From 0a0ab0d4ae16af0d4aa57af99a07f664328dabc5 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 20 Nov 2006 23:38:35 +0000 Subject: [PATCH] More cleanup of shorewall.conf(5) git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4956 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages/shorewall.conf.xml | 269 +++++++++++++++++++++++++++++++----- 1 file changed, 235 insertions(+), 34 deletions(-) diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index f78976fee..7c721befd 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -37,8 +37,91 @@ - ADD_IP_ALIASES={Yes|No} + ACCEPT_DEFAULT={action|macro|none} + + + + + + + + DROP_DEFAULT={action|macro|none} + + + + + + + + REJECT_DEFAULT={action|macro|none} + + + + + + + + QUEUE_DEFAULT={action|macro|none} + + + In earlier Shorewall versions, a "default action" for DROP and + REJECT policies was specified in the file + /usr/share/shorewall/actions.std. + + To allow for default rules to be applied when USE_ACTIONS=No, + the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT and QUEUE_DEFAULT + options have been added. + + DROP_DEFAULT describes the rules to be applied before a + connection request is dropped by a DROP policy; REJECT_DEFAULT + describes the rules to be applied if a connection request is + rejected by a REJECT policy. The other two are similar for ACCEPT + and QUEUE policies. + + The value applied to these may be: + + + a) The name of an action. + + b) The name of a macro + + c) None or none + + + The default values are: + + + DROP_DEFAULT="Drop" + + REJECT_DEFAULT="Reject" + + ACCEPT_DEFAULT="none" + + QUEUE_DEFAULT="none" + + + If USE_ACTIONS=Yes, then these values refer to action.Drop and + action.Reject respectively. If USE_ACTIONS=No, then these values + refer to macro.Drop and macro.Reject. + + If you set the value of either option to "None" then no + default action will be used and the default action or macro must be + specified in shorewall-policy(5). + + + + + ADD_IP_ALIASES=[Yes|No] This parameter determines whether Shorewall automatically adds @@ -54,7 +137,7 @@ (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed. - Addresses added by ADD_IP_ALIASES=Yes are deleted and + Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added during shorewall restart. As a consequence, connections using those addresses may be severed. @@ -62,8 +145,8 @@ - ADD_SNAT_ALIASES={Yes|No} + ADD_SNAT_ALIASES=[Yes|No] This parameter determines whether Shorewall automatically adds @@ -84,8 +167,8 @@ - ADMINISABSENTMINDED={Yes|No} + ADMINISABSENTMINDED=[Yes|No] The value of this variable affects Shorewall's stopped state. @@ -102,9 +185,9 @@ BLACKLIST_DISPOSITION={BLACKLIST_DISPOSITION=[DROP|REJECT} + role="bold">REJECT] This parameter determines the disposition of packets from @@ -140,9 +223,9 @@ - CLAMPMSS={CLAMPMSS=[Yes|No|value} + role="bold">No|value] This parameter enables the TCP Clamp MSS to PMTU feature of @@ -155,10 +238,10 @@ This option requires CONFIG_IP_NF_TARGET_TCPMSS in your - kernel. + kernel. - You may also set CLAMPMSS to a numeric + You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This will set the MSS field in TCP SYN packets going through the firewall to the value that you specify. @@ -166,8 +249,8 @@ - CLEAR_TC={Yes|No} + CLEAR_TC=[Yes|No] If this option is set to “No” then Shorewall won't clear the @@ -236,8 +319,8 @@ - DETECT_DNAT_ADDRS={Yes|No} + DETECT_DNAT_ADDRS=[Yes|No] If set to “Yes” or “yes”, Shorewall will detect the first IP @@ -345,10 +428,10 @@ - IP_FORWARDING={IP_FORWARDING=[On|Off|Keep} + role="bold">Keep] This parameter determines whether Shorewall enables or @@ -390,6 +473,16 @@ + + IPSECFILE={zones|ipsec} + + + This should be set to zones + for all new Shorewall installations. IPSECFILE=ipsec is only used + for compatibility with pre-Shorewall-3.0 configurations. + + + IPTABLES=pathname @@ -397,8 +490,8 @@ This parameter names the iptables executable to be used by Shorewall. If not specified or if