This is the manual for GNU Gatekeeper 5.0.
A manual for your version is in your GnuGk download archive.
A PDF version can be found in the download section.

Chapters: Contents · Introduction · Installation · Getting started · Basic Config · Routed Mode & Proxy · Routing · RAS Config · Authentication · Accounting · Neighbors · Per Endpoint Config · Advanced Config · Monitoring · Advanced Topics

Download GnuGk    Join the community    Get support

The GNU Gatekeeper Manual Chapter 4

4. Basic Gatekeeper Configuration

The behavior of the gatekeeper is determined by the command line options and configuration file. Some command line options may override a setting from the configuration file. For example, the option -l overrides the setting TimeToLive in the configuration file.

4.1 Command Line Options

Almost every option has a short and a long format, e.g., -c is the same as --config.


-h --help

Show all available options and quit the program.

-c --config filename

Specify the configuration file to use.


Strict configuration check (don't start with config errors)

-s --section section

Specify which main section to use in the configuration file. The default is [Gatekeeper::Main].

-l --timetolive n

Specify the time-to-live timer (in seconds) for endpoint registration. Overrides the setting TimeToLive in the configuration file. See there for detailed explanations.

-b --bandwidth n

Specify the total bandwidth available for the gatekeeper in units of 100 bits per second. Without this option, bandwidth management is disabled.

-e --externalip x.x.x.x

Specify the external IP, overrides [Gatekeeper::Main] ExternalIP=

--pid filename

Specify the pid file. Only valid for Unix version.

-u --user name

Run the gatekeeper process as this user. Only valid for Unix version.

--core n

Enable writing core dump files when the application crashes. A core dump file will not exceed n bytes in size. A special constant "unlimited" may be used to not enforce any particular limit. Only valid on Linux.


Lock GnuGk into memory to prevent it being swaped out. Only valid on Linux.

Gatekeeper Mode

The options in this subsection override the settings in the [RoutedMode] section of the configuration file.

-d --direct

Use direct endpoint call signaling.

-r --routed

Use gatekeeper routed call signaling.

-rr --h245routed

Use gatekeeper routed call signaling and H.245 control channel.

Debug Information

-o --output filename

Write trace log to the specified file.

-t --trace

Set trace verbosity. Each additional -t adds additional verbosity to the output. For example, use -ttttt to set the trace level to 5.

4.2 Configuration File

The GNU Gatekeeper configuration file is a standard text file. The basic format is:

[Section String]
Key Name=Value String

Comments are marked with a hash (#) or a semicolon (;) at the beginning of a line.

The file complete.ini contains all available sections for GnuGk. In most cases it doesn't make sense to use them all at once. The file is just meant as a collection of examples for many settings.

The configuration file can be changed at run time. Once you modify the configuration file, you may issue the reload command via the status port, or send the HUP signal to the gatekeeper process:

kill -HUP `cat /var/run/`

4.3 Database Configuration

All GnuGk modules that use a database (eg. [SQLAuth], [SQLAcct] etc.) support a common set of configuration parameters that is described here. You have to repeat all settings for each module, even if they are the same. But you are also free to use differend database drivers and options for each module.

  • Driver=MySQL | PostgreSQL | Firebird | ODBC | SQLite
    Default: N/A

    Database driver to use. Currently, MySQL, PostgreSQL, Firebird, ODBC and SQLite drivers are implemented. The MySQL driver can also be used for MariaDB and other MySQL forks. Not all of these driver are always available. When GnuGk is compiled, only those drivers are included where the necessary database libraries and header files are available. When you start GnuGk, you can see in the version string which drivers are included in your executable. At runtime, GnuGk will load the shared library (DLL) for the database you have configured.

    GnuGk supports version 3 of SQLite.

    Make sure your database is configured to support password-based authentication - Microsoft SQL Server must use "Mixed Mode" for this feature to function properly.

  • Library=c:/Program Files/Mysql/libmysql.dll
    Default: N/A

    If the shared library or DLL is not found automatically, you can set a different filename here or provide an absolute path to the library.

