#
# conntrackd example configuration: replicates the kernel connection-tracking
# table between two firewall replicas (primary/backup) over a dedicated link,
# so established flows survive a fail-over.
#
# Synchronizer settings
#
Sync {
	Mode NOTRACK {
		#
		# This parameter allows you to set an initial fixed timeout
		# for the committed entries when this node goes from backup
		# to primary. This mechanism provides a way to purge entries
		# that were not recovered appropriately after the specified
		# fixed timeout. If you set a low value, TCP entries in
		# Established states with no traffic may hang. For example,
		# an SSH connection without KeepAlive enabled. If not set,
		# the daemon uses an approximate timeout value calculation
		# mechanism. By default, this option is not set.
		#
		# CommitTimeout 180

		#
		# If the firewall replica goes from primary to backup,
		# the conntrackd -t command is invoked in the script.
		# This command schedules a flush of the table in N seconds.
		# This is useful to purge the connection tracking table of
		# zombie entries and avoid clashes with old entries if you
		# trigger several consecutive hand-overs. Default is 60 seconds.
		#
		# PurgeTimeout 60

		#
		# This clause allows you to disable the internal cache. Thus,
		# the synchronization messages are directly sent through
		# the dedicated link. This option is set to off by default.
		#
		# DisableInternalCache Off

		#
		# This clause allows you to disable the external cache. Thus,
		# the state entries are directly injected into the kernel
		# conntrack table. As a result, you save memory in user-space
		# but you consume slots in the kernel conntrack table for
		# backup state entries. Moreover, disabling the external cache
		# means more CPU consumption. You need a Linux kernel
		# >= 2.6.29 to use this feature. By default, this clause is
		# set off. If you are installing conntrackd for first time,
		# please read the user manual and I encourage you to consider
		# using the fail-over scripts instead of enabling this option!
		#
		# NOTE(review): with the external cache disabled, every state
		# message received on the sync link lands directly in the kernel
		# table of the backup; this makes the isolation of the dedicated
		# link (see the Multicast section below) even more important.
		#
		# DisableExternalCache Off
	}

	#
	# Multicast IP and interface where messages are
	# broadcasted (dedicated link). IMPORTANT: Make sure
	# that iptables accepts traffic for destination
	# 225.0.0.50, eg:
	#
	# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
	# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
	#
	# NOTE(review): the example rules above match on destination only;
	# restricting them to the dedicated interface as well (iptables -i /
	# -o) keeps sync traffic from being accepted on any other interface.
	# No authentication or encryption option appears anywhere in this
	# file, so the physical/logical isolation of the dedicated link is
	# the only protection for the state messages -- confirm this in the
	# deployment.
	#
	Multicast {
		#
		# Multicast address: The address that you use as destination
		# in the synchronization messages. You do not have to add
		# this IP to any of your existing interfaces. If any doubt,
		# do not modify this value.
		#
		IPv4_address 225.0.0.50

		#
		# The multicast group that identifies the cluster. If any
		# doubt, do not modify this value.
		#
		Group 3780

		#
		# IP address of the interface that you are going to use to
		# send the synchronization messages. Remember that you must
		# use a dedicated link for the synchronization messages.
		# (This address is also listed under "Address Ignore" in the
		# General section below; keep the two in sync when changing it.)
		#
		IPv4_interface 192.168.100.100

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		Interface eth2

		# The multicast sender uses a buffer to enqueue the packets
		# that are going to be transmitted. The default size of this
		# socket buffer is available at /proc/sys/net/core/wmem_default.
		# This value determines the chances to have an overrun in the
		# sender queue. The overrun results in packet loss, thus, losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the sender buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		# Note: This protocol is best effort, it is really recommended
		# to increase the buffer size.
		#
		SndSocketBuffer 1249280

		# The multicast receiver uses a buffer to enqueue the packets
		# that the socket is pending to handle. The default size of this
		# socket buffer is available at /proc/sys/net/core/rmem_default.
		# This value determines the chances to have an overrun in the
		# receiver queue. The overrun results in packet loss, thus, losing
		# state information that would have to be retransmitted. If you
		# notice some packet loss, you may want to increase the size
		# of the receiver buffer. The default size is usually around
		# ~100 KBytes which is fairly small for busy firewalls.
		# Note: This protocol is best effort, it is really recommended
		# to increase the buffer size.
		#
		RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming. This is a good
		# property to achieve fault-tolerance. In case of doubt, do
		# not modify this value.
		#
		# NOTE(review): the checksum detects corruption in transit; it
		# is not a message authentication code and does not verify who
		# sent the message.
		#
		Checksum on
	}
	#
	# You can specify more than one dedicated link. Thus, if one dedicated
	# link fails, conntrackd can fail-over to another. Note that adding
	# more than one dedicated link does not mean that state-updates will
	# be sent to all of them. There is only one active dedicated link at
	# a given moment. The `Default' keyword indicates that this interface
	# will be selected as the initial dedicated link. You can have
	# up to 4 redundant dedicated links. Note: Use different multicast
	# groups for every redundant link.
	#
	# Multicast Default {
	#	IPv4_address 225.0.0.51
	#	Group 3781
	#	IPv4_interface 192.168.100.101
	#	Interface eth3
	#	# SndSocketBuffer 1249280
	#	# RcvSocketBuffer 1249280
	#	Checksum on
	# }

