Difference between revisions of "Configuration file"

(Configuration grammar)
(move mpw to mpe)
 
(28 intermediate revisions by 3 users not shown)
Line 36: Line 36:
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; address</tt> ''cidr'' || || Yes ||  || Add an address with netmask using CIDR notation (both IPv4 and IPv6)
 
| <tt>&nbsp; &nbsp; address</tt> ''cidr'' || || Yes ||  || Add an address with netmask using CIDR notation (both IPv4 and IPv6)
 +
|-
 +
| <tt>&nbsp; &nbsp; priority</tt> ''integer'' || || Yes ||  || Set the interface [[route priority]]
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; mtu</tt> ''integer'' || || || || Set the interface's MTU
 
| <tt>&nbsp; &nbsp; mtu</tt> ''integer'' || || || || Set the interface's MTU
Line 45: Line 47:
 
| <tt>&nbsp; &nbsp; ll-client</tt> || || ||  || Configure a link-local IPv4 address
 
| <tt>&nbsp; &nbsp; ll-client</tt> || || ||  || Configure a link-local IPv4 address
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
| <tt>&nbsp; &nbsp; router-advertisement</tt>  || Routing || ||  || Enable IPv6 router advertisement on this interface
+
| <tt>&nbsp; &nbsp; router-advertisement {</tt>  || Routing || ||  || Enable IPv6 router advertisement on this interface
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; name-server</tt> ''addr'' || || Yes || ''System's DNS'' || Use the specified name server instead of the system's name servers
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; search-domain</tt> ''fqdn'' ||  || || ''System's domain'' || Use the specified name server instead of the system's search domain
 +
|- bgcolor=ccccff
 +
| colspan=5 | <tt>&nbsp; &nbsp; }</tt>
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
 
| <tt>&nbsp; &nbsp; router-solicitation</tt>  || || ||  || Configures an IPv6 route, and possibly address, automatically
 
| <tt>&nbsp; &nbsp; router-solicitation</tt>  || || ||  || Configures an IPv6 route, and possibly address, automatically
Line 52: Line 60:
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; label "</tt>''string''<tt>"</tt> || || ||  || Set a label on the route
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; label "</tt>''string''<tt>"</tt> || || ||  || Set a label on the route
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; priority </tt>''number''<tt></tt> || || ||  || Set the route priority
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
 
| colspan=5 | <tt>&nbsp; &nbsp; }</tt>
 
| colspan=5 | <tt>&nbsp; &nbsp; }</tt>
Line 69: Line 79:
 
| colspan=5 | <tt>&nbsp; &nbsp; }</tt>
 
| colspan=5 | <tt>&nbsp; &nbsp; }</tt>
 
|- bgcolor=ffccff
 
|- bgcolor=ffccff
| <tt>&nbsp; &nbsp; interface svlan</tt>''id'' <tt>{</tt> || 802.1ad || Yes ||  || Create a metro VLAN interface on the parent interface with tag ''id''
+
| <tt>&nbsp; &nbsp; interface svlan</tt>''id'' <tt>{</tt> || 802.1ad || Yes ||  || Create a QinQ/provider bridge VLAN interface on the parent interface with tag ''id''
 
|- bgcolor=ffccff
 
|- bgcolor=ffccff
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Most shared options such as <tt>interface vlan</tt>''X''
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Most shared options such as <tt>interface vlan</tt>''X''
Line 184: Line 194:
 
|- bgcolor=ffeedd
 
|- bgcolor=ffeedd
 
| <tt>&nbsp; &nbsp; pptp-proxy</tt> ||  ||  || || Add a pptp-proxy for local clients (multiple clients behind NAT)
 
| <tt>&nbsp; &nbsp; pptp-proxy</tt> ||  ||  || || Add a pptp-proxy for local clients (multiple clients behind NAT)
 +
|- bgcolor=ffeedd
 +
| <tt>&nbsp; &nbsp; sip-proxy</tt> ||  ||  || || Add a sip-proxy for local clients (multiple phones behind NAT)
 
|-
 
|-
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
Line 202: Line 214:
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; channel "</tt>''integer''<tt>"</tt> || || ||  || Set the devices's IEEE 802.11 channel
 
| <tt>&nbsp; &nbsp; channel "</tt>''integer''<tt>"</tt> || || ||  || Set the devices's IEEE 802.11 channel
 +
|-
 +
| <tt>&nbsp; &nbsp; lldp || || ||  || Announce [[LLDP]]
 
|-  
 
|-  
 +
| colspan=5 | <tt>}</tt>
 +
|-
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|- bgcolor=ccffff
 
|- bgcolor=ccffff
Line 224: Line 240:
 