  • Host=DNS[:PORT] | IP[:PORT]
    Default: localhost

    SQL server host address. Can be in the form of DNS[:PORT] or IP[:PORT]. Like or or The ODBC driver will ignore this setting.

  • Database=billing
    Default: N/A

    The database name to connect to.

    To connect to an ODBC data source from a Windows server, create the data source though Control Panel / Administrative Tools / Data Sources (ODBC) and add a System DSN. Use the name of the System DSN in GnuGk's Database= setting.

    To connect to an ODBC data source from a Unix server, use a DSN definition configured in unixODBC. Some unixODBC drivers seem to ignore the Username and Passwort set in the GnuGk config. For those, you should use a DSN of the form DSN=GnuGk;UID=admin;PWD=secret;. Even in this case, GnuGk's Usename= and Password= settings must always be present. Depending on your unixODBX configuration, you might have to export ODBCINI=/etc/unixODBC/odbc.ini and export ODBCSYSINI=/etc/unixODBC before starting GnuGk.

  • Username=gnugk

    The username used to connect to the database.

  • Password=secret

    The password used to connect to the database. If the password is not specified, a database connection attempt without any password will be made. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password to connect to the database is in an encrypted form and should be created using the addpasswd utility.

  • MinPoolSize=5
    Default: 1

    Define the number of active SQL connections. This allows for better performance under heavy load, because more than 1 concurrent query can be executed at the same time. Setting MinPoolSize=1 will simulate the old behavior, when access to the SQL database was serialized (one query at time). Don't let the name fool you, this is the exact number of connections.

  • ConnectTimeout=5
    Default: 10

    Timeout for database connects in seconds.

    Currently only used by the MySQL driver; the other drivers use library defaults.

  • ReadTimeout=10
    Default: 60

    Timeout for database reads in seconds.

    Currently only used by the MySQL driver; the other drivers use library defaults.

Placeholders in queries

Many SQL modules provide a set of placeholders that you can use in your queries, like %{CallId} in SqlAcct.

Placeholders allways start with the percent sign. Beware that you must escape the percent sign if you need it for something else in your queries (eg. in a LIKE). One way to do so is to use CHAR(37), eg. concat(alias,CHAR(37)) instead of concat(alias,'%').

Stored Procedures

Stored procedures work very well when using MySQL.

When using ODBC, you can not call stored procedures which use parameters using the "CALL ProcedureName" syntax, but you can call them with "EXEC ProcedureName".

When using stored procedures for accounting, make sure they return at least one dummy row, so GnuGk won't drop the call.

4.4 LUA Scripting

Some GnuGk modules allow executing dynamic scripts written in LUA, eg. [Routing::Lua] or [LuaAuth].

LUA is a simple scripting language which is also used by other networking tools like Wireshark, FreeSWITCH or nmap. For details on the LUA language, please see

Depending on the module, you'll get some variables to see details eg. about the incoming call and your script can set certain output variables to define what GnuGk should do with the call. You'll find more details in the documentation for each module.

All LUA modules have a common LUA library called "gnugk" that allows access to GnuGk functionality.

  • gnugk.trace(level, "message") - write to the GnuGk trace file
  • gnugk.get_config_string("section", "switch", "default") - read a string from the GnuGk config
  • gnugk.get_config_integer("section", "switch", default) - read an integer from the GnuGk config

4.5 Regular Expressions

In a few places in the configuration file, GnuGk allows regular expressions. The syntax for these regular expressions is "extended POSIX 1003.2 regular expressions". On Unix systems you can usually get a manual page explaining the syntax with "man 7 regex" or see it online at

4.6 Section [Gatekeeper::Main]

  • Name=GnuGk
    Default: GnuGk

    Gatekeeper identifier of this gatekeeper. The gatekeeper will only respond to GRQs for this ID and will use it in a number of messages to its endpoints.

  • EnableIPv6=1
    Default: 0

    If GnuGk has been compiled with IPv6 support, you can use this switch to turn it on.

