-
Notifications
You must be signed in to change notification settings - Fork 22
/
Copy pathzerod.conf.dist.in
178 lines (148 loc) · 4.71 KB
/
zerod.conf.dist.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
global:
{
// Interfaces list.
// Property "lan" defines LAN interface name.
// Property "wan" defines WAN interface name.
// Property "affinity" defines initial thread affinity for ring threads.
interfaces = (
{ lan = "eth0", wan = "eth1", affinity = 0 }
);
// Pause time before start operating on interfaces (in seconds).
// Sometimes after enabling interface it needs time for initialization.
// Default: 4
interfaces_wait_time = 4;
// Overlords controls authentication, accounting and etc. of client sessions.
// Threads to spawn.
// If you specify more than 1 thread, then session pool will be divided between all overlords.
// Value must be even and not bigger than 16.
// Default: 4
overlord_threads = 4;
// Remote control listen address and port.
// Default: "0.0.0.0:1050"
remote_control_listen = "0.0.0.0:1050";
// Total bandwidth.
// Default: 500M
monitors_total_bandwidth = "500M";
// Per connection bandwidth.
// Default: 50M
monitors_connection_bandwidth = "50M";
// Default: "5M"
non_client_bandwidth_down = "5M";
// Default: "5M"
non_client_bandwidth_up = "5M";
// Pass LLDP packets from network to kernel
// Default: true
lldp_pass_in = true;
// Pass LLDP packets from kernel to network
// Default: true
lldp_pass_out = true;
// Enable coredump.
// Default: true
enable_coredump = true;
}
// This is an example scope.
example:
{
// Subnets dedicated to clients.
subnets_client = (
"192.168.0.0/16"
);
// Subnets dedicated to local network.
subnets_local = (
"192.168.0.0/16"
);
// Exceptions from local subnets.
// For this subnets does not apply port rules and bandwidth limits.
subnets_local_exclude = (
"192.168.0.1/32"
);
// Rules applied on client creation.
default_client_rules = (
"bw.1Mbit.down",
"bw.1Mbit.up"
);
// Perform user authentication/authorization.
// Default: true
radius_auth = true;
// Perform user accounting.
// Enabled radius_auth is required.
// Default: true
radius_accounting = true;
// Path to radius configuration file.
// Default : /etc/radiusclient/radiusclient.conf
radius_config = "/etc/radiusclient/radiusclient.conf";
// Radius NAS identifier.
radius_nas_identifier = "example";
// Maximum number of seconds of service to be provided
// to the user before termination of the session.
// May be overridden by RADIUS Session-Timeout attribute.
// Set 0 to disable.
// Default: 86400 (1 day)
session_timeout = 86400;
// Maximum number of consecutive seconds of idle connection
// allowed to the user before termination of the session.
// May be overridden by RADIUS Idle-Timeout attribute.
// Set 0 to disable.
// Default: 900 (15 min)
session_idle_timeout = 900;
// Accounting update interval in seconds.
// May be overridden by RADIUS Acct-Interim-Interval.
// Default: 600 (10 min)
session_accounting_interval = 600;
// Authentication interval in seconds.
// If auth failed, retry not early than this time.
// Default: 10 (10 secs)
session_authentication_interval = 10;
// Enable HTTP URL blacklisting.
// Default: true
blacklist_enabled = true;
// File with blacklisted URLs.
// Default: /etc/zerod.blacklist
blacklist_file = "@CMAKE_INSTALL_PREFIX@/etc/zerod.blacklist";
// Blacklist reload interval.
// Default: 3600 (seconds)
blacklist_reload_interval = 3600;
// DHCP snooping.
// Default: false
dhcp_snooping = true;
// Default session DHCP lease time in seconds.
// Used only with enabled dhcp_snooping.
// ARP/IP protection works in learning mode during this time after server start.
// Default: 1800 (30 min)
dhcp_default_lease_time = 1800;
// Dynamic ARP protection.
// Enabled dhcp_snooping is required.
// Default: false
dynamic_arp_protection = true;
// IP source guard.
// Enabled dhcp_snooping is required.
// Default: false
ip_verify_source = true;
// All ports <= 1024 is always treated as whitelisted.
ports_whitelist = [
// HTTP(S)
8080, 8081, 4443,
// MS SQL Server
1443, 1434,
// MySQL
3306,
// Oracle SQL
1521, 1522, 1525, 1529,
// Microsoft Terminal Server / Citrix ICA
1494, 1604,
// ICQ
4000,
// Yahoo Messenger
5010,
// AOL Instant Messenger
5190,
// PCAnywhere
5632,
// VNC
5500, 5800, 5900,
// Microsoft PPTP
1723,
// RDP
3389
];
}