forked from extern/shorewall_code
More cleanup of shorewall.conf(5)
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4956 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
20d0d2215a
commit
0a0ab0d4ae
@ -37,8 +37,91 @@
|
|||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ADD_IP_ALIASES=</emphasis>{<emphasis
|
<term><emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
|
||||||
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para></para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
|
||||||
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para></para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
|
||||||
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para></para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
|
||||||
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>In earlier Shorewall versions, a "default action" for DROP and
|
||||||
|
REJECT policies was specified in the file
|
||||||
|
/usr/share/shorewall/actions.std.</para>
|
||||||
|
|
||||||
|
<para>To allow for default rules to be applied when USE_ACTIONS=No,
|
||||||
|
the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT and QUEUE_DEFAULT
|
||||||
|
options have been added.</para>
|
||||||
|
|
||||||
|
<para>DROP_DEFAULT describes the rules to be applied before a
|
||||||
|
connection request is dropped by a DROP policy; REJECT_DEFAULT
|
||||||
|
describes the rules to be applied if a connection request is
|
||||||
|
rejected by a REJECT policy. The other two are similar for ACCEPT
|
||||||
|
and QUEUE policies.</para>
|
||||||
|
|
||||||
|
<para>The value applied to these may be:</para>
|
||||||
|
|
||||||
|
<simplelist>
|
||||||
|
<member>a) The name of an action.</member>
|
||||||
|
|
||||||
|
<member>b) The name of a macro</member>
|
||||||
|
|
||||||
|
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
|
||||||
|
role="bold">none</emphasis></member>
|
||||||
|
</simplelist>
|
||||||
|
|
||||||
|
<para>The default values are:</para>
|
||||||
|
|
||||||
|
<simplelist>
|
||||||
|
<member>DROP_DEFAULT="Drop"</member>
|
||||||
|
|
||||||
|
<member>REJECT_DEFAULT="Reject"</member>
|
||||||
|
|
||||||
|
<member>ACCEPT_DEFAULT="none"</member>
|
||||||
|
|
||||||
|
<member>QUEUE_DEFAULT="none"</member>
|
||||||
|
</simplelist>
|
||||||
|
|
||||||
|
<para>If USE_ACTIONS=Yes, then these values refer to action.Drop and
|
||||||
|
action.Reject respectively. If USE_ACTIONS=No, then these values
|
||||||
|
refer to macro.Drop and macro.Reject.</para>
|
||||||
|
|
||||||
|
<para>If you set the value of either option to "None" then no
|
||||||
|
default action will be used and the default action or macro must be
|
||||||
|
specified in shorewall-policy(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">ADD_IP_ALIASES=</emphasis>[<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter determines whether Shorewall automatically adds
|
<para>This parameter determines whether Shorewall automatically adds
|
||||||
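Review bot: the new ACCEPT_DEFAULT, DROP_DEFAULT and REJECT_DEFAULT entries each carry an empty `<listitem><para></para></listitem>`, and the whole description lives under QUEUE_DEFAULT, so the first three render as blank headings in the man page. Either give one varlistentry all four `<term>` elements (DocBook allows several terms per entry) followed by the shared listitem, or put a one-line cross-reference ("See QUEUE_DEFAULT below") in each empty para. Two smaller points in the same text: "If you set the value of either option to "None"" now covers four options, so "either" should be "any of these"; and "these values refer to action.Drop and action.Reject respectively" should name DROP_DEFAULT and REJECT_DEFAULT explicitly, since the preceding list shows ACCEPT_DEFAULT and QUEUE_DEFAULT defaulting to "none".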
@ -54,7 +137,7 @@
|
|||||||
(ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.</para>
|
(ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para> Addresses added by ADD_IP_ALIASES=Yes are deleted and
|
<para>Addresses added by ADD_IP_ALIASES=Yes are deleted and
|
||||||
re-added during shorewall restart. As a consequence, connections
|
re-added during shorewall restart. As a consequence, connections
|
||||||
using those addresses may be severed.</para>
|
using those addresses may be severed.</para>
|
||||||
</warning>
|
</warning>
|
||||||
@ -62,8 +145,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ADD_SNAT_ALIASES=</emphasis>{<emphasis
|
<term><emphasis role="bold">ADD_SNAT_ALIASES=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter determines whether Shorewall automatically adds
|
<para>This parameter determines whether Shorewall automatically adds
|
||||||
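Review bot: the change from `{Yes|No}` to `[Yes|No]` here and in the ADD_IP_ALIASES, ADMINISABSENTMINDED, CLEAR_TC and similar entries changes the meaning of the synopsis: in man-page convention `{a|b}` is a required choice and `[a|b]` an optional one. If the intent is to show that the option may be left empty (the ADD_IP_ALIASES text says ADD_IP_ALIASES="" is treated as Yes), apply the convention to the whole file; as the patch stands, PKTTYPE keeps `{Yes|No}` and the newly added TC_EXPERT and USE_ACTIONS entries use `{Yes|No}` as well.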
@ -84,8 +167,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ADMINISABSENTMINDED=</emphasis>{<emphasis
|
<term><emphasis role="bold">ADMINISABSENTMINDED=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The value of this variable affects Shorewall's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
@ -102,9 +185,9 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">BLACKLIST_DISPOSITION=</emphasis>{<emphasis
|
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
|
||||||
role="bold">DROP</emphasis>|<emphasis
|
role="bold">DROP</emphasis>|<emphasis
|
||||||
role="bold">REJECT</emphasis>}</term>
|
role="bold">REJECT</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter determines the disposition of packets from
|
<para>This parameter determines the disposition of packets from
|
||||||
@ -140,9 +223,9 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CLAMPMSS={</emphasis><emphasis
|
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
role="bold">No</emphasis>|<emphasis>value</emphasis>}</term>
|
role="bold">No</emphasis>|<emphasis>value</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter enables the TCP Clamp MSS to PMTU feature of
|
<para>This parameter enables the TCP Clamp MSS to PMTU feature of
|
||||||
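Review bot: in the CLAMPMSS term the opening bracket sits inside the bold emphasis (`<emphasis role="bold">CLAMPMSS=[</emphasis>`), whereas every other entry closes the emphasis after the `=` and places the bracket outside it, so this one renders with a bold bracket. Move the `[` after `</emphasis>` to match the rest of the file.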
@ -155,10 +238,10 @@
|
|||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
|
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
|
||||||
kernel. </para>
|
kernel.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<para> You may also set CLAMPMSS to a numeric
|
<para>You may also set CLAMPMSS to a numeric
|
||||||
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
|
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
|
||||||
MSS field in TCP SYN packets going through the firewall to the
|
MSS field in TCP SYN packets going through the firewall to the
|
||||||
<emphasis>value</emphasis> that you specify.</para>
|
<emphasis>value</emphasis> that you specify.</para>
|
||||||
@ -166,8 +249,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CLEAR_TC=</emphasis>{<emphasis
|
<term><emphasis role="bold">CLEAR_TC=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If this option is set to “No” then Shorewall won't clear the
|
<para>If this option is set to “No” then Shorewall won't clear the
|
||||||
@ -236,8 +319,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DETECT_DNAT_ADDRS=</emphasis>{<emphasis
|
<term><emphasis role="bold">DETECT_DNAT_ADDRS=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If set to “Yes” or “yes”, Shorewall will detect the first IP
|
<para>If set to “Yes” or “yes”, Shorewall will detect the first IP
|
||||||
@ -345,10 +428,10 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">IP_FORWARDING=</emphasis>{<emphasis
|
<term><emphasis role="bold">IP_FORWARDING=</emphasis>[<emphasis
|
||||||
role="bold">On</emphasis>|<emphasis
|
role="bold">On</emphasis>|<emphasis
|
||||||
role="bold">Off</emphasis>|<emphasis
|
role="bold">Off</emphasis>|<emphasis
|
||||||
role="bold">Keep</emphasis>}</term>
|
role="bold">Keep</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter determines whether Shorewall enables or
|
<para>This parameter determines whether Shorewall enables or
|
||||||
@ -390,6 +473,16 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>IPSECFILE={zones|ipsec}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This should be set to <emphasis role="bold">zones</emphasis>
|
||||||
|
for all new Shorewall installations. IPSECFILE=ipsec is only used
|
||||||
|
for compatibility with pre-Shorewall-3.0 configurations.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">IPTABLES=</emphasis><emphasis>pathname</emphasis></term>
|
role="bold">IPTABLES=</emphasis><emphasis>pathname</emphasis></term>
|
||||||
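Review bot: the new IPSECFILE term is plain text (`<term>IPSECFILE={zones|ipsec}</term>`) while every other term in the file wraps the option name in `<emphasis role="bold">` and marks up the alternatives, so it will render differently; it also uses braces where this patch converts the other entries to brackets. Suggest `<term><emphasis role="bold">IPSECFILE=</emphasis>[<emphasis role="bold">zones</emphasis>|<emphasis role="bold">ipsec</emphasis>]</term>` for consistency.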
@ -397,8 +490,8 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter names the iptables executable to be used by
|
<para>This parameter names the iptables executable to be used by
|
||||||
Shorewall. If not specified or if specified as a null value, then
|
Shorewall. If not specified or if specified as a null value, then
|
||||||
the iptables executable located using the PATH option is used.
|
the iptables executable located using the PATH option is
|
||||||
</para>
|
used.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -535,10 +628,10 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">MACLIST_DISPOSITION=</emphasis>{<emphasis
|
<term><emphasis role="bold">MACLIST_DISPOSITION=</emphasis>[<emphasis
|
||||||
role="bold">ACCEPT</emphasis>|<emphasis
|
role="bold">ACCEPT</emphasis>|<emphasis
|
||||||
role="bold">DROP</emphasis>|<emphasis
|
role="bold">DROP</emphasis>|<emphasis
|
||||||
role="bold">REJECT</emphasis>}</term>
|
role="bold">REJECT</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Determines the disposition of connections requests that fail
|
<para>Determines the disposition of connections requests that fail
|
||||||
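Review bot: the unchanged context line "Determines the disposition of connections requests that fail" carries a pre-existing typo, "connections requests" for "connection requests"; since this hunk already touches the MACLIST_DISPOSITION entry, fix it here.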
@ -610,10 +703,24 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Previously, Shorewall included a large number of standard
|
||||||
|
actions (AllowPing, AllowFTP, ...). These have been replaced with
|
||||||
|
parameterized macros. For compatibility, Shorewall can map the old
|
||||||
|
names into invocations of the new macros if you set
|
||||||
|
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
|
||||||
|
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>{<emphasis
|
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your kernel has a FORWARD chain in the mangle table, you
|
<para>If your kernel has a FORWARD chain in the mangle table, you
|
||||||
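Review bot: the last sentence of the MAPOLDACTIONS paragraph lacks its terminating period ("then MAPOLDACTIONS=Yes is assumed</para>"). The wording "Shorewall can map the old names into invocations of the new macros if you set MAPOLDACTIONS=Yes", followed by "MAPOLDACTIONS=Yes is assumed" when the option is unset, reads as if the mapping were opt-in; state plainly that it is on by default and that MAPOLDACTIONS=No is what disables it.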
@ -659,8 +766,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">NAT_BEFORE_RULES=</emphasis>{<emphasis
|
<term><emphasis role="bold">NAT_BEFORE_RULES=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If set to “No” or “no”, port forwarding rules can override the
|
<para>If set to “No” or “no”, port forwarding rules can override the
|
||||||
@ -670,6 +777,37 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">OPTIMIZE=</emphasis>[<emphasis
|
||||||
|
role="bold">0</emphasis>|<emphasis role="bold">1</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Traditionally, Shorewall has created rules for the complete
|
||||||
|
matrix of Networks defined by the zones, interfaces and hosts files.
|
||||||
|
Any traffic that didn't correspond to an element of that matrix was
|
||||||
|
rejected in one of the built-in changes. When the matrix is sparse,
|
||||||
|
this results in lots of largely useless rules.</para>
|
||||||
|
|
||||||
|
<para>These extra rules can be eliminated by setting
|
||||||
|
OPTIMIZE=1.</para>
|
||||||
|
|
||||||
|
<para>The OPTIMIZE setting also controls the suppression of
|
||||||
|
redundant wildcard rules (those specifying "all" in the SOURCE or
|
||||||
|
DEST column). A wildcard rule is considered to be redundant when it
|
||||||
|
has the same ACTION and Log Level as the applicable policy.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>PATH=<emphasis role="bold">pathname</emphasis>[<emphasis
|
||||||
|
role="bold">:</emphasis><emphasis>pathname</emphasis>]...</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Determines the order in which Shorewall searches directories
|
||||||
|
for executable files.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PKTTYPE=</emphasis>{<emphasis
|
<term><emphasis role="bold">PKTTYPE=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
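Review bot: "rejected in one of the built-in changes" in the OPTIMIZE paragraph should read "built-in chains". Two markup points in the same hunk: the PATH term bolds the variable argument and leaves the option name plain (`PATH=<emphasis role="bold">pathname</emphasis>`), the reverse of the IPTABLES and SHOREWALL_SHELL terms, which bold the name and italicise `pathname`; and PKTTYPE is the one entry in this region left with `{Yes|No}` after its neighbours were changed to brackets.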
@ -745,8 +883,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">RFC1918_STRICT=</emphasis>{<emphasis
|
<term><emphasis role="bold">RFC1918_STRICT=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Traditionally, the RETURN target in the 'rfc1918' file has
|
<para>Traditionally, the RETURN target in the 'rfc1918' file has
|
||||||
@ -779,8 +917,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>{<emphasis
|
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If this parameter is given the value <emphasis
|
<para>If this parameter is given the value <emphasis
|
||||||
@ -792,6 +930,19 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If SAVE_IPSETS=Yes, then the current contents of your ipsets
|
||||||
|
will be saved by the <emphasis role="bold">shorewall save</emphasis>
|
||||||
|
command. Regardless of the setting of SAVE_IPSETS, if saved ipset
|
||||||
|
contents are available then they will be restored by <emphasis
|
||||||
|
role="bold">shorewall restore</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">SHOREWALL_SHELL=</emphasis><emphasis>pathname</emphasis></term>
|
role="bold">SHOREWALL_SHELL=</emphasis><emphasis>pathname</emphasis></term>
|
||||||
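Review bot: the SAVE_IPSETS term opens with `{` and closes with `]` (`SAVE_IPSETS=</emphasis>{<emphasis` ... `No</emphasis>]</term>`), so the synopsis is unbalanced; use the same bracket at both ends, whichever convention the file settles on.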
@ -842,12 +993,50 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|
role="bold">No</emphasis>|<emphasis
|
||||||
|
role="bold">Internal</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If you say <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||||
|
role="bold">yes</emphasis> here, Shorewall will use a script that
|
||||||
|
you supply to configure traffic shaping. The script must be named
|
||||||
|
'tcstart' and must be placed in a directory on your
|
||||||
|
CONFIG_PATH.</para>
|
||||||
|
|
||||||
|
<para>If you say <emphasis role="bold">No</emphasis> or <emphasis
|
||||||
|
role="bold">no</emphasis> then traffic shaping is not
|
||||||
|
enabled.</para>
|
||||||
|
|
||||||
|
<para>If you set TC_ENABLED=Internal or internal or leave the option
|
||||||
|
empty then Shorewall will use its builtin traffic shaper
|
||||||
|
(tc4shorewall written by Arne Bernin.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">TC_EXPERT=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Normally, Shorewall tries to protect users from themselves by
|
||||||
|
preventing PREROUTING and OUTPUT tcrules from being applied to
|
||||||
|
packets that have been marked by the 'track' option in
|
||||||
|
/etc/shorewall/providers.</para>
|
||||||
|
|
||||||
|
<para>If you know what you are doing, you can set TC_EXPERT=Yes and
|
||||||
|
Shorewall will not include these cautionary checks.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">TCP_FLAGS_DISPOSITION=</emphasis>{<emphasis
|
role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis
|
||||||
role="bold">ACCEPT</emphasis>|<emphasis
|
role="bold">ACCEPT</emphasis>|<emphasis
|
||||||
role="bold">DROP</emphasis>|<emphasis
|
role="bold">DROP</emphasis>|<emphasis
|
||||||
role="bold">REJECT</emphasis>}</term>
|
role="bold">REJECT</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Determines the disposition of TCP packets that fail the checks
|
<para>Determines the disposition of TCP packets that fail the checks
|
||||||
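Review bot: the TC_ENABLED paragraph "(tc4shorewall written by Arne Bernin.</para>" is missing its closing parenthesis. In the same hunk, the new TC_EXPERT entry uses `{Yes|No}` while TC_ENABLED beside it and TCP_FLAGS_DISPOSITION below it are changed to square brackets, and "If you set TC_ENABLED=Internal or internal" would read more consistently written like the other case-variant sentences in the file, with `<emphasis role="bold">Internal</emphasis> or <emphasis role="bold">internal</emphasis>`.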
@ -872,12 +1061,24 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">USE_ACTIONS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>While Shorewall Actions can be very useful, they also require
|
||||||
|
a sizable amount of code to implement. By setting USE_ACTIONS=No,
|
||||||
|
embedded Shorewall installations can omit the large library
|
||||||
|
/usr/share/shorewall/lib.actions.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">VERBOSITY=</emphasis><emphasis>number</emphasis></term>
|
role="bold">VERBOSITY=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para> Shorewall has traditionally been very noisy (produced lots of
|
<para>Shorewall has traditionally been very noisy (produced lots of
|
||||||
output). You may set the default level of verbosity using the
|
output). You may set the default level of verbosity using the
|
||||||
VERBOSITY OPTION.</para>
|
VERBOSITY OPTION.</para>
|
||||||
|
|
||||||
|
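Review bot: the USE_ACTIONS entry says only what setting it to No saves; since the *_DEFAULT text earlier in this patch states that with USE_ACTIONS=No the defaults refer to macro.Drop and macro.Reject rather than action.Drop and action.Reject, a cross-reference to those options here would tell the reader what else changes when actions are disabled. The term also uses `{Yes|No}` where the rest of the patch moves to brackets, and "VERBOSITY OPTION." in the unchanged context below should be "VERBOSITY option."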