holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Finish shorewall.conf manpage

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4955 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-20 22:08:15 +00:00
parent 0651406b1f
commit 20d0d2215a
1 changed files with 86 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
manpages/shorewall.conf.xml
View File

@ -100,6 +100,35 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>{<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>}</term>
<listitem>
<para>This parameter determines the disposition of packets from
blacklisted hosts. It may have the value DROP if the packets are to
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_LOGLEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
<listitem>
<para>This parameter determines if packets from blacklisted hosts
are logged and it determines the syslog level that they are to be
logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis <term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -110,6 +139,32 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">CLAMPMSS={</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|<emphasis>value</emphasis>}</term>
<listitem>
<para>This parameter enables the TCP Clamp MSS to PMTU feature of
Netfilter and is usually required when your internet connection is
through PPPoE or PPTP. If set to <emphasis
role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>,
the feature is enabled. If left blank or set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
the feature is not enabled.</para>
<note>
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
kernel. </para>
</note>
<para> You may also set CLAMPMSS to a numeric
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
MSS field in TCP SYN packets going through the firewall to the
<emphasis>value</emphasis> that you specify.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLEAR_TC=</emphasis>{<emphasis <term><emphasis role="bold">CLEAR_TC=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -163,6 +218,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">DELAYBLACKLISTLOAD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Users with a large static black list (shorewall-blacklist(5))
may want to set the DELAYBLACKLISTLOAD option to Yes. When
DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before
loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist,
it can substantially reduce the time that all new connections are
disabled during <emphasis role="bold">shorewall</emphasis>
[<emphasis role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DETECT_DNAT_ADDRS=</emphasis>{<emphasis <term><emphasis role="bold">DETECT_DNAT_ADDRS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -706,6 +778,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>If this parameter is given the value <emphasis
role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
then route filtering (anti-spoofing) is enabled on all network
interfaces which are brought up while Shorewall is in the started
state. The default value is <emphasis
role="bold">no</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis><emphasis>pathname</emphasis></term> role="bold">SHOREWALL_SHELL=</emphasis><emphasis>pathname</emphasis></term>