|- bgcolor=ccffff
 
|- bgcolor=ccffff
 
| <tt>&nbsp; &nbsp; max-addresses</tt> ''integer'' || || || 100 || Specify the bridge's address cache size
 
| <tt>&nbsp; &nbsp; max-addresses</tt> ''integer'' || || || 100 || Specify the bridge's address cache size
 +
|- bgcolor=ccffff
 +
| colspan=5 | <tt>}</tt>
 +
|- bgcolor=ccffff
 +
| <tt>interface vether</tt>''id'' <tt>{</tt> || Bridge || Yes || || Virtual Ethernet interface, specifically for use as bridge member
 +
|- bgcolor=ccffff
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Most shared options such as <tt>address</tt> and <tt>group</tt>
 
|- bgcolor=ccffff
 
|- bgcolor=ccffff
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|- bgcolor=ffddbb
 
|- bgcolor=ffddbb
| <tt>interface trunk</tt>''id'' <tt>{</tt> || Trunk || Yes || || Create a trunk (link aggregation) interface  
+
| <tt>interface trunk</tt>''id'' <tt>{</tt> || Trunk || Yes || || Create a [[Trunking|trunk]] (link aggregation) interface  
 
|- bgcolor=ffddbb
 
|- bgcolor=ffddbb
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Most shared options such as <tt>address</tt> and <tt>group</tt>
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Most shared options such as <tt>address</tt> and <tt>group</tt>
Line 234: Line 256:
 
|-bgcolor=ffddbb
 
|-bgcolor=ffddbb
 
| <tt>&nbsp; &nbsp; protocol</tt> ''trunkproto'' || || || roundrobin || Selects a trunk method such as lacp, failover, loadbalance or broadcast
 
| <tt>&nbsp; &nbsp; protocol</tt> ''trunkproto'' || || || roundrobin || Selects a trunk method such as lacp, failover, loadbalance or broadcast
 +
|-bgcolor=ffddbb
 +
| <tt>&nbsp; &nbsp; mode passive</tt> || || || active || Use passive LACP mode
 +
|-bgcolor=ffddbb
 +
| <tt>&nbsp; &nbsp; timeout fast</tt> || || || slow || Use fast LACP timeout
 
|- bgcolor=ffddbb
 
|- bgcolor=ffddbb
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
Line 243: Line 269:
 
| <tt>&nbsp; &nbsp; label</tt> ''integer'' || || || 0 || Sets the MPLS SHIM label
 
| <tt>&nbsp; &nbsp; label</tt> ''integer'' || || || 0 || Sets the MPLS SHIM label
 
|-  bgcolor=ccccff
 
|-  bgcolor=ccccff
 +
| colspan=5 | <tt>}</tt>
 +
|- bgcolor=ccccff
 +
| <tt>interface mpw</tt>''id'' <tt>{</tt> || Tunnel || Yes || || Create an [https://man.openbsd.org/mpw.4 MPLS pseudowire] layer 2 tunnel
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; label</tt> ''integer'' ''integer''  || || ||  || The local and remote labels
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; peer</tt> ''addr''  || || ||  || The destination neighbour address
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; encapsulation</tt> ''type''  || ||  || ethernet || Either <tt>ethernet</tt> or <tt> ethernet-tagged</tt>
 +
|- bgcolor=ccccff
 +
| <tt>&nbsp; &nbsp; control-word </tt> ''yes or no''  || ||  || no || Use of control word or not
 +
|- bgcolor=ccccff
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|-  bgcolor=ffeedd
 
|-  bgcolor=ffeedd
Line 251: Line 291:
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|-  bgcolor=ffeedd
 
|-  bgcolor=ffeedd
| <tt>interface pflow</tt>''id'' <tt>{</tt> || || Yes || || Create a NetFlow v5 sender
+
| <tt>interface pflow</tt>''id'' <tt>{</tt> || || Yes || || Create a NetFlow or IPFIX sender
 
|-  bgcolor=ffeedd
 
|-  bgcolor=ffeedd
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>mtu</tt> and <tt>group</tt>
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>mtu</tt> and <tt>group</tt>
 +
|- bgcolor=ffeedd
 +
| <tt>&nbsp; &nbsp; sender</tt> ''addr'' || || ||  || Which address to use when sending NetFlow data
 
|- bgcolor=ffeedd
 
|- bgcolor=ffeedd
 
| <tt>&nbsp; &nbsp; server</tt> ''addr'' || || ||  || Which server to send NetFlow data to
 
| <tt>&nbsp; &nbsp; server</tt> ''addr'' || || ||  || Which server to send NetFlow data to
 