specified as a null value, then - the iptables executable located using the PATH option is used. - + the iptables executable located using the PATH option is + used. @@ -535,10 +628,10 @@ - MACLIST_DISPOSITION={MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT} + role="bold">REJECT] Determines the disposition of connections requests that fail @@ -610,10 +703,24 @@ + + MAPOLDACTIONS=[Yes|No] + + + Previously, Shorewall included a large number of standard + actions (AllowPing, AllowFTP, ...). These have been replaced with + parameterized macros. For compatibility, Shorewall can map the old + names into invocations of the new macros if you set + MAPOLDACTIONS=Yes. If this option is not set or is set to the empty + value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed + + + MARK_IN_FORWARD_CHAIN={Yes|No} + role="bold">MARK_IN_FORWARD_CHAIN=[Yes|No] If your kernel has a FORWARD chain in the mangle table, you @@ -659,8 +766,8 @@ - NAT_BEFORE_RULES={Yes|No} + NAT_BEFORE_RULES=[Yes|No] If set to “No” or “no”, port forwarding rules can override the @@ -670,6 +777,37 @@ + + OPTIMIZE=[0|1] + + + Traditionally, Shorewall has created rules for the complete + matrix of Networks defined by the zones, interfaces and hosts files. + Any traffic that didn't correspond to an element of that matrix was + rejected in one of the built-in changes. When the matrix is sparse, + this results in lots of largely useless rules. + + These extra rules can be eliminated by setting + OPTIMIZE=1. + + The OPTIMIZE setting also controls the suppression of + redundant wildcard rules (those specifying "all" in the SOURCE or + DEST column). A wildcard rule is considered to be redundant when it + has the same ACTION and Log Level as the applicable policy. + + + + + PATH=pathname[:pathname]... + + + Determines the order in which Shorewall searches directories + for executable files. + + + PKTTYPE={Yes|No} @@ -745,8 +883,8 @@ - RFC1918_STRICT={Yes|No} + RFC1918_STRICT=[Yes|No] Traditionally, the RETURN target in the 'rfc1918' file has @@ -779,8 +917,8 @@ - ROUTE_FILTER={Yes|No} + ROUTE_FILTER=[Yes|No] If this parameter is given the value + + SAVE_IPSETS={Yes|No] + + + If SAVE_IPSETS=Yes, then the current contents of your ipsets + will be saved by the shorewall save + command. Regardless of the setting of SAVE_IPSETS, if saved ipset + contents are available then they will be restored by shorewall restore. + + + SHOREWALL_SHELL=pathname @@ -842,12 +993,50 @@ + + TC_ENABLED=[Yes|No|Internal] + + + If you say Yes or yes here, Shorewall will use a script that + you supply to configure traffic shaping. The script must be named + 'tcstart' and must be placed in a directory on your + CONFIG_PATH. + + If you say No or no then traffic shaping is not + enabled. + + If you set TC_ENABLED=Internal or internal or leave the option + empty then Shorewall will use its builtin traffic shaper + (tc4shorewall written by Arne Bernin. + + + + + TC_EXPERT={Yes|No} + + + Normally, Shorewall tries to protect users from themselves by + preventing PREROUTING and OUTPUT tcrules from being applied to + packets that have been marked by the 'track' option in + /etc/shorewall/providers. + + If you know what you are doing, you can set TC_EXPERT=Yes and + Shorewall will not include these cautionary checks. + + + TCP_FLAGS_DISPOSITION={TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT} + role="bold">REJECT] Determines the disposition of TCP packets that fail the checks @@ -872,12 +1061,24 @@ + + USE_ACTIONS={Yes|No} + + + While Shorewall Actions can be very useful, they also require + a sizable amount of code to implement. By setting USE_ACTIONS=No, + embedded Shorewall installations can omit the large library + /usr/share/shorewall/lib.actions. + + + VERBOSITY=number - Shorewall has traditionally been very noisy (produced lots of + Shorewall has traditionally been very noisy (produced lots of output). You may set the default level of verbosity using the VERBOSITY OPTION.