diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 7c721befd..5e700365b 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -33,6 +33,42 @@ OPTIONS + Many options have as their value a log-level. + Log levels are a method of describing to syslog (8) the importance of a + message and a number of parameters in this file have log levels as their + value. + + These levels are defined by syslog and are used to determine the + destination of the messages through entries in /etc/syslog.conf (5). The + syslog documentation refers to these as "priorities"; Netfilter calls them + "levels" and Shorewall also uses that term. + + Valid levels are: + + 7 debug + 6 info + 5 notice + 4 warning + 3 err + 2 crit + 1 alert + 0 emerg + + For most Shorewall logging, a level of 6 (info) is appropriate. + Shorewall log messages are generated by NetFilter and are logged using + facility 'kern' and the level that you specifify. If you are unsure of the + level to choose, 6 (info) is a safe bet. You may specify levels by name or + by number. + + If you have built your kernel with ULOG target support, you may also + specify a log level of ULOG (must be all caps). Rather than log its + messages to syslogd, Shorewall will direct netfilter to log the messages + via the ULOG target which will send them to a process called 'ulogd'. + ulogd is available with most Linux distributions (although it probably + isn't installed by default). Ulogd is also available from + http://www.gnumonks.org/projects/ulogd and can be configured to log all + Shorewall message to their own log file + The following options may be set in shorewall.conf. @@ -474,7 +510,9 @@ - IPSECFILE={zones|ipsec} + IPSECFILE={zones|ipsec} This should be set to zones @@ -751,8 +789,8 @@ MODULESDIR=pathname[:pathname]... + role="bold">MODULESDIR=[pathname[:pathname]...] This parameter specifies the directory/directories where your 
@@ -765,6 +803,26 @@ + + MUTEX_TIMEOUT=[seconds] + + + The value of this variable determines the number of seconds + that programs will wait for exclusive access to the Shorewall lock + file. After the number of seconds corresponding to the value of this + variable, programs will assume that the last program to hold the + lock died without releasing the lock. + + If not set or set to the empty value, a value of 60 (60 + seconds) is assumed. + + An appropriate value for this parameter would be twice the + length of time that it takes your firewall system to process a + "shorewall restart" command. + + + NAT_BEFORE_RULES=[Yes|No] @@ -799,7 +857,8 @@ - PATH=pathname[PATH=pathname[:pathname]... @@ -872,7 +931,7 @@ RFC1918_LOG_LEVEL=log-level + role="bold">RFC1918_LOG_LEVEL=[log-level] This parameter determines the level at which packets logged @@ -1051,7 +1110,7 @@ TCP_FLAGS_LOG_LEVEL=log-level + role="bold">TCP_FLAGS_LOG_LEVEL=[log-level] Determines the syslog level for logging packets that fail the
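Review bot: In the new log-level introduction (hunk at @@ -33,6 +33,42 @@) there are two wording defects that should be fixed before merge: "the level that you specifify" should read "the level that you specify", and the last sentence "can be configured to log all Shorewall message to their own log file" is missing the plural and the terminating period ("log all Shorewall messages to their own log file."). The opening paragraph also says the same thing twice ("Many options have as their value a log-level. ... a number of parameters in this file have log levels as their value."); dropping the second clause reads cleaner. Since the list of valid levels is the reference the rest of the file will point at, consider also stating explicitly that names are matched case-insensitively or not, given that ULOG "must be all caps" while the syslog names are shown in lower case.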
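Review bot: The MUTEX_TIMEOUT description (hunk at @@ -765,6 +803,26 @@) should spell out the consequence of the timeout firing: once the waiting program "will assume that the last program to hold the lock died", it takes the lock and proceeds, so a value shorter than the time a "shorewall restart" actually needs lets two Shorewall invocations modify the Netfilter ruleset at the same time, which can leave the firewall in an inconsistent state. The advice to use "twice the length of time that it takes your firewall system to process a 'shorewall restart' command" is the right guidance, but it should be framed as a minimum (never shorter than a full restart) rather than as an appropriate value, and the text should note that the default of 60 seconds may be too small on slow systems with large rulesets.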
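Review bot: The syntax-line changes for MODULESDIR, PATH, RFC1918_LOG_LEVEL and TCP_FLAGS_LOG_LEVEL now mark the value as optional with square brackets ("MODULESDIR=[pathname[:pathname]...]", "RFC1918_LOG_LEVEL=[log-level]"), but the descriptions that follow do not say what an empty value means for each option (for a log level, presumably that logging of those packets is disabled; for PATH and MODULESDIR, that a built-in default is used). Please add that sentence to each affected entry, as was done for MUTEX_TIMEOUT ("If not set or set to the empty value, a value of 60 ... is assumed."). The PATH line in the hunk at @@ -799,7 +857,8 @@ also appears as "PATH=pathname[PATH=pathname[:pathname]..." in this view; please check the rendered manpage to confirm the final text is "PATH=[pathname[:pathname]...]" and not a duplicated token.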