|- bgcolor=ffeedd
 
|- bgcolor=ffeedd
 
| <tt>&nbsp; &nbsp; port</tt> ''integer'' || || || 2055  || NetFlow port
 
| <tt>&nbsp; &nbsp; port</tt> ''integer'' || || || 2055  || NetFlow port
 +
|- bgcolor=ffeedd
 +
| <tt>&nbsp; &nbsp; protocol</tt> ''integer'' || || || 5  || NetFlow protocol (5 or 10)
 
|-  bgcolor=ffeedd
 
|-  bgcolor=ffeedd
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|-  
 
|-  
| <tt>interface gif</tt>''id'' <tt>{</tt> || VPN || Yes || || Create a generic tunnel interface
+
| <tt>interface</tt> ''tunnelname'' <tt>{</tt> || Tunnel || Yes || || The tunnel options are shared and applies to all tunnel types
|-
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; address</tt> ''cidr'' ''addr'' || || || || Specifies the local and remote interface addresses
 
| <tt>&nbsp; &nbsp; address</tt> ''cidr'' ''addr'' || || || || Specifies the local and remote interface addresses
Line 270: Line 312:
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; tdomain</tt> ''integer''  || || || 0 || Place the tunnel addresses in one of the [[routing domains]]
 
| <tt>&nbsp; &nbsp; tdomain</tt> ''integer''  || || || 0 || Place the tunnel addresses in one of the [[routing domains]]
 +
|-
 +
| colspan=5 | <tt>}</tt>
 +
|-
 +
| <tt>interface etherip</tt>''id'' <tt>{</tt> || Tunnel || Yes || || Create a [[EtherIP]] tunnel interface
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''tunnel options'' || || Yes ||  || The tunnel options <tt>tunnel</tt> and <tt>domain</tt>
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 +
|-
 +
| colspan=5 | <tt>}</tt>
 +
|-
 +
| <tt>interface gif</tt>''id'' <tt>{</tt> || Tunnel || Yes || || Create a generic tunnel interface
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''tunnel options'' || || Yes ||  || The tunnel options <tt>tunnel</tt> and <tt>domain</tt>
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 
|-  
 
|-  
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|-  
 
|-  
| <tt>interface gre</tt>''id'' <tt>{</tt> || || Yes || || Create a GRE tunnel interface
+
| <tt>interface vxlan</tt>''id'' <tt>{</tt> || Tunnel || Yes || || Create a VXLAN tunnel
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''tunnel options'' || || Yes ||  || The tunnel options <tt>tunnel</tt> and <tt>domain</tt>
 
|-  
 
|-  
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 
|-
 
|-
| <tt>&nbsp; &nbsp; address</tt> ''cidr'' ''addr'' || || || || Specifies the local and remote interface addresses
+
| <tt>&nbsp; &nbsp; vnet-id any</tt>  || || ||  || Multipoint-to-multipoint
 +
|-
 +
| <tt>&nbsp; &nbsp; vnet-id</tt> ''integer'' || || ||  || VXLAN network identifier
 +
|-
 +
| <tt>&nbsp; &nbsp; tunnel-ttl</tt> ''integer'' || || || || Set the IP or multicast TTL of the tunnel packets.
 +
|-
 +
| colspan=5 | <tt>}</tt>
 +
|-
 +
| <tt>interface mobileip</tt>''id'' <tt>{</tt> || Tunnel || Yes || || Create a Mobile IP (RFC 2004) tunnel interface
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''tunnel options'' || || Yes ||  || The tunnel options <tt>tunnel</tt> and <tt>domain</tt>
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 
|-
 
|-
| <tt>&nbsp; &nbsp; tunnel</tt> ''addr'' ''addr'' || || || || Specifies the local and remote tunnel endpoint addresses
+
| colspan=5 | <tt>}</tt>
 +
|-
 +
| <tt>interface gre</tt>''id'' <tt>{</tt> || Tunnel || Yes || || Create a GRE tunnel interface
 
|-  
 
|-  
| <tt>&nbsp; &nbsp; tdomain</tt> ''integer'' || || || 0 || Place the tunnel addresses in one of the [[routing domains]]
+
| <tt>&nbsp; &nbsp; </tt>''tunnel options'' || || Yes || || The tunnel options <tt>tunnel</tt> and <tt>domain</tt>
 
|-  
 
|-  
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 +
|-
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|-  
 
|-  
 
| <tt>interface enc</tt>''id'' <tt>{</tt> || || Yes || || Create an additional encapsulation interface (<tt>enc0</tt> always exists)
 
| <tt>interface enc</tt>''id'' <tt>{</tt> || || Yes || || Create an additional encapsulation interface (<tt>enc0</tt> always exists)
 +
|-
 +
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 +
|-
 +
| colspan=5 | <tt>}</tt>
 +
|-
 +
| <tt>interface pair</tt>''id'' <tt>{</tt> || || Yes || || Create a virtual Ethernet [https://man.openbsd.org/pair.4 pair] interface
 +
|-
 +
| <tt>&nbsp; &nbsp; member pair</tt>''id''  || || ||  || The other pair interface to patch
 
