|
|
This is the manual for GNU Gatekeeper 2.3.2.
A manual for your version is in your GnuGk download archive.
Chapters:
Contents ·
Introduction ·
Installation ·
Getting started ·
Basic Config ·
Routed Mode & Proxy ·
Routing ·
RAS Config ·
Authentication ·
Accounting ·
Neighbors ·
Per Endpoint Config ·
Advanced Config ·
Monitoring
The behavior of the
gatekeeper
is determined by the command line
options and configuration file. Some command line options may override
a setting from the configuration file.
For example, the option -l overrides the setting TimeToLive
in the configuration file.
Almost every option has a short and a long format, e.g.,
-c is the same as --config.
Basic
-h --helpShow all available options and quit the program.
-c --config filenameSpecify the configuration file to use.
-s --section sectionSpecify which main section to use in the configuration file. The default is [Gatekeeper::Main].
-i --interface IPSpecify the IP address that the gatekeeper listens to.
By default, the gatekeeper will automatically determine which IP address(es) it should use. This
option will override the auto provisioning.
-l --timetolive nSpecify the time-to-live timer (in seconds) for endpoint registration.
Overrides the setting TimeToLive in the configuration file.
See
there for detailed explanations.
-b --bandwidth nSpecify the total bandwidth available for the gatekeeper.
Without this option, bandwidth management
is disabled.
--pid filenameSpecify the pid file. Only valid for Unix version.
-u --user nameRun the gatekeeper process as this user. Only valid for Unix version.
--core nEnable writing core dump files when the application crashes. A core
dump file will not exceed n bytes in size. A special constant "unlimited"
may be used to not enforce any particular limit. Only valid for Unix version.
Gatekeeper Mode
The options in this subsection override the settings in the
[RoutedMode] section of the configuration file.
-d --directUse direct endpoint call signaling.
-r --routedUse gatekeeper routed call signaling.
-rr --h245routedUse gatekeeper routed call signaling and H.245 control channel.
Debug Information
-o --output filenameWrite trace log to the specified file.
-t --traceSet trace verbosity. Each additional -t adds additional verbosity to the output.
For example, use -ttttt to set the trace level to 5.
The
GNU Gatekeeper
configuration file is a standard text file. The basic format is:
[Section String]
Key Name=Value String
Comments are marked with a hash (#) or a semicolon (;)
at the beginning of a line.
The file
complete.ini
contains all available sections for GnuGk.
In most cases it doesn't make sense to use them all at once.
The file is just meant as a collection of examples for many settings.
The configuration file can be changed at run time.
Once you modify the configuration file, you may issue the reload command
via the status port, or send the HUP signal to the gatekeeper process:
kill -HUP `cat /var/run/gnugk.pid`
Fortytwo=42
Default: N/A
This setting is used to test for the presence of the config file. If it
is not found, a warning is issued.
Make sure it's in all your config files.
Name=GnuGk
Default: OpenH323GK
Gatekeeper identifier of this gatekeeper. The gatekeeper will only respond to
GRQs for this ID and will use it in a number of messages to its endpoints.
Home=192.168.1.1
Default: 0.0.0.0
The gatekeeper will listen for requests on this IP address.
If set to 0.0.0.0 the gatekeeper will listen on all interfaces of your host.
Multiple Home addresses can be used
and must be separated with a semicolon (;) or comma (,).
NetworkInterfaces=192.168.1.1/24,10.0.0.1/0
Default: N/A
Specify the network interfaces of the gatekeeper. By default the gatekeeper
will automatically detect the interfaces of your host, so this setting is not
usually required, but is available if automatic detection fails.
If you are using GnuGk behind a NAT box then you should use the ExternalIP
setting (described below) which will automatically configure GnuGk to operate as if it was
on the NAT box. The ExternalIP setting will take precedence and will override this value.
NOTE: If this setting is changed, you must restart the gatekeeper. A reload from the status port
will not cause this value to be re-read.
Bind=192.168.1.1
Default: 0.0.0.0
Specify the IP address for default routing. If there is only one interface then
this setting is ignored. Use this to specify which default IP address to use in a multihomed
virtual environment where there may be many virtual interfaces on one host.
EndpointIDSuffix=_gk1
Default: _endp
The gatekeeper will assign a unique identifier to each registered endpoint.
This option can be used to specify a suffix to append to the endpoint identifier. This is only useful when using more than one gatekeeper.
This setting doesn't change when the config is reloaded!
