firewall -------- .. osdx:cfgcmd:: service firewall .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Firewall IDS and IPS client configuration Only these characters are allowed to be used for setting the client name: alphanumeric characters: a-z A-Z 0-9 special characters: - ( ) , . : _ Notice that also maximum length is limited up to 128 characters. You can define either one client or multiple clients each one having its own configuration and using the defined NFQ queues. Once completed, each client will have its own daemon and you can monitor its status in the operational CLI. :instances: Multiple :ref Required: :ref Required: .. osdx:cfgcmd:: service firewall action-order .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Order in which actions have to be processed Comma-separated list containing the following actions in order of preference .. osdx:cfgcmd:: service firewall algorithm .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Multi pattern algorithm you want to run for scan/search the engine The mpm you choose also decides the distribution of mpm contexts for signature groups. Selecting "ac" requires a single mpm context while the rest of the mpms can run in "full" mode. :arg ac: Aho-Corasick, default implementation :arg ac-bs: Aho-Corasick, reduced memory implementation :arg ac-ks: Aho-Corasick, "Ken Steele" variant :arg auto: Determines the best available algorithm to use :arg hs: Hyperscan, only available at x86_64 processors with SSSE3 support .. osdx:cfgcmd:: service firewall detect-thread-ratio .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Detect threads ratio available per CPU core By default, the firewall creates one "detect" thread per available CPU/CPU core. This setting allows controlling this behaviour. A ratio setting of "2" will create 2 detect threads for each CPU/CPU core. So for a dual core CPU this will result in 4 detect threads. If values below 1 are used, less threads are created. Following the example above, a ratio of 0.5 will result in 1 detect thread being created. Regardless of this setting, a minimum 1 detect thread will always be created :arg float: Detection threads ratio - this value is multiplied by the amount of CPU/CPU cores. (0-65535) .. osdx:cfgcmd:: service firewall flow .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Flow configuration for firewall stream engine Flows are very important - they play a big part in the way the firewall organizes data internally. A flow is a bit similar to a conntrack entry, except that a flow is more general: all packets having the same tuple (source, destination, source port and destination port) belong to the same flow. .. osdx:cfgcmd:: service firewall flow hash-size .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Size of the hash-table used for organizing flows .. osdx:cfgcmd:: service firewall flow max-memory .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Max memory usage (in bytes) for storing flow information Keeping track of all flows that are taking place uses memory. In particular, the more flows the more memory it will cost. At the point in which this value is reached, despite the value of "prealloc", the flow engine goes into "emergency-mode" and sets shorter timeouts so flows expire earlier (and there is more space for new flows). Defaults to 128MB. .. osdx:cfgcmd:: service firewall flow prealloc .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Number of pre-allocated flows created when starting the firewall For packets not yet belonging to a flow, the firewall creates one. This operation is a really expensive action and comes with a risk: attackers can compromise the engine system at this part by flooding it if sending lots of packets with different tuples. In such situation, the engine has to create plenty of flows and can easily become overloaded. This setting though instructs the firewall to keep a number of flows ready in memory so it is less vulnerable to this attacks. Defaults to 10000 pre-allocated flows. .. osdx:cfgcmd:: service firewall hashset .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Set of hashes to be used by the firewall when registering traffic .. osdx:cfgcmd:: service firewall hashset file .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg file: File from which different hashes will be loaded All hashes included in the hashset must be calculated with the same hash function (md5, sha1 or sha256) :instances: Multiple .. osdx:cfgcmd:: service firewall logging .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Firewall engine logging options The engine logging system logs information about the application such as errors and other diagnostic information during startup, runtime and shutdown of the firewall engine. Notice that this does not include firewall generated alerts and events. .. osdx:cfgcmd:: service firewall logging filter .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 RegEx expression for filtering logging output With the output filter you can set which part of the event-logs should be displayed. This way, a line will be shown only if the RegEx matches :arg txt: POSIX extended regular expression .. osdx:cfgcmd:: service firewall logging level .