|-  
 
|-  
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
 
| <tt>&nbsp; &nbsp; </tt>''shared options'' || || Yes ||  || Many shared options such as <tt>firewall</tt> and <tt>group</tt>
Line 297: Line 381:
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|-  
 
|-  
| <tt>ipsec {</tt> || || || || IPSec and IKE configuration, including macros
+
| <tt>ipsec {</tt> || || || || IPsec and IKE configuration, including macros
 
|-  
 
|-  
 
| <tt>&nbsp; &nbsp; flow ...</tt> || || Yes ||  || Manual <tt>ipsecctl</tt> flow policy, requesting encryption based on its conditions
 
| <tt>&nbsp; &nbsp; flow ...</tt> || || Yes ||  || Manual <tt>ipsecctl</tt> flow policy, requesting encryption based on its conditions
Line 305: Line 389:
 
| <tt>&nbsp; &nbsp; ike ...</tt>|| || Yes ||  || Automatic <tt>ipsecctl</tt> IKE policy for <tt>isakmpd</tt>
 
| <tt>&nbsp; &nbsp; ike ...</tt>|| || Yes ||  || Automatic <tt>ipsecctl</tt> IKE policy for <tt>isakmpd</tt>
 
|-  
 
|-  
| <tt>&nbsp; &nbsp; ikev2 ...</tt>|| || Yes ||  || An IKEv2 policy for <tt>iked</tt>
+
| colspan=5 | <tt>}</tt>
 
|-  
 
|-  
| colspan=5 | <tt>}</tt>
+
| <tt>ike {</tt>  ''config'' || || || || [[IKEv2]] [https://man.openbsd.org/iked.conf.5 configuration] for <tt>iked</tt>
 
|-  
 
|-  
 
| <tt>vpn-server {</tt> || || || || L2TP and PPTP server for roaming clients
 
| <tt>vpn-server {</tt> || || || || L2TP and PPTP server for roaming clients
Line 347: Line 431:
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; user "</tt>''string''<tt>" {</tt> ||  || Yes ||  || Remote access users
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; user "</tt>''string''<tt>" {</tt> ||  || Yes ||  || Remote access users
 
|-
 
|-
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; password "</tt>''string''<tt>"</tt>||  || ||  || The password's Blowfish crypt
+
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; password "</tt>''string''<tt>"</tt>||  || ||  || The password ($b$base64-encoded)
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; full-name "</tt>''string''<tt>"</tt>||  || ||  || The user's full name
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; full-name "</tt>''string''<tt>"</tt>||  || ||  || The user's full name
Line 377: Line 461:
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
| <tt>bgp {</tt> || Routing || || || BGPv4 configuration for <tt>bgpd</tt>
+
| <tt>bgp</tt> ''rdomain'' <tt>{</tt> || Routing || || || [https://man.openbsd.org/bgpd.conf.5 BGPv4 configuration] for <tt>bgpd</tt>, routing domain can be omitted
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
 
| <tt>&nbsp; &nbsp; AS</tt> ''integer'' || ||  ||  || Set the local autonomous system number
 
| <tt>&nbsp; &nbsp; AS</tt> ''integer'' || ||  ||  || Set the local autonomous system number
Line 393: Line 477:
 
| colspan=5 | <tt>}</tt>
 
| colspan=5 | <tt>}</tt>
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
| <tt>ospf {</tt> ''config'' || || || || OSPFv2 configuration for <tt>ospfd</tt>
+
| <tt>ospf {</tt> ''config'' || || || || [https://man.openbsd.org/ospfd.conf.5 OSPFv2 configuration] for <tt>ospfd</tt>
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
| <tt>ospf6 {</tt> ''config'' || || || || OSPFv3 configuration for <tt>ospf6d</tt>
+
| <tt>ospf6 {</tt> ''config'' || || || || [https://man.openbsd.org/ospf6d.conf.5 OSPFv3 configuration] for <tt>ospf6d</tt>
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
| <tt>ldp {</tt> ''config'' || || || || MPLS LDP configuration for <tt>ldpd</tt>
+
| <tt>eigrp {</tt> ''config'' || || || || [https://man.openbsd.org/eigrpd.conf.5 EIGRP configuration] for <tt>eigrpd</tt>
 
|- bgcolor=ccccff
 
|- bgcolor=ccccff
| <tt>load-balancer {</tt> ''config'' || || || || Load balancing and availability configuration for <tt>relayd</tt>
+
| <tt>ldp {</tt> ''config'' || || || || [https://man.openbsd.org/ldpd.conf.5 MPLS LDP configuration] for <tt>ldpd</tt>
 +
|- bgcolor=ccccff
 +
| <tt>load-balancer {</tt> ''config'' || || || || [https://man.openbsd.org/relayd.conf.5 Load balancing configuration] for <tt>relayd</tt>
 
