Finish shorewall.conf manpage

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4955 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-11-20 22:08:15 +00:00 · 2006-11-20 22:08:15 +00:00 · 20d0d2215a
commit 20d0d2215a
parent 0651406b1f
1 changed files with 86 additions and 0 deletions
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -100,6 +100,35 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DISPOSITION=</emphasis>{<emphasis
+        role="bold">DROP</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>}</term>
+
+        <listitem>
+          <para>This parameter determines the disposition of packets from
+          blacklisted hosts. It may have the value DROP if the packets are to
+          be dropped or REJECT if the packets are to be replied with an ICMP
+          port unreachable reply or a TCP RST (tcp only). If you do not assign
+          a value or if you assign an empty value then DROP is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_LOGLEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
+
+        <listitem>
+          <para>This parameter determines if packets from blacklisted hosts
+          are logged and it determines the syslog level that they are to be
+          logged at. Its value is a syslog level (Example:
+          BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
+          assign an empty value then packets from blacklisted hosts are not
+          logged.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -110,6 +139,32 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">CLAMPMSS={</emphasis><emphasis
+        role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>|<emphasis>value</emphasis>}</term>
+
+        <listitem>
+          <para>This parameter enables the TCP Clamp MSS to PMTU feature of
+          Netfilter and is usually required when your internet connection is
+          through PPPoE or PPTP. If set to <emphasis
+          role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>,
+          the feature is enabled. If left blank or set to <emphasis
+          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
+          the feature is not enabled.</para>
+
+          <note>
+            <para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
+            kernel. </para>
+          </note>
+
+          <para> You may also set CLAMPMSS to a numeric
+          <emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
+          MSS field in TCP SYN packets going through the firewall to the
+          <emphasis>value</emphasis> that you specify.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">CLEAR_TC=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -163,6 +218,23 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">DELAYBLACKLISTLOAD=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Users with a large static black list (shorewall-blacklist(5))
+          may want to set the DELAYBLACKLISTLOAD option to Yes. When
+          DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before
+          loading the blacklist rules. While this may allow connections from
+          blacklisted hosts to slip by during construction of the blacklist,
+          it can substantially reduce the time that all new connections are
+          disabled during <emphasis role="bold">shorewall</emphasis>
+          [<emphasis role="bold">re</emphasis>]<emphasis
+          role="bold">start</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">DETECT_DNAT_ADDRS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -706,6 +778,20 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">ROUTE_FILTER=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>If this parameter is given the value <emphasis
+          role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
+          then route filtering (anti-spoofing) is enabled on all network
+          interfaces which are brought up while Shorewall is in the started
+          state. The default value is <emphasis
+          role="bold">no</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">SHOREWALL_SHELL=</emphasis><emphasis>pathname</emphasis></term>