    Make sure you assign regular IPv6 addresses to your server. GnuGk won't use any link-local addresses (fe80::/10).

  • Home=
    Default: listen to all IPs

    The gatekeeper will listen for requests on this IP address. If not set, the gatekeeper will listen on all IPs of your host. Multiple Home addresses can be used and must be separated with a semicolon (;) or comma (,).

  • NetworkInterfaces=,
    Default: N/A

    Specify the network interfaces of the gatekeeper. By default the gatekeeper will automatically detect the interfaces of your host, so this setting is not usually required, but is available if automatic detection fails. If you are using GnuGk behind a NAT box then you should use the ExternalIP setting (described below) which will automatically configure GnuGk to operate as if it was on the NAT box. The ExternalIP setting will take precedence and will override this value.

    NOTE: If this setting is changed, you must restart the gatekeeper. A reload from the status port will not cause this value to be re-read.

  • Bind=
    Default: N/A

    Specify the IP address for default routing. Use this to specify which default IP address to use in a multihomed virtual environment where there may be many virtual interfaces on one host.

  • EndpointIDSuffix=_tgdz646438
    Default: _endp

    The gatekeeper will assign a unique identifier to each registered endpoint. This option can be used to specify a suffix to append to the endpoint identifier. This option useful for security to make it harder for an attacker to guess endpoint IDs and should be set to a value that can't easily be guessed.

    This setting doesn't change when the config is reloaded, you must do a full restart!

  • TimeToLive=300
    Default: -1

    An endpoint's registration with a gatekeeper may have a limited life span. The gatekeeper specifies the registration duration for an endpoint by including a timeToLive field in the RCF message. After the specified length of time, the registration is considered expired. The endpoint must periodically send a RRQ having the keepAlive bit set prior to the expiration time. Such a message may include a minimum amount of information as described in H.225.0 and is known as a lightweight RRQ.

    The endpoint may request a shorter timeToLive in the RRQ message to the gatekeeper.

    To avoid an overload of RRQ messages, the gatekeeper automatically resets this timer to 60 seconds if you specify a lower value.

    After the expiration time, the gatekeeper will make two attempts using IRQ messages to determine if the endpoint is still alive. If the endpoint responds with an IRR, the registration will be extended. If not, the gatekeeper will send a URQ with reason ttlExpired to the endpoint. The endpoint must then re-register with the gatekeeper using a full RRQ message.

    To disable this feature, set it to -1.

  • EnableTTLRestrictions=0
    Default: 1

    The default TimeToLive (TTL) configured via the "TimeToLive" parameter does not apply to endpoints which use the H.460.17 and H.460.18 protocols to traverse a firewall. In order to keep the firewall pinhole open the TimeToLive for those endpoints defaults to 19 seconds. The "TimeToLive" parameter would allow you to change this to as low as 5 seconds, and as high as 30 seconds.

    If you know for sure that there is no need for a keep-alive, you can disable these restrictions by setting this switch to 0. If TTL restrictions are disabled, the TimeToLive becomes a global setting for all endpoints, including H.460.17 and H.460.18.

  • CompareAliasType=0
    Default: 1

    By default, a H323ID of '1234' won't match E164 number '1234' when comparing aliases. This parameter allows you to ignore the alias type when performing comparisons.

  • CompareAliasCase=0
    Default: 1

    By default, alias 'jan' won't match alias 'Jan'. If set to false, the comparison will not be case sensitive.

  • TraceLevel=2
    Default: 0

    Set trace level (same as -t on the command line).

  • TotalBandwidth=100000
    Default: -1

    Total bandwidth available for all endpoints in units of 100 bits per second (eg. 5120 means 512 kbps). By default this feature is off (-1).

    NOTE: At this time, the GnuGk only checks calls to and from registered endpoints.

  • MinimumBandwidthPerCall=1280
    Default: -1

    Raise bandwidth requests from endpoints to at least this value in units of 100 bits per second. The value includes both directions, so a 384 kbps call would have a value of 7680. Setting a minimum is useful when endpoints don't report correct values (eg. Netmeeting). If set to zero or less, no minimum is enforced (default).