	#
	# You can use Unicast UDP instead of Multicast to propagate events.
	# Note that you cannot use unicast UDP and Multicast at the same
	# time, you can only select one.
	#
	# UDP {
		#
		# UDP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination UDP address that receives events, ie. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# UDP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		#
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming.
		#
		# Checksum on
	# }

	#
	# You can also use Unicast TCP to propagate events. Thus, the NOTRACK
	# mode becomes reliable.
	#
	# NOTE(review): "reliable" here refers to delivery; none of the TCP
	# options below add peer authentication, so the listening address
	# should still sit on the isolated dedicated link only.
	#
	# TCP {
		#
		# TCP address that this firewall uses to listen to events.
		#
		# IPv4_address 192.168.2.100
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_address fe80::215:58ff:fe28:5a27

		#
		# Destination TCP address that receives events, ie. the other
		# firewall's dedicated link address.
		#
		# IPv4_Destination_Address 192.168.2.101
		#
		# or you may want to use an IPv6 address:
		#
		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c

		#
		# TCP port used
		#
		# Port 3780

		#
		# The name of the interface that you are going to use to
		# send the synchronization messages.
		#
		# Interface eth2

		#
		# The sender socket buffer size
		#
		# SndSocketBuffer 1249280

		#
		# The receiver socket buffer size
		#
		# RcvSocketBuffer 1249280

		#
		# Enable/Disable message checksumming.
		#
		# Checksum on
	# }

	#
	# Other unsorted options that are related to the synchronization.
	#
	# Options {
		#
		# TCP state-entries have window tracking disabled by default,
		# you can enable it with this option. As said, default is off.
		# This feature requires a Linux kernel >= 2.6.36.
		#
		# TCPWindowTracking Off

		# Set this option on if you want to enable the synchronization
		# of expectations. You have to specify the list of helpers that
		# you want to enable. Default is off.
		#
		# ExpectationSync {
		#	ftp
		#	ras
		#	q.931
		#	h.245
		#	sip
		# }
		#
		# You can use this alternatively:
		#
		# ExpectationSync On
		#
		# If you want to synchronize expectations of all helpers.
	# }
}

#
# General settings
#
General {
	#
	# Set the nice value of the daemon, this value goes from -20
	# (most favorable scheduling) to 19 (least favorable). Using a
	# very low value reduces the chances to lose state-change events.
	# Default is 0 but this example file sets it to most favourable
	# scheduling as this is generally a good idea. See man nice(1) for
	# more information.
	#
	Nice -20

	#
	# Select a different scheduler for the daemon, you can select between
	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
	# See man sched_setscheduler(2) for more information. Using a RT
	# scheduler reduces the chances to overrun the Netlink buffer.
	#
	# Scheduler {
	#	Type FIFO
	#	Priority 99
	# }

	#
	# Number of buckets in the cache hashtable. The bigger it is,
	# the closer it gets to O(1) at the cost of consuming more memory.
	# Read some documents about tuning hashtables for further reference.
	#
	HashSize 32768

	#
	# Maximum number of conntracks, it should be double of:
	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
	# since the daemon may keep some dead entries cached for possible
	# retransmission during state synchronization.
	#
	HashLimit 131072

	#
	# Logfile: on (/var/log/conntrackd.log), off, or a filename
	# Default: off
	#
	LogFile on

	#
	# Syslog: on, off or a facility name (daemon (default) or local0..7)
	# Default: off
	#
	#Syslog on

	#
	# Lockfile
	#
	LockFile /var/lock/conntrack.lock

	#
	# Unix socket configuration
	#
	# NOTE(review): this is the daemon's local control socket; anyone who
	# can connect to the path can drive the daemon. Confirm the
	# permissions of the socket and its directory match who should have
	# that access.
	#
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}