|-  
 
|-  
 
| <tt>cluster {</tt> || || || || Cluster configuration
 
| <tt>cluster {</tt> || || || || Cluster configuration
Line 442: Line 528:
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; ntp {</tt> ||  || ||  || Network time
 
| <tt>&nbsp; &nbsp; ntp {</tt> ||  || ||  || Network time
 +
|-
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; rdomain </tt> ''integer'' ||  || || 0 ||
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; server</tt> ''addr or fqdn'' ||  || Yes ||  || NTP server to sync with
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; server</tt> ''addr or fqdn'' ||  || Yes ||  || NTP server to sync with
Line 448: Line 536:
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; syslog {</tt> ||  || ||  || Remote logging
 
| <tt>&nbsp; &nbsp; syslog {</tt> ||  || ||  || Remote logging
 +
|-
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; rdomain </tt> ''integer'' ||  || || 0 ||
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; server</tt> ''addr or fqdn'' ||  || Yes ||  || Syslog server to send logs to
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; server</tt> ''addr or fqdn'' ||  || Yes ||  || Syslog server to send logs to
Line 465: Line 555:
 
| <tt>&nbsp; &nbsp; ssh-server {</tt> ||  || ||  || Secure shell server
 
| <tt>&nbsp; &nbsp; ssh-server {</tt> ||  || ||  || Secure shell server
 
|-
 
|-
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; listen </tt> ''addr'' ||  || || any ||  
+
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; rdomain </tt> ''integer'' ||  || || 0 ||
 +
|-
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; listen </tt> ''addr'' ||  || || any ||  
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; port </tt> ''integer'' ||  || || 22 ||  
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; port </tt> ''integer'' ||  || || 22 ||  
Line 479: Line 571:
 
| <tt>&nbsp; &nbsp; http-server {</tt> ||  || ||  || Web (HTTPS) server
 
| <tt>&nbsp; &nbsp; http-server {</tt> ||  || ||  || Web (HTTPS) server
 
|-
 
|-
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; listen </tt> ''addr'' ||  || || any ||  
+
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; rdomain </tt> ''integer'' ||  || || 0 ||
 +
|-
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; listen </tt> ''addr'' ||  || || any ||  
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; port </tt> ''integer'' ||  || || 443 ||  
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; port </tt> ''integer'' ||  || || 443 ||  
Line 485: Line 579:
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; rsa-key</tt> { ''data'' ||  || ||  || The private RSA key
 
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; rsa-key</tt> { ''data'' ||  || ||  || The private RSA key
 
|-
 
|-
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; x509-cert</tt> { ''data'' ||  || ||  || The X.509 certificate
+
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; x509-certificate</tt> { ''data'' ||  || ||  || The X.509 certificate
 +
|-
 +
| <tt>&nbsp; &nbsp; lldp-server {</tt> ||  || ||  || [[LLDP]] server
 +
|-
 +
| <tt>&nbsp; &nbsp; &nbsp; &nbsp; receive </tt> ||  || ||  || Listen for other LLDP senders
 
|-
 
|-
 
| <tt>&nbsp; &nbsp; }</tt> ||  || ||  ||  
 
| <tt>&nbsp; &nbsp; }</tt> ||  || ||  ||  

Latest revision as of 15:27, 3 January 2019

This page mainly describes the syntax of the configuration. The functionality of the system is fully defined by its configuration file, and system modifications such as skeleton files if root access is enabled. Since root access is disabled by default, administrators can normally get a complete picture of the system by studying the configuration file. From the web administration, it can be viewed on the Configuration > Plain-text editor page. Using the CLI (for example over SSH) it is viewed with configure by typing

[email protected]> configure
[]
[email protected]# show
bgp {
...

How the file is used by the system

The configuration is stored in a revision-managed database. Every time a new configuration is saved, it is committed to the database. The current (running) configuration is obtained by checking out the latest configuration revision, called HEAD. Each revision is associated with a revision number, which is a simple, increasing integer counter. When a user commits a configuration, it is first applied (made effective on the system); only if the application succeeds is it saved as a new revision.

Whenever a new configuration is applied, it is transformed into event keys, which may have an ID and several values. These new keys are compared to the old (running configuration) keys, producing an event list. If a user commits a configuration which results in no events (no differences in keys), an exception (error) is given. One example of this would be a user adding the line media autoselect to an interface. Since autoselect is the default media type, no event would be generated by this configuration change (which is correct, since it does not represent a change in the system state). If a list of events was generated, it is delivered to the backend's routines responsible for updating the system state. Only the minimal change needed to bring the system into the newly requested state is performed.

