H.2. Objects

H.2.1. system: System settings

The system settings are the top-level attributes of the system, which apply globally.

Table H.3. system: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
contact | string | - | Contact name
dos-delay | unsignedInt | 2 | Interrupt DoS restoration counter, leave at default
dos-limit | unsignedInt | 1000 | Interrupt DoS packet limit, leave at default
intro | string | - | Home page text
location | string | - | Location description
log | NMTOKEN | Web/console | Log system events
log-debug | NMTOKEN | Not logging | Log system debug messages
log-error | NMTOKEN | Web/Flash/console | Log system errors
log-eth | NMTOKEN | Web/console | Log Ethernet messages
log-eth-debug | NMTOKEN | Not logging | Log Ethernet debug
log-eth-error | NMTOKEN | Web/Flash/console | Log Ethernet errors
log-panic | NMTOKEN | Web logs | Log system panic messages
log-stats | NMTOKEN | Not logging | Log one second stats
name | string | - | System hostname
soft-watchdog | boolean | false | Debug - use only if advised; do not use on an unattended FireBrick
source | string | - | Source of data, used in automated config management
sw-update | autoloadtype | factory | Load new software automatically

Table H.4. system: Elements

Element | Type | Instances | Description
link | link | Optional, unlimited | Home page links

H.2.2. link: Web links

Links to other web pages

Table H.5. link: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | string | - | Link name
source | string | - | Source of data, used in automated config management
text | string | - | Link text
url | string | - | Link address

H.2.3. user: Admin users

User names, passwords and abilities for admin users

Table H.6. user: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses
comment | string | - | Comment
config | config-access | full | Config access level
full-name | string | - | Full name
level | user-level | ADMIN | Login level
name | (NMTOKEN) username | Not optional | User name
otp | string | - | OTP serial number
password | Password | Not optional | User password
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table
timeout | duration | 5:00 | Login idle timeout (zero to stay logged in)

H.2.4. log: Log target controls

Named logging target

Table H.7. log: Attributes

Attribute | Type | Default | Description
colour | Colour | - | Colour used in web display
comment | string | - | Comment
console | boolean | - | Log immediately to console
flash | boolean | - | Log immediately to slow flash memory (use with care)
jtag | boolean | - | Log immediately jtag (development use only)
name | NMTOKEN | Not optional | Log target name
source | string | - | Source of data, used in automated config management

Table H.8. log: Elements

Element | Type | Instances | Description
email | log-email | Optional, unlimited | Email settings
syslog | log-syslog | Optional, unlimited | Syslog settings

H.2.5. log-syslog: Syslog logger settings

Logging to a syslog server

Table H.9. log-syslog: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
facility | syslog-facility | LOCAL0 | Facility setting
port | unsignedShort | 514 | Server port
server | IPNameAddr | Not optional | Syslog server
severity | syslog-severity | NOTICE | Severity setting
source | string | - | Source of data, used in automated config management
source-ip | IPAddr | - | Use specific source IP
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs

H.2.6. log-email: Email logger settings

Logging to email

Table H.10. log-email: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
delay | duration | 1:00 | Delay before sending, since first event to send
from | string | One made up using serial number | Source email address
hold-off | duration | 1:00:00 | Delay before sending, since last email
log | NMTOKEN | Not logging | Log emailing process
log-debug | NMTOKEN | Not logging | Log emailing debug
log-error | NMTOKEN | Not logging | Log emailing errors
port | unsignedShort | 25 | Server port
retry | duration | 10:00 | Delay before sending, since failed send
server | IPNameAddr | - | Smart host to use rather than MX
source | string | - | Source of data, used in automated config management
subject | string | From first line being logged | Subject
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email
to | string | Not optional | Target email address

H.2.7. services: System services

System services are the generic services that the system provides; the services object allows access controls and settings for these to be specified. A service is only active if the corresponding element is included in services; otherwise it is disabled.

Table H.11. services: Elements

Element | Type | Instances | Description
dns | dns-service | Optional | DNS service settings
http | http-service | Optional | HTTP server settings
ntp | ntp-service | Optional | NTP client settings (server not implemented yet)
snmp | snmp-service | Optional | SNMP server settings
telnet | telnet-service | Optional | Telnet server settings

H.2.8. snmp-service: SNMP service settings

The SNMP service has general service settings and also specific attributes for SNMP, such as community.

Table H.12. snmp-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
community | string | public | Community string
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 161 | Service port
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

H.2.9. ntp-service: NTP service settings

The NTP settings define how the system clock is set, from what servers, and controls for daylight saving (summer time). The defaults are those that apply to the EU.

Table H.13. ntp-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
ntpserver | List of IPNameAddr | ntp.firebrick.ltd.uk | List of time servers (IP or hostname) from which time may be set by ntp
poll | duration | 1:00:00 | NTP poll rate
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
tz1-name | string | GMT | Timezone 1 name
tz1-offset | duration | 0 | Timezone 1 offset from UTC
tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month
tz12-day | day | Sun | Timezone 1 to 2 day of week of change
tz12-month | month | Mar | Timezone 1 to 2 month
tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change
tz2-name | string | BST | Timezone 2 name
tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC
tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month
tz21-day | day | Sun | Timezone 2 to 1 day of week of change
tz21-month | month | Oct | Timezone 2 to 1 month
tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change

H.2.10. telnet-service: Telnet service settings

Telnet control interface

Table H.14. telnet-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 23 | Service port
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

H.2.11. http-service: HTTP service settings

Web management pages

Table H.15. http-service: Attributes

Attribute | Type | Default | Description
access-control-allow-origin | string | - | Additional header for cross site javascript
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
comment | string | - | Comment
css-url | string | - | Additional CSS for web control pages
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
port | unsignedShort | 80 | Service port
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number
trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available

H.2.12. dns-service: DNS service settings

DNS forwarding resolver service

Table H.16. dns-service: Attributes

Attribute | Type | Default | Description
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed
auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain
comment | string | - | Comment
domain | string | - | Our domain
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only
log | NMTOKEN | Not logging | Log events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
resolvers | List of IPAddr | - | Recursive DNS resolvers to use
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

Table H.17. dns-service: Elements

Element | Type | Instances | Description
block | dns-block | Optional, unlimited | Fixed local DNS host blocks
host | dns-host | Optional, unlimited | Fixed local DNS host entries
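
As an added example (not part of the FireBrick manual), the Python sketch below audits the services section of a config against the defaults listed in Tables H.12 to H.16: a service is active only when its element is present, and it is flagged when its effective local-only value is false. It assumes the config is XML whose element and attribute names match these tables, that list attributes are space-separated, and that a client must pass both local-only and allow; the `<config>` root name and the sample values are constructed.

```python
import xml.etree.ElementTree as ET

# local-only defaults copied from Tables H.12 to H.16 on this page.
LOCAL_ONLY_DEFAULT = {"snmp": False, "ntp": True, "telnet": True,
                      "http": True, "dns": True}

# Constructed sample config; the <config> root element name is an assumption.
SAMPLE = """<config>
  <services>
    <snmp/>
    <telnet local-only="false"/>
    <http local-only="false" allow="192.0.2.0/24"/>
    <dns/>
  </services>
</config>"""


def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}services'."""
    return tag.rsplit("}", 1)[-1]


def effective(el, svc):
    """Resolve local-only and allow for one service element, applying defaults."""
    raw = el.get("local-only")
    if raw is None:
        local_only = LOCAL_ONLY_DEFAULT[svc]
    else:
        local_only = raw.strip().lower() in ("true", "1")
    # Assumption: list attributes are whitespace-separated; absent means "anywhere".
    allow = (el.get("allow") or "").split()
    return local_only, allow


def audit_services(xml_text):
    """Return (service, finding) tuples for every service element present."""
    root = ET.fromstring(xml_text)
    findings = []
    for services in (e for e in root.iter() if local_name(e.tag) == "services"):
        for el in services:
            svc = local_name(el.tag)
            if svc not in LOCAL_ONLY_DEFAULT:
                continue  # not one of the five documented service elements
            local_only, allow = effective(el, svc)
            if not local_only and not allow:
                findings.append((svc, "reachable from any address"))
            elif not local_only:
                findings.append(
                    (svc, "reachable beyond local subnets, limited to " + " ".join(allow)))
            # Table H.12: the SNMP community defaults to "public" when omitted.
            if svc == "snmp" and el.get("community", "public") == "public":
                findings.append((svc, "community string left at default 'public'"))
    return findings


if __name__ == "__main__":
    for svc, finding in audit_services(SAMPLE):
        print(f"{svc}: {finding}")
```

A bare `<snmp/>` element is the case to watch: it is the only service whose local-only default is false, so enabling it without attributes yields both findings.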

H.2.13. dns-host: Fixed local DNS host settings

DNS forwarding resolver service

Table H.18. dns-host: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted)
name | List of string | Not optional | Host names (can use * as a part of a domain)
restrict | List of IPNameRange | - | List of IP ranges to which this is served
reverse | boolean | - | Map reverse DNS as well
source | string | - | Source of data, used in automated config management
ttl | unsignedInt | 60 | Time to live

H.2.14. dns-block: Fixed local DNS blocks

DNS forwarding resolver service

Table H.19. dns-block: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | List of string | Not optional | Host names (can use * as a part of a domain)
restrict | List of IPNameRange | - | List of IP ranges to which this is served
source | string | - | Source of data, used in automated config management
ttl | unsignedInt | 60 | Time to live

H.2.15. ethernet: Physical port controls

Physical port attributes

Table H.20. ethernet: Attributes

Attribute | Type | Default | Description
autoneg | boolean | auto negotiate unless manual 10/100 speed and duplex are set | Perform link auto-negotiation
clocking | LinkClock | prefer-slave | Gigabit clock setting
crossover | Crossover | auto | Port crossover configuration
duplex | LinkDuplex | auto | Duplex setting for this port
flow | LinkFlow | none | Flow control setting
green | LinkLED | Link/Activity | Green LED setting
optimise | boolean | true | enable PHY optimisations
port | port | Not optional | Physical port
power-saving | LinkPower | full | enable PHY power saving
send-fault | LinkFault | - | Send fault status
shutdown | boolean | false | Power down this port
speed | LinkSpeed | auto | Speed setting for this port
yellow | LinkLED | Tx | Yellow LED setting

H.2.16. portdef: Port grouping and naming

Port grouping and naming

Table H.21. portdef: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
name | NMTOKEN | Not optional | Name
ports | Set of port | Not optional | Physical port(s)
source | string | - | Source of data, used in automated config management

H.2.17. interface: Port-group/VLAN interface settings

The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.

Table H.22. interface: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
graph | (token) graphname | - | Graph name
link | NMTOKEN | - | Interface to which this is linked at layer 2
log | NMTOKEN | Not logging | Log events including DHCP and related events
log-debug | NMTOKEN | Not logging | Log debug
log-error | NMTOKEN | Log as event | Log errors
mtu | (unsignedShort 576-2000) mtu | 1500 | MTU for this interface
name | NMTOKEN | - | Name
ping | IPAddr | - | Ping address to add loss/latency to graph for interface
port | NMTOKEN | Not optional | Port group name
ra-client | boolean | true | Accept IPv6 RA and create auto config subnets and routes
restrict-mac | boolean | - | Use only one MAC on this interface
source | string | - | Source of data, used in automated config management
source-filter | sfoption | - | Source filter traffic received via this interface
source-filter-table | (unsignedByte 0-99) routetable | interface table | Routing table to use for source filtering checks
table | (unsignedByte 0-99) routetable | 0 | Routing table applicable
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged)

Table H.23. interface: Elements

Element | Type | Instances | Description
dhcp | dhcps | Optional, unlimited | DHCP server settings
subnet | subnet | Optional, unlimited | IP subnet on the interface
vrrp | vrrp | Optional, unlimited | VRRP settings

H.2.18. subnet: Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

Table H.24. subnet: Attributes

Attribute | Type | Default | Description
accept-dns | boolean | true | Accept DNS servers specified by DHCP
arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND
broadcast | boolean | false | If broadcast address allowed
comment | string | - | Comment
gateway | List of IPAddr | - | One or more gateways to install
ip | List of IPSubnet | Automatic by DHCP | One or more IP/len
localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins)
mtu | (unsignedShort 576-2000) mtu | As interface | MTU for subnet
name | string | - | Name
proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing
ra | ramode | false | If to announce IPv6 RA for this subnet
ra-dns | List of IP6Addr | - | List of recursive DNS servers in route announcements
ra-managed | dhcpv6control | - | RA 'M' (managed) flag
ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval
ra-min | (unsignedShort 3-1350) ra-min | - | Min RA send interval
ra-mtu | unsignedShort | As subnet | MTU to use on RA
ra-other | dhcpv6control | - | RA 'O' (other) flag
source | string | - | Source of data, used in automated config management
test | IPAddr | - | Test link state using ARP/ND for this IP
ttl | unsignedByte | 64 | TTL for originating traffic via subnet

H.2.19. vrrp: VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. An inactive profile does not disable VRRP but forces VRRP to low priority. Use different VRIDs on different VLANs.

Table H.25. vrrp: Attributes

Attribute | Type | Default | Description
answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master
comment | string | - | Comment
delay | unsignedInt | 60 | Delay after routing established before priority returns to normal
interval | unsignedShort | 100 | Transit interval (centiseconds)
ip | List of IPAddr | Not optional | One or more IP addresses to announce
log | NMTOKEN | Not logging | Log events
log-error | NMTOKEN | log as event | Log errors
low-priority | unsignedByte | 1 | Lower priority applicable until routing established
name | NMTOKEN | - | Name
preempt | boolean | true | Whether pre-empt allowed
priority | unsignedByte | 100 | Normal priority
source | string | - | Source of data, used in automated config management
test | List of IPAddr | - | List of IPs to which routing must exist else low priority (deprecated)
use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC
version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3
vrid | unsignedByte | 42 | VRID

H.2.20. dhcps: DHCP server settings

Settings for DHCP server

Table H.26. dhcps: Attributes

Attribute | Type | Default | Description
boot | IP4Addr | - | Next/boot server
boot-file | string | - | Boot filename
class | string | - | Class match
client-name | string | - | Client name match
comment | string | - | Comment
dns | List of IP4Addr | Our IP | DNS resolvers
domain | string | From system settings | DNS domain
domain-search | string | - | DNS domain search list (list will be truncated to fit one attribute)
force | boolean | - | Send all options even if not requested
gateway | List of IP4Addr | Our IP | Gateway
ip | List of IP4Range | 0.0.0.0/0 | Address pool
lease | duration | 2:00:00 | Lease length
log | NMTOKEN | Not logging | Log events (allocations)
mac | List up to 12 (hexBinary) macprefix | - | Partial or full MAC addresses
name | string | - | Name
ntp | List of IP4Addr | From system settings | NTP server
source | string | - | Source of data, used in automated config management
syslog | List of IP4Addr | - | Syslog server
time | List of IP4Addr | Our IP | Time server

Table H.27. dhcps: Elements

Element | Type | Instances | Description
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex)
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP)
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric)
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string)

H.2.21. dhcp-attr-hex: DHCP server attributes (hex)

Additional DHCP server attributes (hex)

Table H.28. dhcp-attr-hex: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | hexBinary | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

H.2.22. dhcp-attr-string: DHCP server attributes (string)

Additional DHCP server attributes (string)

Table H.29. dhcp-attr-string: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | string | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

H.2.23. dhcp-attr-number: DHCP server attributes (numeric)

Additional DHCP server attributes (numeric)

Table H.30. dhcp-attr-number: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | unsignedInt | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

H.2.24. dhcp-attr-ip: DHCP server attributes (IP)

Additional DHCP server attributes (IP)

Table H.31. dhcp-attr-ip: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
force | boolean | - | Send even if not requested
id | unsignedByte | Not optional | Attribute type code/tag
name | string | - | Name
value | IP4Addr | Not optional | Value
vendor | boolean | - | Add as vendor specific option (under option 43)

H.2.25. route: Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

Table H.32. route: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
gateway | List of IPAddr | Not optional | One or more target gateway IPs
graph | (token) graphname | - | Graph name
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
source | string | - | Source of data, used in automated config management
speed | unsignedInt | - | Egress rate limit (b/s)
table | (unsignedByte 0-99) routetable | 0 | Routing table number

H.2.26. blackhole: Dead end networks

Networks that go nowhere

Table H.33. blackhole: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPPrefix | Not optional | One or more network prefixes
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

H.2.27. loopback: Locally originated networks

Loopback addresses define local IP addresses

Table H.34. loopback: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPAddr | Not optional | One or more local network addresses
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins)
name | string | - | Name
source | string | - | Source of data, used in automated config management
table | (unsignedByte 0-99) routetable | 0 | Routing table number

H.2.28. cqm: Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) has a number of settings. Most of the graphing settings can be overridden when a graph is collected, so in many cases these define the defaults.

Table H.35. cqm: Attributes

Attribute | Type | Default | Description
ave | Colour | #08f | Colour for average latency
axis | Colour | black | Axis colour
background | Colour | white | Background colour
bottom | unsignedByte | 11 | Pixels space at bottom of graph
dateformat | string | %Y-%m-%d | Date format
dayformat | string | %a | Day format
fail | Colour | red | Colour for failed (dropped) seconds
fail-level | unsignedInt | 1 | Fail level not expected on low usage
fail-level1 | unsignedByte | 3 | Loss level 1
fail-level2 | unsignedByte | 50 | Loss level 2
fail-score | unsignedByte | 200 | Score for fail and low usage
fail-score1 | unsignedByte | 100 | Score for on/above level 1
fail-score2 | unsignedByte | 200 | Score for on/above level 2
fail-usage | unsignedInt | 128000 | Usage below which fail is not expected
fblogo | Colour | #bd1220 | Colour for logo
graticule | Colour | grey | Graticule colour
heading | string | - | Heading of graph
hourformat | string | %H | Hour format
key | unsignedByte | 90 | Pixels space for key
label-ave | string | Av | Label for average latency
label-fail | string | %Fail | Label for seconds (%) failed
label-latency | string | Latency | Label for latency
label-max | string | Max | Label for maximum latency
label-min | string | Min | Label for minimum latency
label-off | string | Off | Label for off line seconds
label-period | string | Period | Label for period
label-poll | string | Polls | Label for polls
label-rej | string | %Reject | Label for rejected seconds
label-rx | string | Rx | Label for Rx traffic level
label-score | string | Score | Label for score
label-sent | string | Sent | Label for seconds polled
label-time | string | Time | Label for time
label-traffic | string | Traffic (bit/s) | Label for traffic level
label-tx | string | Tx | Label for Tx traffic level
latency-level | unsignedInt | 100000000 | Latency level not expected on low usage
latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns)
latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns)
latency-score | unsignedByte | 200 | Score for high latency and low usage
latency-score1 | unsignedByte | 10 | Score for on/above level 1
latency-score2 | unsignedByte | 20 | Score for on/above level 2
latency-usage | unsignedInt | 128000 | Usage below which latency is not expected
left | unsignedByte | 0 | Pixels space left of main graph
log | NMTOKEN | Not logging | Log events
max | Colour | green | Colour for maximum latency
min | Colour | #008 | Colour for minimum latency
ms-max | positiveInteger | 500 | ms max height
off | Colour | #c8f | Colour for off line seconds
outside | Colour | transparent | Colour for outer border
rej | Colour | #f8c | Colour for off line seconds
right | unsignedByte | 50 | Pixels space right of main graph
rx | Colour | #800 | Colour for Rx traffic level
secret | Secret | - | Secret for MD5 coded URLs
sent | Colour | #ff8 | Colour for polled seconds
subheading | string | - | Subheading of graph
text | Colour | black | Colour for text
text1 | string | - | Text line 1
text2 | string | - | Text line 2
text3 | string | - | Text line 3
text4 | string | - | Text line 4
timeformat | string | %Y-%m-%d %H:%M:%S | Time format
top | unsignedByte | 4 | Pixels space at top of graph
tx | Colour | #080 | Colour for Tx traffic level

H.2.29. ip-group: IP Group

Named IP group

Table H.36. ip-group: Attributes

Attribute | Type | Default | Description
comment | string | - | Comment
ip | List of IPRange | - | One or more IP ranges or IP/len
name | string | Not optional | Name
source | string | - | Source of data, used in automated config management
users | List of NMTOKEN | - | Include IP of (time limited) logged in web users