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Firewall engine log level Determines the severity/importance level of information that will be displayed. Messages of lower levels than the set here will not be shown. Notice that the debug level logging may not be available .. osdx:cfgcmd:: service firewall logging outputs .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Output types used when logging There are several types of output in the firewall: engine statistics, packet counters, etc. Be careful on which log outputs you enable as enabling all of the logs will result in a much lower performance and the use of more disc space :arg eve: JSON output for alerts and events :arg fast: Alerts consisting only on a single line :arg http: Keep tracking of all HTTP requests :arg pcap: Save all packages registered by the firewall :arg verbose: Supplementary information about an alert :arg tls: Line-based log of TLS handshake parameters .. osdx:cfgcmd:: service firewall logging outputs eve .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 JSON output for alerts and events The EVE (Extensible Event Format) is an standard JSON output widely used which allows easy integration with 3rd party tools. .. osdx:cfgcmd:: service firewall logging outputs eve filetype .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 EVE output filetype destination :arg regular: Output to a JSON file :arg redis: Output to a Redis server :arg syslog: Output to the system log .. osdx:cfgcmd:: service firewall logging outputs eve redis .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Redis settings for EVE logging :ref Required: .. osdx:cfgcmd:: service firewall logging outputs eve redis async .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg bool: Read Redis replies asynchronously .. osdx:cfgcmd:: service firewall logging outputs eve redis key .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Key or channel to use .. osdx:cfgcmd:: service firewall logging outputs eve redis mode .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Mode in which events are sent to Redis :arg list: Alias for lpush :arg channel: Alias for publish :arg lpush: Insert at the beginning of the queue (head) :arg rpush: Insert at the end of the queue (tail) :arg publish: Publish events in specified channel .. osdx:cfgcmd:: service firewall logging outputs eve redis port .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Port in which Redis server is listening to :arg u32: Numeric IP port (1-32767) :arg u32: Numeric IP port (60000-65535) .. osdx:cfgcmd:: service firewall logging outputs eve redis server .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Remote address in which Redis server is available :arg ipv4: IPv4 address of the Redis server :arg ipv6: IPv6 address of the Redis server :arg fqdn: Hostname of the Redis server .. osdx:cfgcmd:: service firewall logging outputs eve syslog .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Syslog settings for EVE logging :ref Required: .. osdx:cfgcmd:: service firewall logging outputs eve syslog identity .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Identifier when generating syslog messages Defining an identifier allows later filtering of syslog messages so they can be, for example, send to a remote server based on this identity. :arg id: Identifier when generating syslog messages .. osdx:cfgcmd:: service firewall logging outputs eve syslog level .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Severity level used when generating syslog messages The severity level allows you to define an output level for the generated events. Later on, adjusting "system console log-level" lets you delimit which messages are shown in the system journal. :arg emergency: A panic condition, meaning that the system is unusable :arg alert: A risky situation that implies that an action must be taken immediately :arg critical: A critical condition that has happened because of this event :arg error: Error conditions :arg warning: Warning conditions :arg notice: Normal but significant conditions that may require special handling :arg info: Informational messages that indicate that everything is worked as expected :arg debug: Debug messages normally used for debugging an application .. osdx:cfgcmd:: service firewall logging outputs eve types .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Event types settings for EVE logging .. osdx:cfgcmd:: service firewall logging outputs eve types files .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 File info module settings for EVE logging .. osdx:cfgcmd:: service firewall logging outputs eve types files force-hash .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Logging of checksums from detected files :arg md5: Log md5 hash from detected files :arg sha1: Log sha1 hash from detected files :arg sha256: Log sha256 hash from detected files :instances: Multiple .. osdx:cfgcmd:: service firewall logging outputs fast .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Alerts consisting only on a single line .. osdx:cfgcmd:: service firewall logging outputs http .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Keep tracking of all HTTP requests .. osdx:cfgcmd:: service firewall logging outputs pcap .