shorewall_code/Shorewall-lite/manpages/shorewall-lite.conf.xml

196 lines
7.2 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-lite.conf</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>shorewall-lite.conf</refname>
<refpurpose>Shorewall Lite global configuration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall-lite/shorewall-lite.conf</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file sets options that apply to Shorewall Lite as a
whole.</para>
<para>The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements
(<emphasis>variable</emphasis>=<emphasis>value</emphasis>). Each
variable's setting is preceded by comments that describe the variable and
it's effect.</para>
<para>Any option not specified in this file gets its value from the
shorewall.conf file used during compilation of
/var/lib/shorewall-lite/firewall. Those settings may be found in the file
/var/lib/shorewall-lite/firewall.conf.</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<para>The following options may be set in shorewall.conf.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This parameter names the iptables executable to be used by
Shorewall. If not specified or if specified as a null value, then
the iptables executable located using the PATH option is
used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This parameter tells the /sbin/shorewall program where to look
for Shorewall messages when processing the <emphasis
role="bold">dump</emphasis>, <emphasis
role="bold">logwatch</emphasis>, <emphasis role="bold">show
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
If not assigned or if assigned an empty value, /var/log/messages is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOGFORMAT=</emphasis>[<emphasis
role="bold">"</emphasis><emphasis>formattemplate</emphasis><emphasis
role="bold">"</emphasis>]</term>
<listitem>
<para>The value of this variable generate the --log-prefix setting
for Shorewall logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging rule
number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:</para>
<programlisting> LOGFORMAT="fp=%s:%d a=%s "</programlisting>
<para>If the LOGFORMAT value contains the substring “%d” then the
logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then
“Shorewall:%s:%s:” is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold"><emphasis
role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>pathname</emphasis>]...</emphasis></term>
<listitem>
<para>Determines the order in which Shorewall searches directories
for executable files.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RESTOREFILE=</emphasis>[<emphasis>filename</emphasis>]</term>
<listitem>
<para>Specifies the simple name of a file in /var/lib/shorewall to
be used as the default restore script in the <emphasis
role="bold">shorewall save</emphasis>, <emphasis
role="bold">shorewall restore</emphasis>, <emphasis
role="bold">shorewall forget </emphasis>and <emphasis
role="bold">shorewall -f start</emphasis> commands.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This option is used to specify the shell program to be used to
run the Shorewall compiler and to interpret the compiled script. If
not specified or specified as a null value, /bin/sh is assumed.
Using a light-weight shell such as ash or dash can significantly
improve performance.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SUBSYSLOCK=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when it
stops. Creating and removing this file allows Shorewall to work with
your distribution's initscripts. For RedHat, this should be set to
/var/lock/subsys/shorewall. For Debian, the value is
/var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>VERBOSITY=[<emphasis role="bold">number</emphasis>]</term>
<listitem>
<para>Shorewall has traditionally been very noisy (produced lots of
output). You may set the default level of verbosity using the
VERBOSITY OPTION.</para>
<para>Values are:</para>
<simplelist>
<member>0 - Silent. You may make it more verbose using the -v
option</member>
<member>1 - Major progress messages displayed</member>
<member>2 - All progress messages displayed (old default
behavior)</member>
</simplelist>
<para>If not specified, then 2 is assumed.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall-lite/shorewall.conf</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
<para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>