    NOTE: At this time, the GnuGk only checks calls to and from registered endpoints.

  • MaximumBandwidthPerCall=100000
    Default: -1

    Set maximum bandwidth allowed for a single call in units of 100 bits per second. If set to zero or less, no maximum is enforced (default).

    NOTE: At this time, the GnuGk only checks calls to and from registered endpoints.

  • RedirectGK=Endpoints > 100 | Calls > 50
    Default: N/A

    This option allow you to redirect endpoints to alternate gatekeepers if the gatekeeper becomes overloaded. In the example above, the gatekeeper will reject a RRQ if the number of registered endpoints would exceed 100, or reject an ARQ if concurrent calls exceed 50.

    Furthermore, you may explicitly redirect all endpoints by setting this option to temporary or permanent. The gatekeeper will send a RAS rejection message with a list of alternate gatekeepers defined in AlternateGKs. Note that a permanent redirection means that the redirected endpoints will not register with this gatekeeper again. NOTE: The redirect capability will only function with H.323 version 4 compliant endpoints.

  • AlternateGKs=;1719;false;120;GnuGk
    Default: N/A

    If the endpoint loses connectivity with GnuGk it should automatically try to register with the alternate gatekeeper specified here.

    NOTE: Depending on the endpoint, it may not attempt to re-establish a connection to its original gatekeeper. Support for "Assigned Gatekeepers" was added in H.323v6. See for additional information.

    The primary gatekeeper includes a field in the RCF to inform endpoints which alternate IP and gatekeeper identifier to use.

    The alternate gatekeeper needs to be aware of all registrations on the primary gatekeeper or else it would reject calls. Our gatekeeper can forward every RRQ to an alternate IP address.

    The AlternateGKs config option specifies the fields contained in the primary gatekeeper's RCF. The first and second fields of this string define where (IP, port) to forward to. The third tells endpoints whether they need to register with the alternate gatekeeper before placing calls. They usually don't because we forward their RRQs, so they are automatically known to the alternate gatekeeper. The fourth field specifies the priority for this gatekeeper. Lower is better; usually the primary gatekeeper is considered to have priority 1. The last field specifies the alternate gatekeeper's identifier.

    You may specify multiple alternate gatekeepers as a comma separated list.

    This global definition can be overriden by a per IP specification in [RasSrv::AlternateGatekeeper].

  • SendTo=
    Default: N/A

    Although this information is contained in AlternateGKs, you must still specify which address to forward RRQs to. This might differ from AlternateGK's address due to multihomed systems, so it's a separate config option.

    You can specify multiple gatekeepers in a comma separated list.

  • SkipForwards=,
    Default: N/A

    To avoid circular forwarding, you shouldn't forward RRQs you get from the other gatekeeper (this statement is true for both primary and alternate gatekeeper). Two mechanisms are used to identify whether a request should be forwarded. The first one looks for a flag in the RRQ. Since few endpoints implement this, we can increase the overall reliability of the system by specifying it here.

    Specify the other gatekeeper's IP in this list.

  • StatusPort=7000
    Default: 7000

    Status port to monitor the gatekeeper. Set to 0 to switch the port off. See this section for details.

    The GNU Gatekeeper will listen to the status port on all IPs it is listening for call signaling. You should protect those ports in your firewall and set access control rules in the [GkStatus::Auth] section for those you can't close completely in your firewall.

  • StatusTraceLevel=2
    Default: 2

    Default output trace level for new status interface clients. See this section for details.

  • MaxStatusClients=5
    Default: 20

    Specifies the maximum number of concurrent connections on the status port. To disable any connections to the status port, set this switch to 0.

  • SshStatusPort=1
    Default: 0

    Use the SSH protocol for the status port. User passwords can be set in the [GkStatus::Auth] section.

    Example connection command:

    ssh -p 7000 gnugk@

  • StatusEventBacklog=20
    Default: 0

    Set the number of status port events that are saved for later display in a ring buffer.

  • StatusEventBacklogRegex=^[RA]RJ
    Default: .