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Save all packages registered by the firewall .. osdx:cfgcmd:: service firewall logging outputs syslog .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Fast-like logging messages written to syslog :ref Required: .. osdx:cfgcmd:: service firewall logging outputs syslog identity .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Identifier when generating syslog messages Defining an identifier allows later filtering of syslog messages so they can be, for example, send to a remote server based on this identity. :arg id: Identifier when generating syslog messages .. osdx:cfgcmd:: service firewall logging outputs syslog level .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Severity level used when generating syslog messages The severity level allows you to define an output level for the generated events. Later on, adjusting "system console log-level" lets you delimit which messages are shown in the system journal. :arg emergency: A panic condition, meaning that the system is unusable :arg alert: A risky situation that implies that an action must be taken immediately :arg critical: A critical condition that has happened because of this event :arg error: Error conditions :arg warning: Warning conditions :arg notice: Normal but significant conditions that may require special handling :arg info: Informational messages that indicate that everything is worked as expected :arg debug: Debug messages normally used for debugging an application .. osdx:cfgcmd:: service firewall logging outputs tls .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Line-based log of TLS handshake parameters .. osdx:cfgcmd:: service firewall logging outputs verbose .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Supplementary information about an alert .. osdx:cfgcmd:: service firewall logging rotation .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Firewall logging rotation options .. osdx:cfgcmd:: service firewall logging rotation amount .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Amount of old log files to keep Log files are rotated 'N' times before being removed. If count is 0 then old versions are removed rather than rotated. .. osdx:cfgcmd:: service firewall logging rotation compress .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Enable compression of old log files using gzip .. osdx:cfgcmd:: service firewall logging rotation periodic .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Periodic rotation for firewall logging files :arg hourly: Hourly rotation of log files :arg daily: Daily rotation of log files :arg weekly: Weekly rotation of log files :arg monthly: Monthly rotation of log files :arg yearly: Yearly rotation of log files .. osdx:cfgcmd:: service firewall logging rotation size .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Size based rotation of log files Log files are rotated only if they grow bigger than "size" bytes. If size is followed by a 'k' then is assumed to be kilobytes. If 'M' is used, size is in megabytes and if 'G' is used, the size is in gigabytes. So "size 100", "size 100k", "size 100M" and "size 100G" are all valid. In addition, this option can be mixed with the periodic one, meaning that a log file usually is rotated when the specified interval has passed unless the file grows bigger than the given size. .. osdx:cfgcmd:: service firewall max-pending-packets .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Number of packets preallocated per thread With this setting you can set the number of packets you allow the firewall to process simultaneously. This can range from one packet to tens of thousands of thousands of packets. It is a trade of higer performance and higher memory usage or lower performance and lower memory usage (in terms of RAM). Choosing a low number of packets being processed while having many CPUs can result in not making use of the whole router capacity .. osdx:cfgcmd:: service firewall mode .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Firewall running mode :instances: Unique .. osdx:cfgcmd:: service firewall mode inline .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Run the firewall in inline mode From the two modes available, this one is the widely used one. Inline mode puts the firewall in between communications and checks traffic based on given rules, dropping it if necessary or allowing the packets .. osdx:cfgcmd:: service firewall mode inline queue .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Queue(s) used by the firewall when registering traffic Using NFQUEUE in nftables rules will send packets to the firewall. You can define at traffic policies how much queues will be created and how do they behave. Having multiple queues is known as a load-balanced setup from which the firewall can obtain packets. :ref Reference: traffic queue * .. osdx:cfgcmd:: service firewall mode monitor .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Run the firewall in monitor mode Monitor mode runs the firewall as if it was a sniffer: looking at every packet received on the given interface(s) and generating alerts based on the given rulesets. Nevertheless, this mode does nothing with packets and they are always accepted. Notice that monitor mode may use more system resources. .. osdx:cfgcmd:: service firewall mode monitor interfaces .