From e92625e42b11c870683a7a12958082ab843d2dc2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 21 Nov 2006 01:39:02 +0000
Subject: [PATCH] More tweaks for shorewall.conf(8)
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4961 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 manpages/shorewall.conf.xml | 102 +++++++++++++++++-------------------
 1 file changed, 47 insertions(+), 55 deletions(-)
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 5e700365b..c397467bd 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -302,9 +302,7 @@ - CONFIG_PATH=directory[:directory]... + CONFIG_PATH=[directory[:directory]...] Specifies where configuration files other than shorewall.conf
@@ -359,12 +357,14 @@ role="bold">Yes|No] - If set to “Yes” or “yes”, Shorewall will detect the first IP + If set to Yes or yes, Shorewall will detect the first IP address of the interface to the source zone and will include this address in DNAT rules as the original destination IP address. If set - to “No” or “no”, Shorewall will not detect this address and any - destination IP address will match the DNAT rule. If not specified or - empty, “DETECT_DNAT_ADDRS=Yes” is assumed. + to No or no, Shorewall will not detect this address + and any destination IP address will match the DNAT rule. If not + specified or empty, “DETECT_DNAT_ADDRS=Yes” is assumed.
@@ -373,9 +373,10 @@ role="bold">Yes|No} - When set to Yes or yes, enables dynamic zones. - DYNAMIC_ZONES=Yes is not allowed in configurations that will run - under Shorewall Lite. + When set to Yes or yes, enables dynamic zones. DYNAMIC_ZONES=Yes + is not allowed in configurations that will run under Shorewall + Lite.
@@ -523,7 +524,7 @@ IPTABLES=pathname + role="bold">IPTABLES=[pathname] This parameter names the iptables executable to be used by 
@@ -534,23 +535,25 @@ - LOG_MARTIANS={Yes|No} + LOG_MARTIANS=[Yes|No] - If set to Yes or yes, sets + If set to Yes or yes, sets /proc/sys/net/ipv4/conf/all/log_martians and - /proc/sys/net/ipv4/conf/default/log_martians to 1. Default is which - sets both of the above to zero. If you do not enable martian logging - for all interfaces, you may still enable it for individual - interfaces using the logmartians interface option in + /proc/sys/net/ipv4/conf/default/log_martians to 1. Default is + No which sets both of the above to + zero. If you do not enable martian logging for all interfaces, you + may still enable it for individual interfaces using the logmartians interface option in shorewall-interfaces(5). LOGALLNEW=log-level + role="bold">LOGALLNEW=[log-level] When set to a log level, this option causes Shorewall to
@@ -591,7 +594,7 @@ LOGFILE=pathname + role="bold">LOGFILE=[pathname] This parameter tells the /sbin/shorewall program where to look
@@ -605,9 +608,9 @@ - LOGFORMAT="formatstring" + LOGFORMAT=["formattemplate"] The value of this variable generate the --log-prefix setting
@@ -628,7 +631,7 @@ LOGBURST=burst + role="bold">LOGBURST=[burst]
@@ -637,10 +640,9 @@ LOGRATE=rate/{LOGRATE=[rate/{minute|second} + role="bold">second}] These parameters set the match rate and initial burst size for
@@ -694,9 +696,9 @@ - MACLIST_TABLE={mangle|filter} + MACLIST_TABLE=[filter|mangle] Normally, MAC verification occurs in the filter table (INPUT
@@ -713,7 +715,7 @@ MACLIST_TTL=number + role="bold">MACLIST_TTL=[number] The performance of configurations with a large numbers of
@@ -776,9 +778,9 @@ - MODULE_SUFFIX="suffix - ..." + MODULE_SUFFIX=["extension ..."] The value of this option determines the possible file 
@@ -812,26 +814,14 @@ that programs will wait for exclusive access to the Shorewall lock file. After the number of seconds corresponding to the value of this variable, programs will assume that the last program to hold the - lock died without releasing the lock. + lock died without releasing the lock. If not set or set to the empty value, a value of 60 (60 seconds) is assumed. An appropriate value for this parameter would be twice the length of time that it takes your firewall system to process a - "shorewall restart" command. - - - - - NAT_BEFORE_RULES=[Yes|No] - - - If set to “No” or “no”, port forwarding rules can override the - contents of the /etc/shorewall/nat file. If set to “Yes” or “yes”, - port forwarding rules cannot override one-to-one NAT. If not set or - set to an empty value, “Yes” is assumed. + shorewall restart command.
@@ -991,7 +981,7 @@ SAVE_IPSETS={Yes|No] + role="bold">Yes|No} If SAVE_IPSETS=Yes, then the current contents of your ipsets
@@ -1004,7 +994,7 @@ SHOREWALL_SHELL=pathname + role="bold">SHOREWALL_SHELL=[pathname] This option is used to specify the shell program to be used to
@@ -1017,7 +1007,7 @@ SMURF_LOG_LEVEL=log-level + role="bold">SMURF_LOG_LEVEL=[log-level] Specifies the logging level for smurf packets (see the
@@ -1032,7 +1022,9 @@ Determines if Shorewall is allowed to start. As released from - shorewall.net, this option is set to No. When set to Yes or yes, + shorewall.net, this option is set to No. When set to Yes or yes, Shorewall may be started. Used as a guard against Shorewall being accidentally started before it has been configured.
@@ -1040,7 +1032,7 @@ SUBSYSLOCK=pathname + role="bold">SUBSYSLOCK=[pathname] This parameter should be set to the name of a file that the 
@@ -1083,7 +1075,7 @@ Normally, Shorewall tries to protect users from themselves by preventing PREROUTING and OUTPUT tcrules from being applied to packets that have been marked by the 'track' option in - /etc/shorewall/providers. + shorewall-providers(5). If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall will not include these cautionary checks.
@@ -1134,7 +1126,7 @@ VERBOSITY=number + role="bold">VERBOSITY=[number] Shorewall has traditionally been very noisy (produced lots of