    Define a regular expression to restrict which status port events are saved in the backlog. By default all events are saved.

  • TimestampFormat=ISO8601
    Default: Cisco

    This setting configures the default format of timestamp strings generated by the gatekeeper. This option affects [SQLAcct], [RadAcct], [FileAcct] and other modules, but not [CallTable]. You can further customize timestamp formatting per module by configuring the TimestampFormat setting in the module-specific configuration portion of the config file.

    There are four predefined formats:

    • RFC822 - a default format used by the gatekeeper (example: Wed, 10 Nov 2004 16:02:01 +0100)
    • ISO8601 - standard ISO format (example: 2004-11-10 T 16:02:01 +0100)
    • Cisco - format used by Cisco equipment (example: 16:02:01.534 CET Wed Nov 10 2004)
    • MySQL - simple format that MySQL can understand (example: 2004-11-10 16:02:01)

    If none of the predefined options is suitable, you can build your own format string using rules from the strftime C function (see man strftime or search MSDN for strftime). In general, the format string consists of regular character and format codes, preceded by a percent sign. Example: "%Y-%m-%d and percent %%" will result in "2004-11-10 and percent %". Some common format codes:

    • %a - abbreviated weekday name
    • %A - full weekday name
    • %b - abbreviated month name
    • %B - full month name
    • %d - day of month as decimal number
    • %H - hour in 24-hour format
    • %I - hour in 12-hour format
    • %m - month as decimal number
    • %M - minute as decimal number
    • %S - second as decimal number
    • %y - year without century
    • %Y - year with century
    • %u - microseconds as decimal number (this is a GnuGk extension)
    • %z - time zone abbreviation (+0100)
    • %Z - time zone name
    • %% - percent sign

  • EncryptAllPasswords=1
    Default: 0

    Enable encryption of all passwords in the config (SQL passwords, RADIUS passwords, [Password] passwords, [GkStatus::Auth] passwords). If enabled, all passwords must be encrypted using the addpasswd utility. Otherwise only [Password] and [GkStatus::Auth] passwords are encrypted (old behavior).

  • KeyFilled=0
    Default: N/A

    Define a global padding byte to be used during password encryption/decryption. It can be overridden by setting KeyFilled within a particular config section. Usually, you do not need to change this option.

Most users will never need to change any of the following values. They are mainly used for testing or very sophisticated applications.

  • UseBroadcastListener=0
    Default: 1

    Defines whether to listen to broadcast RAS requests. This requires binding to all interfaces on a machine, so if you want to run multiple gatekeepers on the same machine you should turn this off.

  • UnicastRasPort=1719
    Default: 1719

    The RAS channel TSAP identifier for unicast, aka "the normal RAS UDP port".

  • UseMulticastListener=0
    Default: 1

    Enable or disable gatekeeper discovery using IPv4 multicast. By default it is enabled.

  • MulticastPort=1718
    Default: 1718

    The RAS channel TSAP identifier for IPv4 multicast.

  • MulticastGroup=

    The IPv4 multicast group for the RAS channel.

  • EndpointSignalPort=1720
    Default: 1720

    Default port for call signaling channel of endpoints. Used when searching for endpoints in the registration table when the actual call signaling port is unknown.

  • ListenQueueLength=1024
    Default: 1024

    Queue length for incoming TCP connection.

  • StatusSendBufferSize=16384
    Default: 16384

    Set the TCP send buffer size for status port connections.

  • StatusReceiveBufferSize=16384
    Default: 16384

    Set the TCP receive buffer size for status port connections.

    Default: N/A

    When using GnuGk behind a NAT you can set the external IP address that you wish the gatekeeper to masquerade as. This will allow external endpoints and other gatekeepers to contact the NATed gatekeeper. To work you must enable proxy-mode and port forward the required ports to the gatekeeper IP or put the gatekeeper in the NAT box DMZ. This is different than the bind setting, which specifies a physical IP address on the GnuGk box.