Upon boot (system startup) the latest revision (HEAD) is checked out by the backend and compared to the old list of keys, which is of course empty. Thus, every change necessary to bring a freshly reset system into the state requested by the configuration is performed.

File format and syntax

The configuration has a hierarchical format, with one statement per line, and child/parent relationships indicated by curly brackets and tabs. For example, an IP address 2a01:2b0:3030:1337::1 on a network with prefix length 64 and a matching gateway, configured on a VLAN with tag 1 on a physical interface with device name em0, would be represented as

interface em0 {
    interface vlan1 {
        address 2a01:2b0:3030:1337::da7a/64
        route default 2a01:2b0:3030:1337::1
    }
}

Configuration grammar

The table below specifies the entire configuration grammar, and what it does.

Grammar Category Multiple  Default Comment
interface name { Generic Yes The options in this scope are shared, and apply to most interface types
    group "string" Yes Add the interface to a group (good way to name interfaces)
    description "string" Only visual free-text description of the interface
    address cidr Yes Add an address with netmask using CIDR notation (both IPv4 and IPv6)
    priority integer Yes Set the interface route priority
    mtu integer Set the interface's MTU
    ll-address lladdr Set the interface's link layer (MAC) address
    proxy-arp cidr Yes   Add proxy-arp for a host or CIDR (inclusive).
    ll-client Configure a link-local IPv4 address
    router-advertisement { Routing Enable IPv6 router advertisement on this interface
        name-server addr Yes System's DNS Use the specified name server instead of the system's name servers
        search-domain fqdn System's domain Use the specified search domain instead of the system's search domain
    }
    router-solicitation Configures an IPv6 route, and possibly address, automatically
    route cidr addr { Yes Add a static route to cidr via gateway address (both IPv4 and IPv6)
        label "string" Set a label on the route
        priority number Set the route priority
    }
    rdomain integer 0 Place the interface in one of the routing domains
    mpls Enable MPLS label processing on the interface
    metric integer 0 Set the metric to integer hops, used by some routing protocols
    interface vlanid { 802.1q Yes Create a VLAN interface on the parent interface with tag id
        shared options Yes Most shared options such as address and group
        tag integer vlan's id Set the interface's VLAN tag
    }
    interface svlanid { 802.1ad Yes Create a QinQ/provider bridge VLAN interface on the parent interface with tag id
        shared options Yes Most shared options such as interface vlanX
        tag integer svlan's id Set the interface's VLAN tag
    }
    interface carpid { Failover Yes Create a failover (redundant address) on the parent interface
        shared options Yes Most shared options such as address and group
        vhid integer 1 Set the virtual (redundant) IP's ID
        advbase integer 1 Set the announce interval in seconds
        advskew integer 0 Skew the announce interval
        password "string" Empty Set the authentication key for CARP advertisements; with the default empty key the advertisements are not meaningfully authenticated, so any host on the same segment can inject them
    }
    interface pfsyncid { Yes Create a firewall state synchronization interface on the parent interface
        shared options Yes Many shared options such as description and group
        sync-peer ipv4addr If specified, synchronize with this peer instead of multicasting
    }
    interface pppoeid { Yes Create a PPPoE interface on the parent interface
        shared options Yes Many shared options such as description and group
        user username Set the PPPoE username
        password password Set the PPPoE password
    }
    dhcp-client { DHCP Configure the parent interface's address automatically using DHCP
        timeout integer 60 DHCP client timeout in seconds
        retry integer 300 DHCP client total retry timeout in seconds
        request "string" Yes Everything Objects to request, such as "router" or "name-server"
    }
    dhcp-server { Announce the parent interface's network configuration using DHCP
        router addr Parent's address Use the specified address instead of the interface's first address
        range addr addr Calculated Use the specified address range instead of the automatically calculated
        name-server addr Yes System's DNS Use the specified name server instead of the system's name servers
        search-domain fqdn System's domain Use the specified search domain instead of the system's search domain
        lease-time integer 43200 Set the lease time, in seconds
        max-lease-time integer 86400 Set the maximum lease time a client may request, in seconds
        option integer hex Yes Set options (eg. option 43 0x..)
        host "string" { Yes Create a reserved DHCP lease (BOOTP host)
            ll-address lladdr The reserved host's link layer (MAC) address
            address ipv4addr The reserved host's IPv4 address
        }
    }
    dhcp-relay { Relay DHCP on the parent interface
        server addr Yes Add a server to the list of servers to forward requests to