	#
	# Netlink event socket buffer size. If you do not specify this clause,
	# the default buffer size value in /proc/sys/net/core/rmem_default is
	# used. This default value is usually around 100 Kbytes which is
	# fairly small for busy firewalls. This leads to event message dropping
	# and high CPU consumption. This example configuration file sets the
	# size to 2 MBytes to avoid this sort of problem.
	#
	NetlinkBufferSize 2097152

	#
	# The daemon doubles the size of the netlink event socket buffer size
	# if it detects netlink event message dropping. This clause sets the
	# maximum buffer size growth that can be reached. This example file
	# sets the size to 8 MBytes.
	#
	NetlinkBufferSizeMaxGrowth 8388608

	#
	# If the daemon detects that Netlink is dropping state-change events,
	# it automatically schedules a resynchronization against the Kernel
	# after 30 seconds (default value). Resynchronizations are expensive
	# in terms of CPU consumption since the daemon has to get the full
	# kernel state-table and purge state-entries that do not exist anymore.
	# Be careful of setting a very small value here. You have the following
	# choices: On (enabled, use default 30 seconds value), Off (disabled)
	# or Value (in seconds, to set a specific amount of time). If not
	# specified, the daemon assumes that this option is enabled.
	#
	# NetlinkOverrunResync On

	# If you want reliable event reporting over Netlink, set on this
	# option. If you set on this clause, it is a good idea to set off
	# NetlinkOverrunResync. This option is off by default and you need
	# a Linux kernel >= 2.6.31.
	#
	# NetlinkEventsReliable Off

	#
	# By default, the daemon receives state updates following an
	# event-driven model. You can modify this behaviour by switching to
	# polling mode with the PollSecs clause. This clause tells conntrackd
	# to dump the states in the kernel every N seconds. With regards to
	# synchronization mode, the polling mode can only guarantee that
	# long-lifetime states are recovered. The main advantage of this method
	# is the reduction in the state replication at the cost of reducing the
	# chances of recovering connections.
	#
	# PollSecs 15

	#
	# The daemon prioritizes the handling of state-change events coming
	# from the core. With this clause, you can set the maximum number of
	# state-change events (those coming from kernel-space) that the daemon
	# will handle after which it will handle other events coming from the
	# network or userspace. A low value improves interactivity (in terms of
	# real-time behaviour) at the cost of extra CPU consumption.
	# Default (if not set) is 100.
	#
	# EventIterationLimit 100

	#
	# Event filtering: This clause allows you to filter certain traffic,
	# There are currently three filter-sets: Protocol, Address and
	# State. The filter is attached to an action that can be: Accept or
	# Ignore. Thus, you can define the event filtering policy of the
	# filter-sets in positive or negative logic depending on your needs.
	# You can select if conntrackd filters the event messages from
	# user-space or kernel-space. The kernel-space event filtering
	# saves some CPU cycles by avoiding the copy of the event message
	# from kernel-space to user-space. The kernel-space event filtering
	# is preferred, however, you require a Linux kernel >= 2.6.29 to
	# filter from kernel-space. If you want to select kernel-space
	# event filtering, use the keyword 'Kernelspace' instead of
	# 'Userspace'.
	#
	Filter From Userspace {
		#
		# Accept only certain protocols: You may want to replicate
		# the state of flows depending on their layer 4 protocol.
		#
		Protocol Accept {
			TCP
			SCTP
			DCCP
			# UDP
			# ICMP # This requires a Linux kernel >= 2.6.31
			# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
		}

		#
		# Ignore traffic for a certain set of IPs: Usually all the
		# IP assigned to the firewall since local traffic must be
		# ignored, only forwarded connections are worth replicating.
		# Note that these values depend on the local IPs that are
		# assigned to the firewall.
		#
		# NOTE(review): the addresses below are example values; they must
		# be replaced with the real addresses of each replica, otherwise
		# local flows (including the sync link itself) get replicated.
		#
		Address Ignore {
			IPv4_address 127.0.0.1 # loopback
			IPv4_address 192.168.0.100 # virtual IP 1
			IPv4_address 192.168.1.100 # virtual IP 2
			IPv4_address 192.168.0.1
			IPv4_address 192.168.1.1
			IPv4_address 192.168.100.100 # dedicated link ip (matches IPv4_interface above)
			#
			# You can also specify networks in format IP/cidr.
			# IPv4_address 192.168.0.0/24
			#
			# You can also specify an IPv6 address
			# IPv6_address ::1
		}

		#
		# Uncomment this line below if you want to filter by flow state.
		# This option introduces a trade-off in the replication: it
		# reduces CPU consumption at the cost of having lazy backup
		# firewall replicas. The existing TCP states are: SYN_SENT,
		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
		# TIME_WAIT, CLOSED, LISTEN.
		#
		# State Accept {
		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
		# }
	}
}