    You may specify an IP address or a fully-qualified domain name (FQDN). If you use a FQDN and ExternalIsDynamic is set to false, it will be resolved to an IP address on startup or configuration reload. If ExternalIsDynamic is set to true, the name will be stored and resolved when needed.

    If you set this switch to "AWSPublicIP", GnuGk will fetch the public / elastic IP from AWS meta data. Same with "AzurePublicIP" and "AlibabaPublicIP" for Azure and Alibaba Cloud.

  • ExternalIsDynamic=1
    Default: 0

    Configures the GnuGk to support an external dynamic address. If enabled, GnuGk will ensure that the Dynamic DNS (DDNS) service receives keep-alive messages to maintain your DDNS name lease. You must also configure the ExternalIP setting with a DNS address maintained by a DDNS service such as or

    Default: N/A

    If the GnuGk receives a request for an address in the format, this option will strip the domain from the address if it matches the DefaultDomain setting and will then process the request using just the "user" field. This is useful when receiving interdomain calls placed via SRV routing policy where the full URI is received. It can also be used in conjunction with the [RasSrv::RewriteAlias] section to convert the received URI into an E.164 number for further processing and routing.

  • Authenticators=H.235.1,CAT
    Default: H.235.1,MD5,CAT

    Selects the specific authenticators to use when authenticating endpoints. The default options are: H.235.1 (HMAC SHA1 / old H235AnnexD), MD5 (Digest Authentication) and CAT (Cisco Access Tokens ie RADIUS). Setting a value of NONE will disable authenticators. The order indicates the priority of the authentication mechanism. If this setting is omitted, all authenticators are loaded by default. If you are using plugin authenticators, then you may want to disable the default authenticators to provide optimum security. Note: H.235.1 requires OpenSSL support compiled into GnuGk.

  • DisconnectCallsOnShutdown=0
    Default: 1

    GnuGk will disconnect all ongoing calls when it shuts down and will send an unregistration request to all endpoints. To override this default, set this parameter to "0". This switch is intended mainly for gatekeepers running in direct mode; in routed mode and proxy mode calls will still get disrupted when the gatekeeper shuts down.

  • MaxASNArraySize=400
    Default: 128

    Sets the maximum number of elements in an ASN encoded array, eg. the max. number of aliases in a list. Versions of PTLib through v2.10.1 default to 128 elements. Beware of hitting the limits of other vendors if you increase this setting.

  • MaxSocketQueue=10000
    Default: 100

    Limit how many bytes to queue for a socket before it is considered dead and will be closed. This probably is only an issue with H.460.17.

  • TTLExpireDropCall=0
    Default: 1

    Set whether to drop a registration on TTL expiry even if there appears to be a current call for the endpoint. By default it will force the drop of the call before unregistering the endpoint. A situation may occur if there are bandwidth congestion, RRQ packets are being lost but an active call (likely causing the congestion) is still in progress. By enabling this switch the registration remains current until a RRQ is received or the apparent call either times out or is dropped.

  • MinH323Version=7
    Default: 2

    Set the minimum H.225 and H.245 protocol identifiers for gatekeeper generated messages. Usually it is not necessary to set this switch and it is best to leave the version low for interoperability with older endpoints. Use this switch if you are dealing with endpoints that eg. won't enable features when they receive messages with a low version number.

  • RASDiffServ=46
    Default: 0
    Set the DiffServ class (DSCP) for RAS messages. (On most Windows versions, setting the the DSCP this way won't work.)

4.7 Section [GkStatus::Auth]

Defines a number of rules regarding who is allowed to connect to the status port. Access to the status port provides full control over your gatekeeper. Ensure that this is set correctly. The status port is active on all IPs GnuGk listens to. You should block as many status ports in your firewall as your setup allows. If you rely on password rules to secure the status port, you should add additional IP based rules ('explicit' or 'regex') to limit the IP range where logins are allowed from.

  • rule=allow
    Default: forbid

    Possible values are

    • forbid - disallow any connection.
    • allow - allow any connection
    • explicit - reads the parameter ip=value where ip is the IP address of the client, value is 1,0 or allow,forbid or yes,no. If ip is not listed the parameter default is used.
    • regex - the IP of the client is matched against the given regular expression.