        option integer Yes Set options (eg. option 82)
    }
    dhcp6-client DHCPv6 Configure the parent interface's IPv6 address automatically using DHCPv6
    dhcp6-delegate { Configure the parent interface's IPv6 address using DHCPv6 PD (prefix delegation)
        address addr ::1:0:0:0:1/64 The address to prepend after the delegated prefix (SLA ID)
        interface interface any Specify a specific dhcp6-client by parent interface
    }
    dhcp6-server { Announce using DHCPv6, affects router-advertisement flags
        range addr addr Use stateful (managed) DHCPv6, affects router-advertisement flags
        name-server addr Yes System's DNS Use the specified name server instead of the system's name servers
        search-domain fqdn System's domain Use the specified search domain instead of the system's search domain
        lease-time integer 3600 Set the lease time, in seconds
    }
    firewall { Generic Yes Add firewall rules (pf) directly to the interface as a conditional anchor
        firewall rules Yes Firewall rules such as pass and block
    }
    ftp-proxy Add a ftp-proxy for local clients (active FTP)
    pptp-proxy Add a pptp-proxy for local clients (multiple clients behind NAT)
    sip-proxy Add a sip-proxy for local clients (multiple phones behind NAT)
}
interface device { Physical Yes Interface options for physical interfaces
    shared options Yes Most shared options such as address and group
    media media autoselect Set the device's media type, such as "10baseT"
    mediaopt mediaopt Set the device's media options, such as "full-duplex" or "hostap" for 802.11
    mode mode autoselect Set the device's mode, such as "11g" for 802.11 wireless interfaces
    ssid "string" Set the device's IEEE 802.11 ESSID
    wpa-psk "string" Set the device's IEEE 802.11 WPA2 pre-shared key
    channel "integer" Set the device's IEEE 802.11 channel
    lldp Announce LLDP
}
}
interface bridgeid { Bridge Yes Create a bridge interface
    shared options Yes Most shared options such as address and group
    member interface { Yes Add an interface as a member of the bridge by specifying its name
        stp no Specify to enable STP on the member interface
        edge yes or no auto Specify to manually set the edge status
        ptp yes or no auto Specify to manually set the PTP status
    }
    link2 Specify to enable Link2
    protocol rstp or stp rstp STP protocol
    max-addresses integer 100 Specify the bridge's address cache size
}
interface vetherid { Bridge Yes Virtual Ethernet interface, specifically for use as bridge member
    shared options Yes Most shared options such as address and group
}
interface trunkid { Trunk Yes Create a trunk (link aggregation) interface
    shared options Yes Most shared options such as address and group
    member interface Yes Adds an interface to the link aggregate
    protocol trunkproto roundrobin Selects a trunk method such as lacp, failover, loadbalance or broadcast
    mode passive active Use passive LACP mode
    timeout fast slow Use fast LACP timeout
}
interface mpeid { Routing Yes Create an MPLS provider edge interface
    shared options Yes Many shared options such as firewall and group
    label integer 0 Sets the MPLS SHIM label
}
interface mpwid { Tunnel Yes Create an MPLS pseudowire layer 2 tunnel
    shared options Yes Many shared options such as firewall and group
    label integer integer The local and remote labels
    peer addr The destination neighbour address
    encapsulation type ethernet Either ethernet or ethernet-tagged
    control-word yes or no no Use of control word or not
}
interface pflogid { Generic Yes Create an additional firewall log interface
    shared options Yes Many shared options such as group
}
interface pflowid { Yes Create a NetFlow or IPFIX sender
    shared options Yes Many shared options such as mtu and group
    sender addr Which address to use when sending NetFlow data
    server addr Which server to send NetFlow data to
    port integer 2055 NetFlow port
    protocol integer 5 NetFlow export version: 5 (NetFlow v5) or 10 (IPFIX)
}
interface tunnelname { Tunnel Yes The tunnel options below are shared and apply to all tunnel types
    address cidr addr Specifies the local and remote interface addresses
    tunnel addr addr Specifies the local and remote tunnel endpoint addresses
    tdomain integer 0 Place the tunnel addresses in one of the routing domains
}
interface etheripid { Tunnel Yes Create an EtherIP tunnel interface
    tunnel options Yes The shared tunnel options (address, tunnel and tdomain) listed above
    shared options Yes Many shared options such as firewall and group
}
interface gifid { Tunnel Yes Create a generic tunnel interface
    tunnel options Yes The tunnel options tunnel and domain
    shared options Yes Many shared options such as firewall and group
}
interface vxlanid { Tunnel Yes Create a VXLAN tunnel
    tunnel options Yes The tunnel options tunnel and domain
    shared options Yes Many shared options such as firewall and group
    vnet-id any Multipoint-to-multipoint
    vnet-id integer VXLAN network identifier
    tunnel-ttl integer Set the IP or multicast TTL of the tunnel packets.
}
interface mobileipid { Tunnel Yes Create a Mobile IP (RFC 2004) tunnel interface
