The system settings are the top-level attributes of the system, which apply globally.
Table H.3. system: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
contact | string | - | Contact name |
dos-delay | unsignedInt | 2 | Interrupt DoS restoration counter, leave at default |
dos-limit | unsignedInt | 1000 | Interrupt DoS packet limit, leave at default |
intro | string | - | Home page text |
location | string | - | Location description |
log | NMTOKEN | Web/console | Log system events |
log-debug | NMTOKEN | Not logging | Log system debug messages |
log-error | NMTOKEN | Web/Flash/console | Log system errors |
log-eth | NMTOKEN | Web/console | Log Ethernet messages |
log-eth-debug | NMTOKEN | Not logging | Log Ethernet debug |
log-eth-error | NMTOKEN | Web/Flash/console | Log Ethernet errors |
log-panic | NMTOKEN | Web logs | Log system panic messages |
log-stats | NMTOKEN | Not logging | Log one second stats |
name | string | - | System hostname |
soft-watchdog | boolean | false | Debug - use only if advised; do not use on an unattended FireBrick |
source | string | - | Source of data, used in automated config management |
sw-update | autoloadtype | factory | Load new software automatically |
Table H.4. system: Elements
Element | Type | Instances | Description |
link | link | Optional, unlimited | Home page links |
User names, passwords and abilities for admin users
Table H.6. user: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses |
comment | string | - | Comment |
config | config-access | full | Config access level |
full-name | string | - | Full name |
level | user-level | ADMIN | Login level |
name | (NMTOKEN) username | Not optional | User name |
otp | string | - | OTP serial number |
password | Password | Not optional | User password |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table |
timeout | duration | 5:00 | Login idle timeout (zero to stay logged in) |
Named logging target
Table H.7. log: Attributes
Attribute | Type | Default | Description |
colour | Colour | - | Colour used in web display |
comment | string | - | Comment |
console | boolean | - | Log immediately to console |
flash | boolean | - | Log immediately to slow flash memory (use with care) |
jtag | boolean | - | Log immediately to jtag (development use only) |
name | NMTOKEN | Not optional | Log target name |
source | string | - | Source of data, used in automated config management |
Table H.8. log: Elements
Element | Type | Instances | Description |
email | log-email | Optional, unlimited | Email settings |
syslog | log-syslog | Optional, unlimited | Syslog settings |
Logging to a syslog server
Table H.9. log-syslog: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
facility | syslog-facility | LOCAL0 | Facility setting |
port | unsignedShort | 514 | Server port |
server | IPNameAddr | Not optional | Syslog server |
severity | syslog-severity | NOTICE | Severity setting |
source | string | - | Source of data, used in automated config management |
source-ip | IPAddr | - | Use specific source IP |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs |
Logging to email
Table H.10. log-email: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
delay | duration | 1:00 | Delay before sending, since first event to send |
from | string | One made up using serial number | Source email address |
hold-off | duration | 1:00:00 | Delay before sending, since last email |
log | NMTOKEN | Not logging | Log emailing process |
log-debug | NMTOKEN | Not logging | Log emailing debug |
log-error | NMTOKEN | Not logging | Log emailing errors |
port | unsignedShort | 25 | Server port |
retry | duration | 10:00 | Delay before sending, since failed send |
server | IPNameAddr | - | Smart host to use rather than MX |
source | string | - | Source of data, used in automated config management |
subject | string | From first line being logged | Subject |
table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email |
to | string | Not optional | Target email address |
System services are generic services that the system provides; this section allows access controls and settings for them to be specified. A service is only active if the corresponding element is included in services; otherwise it is disabled.
Table H.11. services: Elements
Element | Type | Instances | Description |
dns | dns-service | Optional | DNS service settings |
http | http-service | Optional | HTTP server settings |
ntp | ntp-service | Optional | NTP client settings (server not implemented yet) |
snmp | snmp-service | Optional | SNMP server settings |
telnet | telnet-service | Optional | Telnet server settings |
The SNMP service has general service settings and also specific attributes for SNMP, such as community.
Table H.12. snmp-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
community | string | public | Community string |
local-only | boolean | false | Restrict access to locally connected Ethernet subnets only |
log | NMTOKEN | Not logging | Log events |
log-debug | NMTOKEN | Not logging | Log debug |
log-error | NMTOKEN | Log as event | Log errors |
port | unsignedShort | 161 | Service port |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
The NTP settings define how the system clock is set, from what servers, and controls for daylight saving (summer time). The defaults are those that apply to the EU.
Table H.13. ntp-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | NMTOKEN | Not logging | Log events |
log-debug | NMTOKEN | Not logging | Log debug |
log-error | NMTOKEN | Log as event | Log errors |
ntpserver | List of IPNameAddr | ntp.firebrick.ltd.uk | List of time servers (IP or hostname) from which time may be set by ntp |
poll | duration | 1:00:00 | NTP poll rate |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
tz1-name | string | GMT | Timezone 1 name |
tz1-offset | duration | 0 | Timezone 1 offset from UTC |
tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month |
tz12-day | day | Sun | Timezone 1 to 2 day of week of change |
tz12-month | month | Mar | Timezone 1 to 2 month |
tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change |
tz2-name | string | BST | Timezone 2 name |
tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC |
tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month |
tz21-day | day | Sun | Timezone 2 to 1 day of week of change |
tz21-month | month | Oct | Timezone 2 to 1 month |
tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change |
Telnet control interface
Table H.14. telnet-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | NMTOKEN | Not logging | Log events |
log-debug | NMTOKEN | Not logging | Log debug |
log-error | NMTOKEN | Log as event | Log errors |
port | unsignedShort | 23 | Service port |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Web management pages
Table H.15. http-service: Attributes
Attribute | Type | Default | Description |
access-control-allow-origin | string | - | Additional header for cross site javascript |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
comment | string | - | Comment |
css-url | string | - | Additional CSS for web control pages |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | NMTOKEN | Not logging | Log events |
log-debug | NMTOKEN | Not logging | Log debug |
log-error | NMTOKEN | Log as event | Log errors |
port | unsignedShort | 80 | Service port |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available |
DNS forwarding resolver service
Table H.16. dns-service: Attributes
Attribute | Type | Default | Description |
allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain |
comment | string | - | Comment |
domain | string | - | Our domain |
local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
log | NMTOKEN | Not logging | Log events |
log-debug | NMTOKEN | Not logging | Log debug |
log-error | NMTOKEN | Log as event | Log errors |
resolvers | List of IPAddr | - | Recursive DNS resolvers to use |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
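The rule that a service is active only when its element appears in services, combined with the defaults in Tables H.12 to H.16, determines what a given config actually exposes. The following Python is an added example, not part of the FireBrick documentation: it resolves the effective settings of each service and flags the ones left open. The `config` root element and the sample XML are constructed, and treating a service as open when `local-only` is false and `allow` is empty is this example's reading of the tables.

```python
import xml.etree.ElementTree as ET

# Defaults copied from Tables H.12-H.16 on this page.
# An empty "allow" stands for the documented default "Allow from anywhere".
DEFAULTS = {
    "snmp":   {"local-only": "false", "allow": "", "port": "161",
               "community": "public"},
    "ntp":    {"local-only": "true", "allow": ""},
    "telnet": {"local-only": "true", "allow": "", "port": "23"},
    "http":   {"local-only": "true", "allow": "", "port": "80"},
    "dns":    {"local-only": "true", "allow": ""},
}

# Constructed sample config; the <config> root is an assumption.
SAMPLE = """
<config>
  <services>
    <snmp/>
    <telnet local-only="false"/>
    <http local-only="false" allow="192.0.2.0/24"/>
    <dns/>
  </services>
</config>
"""

def local(tag):
    """Strip any XML namespace so the audit works with or without one."""
    return tag.rsplit("}", 1)[-1]

def effective_services(xml_text):
    """Return {service: settings} for services that are active, i.e. whose
    element is present under <services>, with table defaults filled in."""
    root = ET.fromstring(xml_text)
    services = next((e for e in root.iter() if local(e.tag) == "services"), None)
    active = {}
    if services is None:
        return active  # no <services> element: every service is disabled
    for el in services:
        name = local(el.tag)
        if name in DEFAULTS:
            # Explicit attributes override the documented defaults.
            active[name] = {**DEFAULTS[name], **el.attrib}
    return active

def audit(xml_text):
    """Return (service, finding) pairs for active services left open."""
    active = effective_services(xml_text)
    findings = []
    for name in DEFAULTS:
        if name not in active:
            continue  # element absent, so the service is disabled
        s = active[name]
        if s["local-only"] != "true" and not s["allow"].strip():
            findings.append((name, "reachable from any source address"))
        if name == "snmp" and s["community"] == "public":
            findings.append((name, "community string left at default 'public'"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

Note that a bare `<snmp/>` is the only service element that is open with no attributes set, because its `local-only` default is false while the other services default to true.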
DNS forwarding resolver service
Table H.18. dns-host: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted) |
name | List of string | Not optional | Host names (can use * as a part of a domain) |
restrict | List of IPNameRange | - | List of IP ranges to which this is served |
reverse | boolean | - | Map reverse DNS as well |
source | string | - | Source of data, used in automated config management |
ttl | unsignedInt | 60 | Time to live |
DNS forwarding resolver service
Table H.19. dns-block: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
name | List of string | Not optional | Host names (can use * as a part of a domain) |
restrict | List of IPNameRange | - | List of IP ranges to which this is served |
source | string | - | Source of data, used in automated config management |
ttl | unsignedInt | 60 | Time to live |
Physical port attributes
Table H.20. ethernet: Attributes
Attribute | Type | Default | Description |
autoneg | boolean | auto negotiate unless manual 10/100 speed and duplex are set | Perform link auto-negotiation |
clocking | LinkClock | prefer-slave | Gigabit clock setting |
crossover | Crossover | auto | Port crossover configuration |
duplex | LinkDuplex | auto | Duplex setting for this port |
flow | LinkFlow | none | Flow control setting |
green | LinkLED | Link/Activity | Green LED setting |
optimise | boolean | true | Enable PHY optimisations |
port | port | Not optional | Physical port |
power-saving | LinkPower | full | Enable PHY power saving |
send-fault | LinkFault | - | Send fault status |
shutdown | boolean | false | Power down this port |
speed | LinkSpeed | auto | Speed setting for this port |
yellow | LinkLED | Tx | Yellow LED setting |
The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.
Table H.22. interface: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
graph | (token) graphname | - | Graph name |
link | NMTOKEN | - | Interface to which this is linked at layer 2 |
log | NMTOKEN | Not logging | Log events including DHCP and related events |
log-debug | NMTOKEN | Not logging | Log debug |
log-error | NMTOKEN | Log as event | Log errors |
mtu | (unsignedShort 576-2000) mtu | 1500 | MTU for this interface |
name | NMTOKEN | - | Name |
ping | IPAddr | - | Ping address to add loss/latency to graph for interface |
port | NMTOKEN | Not optional | Port group name |
ra-client | boolean | true | Accept IPv6 RA and create auto config subnets and routes |
restrict-mac | boolean | - | Use only one MAC on this interface |
source | string | - | Source of data, used in automated config management |
source-filter | sfoption | - | Source filter traffic received via this interface |
source-filter-table | (unsignedByte 0-99) routetable | interface table | Routing table to use for source filtering checks |
table | (unsignedByte 0-99) routetable | 0 | Routing table applicable |
vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged) |
Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
Table H.24. subnet: Attributes
Attribute | Type | Default | Description |
accept-dns | boolean | true | Accept DNS servers specified by DHCP |
arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND |
broadcast | boolean | false | If broadcast address allowed |
comment | string | - | Comment |
gateway | List of IPAddr | - | One or more gateways to install |
ip | List of IPSubnet | Automatic by DHCP | One or more IP/len |
localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins) |
mtu | (unsignedShort 576-2000) mtu | As interface | MTU for subnet |
name | string | - | Name |
proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing |
ra | ramode | false | If to announce IPv6 RA for this subnet |
ra-dns | List of IP6Addr | - | List of recursive DNS servers in route announcements |
ra-managed | dhcpv6control | - | RA 'M' (managed) flag |
ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval |
ra-min | (unsignedShort 3-1350) ra-min | - | Min RA send interval |
ra-mtu | unsignedShort | As subnet | MTU to use on RA |
ra-other | dhcpv6control | - | RA 'O' (other) flag |
source | string | - | Source of data, used in automated config management |
test | IPAddr | - | Test link state using ARP/ND for this IP |
ttl | unsignedByte | 64 | TTL for originating traffic via subnet |
VRRP settings provide virtual router redundancy for the FireBrick. When the profile is inactive, VRRP is not disabled but is forced to low priority. Use a different VRID on different VLANs.
Table H.25. vrrp: Attributes
Attribute | Type | Default | Description |
answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master |
comment | string | - | Comment |
delay | unsignedInt | 60 | Delay after routing established before priority returns to normal |
interval | unsignedShort | 100 | Transit interval (centiseconds) |
ip | List of IPAddr | Not optional | One or more IP addresses to announce |
log | NMTOKEN | Not logging | Log events |
log-error | NMTOKEN | log as event | Log errors |
low-priority | unsignedByte | 1 | Lower priority applicable until routing established |
name | NMTOKEN | - | Name |
preempt | boolean | true | Whether pre-empt allowed |
priority | unsignedByte | 100 | Normal priority |
source | string | - | Source of data, used in automated config management |
test | List of IPAddr | - | List of IPs to which routing must exist else low priority (deprecated) |
use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC |
version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3 |
vrid | unsignedByte | 42 | VRID |
Settings for DHCP server
Table H.26. dhcps: Attributes
Attribute | Type | Default | Description |
boot | IP4Addr | - | Next/boot server |
boot-file | string | - | Boot filename |
class | string | - | Class match |
client-name | string | - | Client name match |
comment | string | - | Comment |
dns | List of IP4Addr | Our IP | DNS resolvers |
domain | string | From system settings | DNS domain |
domain-search | string | - | DNS domain search list (list will be truncated to fit one attribute) |
force | boolean | - | Send all options even if not requested |
gateway | List of IP4Addr | Our IP | Gateway |
ip | List of IP4Range | 0.0.0.0/0 | Address pool |
lease | duration | 2:00:00 | Lease length |
log | NMTOKEN | Not logging | Log events (allocations) |
mac | List up to 12 (hexBinary) macprefix | - | Partial or full MAC addresses |
name | string | - | Name |
ntp | List of IP4Addr | From system settings | NTP server |
source | string | - | Source of data, used in automated config management |
syslog | List of IP4Addr | - | Syslog server |
time | List of IP4Addr | Our IP | Time server |
Table H.27. dhcps: Elements
Element | Type | Instances | Description |
send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex) |
send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP) |
send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric) |
send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string) |
Additional DHCP server attributes (numeric)
Table H.30. dhcp-attr-number: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
force | boolean | - | Send even if not requested |
id | unsignedByte | Not optional | Attribute type code/tag |
name | string | - | Name |
value | unsignedInt | Not optional | Value |
vendor | boolean | - | Add as vendor specific option (under option 43) |
Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
Table H.32. route: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
gateway | List of IPAddr | Not optional | One or more target gateway IPs |
graph | (token) graphname | - | Graph name |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
source | string | - | Source of data, used in automated config management |
speed | unsignedInt | - | Egress rate limit (b/s) |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Networks that go nowhere
Table H.33. blackhole: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
ip | List of IPPrefix | Not optional | One or more network prefixes |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Loopback addresses define local IP addresses
Table H.34. loopback: Attributes
Attribute | Type | Default | Description |
comment | string | - | Comment |
ip | List of IPAddr | Not optional | One or more local network addresses |
localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
name | string | - | Name |
source | string | - | Source of data, used in automated config management |
table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Constant quality monitoring (graphs and data) has a number of settings. Most of the graphing settings can be overridden when a graph is collected, so in many cases these define the defaults.
Table H.35. cqm: Attributes
Attribute | Type | Default | Description |
ave | Colour | #08f | Colour for average latency |
axis | Colour | black | Axis colour |
background | Colour | white | Background colour |
bottom | unsignedByte | 11 | Pixels space at bottom of graph |
dateformat | string | %Y-%m-%d | Date format |
dayformat | string | %a | Day format |
fail | Colour | red | Colour for failed (dropped) seconds |
fail-level | unsignedInt | 1 | Fail level not expected on low usage |
fail-level1 | unsignedByte | 3 | Loss level 1 |
fail-level2 | unsignedByte | 50 | Loss level 2 |
fail-score | unsignedByte | 200 | Score for fail and low usage |
fail-score1 | unsignedByte | 100 | Score for on/above level 1 |
fail-score2 | unsignedByte | 200 | Score for on/above level 2 |
fail-usage | unsignedInt | 128000 | Usage below which fail is not expected |
fblogo | Colour | #bd1220 | Colour for logo |
graticule | Colour | grey | Graticule colour |
heading | string | - | Heading of graph |
hourformat | string | %H | Hour format |
key | unsignedByte | 90 | Pixels space for key |
label-ave | string | Av | Label for average latency |
label-fail | string | %Fail | Label for seconds (%) failed |
label-latency | string | Latency | Label for latency |
label-max | string | Max | Label for maximum latency |
label-min | string | Min | Label for minimum latency |
label-off | string | Off | Label for off line seconds |
label-period | string | Period | Label for period |
label-poll | string | Polls | Label for polls |
label-rej | string | %Reject | Label for rejected seconds |
label-rx | string | Rx | Label for Rx traffic level |
label-score | string | Score | Label for score |
label-sent | string | Sent | Label for seconds polled |
label-time | string | Time | Label for time |
label-traffic | string | Traffic (bit/s) | Label for traffic level |
label-tx | string | Tx | Label for Tx traffic level |
latency-level | unsignedInt | 100000000 | Latency level not expected on low usage |
latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns) |
latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns) |
latency-score | unsignedByte | 200 | Score for high latency and low usage |
latency-score1 | unsignedByte | 10 | Score for on/above level 1 |
latency-score2 | unsignedByte | 20 | Score for on/above level 2 |
latency-usage | unsignedInt | 128000 | Usage below which latency is not expected |
left | unsignedByte | 0 | Pixels space left of main graph |
log | NMTOKEN | Not logging | Log events |
max | Colour | green | Colour for maximum latency |
min | Colour | #008 | Colour for minimum latency |
ms-max | positiveInteger | 500 | ms max height |
off | Colour | #c8f | Colour for off line seconds |
outside | Colour | transparent | Colour for outer border |
rej | Colour | #f8c | Colour for off line seconds |
right | unsignedByte | 50 | Pixels space right of main graph |
rx | Colour | #800 | Colour for Rx traffic level |
secret | Secret | - | Secret for MD5 coded URLs |
sent | Colour | #ff8 | Colour for polled seconds |
subheading | string | - | Subheading of graph |
text | Colour | black | Colour for text |
text1 | string | - | Text line 1 |
text2 | string | - | Text line 2 |
text3 | string | - | Text line 3 |
text4 | string | - | Text line 4 |
timeformat | string | %Y-%m-%d %H:%M:%S | Time format |
top | unsignedByte | 4 | Pixels space at top of graph |
tx | Colour | #080 | Colour for Tx traffic level |