increase the buffer size.
		#
		RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming. This is a good
		# property to achieve fault-tolerance. In case of doubt, do
		# not modify this value.
		# Note: the checksum detects corruption, not tampering; it is
		# not a substitute for keeping the dedicated link isolated.
		#
		Checksum on
	}
	#
	# You can specify more than one dedicated link. Thus, if one dedicated
	# link fails, conntrackd can fail-over to another. Note that adding
	# more than one dedicated link does not mean that state-updates will
	# be sent to all of them. There is only one active dedicated link at
	# a given moment. The `Default' keyword indicates that this interface
	# will be selected as the initial dedicated link. You can have
	# up to 4 redundant dedicated links. Note: Use different multicast
	# groups for every redundant link.
	#
	# Multicast Default {
	#	IPv4_address 225.0.0.51
	#	Group 3781
	#	IPv4_interface 192.168.100.101
	#	Interface eth3
	#	# SndSocketBuffer 1249280
	#	# RcvSocketBuffer 1249280
	#	Checksum on
	# }

	#
	# You can use Unicast UDP instead of Multicast to propagate events.
	# Note that you cannot use unicast UDP and Multicast at the same
	# time, you can only select one.
	#
	# UDP {
		#
		# UDP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination UDP address that receives events, ie. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# UDP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		#
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming.
		#
		# Checksum on
	# }

	#
	# You can also use Unicast TCP to propagate events. Thus, the NOTRACK
	# mode becomes reliable.
	#
	# TCP {
		#
		# TCP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination TCP address that receives events, ie. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# TCP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		#
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming.
		#
		# Checksum on
	# }

	#
	# Other unsorted options that are related to the synchronization.
	#
	# Options {
		#
		# TCP state-entries have window tracking disabled by default,
		# you can enable it with this option. As said, default is off.
		# This feature requires a Linux kernel >= 2.6.36.
		#
		# TCPWindowTracking Off

		# Set this option on if you want to enable the synchronization
		# of expectations. You have to specify the list of helpers that
		# you want to enable. Default is off. This feature requires
		# a Linux kernel >= 3.5.
		#
		# ExpectationSync {
		#	ftp
		#	ras
		#	q.931
		#	h.245
		#	sip
		# }
		#
		# You can use this alternatively:
		#
		# ExpectationSync On
		#
		# If you want to synchronize expectations of all helpers.
	# }
}

#
# General settings
#
General {
	#
	# Set the nice value of the daemon, this value goes from -20
	# (most favorable scheduling) to 19 (least favorable). Using a
	# very low value reduces the chances to lose state-change events.
	# Default is 0 but this example file sets it to most favourable
	# scheduling as this is generally a good idea. See man nice(1) for
	# more information.
	#
	Nice -20

	#
	# Select a different scheduler for the daemon, you can select between
	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
	# See man sched_setscheduler(2) for more information. Using a RT
	# scheduler reduces the chances to overrun the Netlink buffer.
	#
	# Scheduler {
	#	Type FIFO
	#	Priority 99
	# }

	#
	# Number of buckets in the cache hashtable. The bigger it is,
	# the closer it gets to O(1) at the cost of consuming more memory.
	# Read some documents about tuning hashtables for further reference.
	#
	HashSize 32768

	#
	# Maximum number of conntracks, it should be double of:
	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
	# since the daemon may keep some dead entries cached for possible
	# retransmission during state synchronization.
	#
	HashLimit 131072

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	#
	LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration
	# NOTE(review): this socket is the daemon's local control channel;
	# confirm the directory permissions limit who can open it.
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink event socket buffer size. If you do not specify this clause,
	# the default buffer size value in /proc/sys/net/core/rmem_default is
	# used. This default value is usually around 100 Kbytes which is
	# fairly small for busy firewalls. This leads to event message dropping
	# and high CPU consumption. This example configuration file sets the
	# size to 2 MBytes to avoid this sort of problems.
	#
	NetlinkBufferSize 2097152

