Yet more shorewall.conf(5) updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-21 00:47:55 +00:00
parent 1a74bdd8d7
commit b3ca84822b

View File

@ -33,6 +33,42 @@
<refsect1> <refsect1>
<title>OPTIONS</title> <title>OPTIONS</title>
<para>Many options have as their value a <emphasis>log-level</emphasis>.
Log levels are a method of describing to syslog (8) the importance of a
message and a number of parameters in this file have log levels as their
value.</para>
<para> These levels are defined by syslog and are used to determine the
destination of the messages through entries in /etc/syslog.conf (5). The
syslog documentation refers to these as "priorities"; Netfilter calls them
"levels" and Shorewall also uses that term.</para>
<para>Valid levels are:</para>
<programlisting> 7 debug
6 info
5 notice
4 warning
3 err
2 crit
1 alert
0 emerg</programlisting>
<para>For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
facility 'kern' and the level that you specifify. If you are unsure of the
level to choose, 6 (info) is a safe bet. You may specify levels by name or
by number.</para>
<para>If you have built your kernel with ULOG target support, you may also
specify a log level of ULOG (must be all caps). Rather than log its
messages to syslogd, Shorewall will direct netfilter to log the messages
via the ULOG target which will send them to a process called 'ulogd'.
ulogd is available with most Linux distributions (although it probably
isn't installed by default). Ulogd is also available from
http://www.gnumonks.org/projects/ulogd and can be configured to log all
Shorewall message to their own log file</para>
<para>The following options may be set in shorewall.conf.</para> <para>The following options may be set in shorewall.conf.</para>
<variablelist> <variablelist>
@ -474,7 +510,9 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>IPSECFILE={zones|ipsec}</term> <term><emphasis role="bold">IPSECFILE=</emphasis>{<emphasis
role="bold">zones</emphasis>|<emphasis
role="bold">ipsec</emphasis>}</term>
<listitem> <listitem>
<para>This should be set to <emphasis role="bold">zones</emphasis> <para>This should be set to <emphasis role="bold">zones</emphasis>
@ -751,8 +789,8 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MODULESDIR=</emphasis><emphasis>pathname</emphasis>[<emphasis role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>pathname</emphasis>]...</term> role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
<listitem> <listitem>
<para>This parameter specifies the directory/directories where your <para>This parameter specifies the directory/directories where your
@ -765,6 +803,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MUTEX_TIMEOUT=</emphasis>[<emphasis>seconds</emphasis>]</term>
<listitem>
<para>The value of this variable determines the number of seconds
that programs will wait for exclusive access to the Shorewall lock
file. After the number of seconds corresponding to the value of this
variable, programs will assume that the last program to hold the
lock died without releasing the lock. </para>
<para>If not set or set to the empty value, a value of 60 (60
seconds) is assumed.</para>
<para>An appropriate value for this parameter would be twice the
length of time that it takes your firewall system to process a
"shorewall restart" command. </para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">NAT_BEFORE_RULES=</emphasis>[<emphasis <term><emphasis role="bold">NAT_BEFORE_RULES=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -799,7 +857,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>PATH=<emphasis role="bold">pathname</emphasis>[<emphasis <term><emphasis
role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>pathname</emphasis>]...</term> role="bold">:</emphasis><emphasis>pathname</emphasis>]...</term>
<listitem> <listitem>
@ -872,7 +931,7 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RFC1918_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term> role="bold">RFC1918_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
<listitem> <listitem>
<para>This parameter determines the level at which packets logged <para>This parameter determines the level at which packets logged
@ -1051,7 +1110,7 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">TCP_FLAGS_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term> role="bold">TCP_FLAGS_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
<listitem> <listitem>
<para>Determines the syslog level for logging packets that fail the <para>Determines the syslog level for logging packets that fail the