Yet more shorewall.conf(5) updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-11-21 00:47:55 +00:00 · 2006-11-21 00:47:55 +00:00 · b3ca84822b
commit b3ca84822b
parent 1a74bdd8d7
1 changed files with 65 additions and 6 deletions
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -33,6 +33,42 @@
  <refsect1>
    <title>OPTIONS</title>

+    <para>Many options have as their value a <emphasis>log-level</emphasis>.
+    Log levels are a method of describing to syslog (8) the importance of a
+    message and a number of parameters in this file have log levels as their
+    value.</para>
+
+    <para> These levels are defined by syslog and are used to determine the
+    destination of the messages through entries in /etc/syslog.conf (5). The
+    syslog documentation refers to these as "priorities"; Netfilter calls them
+    "levels" and Shorewall also uses that term.</para>
+
+    <para>Valid levels are:</para>
+
+    <programlisting>       7       debug
+       6       info
+       5       notice
+       4       warning
+       3       err
+       2       crit
+       1       alert
+       0       emerg</programlisting>
+
+    <para>For most Shorewall logging, a level of 6 (info) is appropriate.
+    Shorewall log messages are generated by NetFilter and are logged using
+    facility 'kern' and the level that you specifify. If you are unsure of the
+    level to choose, 6 (info) is a safe bet. You may specify levels by name or
+    by number.</para>
+
+    <para>If you have built your kernel with ULOG target support, you may also
+    specify a log level of ULOG (must be all caps). Rather than log its
+    messages to syslogd, Shorewall will direct netfilter to log the messages
+    via the ULOG target which will send them to a process called 'ulogd'.
+    ulogd is available with most Linux distributions (although it probably
+    isn't installed by default). Ulogd is also available from
+    http://www.gnumonks.org/projects/ulogd and can be configured to log all
+    Shorewall message to their own log file</para>
+
    <para>The following options may be set in shorewall.conf.</para>

    <variablelist>
@ -474,7 +510,9 @@
      </varlistentry>

      <varlistentry>
-        <term>IPSECFILE={zones|ipsec}</term>
+        <term><emphasis role="bold">IPSECFILE=</emphasis>{<emphasis
+        role="bold">zones</emphasis>|<emphasis
+        role="bold">ipsec</emphasis>}</term>

        <listitem>
          <para>This should be set to <emphasis role="bold">zones</emphasis>
@ -751,8 +789,8 @@

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis><emphasis>pathname</emphasis>[<emphasis
-        role="bold">:</emphasis><emphasis>pathname</emphasis>]...</term>
+        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
          <para>This parameter specifies the directory/directories where your
@ -765,6 +803,26 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">MUTEX_TIMEOUT=</emphasis>[<emphasis>seconds</emphasis>]</term>
+
+        <listitem>
+          <para>The value of this variable determines the number of seconds
+          that programs will wait for exclusive access to the Shorewall lock
+          file. After the number of seconds corresponding to the value of this
+          variable, programs will assume that the last program to hold the
+          lock died without releasing the lock. </para>
+
+          <para>If not set or set to the empty value, a value of 60 (60
+          seconds) is assumed.</para>
+
+          <para>An appropriate value for this parameter would be twice the
+          length of time that it takes your firewall system to process a
+          "shorewall restart" command. </para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">NAT_BEFORE_RULES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -799,7 +857,8 @@
      </varlistentry>

      <varlistentry>
-        <term>PATH=<emphasis role="bold">pathname</emphasis>[<emphasis
+        <term><emphasis
+        role="bold">PATH=</emphasis><emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...</term>

        <listitem>
@ -872,7 +931,7 @@

      <varlistentry>
        <term><emphasis
-        role="bold">RFC1918_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+        role="bold">RFC1918_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>

        <listitem>
          <para>This parameter determines the level at which packets logged
@ -1051,7 +1110,7 @@

      <varlistentry>
        <term><emphasis
-        role="bold">TCP_FLAGS_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+        role="bold">TCP_FLAGS_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>

        <listitem>
          <para>Determines the syslog level for logging packets that fail the