-
TimeToLive=300
Default: -1
An endpoint's registration with a gatekeeper may have a limited life span.
The gatekeeper specifies the registration duration for an endpoint
by including a timeToLive field in the RCF message.
After the specified length of time, the registration is considered expired.
The endpoint must periodically send a RRQ having the keepAlive
bit set prior to the expiration time. Such a message may include a
minimum amount of information as described in H.225.0 and is known as a lightweight RRQ.
The endpoint may request a shorter timeToLive in the RRQ message
to the gatekeeper.
To avoid an overload of RRQ messages,
the gatekeeper automatically resets this timer
to 60 seconds if you specify a lower value.
After the expiration time,
the gatekeeper will make two attempts using IRQ messages to determine
if the endpoint is still alive. If the endpoint responds with an IRR,
the registration will be extended. If not, the gatekeeper will send
a URQ with reason ttlExpired to the endpoint.
The endpoint must then re-register with the gatekeeper using a full RRQ message.
To disable this feature, set it to -1.
CompareAliasType=0
Default: 1
By default, a H323ID of '1234' won't match E164 number '1234' when comparing aliases. This parameter allows you
to ignore the alias type when performing comparisons.
CompareAliasCase=0
Default: 1
By default, alias 'jan' won't match alias 'Jan'. If set to false, the comparison will not be case sensitive.
TraceLevel=2
Default: 0
Set trace level (same as -t on the command line).
This setting doesn't change when the config is reloaded!
TotalBandwidth=100000
Default: -1
Total bandwidth available to be given to endpoints.
By default this feature is off.
NOTE: At this time, the GnuGk only checks calls from registered endpoints and
many endpoints supply incorrect bandwidth values.
RedirectGK=Endpoints > 100 | Calls > 50
Default: N/A
This option allow you to redirect endpoints to alternate gatekeepers
if the gatekeeper becomes overloaded.
In the example above, the gatekeeper will
reject a RRQ if the number of registered endpoints would exceed 100,
or reject an ARQ if concurrent calls exceed 50.
Furthermore, you may explicitly redirect all endpoints by
setting this option to temporary or permanent.
The gatekeeper will send a RAS rejection message with a list of
alternate gatekeepers defined in AlternateGKs.
Note that a permanent redirection means that the redirected endpoints
will not register with this gatekeeper again.
NOTE: The redirect capability will only function with H.323 version 4
compliant endpoints.
AlternateGKs=1.2.3.4:1719:false:120:GnuGk
Default: N/A
If the endpoint loses connectivity with GnuGk it should automatically try
to register with the alternate gatekeeper specified here.
NOTE: Depending on the endpoint, it may not attempt to re-establish a
connection to its original gatekeeper. Support for "Assigned Gatekeepers" was added
in H.323v6. See
http://www.packetizer.com/ipmc/h323/whatsnew_v6.html for additional information.
The primary gatekeeper includes a field in the RCF to inform endpoints which alternate
IP and gatekeeper identifier to use.
The alternate gatekeeper needs to be aware of all
registrations on the primary gatekeeper or else it would reject calls.
Our gatekeeper can forward every RRQ to an alternate IP address.
The AlternateGKs config option specifies the fields contained in
the primary gatekeeper's RCF. The first and second fields of this string define
where (IP, port) to forward to.
The third tells endpoints whether they need to register with the alternate gatekeeper
before placing calls. They usually don't because we forward their RRQs, so they
are automatically known to the alternate gatekeeper.
The fourth field specifies the priority for this gatekeeper.
Lower is better; usually the primary gatekeeper is considered to have priority 1.
The last field specifies the alternate gatekeeper's identifier.
You may specify multiple alternate gatekeepers as a comma separated list.
SendTo=1.2.3.4:1719
Default: N/A
Although this information is contained in AlternateGKs, you must still
specify which address to forward RRQs to. This might differ from AlternateGK's
address due to multihomed systems, so it's a separate config option.
You can specify multiple gatekeepers in a comma separated list.
SkipForwards=1.2.3.4,5.6.7.8
Default: N/A
To avoid circular forwarding, you shouldn't forward RRQs you get from the
other gatekeeper (this statement is true for both primary and alternate gatekeeper).
Two mechanisms are used to identify whether a request should be forwarded.
The first one looks for a flag in the RRQ. Since few endpoints implement this,
we can increase the overall reliability of the system by specifying it here.
Specify the other gatekeeper's IP in this list.