      To allow client from and


    • password - the user must provide an appropriate username and password to login. The format of username/password is the same as [SimplePasswordAuth] section. Starting with GnuGk 4.0 you can also store only a PBKDF2 hash of the password in the config. This is much safer.



    These rules may be combined with "|" (to specify a logical "OR") or "&" (for logical "AND"). For example,

    • rule=explicit | regex
      The IP of the client must match explicit or regex rule.
    • rule=regex & password
      The IP of the client must match regex rule, and the user has to login by username and password.

    Using the SSH protocol for the status port implies that all users are authenticated by password, but you can impose additional IP rules eg. "regex & password".

  • default=allow
    Default: forbid

    Only used when rule=explicit.

  • DSAKey=/etc/ssh/ssh_host_dsa_key
    Default: ssh_host_dsa_key (in current working directory)

    Path for the file containing the DSA host key. (only used for SSH)

    For SSH access, you must a DSA key or RSA key configured, or both.

    To generate a DSA key (press Enter twice to not set a passphrase)

    ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key

  • RSAKey=/etc/ssh/ssh_host_rsa_key
    Default: ssh_host_rsa_key (in current working directory)

    Path for the file containing the RSA host key. (only used for SSH)

    For SSH access, you must a DSA key or RSA key configured, or both.

    To generate a RSA key (press Enter twice to not set a passphrase)

    ssh-keygen -t rsa -b 2048 -f ssh_host_rsa_key

  • Shutdown=forbid
    Default: allow

    To allow the gatekeeper to be shutdown via status port.

  • DelayReject=5
    Default: 0

    Time (in seconds) to wait before rejecting an invalid username/password. Useful to insert a delay in brute-force attacks.

  • WorkerThreadIdleTimeout=7200
    Default: 3600

    Default timeout in seconds after which idle worker threads are deleted from thread pool.

    Don't set this value too low when using a PTLib version with a memory leak when deleting AutoDelete threads, eg. 2.10.9.

4.8 Section [GkStatus::Filtering]

See Status Port Filtering.

4.9 Section [LogFile]

This section defines log file related parameters. Currently, it allows users to specify log file rotation options.

  • LogToSyslog=1
    Default: 0

    Send trace output to the syslog (Unix only).

  • Filename=/var/log/gk_trace.log
    Default: N/A

    Set the output filename for the log file (same as -o on the command line). On Windows, backslashes in the file name have to be escaped.

    This setting doesn't change when the config is reloaded!

    The following placeholders will be replaced:

    • %{gkip} - IP address of the gatekeeper
    • %{external-ip} - external IP, if configured

  • Rotate=Hourly | Daily | Weekly | Monthly
    Default: N/A

    If set, the log file will be rotated based on this setting. Hourly rotation enables rotation once per hour, daily - once per day, weekly - once per week and monthly - once per month. An exact rotation moment is determined by a combination of RotateDay and RotateTime variables. During rotation, an existing file is renamed to CURRENT_FILENAME.YYYYMMDD-HHMMSS, where YYYYMMDD-HHMMSS is replaced with the current timestamp, and new lines are logged to an empty file. To disable rotation, do not configure the Rotate parameter or set it to 0.

  • DeleteOnRotation=1
    Default: 0

    Delete the old logfile when rotating instead of renaming it. All data from the previous rotation period is lost, but there is less chance that your disk will overflow.

    Example 1 - rotate every hour (00:45, 01:45, ..., 23:45):


    Example 2 - rotate every day at 23:00 (11PM):


    Example 3 - rotate every Sunday at 00:59:


    Example 4 - rotate on the last day of each month:


Next Previous Contents

Chapters: Contents · Introduction · Installation · Getting started · Basic Config · Routed Mode & Proxy · Routing · RAS Config · Authentication · Accounting · Neighbors · Per Endpoint Config · Advanced Config · Monitoring · Advanced Topics

Last updated: 17. Aug 2018