###############################################################################
#  /etc/shorewall-lite/shorewall.conf V3.0 - Change the following variables to
#  match your setup
#
#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
#  This file should be placed in /etc/shorewall-lite
#
#  (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
###############################################################################
#                            V E R B O S I T Y
###############################################################################
#
# Shorewall has traditionally been very noisy. You may now set the default
# level of verbosity here.
#
# Values are:
#
#   0 -- Silent. You may make it more verbose using the -v option
#   1 -- Major progress messages displayed
#   2 -- All progress messages displayed (old default behavior)
#
# If not specified, then 2 is assumed

VERBOSITY=1

###############################################################################
#                              L O G G I N G
###############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term.
#
# Valid levels are:
#
#   7   debug
#   6   info
#   5   notice
#   4   warning
#   3   err
#   2   crit
#   1   alert
#   0   emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available with most Linux distributions (although it probably isn't
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall messages to their own log file
###############################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
#          look for Shorewall messages. It does NOT control the destination for
#          these messages. For information about how to do that, see
#
#          http://www.shorewall.net/shorewall_logging.html
#

LOGFILE=/var/log/messages

#
# LOG FORMAT
#
# Shell 'printf' Formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if
# your template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
#   LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
#
# NOTE(review): any external log parser or alerting that keys on this prefix
# (fireparse, for example) must be updated in step with it; otherwise firewall
# events silently stop being matched.
#

LOGFORMAT="Shorewall:%s:%s:"

###############################################################################
#          L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#

IPTABLES=

#
# PATH - Change this if you want to change the order in which Shorewall
#        searches directories for executable files.
#
# NOTE(review): every executable Shorewall runs (including iptables when
# IPTABLES is left empty, see above) is resolved through this list, presumably
# with elevated privileges. Keep it to absolute, system-owned directories; do
# not add "." or any user-writable directory, since whatever is found first
# is what gets executed.
#

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
#
# NOTE(review): give an absolute path here; the firewall script is handed to
# whatever interpreter is named, so this should not depend on PATH lookup.
#

SHOREWALL_SHELL=/bin/sh

#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#

SUBSYSLOCK=/var/lock/subsys/shorewall

#LAST LINE -- DO NOT REMOVE