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg ifc: Interfaces to monitor You can configure the firewall to listen on mutiple interfaces, depending on your needs. Take into account that more interfaces is more traffic so more system resources are needed. :instances: List of values .. osdx:cfgcmd:: service firewall ruleset .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Set of rules to be used by the firewall when registering traffic .. osdx:cfgcmd:: service firewall ruleset compressed .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg file: Compressed file containing :instances: Multiple .. osdx:cfgcmd:: service firewall ruleset compressed digest .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: If the ruleset is encrypted, digest used during key derivation .. osdx:cfgcmd:: service firewall ruleset compressed encrypted-password .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg password: If the file is encrypted, the encrypted password used for decrypting it .. osdx:cfgcmd:: service firewall ruleset compressed file .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg txt: File(s) inside the compressed ruleset to use - if not defined, every present file will be used :instances: Multiple .. osdx:cfgcmd:: service firewall ruleset compressed iterations .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: If the ruleset is encrypted and the key derived with PBKDF2, the iterations used during derivation (usually, 10000) .. osdx:cfgcmd:: service firewall ruleset compressed key-length .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 If the ruleset is encrypted, the key length used during key derivation :arg u32: "File was encrypted using AES-128" (128) :arg u32: "File was encrypted using AES-192" (192) :arg u32: "File was encrypted using AES-256" (256) .. osdx:cfgcmd:: service firewall ruleset compressed password .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg txt: If the ruleset is encrypted, the password used for decrypting it Due to intellectual property, one can opt-in for encrypting their ruleset. Currently, OSDx supports having the ruleset encrypted with AES-CBC 128/192/256 with multiple digest algorithms. .. osdx:cfgcmd:: service firewall ruleset file .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg file: File from which different rules will be loaded :instances: Multiple .. osdx:cfgcmd:: service firewall ruleset file digest .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: If the file is encrypted, digest used during key derivation .. osdx:cfgcmd:: service firewall ruleset file encrypted-password .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg password: If the file is encrypted, the encrypted password used for decrypting it .. osdx:cfgcmd:: service firewall ruleset file iterations .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: If the file is encrypted and the key derived with PBKDF2, the iterations used during derivation (usually, 10000) .. osdx:cfgcmd:: service firewall ruleset file key-length .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 If the file is encrypted, the key length used during key derivation :arg u32: "File was encrypted using AES-128" (128) :arg u32: "File was encrypted using AES-192" (192) :arg u32: "File was encrypted using AES-256" (256) .. osdx:cfgcmd:: service firewall ruleset file password .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg txt: If the file is encrypted, the password used for decrypting it Due to intellectual property, one can opt-in for encrypting their files. Currently, OSDx supports having the files encrypted with AES-CBC 128/192/256 with multiple digest algorithms. .. osdx:cfgcmd:: service firewall ruleset patch .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg file: Patch file applied to an existing ruleset Patch file are files that are generated with the "diff" tool and contains the minimum amount of bytes for upgrading from one version of a file to the next one. In this situation, patches are using for changing some rules in a ruleset without needing to download the entire ruleset again. Notice that the filenames (ruleset and patch) must be equals: - Ruleset: ddos-drop.rules - Patch: ddos-drop.patch :instances: Multiple .. osdx:cfgcmd:: service firewall ruleset patch digest .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: If the patch is encrypted, digest used during key derivation .. osdx:cfgcmd:: service firewall ruleset patch encrypted-password .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg password: If the file is encrypted, the encrypted password used for decrypting it .. osdx:cfgcmd:: service firewall ruleset patch file .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg txt: File(s) inside the compressed patchset to use - if not defined, every present file will be used :instances: Multiple .. osdx:cfgcmd:: service firewall ruleset patch iterations .