StatusPort=7000
Default: 7000
Status port to monitor the gatekeeper.
See
this section for details.
StatusTraceLevel=2
Default: 2
Default output trace level for new status interface clients.
See
this section for details.
TimestampFormat=ISO8601
Default: Cisco
This setting configures the default format of timestamp strings generated by the gatekeeper.
This option affects
[SqlAcct],
[RadAcct],
[FileAcct]
and other modules, but not
[CallTable].
You can further customize timestamp formatting per module by configuring the
TimestampFormat setting in the module-specific configuration portion of the config file.
There are four predefined formats:
RFC822 - a default format used by the gatekeeper (example: Wed, 10 Nov 2004 16:02:01 +0100)ISO8601 - standard ISO format (example: 2004-11-10 T 16:02:01 +0100)Cisco - format used by Cisco equipment (example: 16:02:01.534 CET Wed Nov 10 2004)MySQL - simple format that MySQL can understand (example: 2004-11-10 16:02:01)
If none of the predefined options is suitable, you can build your own format string using
rules from the strftime C function (see man strftime or search MSDN for strftime).
In general, the format string consists of regular character and format codes, preceded
by a percent sign. Example: "%Y-%m-%d and percent %%" will result in "2004-11-10 and percent %".
Some common format codes:
%a - abbreviated weekday name%A - full weekday name%b - abbreviated month name%B - full month name%d - day of month as decimal number%H - hour in 24-hour format%I - hour in 12-hour format%m - month as decimal number%M - minute as decimal number%S - second as decimal number%y - year without century%Y - year with century%u - microseconds as decimal number (this is a GnuGk extension)%z - time zone abbreviation (+0100)%Z - time zone name%% - percent sign
EncryptAllPasswords=1
Default: 0
Enable encryption of all passwords in the config (SQL passwords, RADIUS
passwords, [Password] passwords, [GkStatus::Auth] passwords). If enabled,
all passwords must be encrypted using the addpasswd utility. Otherwise
only [Password] and [GkStatus::Auth] passwords are encrypted (old behavior).
KeyFilled=0
Default: N/A
Define a global padding byte to be used during password encryption/decryption.
It can be overridden by setting KeyFilled within a particular config section.
Usually, you do not need to change this option.
Most users will never need to change any of the following values.
They are mainly used for testing or very sophisticated applications.
UseBroadcastListener=0
Default: 1
Defines whether to listen to broadcast RAS requests. This requires
binding to all interfaces on a machine, so if you want to run multiple
gatekeepers on the same machine you should turn this off.
UnicastRasPort=1719
Default: 1719
The RAS channel TSAP identifier for unicast.
UseMulticastListener=0
Default: 1
Enable or disable gatekeeper discovery using multicast. By default it is enabled.
MulticastPort=1718
Default: 1718
The RAS channel TSAP identifier for multicast.
MulticastGroup=224.0.1.41
Default: 224.0.1.41
The multicast group for the RAS channel.
EndpointSignalPort=1720
Default: 1720
Default port for call signaling channel of endpoints.
ListenQueueLength=1024
Default: 1024
Queue length for incoming TCP connection.
SignalReadTimeout=1000
Default: 1000
Time in milliseconds for read timeout on call signaling channels (Q931).
StatusReadTimeout=3000
Default: 3000
Time in milliseconds for read timeout on status channel.
StatusWriteTimeout=5000
Default: 5000
Time in milliseconds for write timeout on status channel.
ExternalIP=myip.no-ip.com
Default: N/A
When using GnuGk behind a NAT you can set the external IP address
that you wish the gatekeeper to masquerade as. This will allow external endpoints
and other gatekeepers to contact the NATed gatekeeper. To work you must port
forward the required ports to the gatekeeper IP or put the gatekeeper in the NAT box
DMZ. This is different than the bind setting, which specifies a physical IP
address on the GnuGk box.
You may specify an IP address or a fully-qualified domain name (FQDN). If
you use a FQDN and ExternalIsDynamic is set to false, it will be
resolved to an IP address on startup or configuration reload. If
ExternalIsDynamic is set to true, the name will be stored and
resolved when needed.
ExternalIsDynamic=1
Default: 0
Configures the GnuGk to support an external dynamic address. If enabled,
GnuGk will ensure that the Dynamic DNS (DDNS) service receives keep-alive
messages to maintain your DDNS name lease. You must also configure the
ExternalIP setting with a DNS address maintained by a DDNS service
such as www.dyndns.com or www.no-ip.com.
