From a557f4a9c5dfae272660e58500386be65274adeb Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 13 Oct 2008 20:42:52 +0200 Subject: doc: update INSTALL file This patch updates the INSTALL file. Now it only describes the compilation and installation of the conntrack-tools. For further information, we refer to the user manual that is available under doc/manual. Signed-off-by: Pablo Neira Ayuso --- INSTALL | 159 +++++----------------------------------------------------------- 1 file changed, 11 insertions(+), 148 deletions(-) (limited to 'INSTALL') diff --git a/INSTALL b/INSTALL index cfb642e..836ac5e 100644 --- a/INSTALL +++ b/INSTALL @@ -1,4 +1,4 @@ -Copyright (C) 2005-2007 Pablo Neira Ayuso +Copyright (C) 2005-2008 Pablo Neira Ayuso 0.Introduction ============== @@ -12,6 +12,8 @@ Copyright (C) 2005-2007 Pablo Neira Ayuso deploy highly available GNU/Linux firewalls and collect statistics of the firewall use. + Although their names are similar, they are used for different tasks. + 1. Requirements =============== @@ -24,6 +26,7 @@ Copyright (C) 2005-2007 Pablo Neira Ayuso - connection tracking system CONFIG_NF_CONNTRACK=m CONFIG_NF_CONNTRACK_IPV4=m + CONFIG_NF_CONNTRACK_IPV6=m (if you need IPv6 support) - nfnetlink CONFIG_NETFILTER_NETLINK=m @@ -46,12 +49,12 @@ Copyright (C) 2005-2007 Pablo Neira Ayuso -2.Basic Installation -==================== +2.Compilation and Installation +============================== To compile and install conntrack-tools just follow the classical steps: - $ ./configure + $ ./configure --prefix=/usr $ make # make install 
@@ -67,149 +70,9 @@ Copyright (C) 2005-2007 Pablo Neira Ayuso Check `ldd' for trouble-shooting, read for more information on how libraries work. -3.Setting up conntrackd +3.How-to use and set up ======================= - conntrackd currently have two working modes: statistics and synchronization - modes, both details here below. - -3.1. Synchronization Mode -========================= - - Conntrackd can replicate the status of the connections that are currently - being processed by your stateful firewall based on Linux. This section - describes how to setup the daemon in synchronization mode: - - - o Keepalived version 1.x (http://www.keepalived.org) - check if your distribution comes with a recent version - -3.1.2. Configuration - - 1) Setting up keepalived - - There is an example file available inside the conntrackd tarball: - - For node 1: conntrackd-x.x.x/examples/sync/_type_/node1/keepalived.conf - For node 2: conntrackd-x.x.x/examples/sync/_type_/node2/keepalived.conf - - These files can be used to set up a simple VRRP cluster composed of - two machines that hold the virtual IPs 192.168.0.100 on eth0 and - 192.168.1.100 on eth1. - - If you are not familiar with keepalived, please read the official - docs available at http://www.keepalived.org - - Please, make sure that keepalived is correctly working before passing - to step 2) - - 2) Setting up conntrackd - - To setup 'conntrackd' in synchronization mode, you have to put the - configuration file in the directory /etc/conntrackd. - - On node 1: - # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf - - On node 2: - # cp examples/sync/_type_/node1/conntrackd.conf /etc/conntrackd.conf - - Where _type_ is the synchronization type selected, currently there are - two: the alarm mode and the FTFW mode. The alarm mode consumes - more resources than the FTFW mode but resolves synchronization issues - better. On the other the FTFW mode reduces resource consumption. 
I'll - provide more information on both approaches soon. - - Do not forget to edit the files in order to adapt them to the - setting that you are deploying. - - Note: If you don't want to put the config file under /etc/conntrackd, - just tell conntrackd where to find it passing the option -C - - 3) Running conntrackd - - Conntrackd can run in console mode, in that case just type 'conntrackd', - otherwise, if you want to run it in daemon mode the type 'conntrackd -d'. - - 4) Checking that conntrackd is working fine - - Conntrackd comes with several facilities to check its status: - - - Dump the cache of connections that are currently being processed by - this node (aka. internal cache): - - # conntrackd -i - - - Dump the cache of connections that has been transfered from - others active nodes in the network (aka. external cache) - - # conntrackd -e - - - Dump statistics collected by the replication daemon: - - # conntrackd -s - - 5) Setting up interaction with keepalived - - If keepalived detects the failure of the active node, then it designates - a candidate node that will replace the failing active. On such event, - the external cache, eg. the cache that contains the connections processed - by other nodes, must be commited. To commit the external cache, just type: - - # conntrackd -c - - See that keepalived provides a shell script interface to interact with - other programs, so we can automate the process of commiting the external - cache by introducing the following line in the keepalived file: - - notify_master /etc/conntrackd/script_master.sh - - The script 'script_master.sh' just the following: - - #!/bin/sh - /usr/sbin/conntrackd -c - - Therefore, on failure event, the candidate node takes over the virtual - IPs and the connections that the failing active was processing. Observe - that this file differs for the FTFW mode. 
- - 6) Disable TCP window tracking - - Until the appropiate patches don't go into kernel mainline, you will have - to disable TCP window tracking, consider this as a temporary solution: - - # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal - -3.2. Statistics mode -==================== - - Conntrackd can also run as statistics daemon, if you are not interested in - this mode, just skip it. It is not required in order to get the - synchronization mode working. This section details how to setup the daemon - in statistics mode: - -3.2.1. Requirements - - No extra requirements to set up the statistics mode apart from those detailed - in section 1. - -3.2.2. Configuration - - Setting up conntrackd in statistics mode is rather easy. Just copy the - configuration file - - # cp examples/stats/conntrackd.conf /etc/conntrackd.conf - -3.2.3. Running conntrackd in statistics mode - - To run conntrackd in statistics mode: - - # conntrackd -S - - Alternatively, you can run conntrackd in daemon mode: - - # conntrackd -S -d - - In order to dump the statistics, just type: - - # conntrackd -s + Please, refer to the user manual for further information on how to use and + set up the conntrack-tools. This user manual is is available in the + documentation directory included in this tarball. -- cgit v1.2.3
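Review bot: the new configure line in section 2, `$ ./configure --prefix=/usr`, makes `make install` write into /usr, the tree owned by the distribution's package manager, instead of autoconf's default /usr/local, so it can overwrite a packaged conntrackd; if the prefix is there to match the `/usr/sbin/conntrackd` path used by the removed keepalived `script_master.sh` example, say so in the text and note that `--prefix` may be omitted to keep the default.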
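Review bot: the replacement paragraph in section 3 has a doubled word, "This user manual is is available", and the heading "3.How-to use and set up" should read "3. How to use and set up" to match "2.Compilation and Installation" in spacing and to drop the hyphen. More importantly, this hunk removes the only mention of step 6, "echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal", which the old text itself describes as disabling TCP window tracking as a temporary workaround; since that setting relaxes TCP state checking for every connection the firewall tracks, please confirm that doc/manual documents the setting and its impact before INSTALL stops mentioning it, or keep a one-line pointer here.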