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: If the patch is encrypted and the key derived with PBKDF2, the iterations used during derivation (usually, 10000) .. osdx:cfgcmd:: service firewall ruleset patch key-length .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 If the patch is encrypted, the key length used during key derivation :arg u32: "File was encrypted using AES-128" (128) :arg u32: "File was encrypted using AES-192" (192) :arg u32: "File was encrypted using AES-256" (256) .. osdx:cfgcmd:: service firewall ruleset patch password .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg txt: If the patch is encrypted, the password used for decrypting it Due to intellectual property, one can opt-in for encrypting their patchset. Currently, OSDx supports having the patchset encrypted with AES-CBC 128/192/256 with multiple digest algorithms. .. osdx:cfgcmd:: service firewall runmode .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Runmode the engine should use. Firewall consists on several building blocks running all together. The way such building blocks are arranged together is called "runmode", and there are several predefined: single, workers and autofp. - workers: generally, gives the best performance. Packets are properly balanced over firewall processing units. - autofp: usually used when processing PCAP files or certain IPS setups, like NFQ. There are more capture units and the packet is served to the processing untis. Choosing each runmode will directly affect the performance of the firewall, so it is recommended to tweak this setting under your needs. .. osdx:cfgcmd:: service firewall stats .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Engine statistics such as packet counters, memory use counters and more .. osdx:cfgcmd:: service firewall stats interval .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Interval in seconds in which statistics are dumped Setting this value below 3 or 4 seconds is not useful due to how the processing units are synchronized internally .. osdx:cfgcmd:: service firewall stream .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Stream engine configuration for TCP connections The stream engine keeps track of TCP connections. The engine consists on two parts: the stream tracking and the reassembly engine. The stream tracking engine monitors the state of a connection. The reassembly engine reconstructs the flow as it used to be, so it will be recognized by the firewall. .. osdx:cfgcmd:: service firewall stream async-oneside .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Async stream handling Some networks make it more complicated to see all packets of a connection: network-traffic follows a different route than the other part, which means that traffic goes asynchronous. Enable this option to make sure that the firewall will check the one part it does see, instead of "getting confused" .. osdx:cfgcmd:: service firewall stream bypass .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Bypasses a flow/session when either side reaches its depth bypass can lead to missing important traffic. Use with care .. osdx:cfgcmd:: service firewall stream bypass action .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Actions to apply to the packet and/or flow when a verdict takes place There are two possible verdicts for a packet/flow that is analyzed by the firewall: - Accept - Drop Such verdict initially accepts only the packet itself but it is also possible to change the entire flow control associated with such packet. In example, if a packet can be bypassed the flow can also be bypassed. Either way, if a packet must be dropped the entire flow shall be dropped also. This helps preventing packets reaching the firewall and taking either the "fast-path" (bypass) or being dropped as soon as possible (when they are received by the kernel). .. osdx:cfgcmd:: service firewall stream bypass action accept .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Actions to apply to the packet and/or flow when they are accepted If a packet/flow is accepted and can be bypassed (either because of rules or because the maximum depth was reached), the actions that are set will be executed. .. osdx:cfgcmd:: service firewall stream bypass action accept set .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Attributes to set to a packet/flow whenever it is accepted .. osdx:cfgcmd:: service firewall stream bypass action accept set conntrack .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Attributes to set to the flow associated with the analyzed packet Set some specific attributes to the conntrack associated with the analyzed packet when such packet is accepted. .. osdx:cfgcmd:: service firewall stream bypass action accept set conntrack offload-flag .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Set the offload flag to the flow associated with the accepted packet Enabling this option will change the status of the conntrack flow associated with the accepted packet, marking it as possibly bypassed. You can run "show system conntrack" and should see "(Sc: bypass)" within the marked flow. .. osdx:cfgcmd:: service firewall stream bypass action drop .