    tunnel options Yes The tunnel options tunnel and domain
    shared options Yes Many shared options such as firewall and group
}
interface greid { Tunnel Yes Create a GRE tunnel interface
    tunnel options Yes The tunnel options tunnel and domain
    shared options Yes Many shared options such as firewall and group
}
interface encid { Yes Create an additional encapsulation interface (enc0 always exists)
    shared options Yes Many shared options such as firewall and group
}
interface pairid { Yes Create a virtual Ethernet pair interface
    member pairid The other pair interface to patch
    shared options Yes Many shared options such as firewall and group
}
interface loid { Yes Create an additional loopback interface (lo0 always exists)
    shared options Yes Many shared options such as firewall and group
}
ipsec { IPsec and IKE configuration, including macros
    flow ... Yes Manual ipsecctl flow policy, requesting encryption based on its conditions
    esp ... Yes Manual ipsecctl SA of the specified type
    ike ... Yes Automatic ipsecctl IKE policy for isakmpd
}
ike { config IKEv2 configuration for iked
vpn-server { L2TP and PPTP server for roaming clients
    l2tp { Enable the L2TP server
        secret "string" The IKE shared secret
    }
    pptp Enable the PPTP server
    pool cidr 192.0.2.0/24 Override the default address pool
    listen addr any Explicitly bind an IP address
    interface interface wan Allow clients to connect from somewhere other than the WAN
    name-server "string" Yes System's name-server Override the default name servers to be distributed
    search-domain fqdn System's domain Use the specified search domain instead of the system's search domain
    route "cidr" Yes Send classless static routes to client
    option integer hex Yes Send DHCP option to client
    authentication "string" { Yes An authentication group (for firewall filtering) with users in it
        radius default Enable RADIUS support for this group, default is optional
        name-server "string" Yes Server's name-server Override the default name servers to be distributed
        search-domain fqdn Server's domain Use the specified search domain instead of the server's search domain
        route "cidr" Yes Send classless static routes to client
        option integer hex Yes Send DHCP option to client
        user "string" { Yes Remote access users
            password "string" The password ($b$base64-encoded)
            full-name "string" The user's full name
        }
    }
    radius { Enable external RADIUS authentication
        server addr Yes Address of RADIUS servers
        secret "string" Shared secret
        accounting Enable accounting
    }
}
firewall { Generic Add firewall rules (pf)
    pass ... Yes Allow packets matching the conditions
    block ... Yes Block packets matching the conditions
    match ... Yes Modify packets matching the conditions without changing their pass/block state
}
bgp rdomain { Routing BGPv4 configuration for bgpd; the routing domain can be omitted
    AS integer Set the local autonomous system number
    network cidr Yes Announce the specified network as belonging to our AS
    rdomain integer { Yes Setup and distribution of Virtual Private Networks
    }
    neighbor addr { Yes Establishes TCP connections to other BGP speakers
    }
}
ospf { config OSPFv2 configuration for ospfd
ospf6 { config OSPFv3 configuration for ospf6d
eigrp { config EIGRP configuration for eigrpd
ldp { config MPLS LDP configuration for ldpd
load-balancer { config Load balancing configuration for relayd
cluster { Cluster configuration
    peer address { Cluster peer
    }
}
system { Collection of settings having to do with the appliance's system
    host-name fqdn The system's host name
    keyboard-layout layout us The system's keyboard layout (video console)
    time-zone timezone The system's time zone
    dns {
        name-server addr Yes DNS server to be used by the system, and distributed to clients
        search-domain fqdn The system's search domain
    }
    authentication { Collection of system users
        root-password "string" The root access password's Blowfish crypt
        user "string" { Yes System users
            password "string" The password's Blowfish crypt
            full-name "string" The user's full name
            class "string" The user's login class
        }
    }
    ntp { Network time
        rdomain integer 0
        server addr or fqdn Yes NTP server to sync with
    }
    syslog { Remote logging
        rdomain integer 0
        server addr or fqdn Yes Syslog server to send logs to
    }
    snmp-server { SNMP server
        read-only community string public
        system location string
        ... Other options for snmpd
    }
    ssh-server { Secure shell server
        rdomain integer 0
        listen addr any
        port integer 22
        ecdsa-key { data The private elliptic-curve key
        dsa-key { data The private DSA key
        rsa-key { data The private RSA key
    }
    http-server { Web (HTTPS) server
        rdomain integer 0
        listen addr any
        port integer 443
        rsa-key { data The private RSA key
        x509-certificate { data The X.509 certificate
    lldp-server { LLDP server
        receive Listen for other LLDP senders
    }
}