	#
	# The daemon doubles the size of the netlink event socket buffer size
	# if it detects netlink event message dropping. This clause sets the
	# maximum buffer size growth that can be reached. This example file
	# sets the size to 8 MBytes.
	#
	NetlinkBufferSizeMaxGrowth 8388608

	#
	# If the daemon detects that Netlink is dropping state-change events,
	# it automatically schedules a resynchronization against the Kernel
	# after 30 seconds (default value). Resynchronizations are expensive
	# in terms of CPU consumption since the daemon has to get the full
	# kernel state-table and purge state-entries that do not exist anymore.
	# Be careful of setting a very small value here. You have the following
	# choices: On (enabled, use default 30 seconds value), Off (disabled)
	# or Value (in seconds, to set a specific amount of time). If not
	# specified, the daemon assumes that this option is enabled.
	#
	# NetlinkOverrunResync On

	# If you want reliable event reporting over Netlink, set on this
	# option. If you set on this clause, it is a good idea to set off
	# NetlinkOverrunResync. This option is off by default and you need
	# a Linux kernel >= 2.6.31.
	#
	# NetlinkEventsReliable Off

	#
	# By default, the daemon receives state updates following an
	# event-driven model. You can modify this behaviour by switching to
	# polling mode with the PollSecs clause. This clause tells conntrackd
	# to dump the states in the kernel every N seconds. With regards to
	# synchronization mode, the polling mode can only guarantee that
	# long-lifetime states are recovered. The main advantage of this method
	# is the reduction in the state replication at the cost of reducing the
	# chances of recovering connections.
	#
	# PollSecs 15

	#
	# The daemon prioritizes the handling of state-change events coming
	# from the core. With this clause, you can set the maximum number of
	# state-change events (those coming from kernel-space) that the daemon
	# will handle after which it will handle other events coming from the
	# network or userspace. A low value improves interactivity (in terms of
	# real-time behaviour) at the cost of extra CPU consumption.
	# Default (if not set) is 100.
	#
	# EventIterationLimit 100

	#
	# Event filtering: This clause allows you to filter certain traffic,
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# You can select if conntrackd filters the event messages from
	# user-space or kernel-space. The kernel-space event filtering
	# saves some CPU cycles by avoiding the copy of the event message
	# from kernel-space to user-space. The kernel-space event filtering
	# is preferred, however, you require a Linux kernel >= 2.6.29 to
	# filter from kernel-space. If you want to select kernel-space
	# event filtering, use the keyword 'Kernelspace' instead of
	# 'Userspace'.
	#
	Filter From Userspace {
		#
		# Accept only certain protocols: You may want to replicate
		# the state of flows depending on their layer 4 protocol.
		#
		Protocol Accept {
			TCP
			SCTP
			DCCP
			# UDP
			# ICMP # This requires a Linux kernel >= 2.6.31
			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
		}

		#
		# Ignore traffic for a certain set of IP's: Usually all the
		# IP assigned to the firewall since local traffic must be
		# ignored, only forwarded connections are worth replicating.
		# Note that these values depend on the local IPs that are
		# assigned to the firewall; review this list whenever an
		# address is added to or removed from the firewall.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.1.100 # virtual IP 2
			IPv4_address 192.168.0.1
			IPv4_address 192.168.1.1
			IPv4_address 192.168.100.100 # dedicated link ip
			#
			# You can also specify networks in format IP/cidr.
			# IPv4_address 192.168.0.0/24
			#
			# You can also specify an IPv6 address
			# IPv6_address ::1
		}

		#
		# Uncomment the lines below if you want to filter by flow state.
		# This option introduces a trade-off in the replication: it
		# reduces CPU consumption at the cost of having lazy backup
		# firewall replicas. The existing TCP states are: SYN_SENT,
		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
		# TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}