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Actions to apply to the packet and/or flow when they are dropped If a packet/flow is dropped, the actions that are set will be executed. .. osdx:cfgcmd:: service firewall stream bypass action drop set .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Attributes to set to a packet/flow whenever it is dropped .. osdx:cfgcmd:: service firewall stream bypass action drop set xdp-early-drop .. raw:: html SDE M10-Smart M2 Atlas840 AresC640 :arg ifc: Set an XDP filter per interface that will drop malicious flows Configuring a list of interfaces will install an XDP filter per interface which can be used by the firewall for notifying about a flow that can be dropped at the earliest stage possible. This option is very useful for preventing packages not even reaching the firewall but also the kernel, making it the greatest option when trying, for example, to protect against a DDoS attack. :instances: List of values .. osdx:cfgcmd:: service firewall stream bypass depth .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Depth of the reassembly Maximum depth of the reassembly in which packets are bypassed when reached. This field accepts a value in bytes with an optional suffix indicating the magnitude (kb, mb or gb - value must be lowercase). .. osdx:cfgcmd:: service firewall stream bypass mark .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Custom mark used when bypassing a packet Use bypass mark for implementing NFQ bypass. The firewall will set the given mark on a packet of a flow that needs to be bypassed. The ruleset has to directly accept all packets of a flow once it has been marked. .. osdx:cfgcmd:: service firewall stream bypass mask .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Custom mask used when bypassing a packet Use bypass mask for implementing NFQ bypass. Note than the mask is used by the firewall to detect whether the packet/flow must be bypassed by NFQ by doing the 'AND' operation with such values (bypass_mask & bypass_mark). The firewall will set then the given mask on a packet of a flow that needs to be bypassed. The ruleset has to directly accept all packets of a flow once it has been marked. .. osdx:cfgcmd:: service firewall stream bypass set-connmark .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Set conntrack mark instead of packet mark The final behavior is the same as when only setting both "mark" and "mask" with the difference that the resulting mark will be set into the conntrack mark instead. .. osdx:cfgcmd:: service firewall stream drop-invalid .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Drop packets that are seen invalid by the stream engine .. osdx:cfgcmd:: service firewall stream inline .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Set stream to inline mode so the firewall switches to blocking mode :arg yes: Stream is always in inline mode - firewall always blocking :arg no: Stream is never in inline mode :arg auto: Stream is only in inline mode if IPS is enabled .. osdx:cfgcmd:: service firewall stream max-memory .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Max memory usage (in bytes) for tracking a TCP session Firewall stream tracking engine keeps information about the flow being tracked in .. osdx:cfgcmd:: service firewall stream midstream .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Pick sessions that have already started A TCP session starts with the three-way-handshake. After that, data can be sent and received. As a session can last a long time, it may happend that the firewall is started after a few TCP sessions have started, missing the original setup of all those sessions (which usually includes a lot of information). If you want to allow the firewall to join a session after it has started, mark this option .. osdx:cfgcmd:: service firewall stream no-validate-checksum .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 Process all packets, even if they have an invalid valid checksum All TCP packets have a so-called checksum. This is an internal code which makes possible to see if a packet has arrived in a good state. The stream-engine will not process packets with a wrong checksum unless this option is enabled .. osdx:cfgcmd:: service firewall stream reassembly-max-memory .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg id: Max memory reserved (in bytes) for stream data reconstruction Stream reassembly is an expensive operation and uses lots of resources. For avoiding resource starvation, maximum reserved memory can be limited so reduce memory usage. Defaults to 256MB. .. osdx:cfgcmd:: service firewall validator-timeout .. raw:: html SDE M10-Smart M2 Atlas840 RS420 AresC640 :arg u32: Validator timeout, in seconds The validator is a process that ensures the firewall is up and running, there is at least one valid rule, and the configuration makes sense (in the firewall's context). By default, it will wait up-to 5 minutes (300 seconds) for the OK message to appear. However, it can happen that such a message will take longer than that: - If the log level is different than "notice" (or any lower value), it won't be logged. - If there are plenty of rules, it may take more than the given time. Adjust this value accordingly to the number of rules that are going to be used.