DefaultDomain=gnugk.org,gnugk.de
Default: N/A
If the GnuGk receives a request for an address in the format
user@domain.com, this option will strip the domain from the address
if it matches the DefaultDomain setting and will then process the
request using just the "user" field. This is useful when receiving
interdomain calls placed via SRV routing policy where the full URI is
received. It can also be used in conjunction with the
[RasSrv::RewriteAlias] section to convert the received URI into a E164
number for further processing and routing.
Authenticators=H.235.1,CAT
Default: N/A
Selects the specific authenticators to use when authenticating endpoints.
The default options are: H.235.1 (HMAC SHA1 / old H235AnnexD), MD5 (Digest Authentication) and CAT (Cisco Access Tokens ie RADIUS).
If this setting is omitted, all authenticators are loaded by default.
If you are using plugin authenticators, then you may want to disable the default authenticators to provide optimum security.
Note: H.235.1 requires OpenSSL support compiled into GnuGk.
This switch is only available if GnuGk is compiled with H323Plus.
DisconnectCallsOnShutdown=0
Default: 1
GnuGk will disconnect all ongoing calls when it shuts down and
will send an unregistration request to all endpoints.
To override this default, set this parameter to "0".
This switch is intended mainly for gatekeepers running in direct mode;
in routed mode and proxy mode calls will still get disrupted when the gatekeeper shuts down.
Defines a number of rules regarding who is allowed to connect to the status port.
Access to the status port provides full control over your gatekeeper. Ensure that this is set correctly.
rule=allow
Default: forbid
Possible values are
forbid - disallow any connection.allow - allow any connectionexplicit - reads the parameter ip=value
where ip is the IP address of the client,
value is 1,0 or allow,forbid or yes,no.
If ip is not listed the parameter default is used.regex - the IP of the client is matched against the given regular expression.
- Example:
To allow client from 195.71.129.0/24 and 195.71.131.0/24:
regex=^195\.71\.(129|131)\.[0-9]+$
password - the user must provide an appropriate username and password to login. The format of username/password is the same as
[SimplePasswordAuth] section.
These rules may be combined with "|" (to specify a logical "OR") or "&" (for logical "AND"). For example,
rule=explicit | regex
The IP of the client must match explicit or regex rule.
rule=regex & password
The IP of the client must match regex rule, and the user has to login by username and password.
default=allow
Default: forbid
Only used when rule=explicit.
Shutdown=forbid
Default: allow
To allow the gatekeeper to be shutdown via status port.
DelayReject=5
Default: 0
Time (in seconds) to wait before rejecting an invalid username/password. Useful to insert
a delay in brute-force attacks.
See
Status Port Filtering.
This section defines log file related parameters. Currently, it allows
users to specify log file rotation options.
Filename=/var/log/gk_trace.log
Default: N/A
Set the output filename for the log file (same as -o on the command line).
This setting doesn't change when the config is reloaded!
Rotate=Hourly | Daily | Weekly | Monthly
Default: N/A
If set, the log file will be rotated based on this setting. Hourly rotation
enables rotation once per hour, daily - once per day, weekly - once per week
and monthly - once per month. An exact rotation moment is determined by a combination
of RotateDay and RotateTime variables. During rotation, an existing
file is renamed to CURRENT_FILENAME.YYYYMMDD-HHMMSS, where YYYYMMDD-HHMMSS
is replaced with the current timestamp, and new lines are logged to an empty
file. To disable rotation, do not configure the Rotate parameter or set it to 0.
- Example 1 - rotate every hour (00:45, 01:45, ..., 23:45):
[LogFile]
Rotate=Hourly
RotateTime=45
- Example 2 - rotate every day at 23:00 (11PM):
[LogFile]
Rotate=Daily
RotateTime=23:00
- Example 3 - rotate every Sunday at 00:59:
[LogFile]
Rotate=Weekly
RotateDay=Sun
RotateTime=00:59
- Example 4 - rotate on the last day of each month:
[LogFile]
Rotate=Monthly
RotateDay=31
RotateTime=23:00
Next
Previous
Contents
�
Chapters:
Contents ·
Introduction ·
Installation ·
Getting started ·
Basic Config ·
Routed Mode & Proxy ·
Routing ·
RAS Config ·
Authentication ·
Accounting ·
Neighbors ·
Per Endpoint Config ·
Advanced Config ·
Monitoring
|
