forked from extern/shorewall_code
Finish shorewall.conf manpage
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4955 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 0651406b1f
commit 20d0d2215a
@ -100,6 +100,35 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>{<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>}</term>
<listitem>
<para>This parameter determines the disposition of packets from
blacklisted hosts. It may have the value DROP if the packets are to
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_LOGLEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
<listitem>
<para>This parameter determines if packets from blacklisted hosts
are logged and it determines the syslog level that they are to be
logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
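Review bot: the REJECT clause of the BLACKLIST_DISPOSITION paragraph, "if the packets are to be replied with an ICMP port unreachable reply or a TCP RST (tcp only)", is ungrammatical and hides the protocol split; suggest "or REJECT if they are to be answered with an ICMP port-unreachable message, or with a TCP RST for TCP". Because REJECT lets a blacklisted host confirm that a firewall is answering it, one sentence saying why DROP is the assumed value would help the reader choose. The BLACKLIST_LOGLEVEL entry should also point at shorewall-blacklist(5), as the DELAYBLACKLISTLOAD entry later in this patch does, so the reader can find where the list itself is defined.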
@ -110,6 +139,32 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CLAMPMSS={</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|<emphasis>value</emphasis>}</term>
<listitem>
<para>This parameter enables the TCP Clamp MSS to PMTU feature of
Netfilter and is usually required when your internet connection is
through PPPoE or PPTP. If set to <emphasis
role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>,
the feature is enabled. If left blank or set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
the feature is not enabled.</para>
<note>
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
kernel. </para>
</note>
<para> You may also set CLAMPMSS to a numeric
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
MSS field in TCP SYN packets going through the firewall to the
<emphasis>value</emphasis> that you specify.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CLEAR_TC=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
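Review bot: in the CLAMPMSS term the opening brace is inside the bold emphasis (`CLAMPMSS={</emphasis>`), unlike every other term in this file, where the emphasis closes after `=` and the brace sits outside it (for example `CLEAR_TC=</emphasis>{<emphasis`); move the brace out so the terms render consistently. The numeric form should also say whether a SYN whose MSS is already lower than the given value is left alone, since raising an MSS defeats the purpose of clamping; "will set the MSS field in TCP SYN packets going through the firewall to the value that you specify" reads as unconditional, and a reader choosing between Yes and a fixed value needs to know which behaviour they get.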
@ -163,6 +218,23 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DELAYBLACKLISTLOAD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Users with a large static black list (shorewall-blacklist(5))
may want to set the DELAYBLACKLISTLOAD option to Yes. When
DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before
loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist,
it can substantially reduce the time that all new connections are
disabled during <emphasis role="bold">shorewall</emphasis>
[<emphasis role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DETECT_DNAT_ADDRS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
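Review bot: the DELAYBLACKLISTLOAD entry never states its default, while the neighbouring entries do ("DROP is assumed", "not logged"); add a sentence saying what happens when the option is unset or empty. Since Yes opens a window in which "connections from blacklisted hosts ... slip by", the text should also say plainly that No is the safe setting and that Yes is a trade of blacklist coverage for a shorter outage during shorewall [re]start, so readers do not take the speed-up as free.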
@ -706,6 +778,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>If this parameter is given the value <emphasis
role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
then route filtering (anti-spoofing) is enabled on all network
interfaces which are brought up while Shorewall is in the started
state. The default value is <emphasis
role="bold">no</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis><emphasis>pathname</emphasis></term>
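Review bot: the ROUTE_FILTER default is written as bold lowercase "no" while the term lists Yes|No; write "No" so it matches the term and the other entries' default statements. The scope sentence, "on all network interfaces which are brought up while Shorewall is in the started state", leaves open whether interfaces that are already up when Shorewall starts also get the filter; since anti-spoofing on the interface facing the internet is the main reason to set this, the entry should answer that explicitly rather than leave the reader to test it.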