holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity
5.1.4
shorewall_code/docs/ECN.xml
Tom Eastep 6c88eb6916 Add an ECN action to shorewall-mangle(8) 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 09:33:16 -08:00

129 lines
3.8 KiB
XML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article id="ECN">
<!--$Id$-->
<articleinfo>
<title>ECN</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2005</year>
<year>2016</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>2006-01-17. The ECN Netfilter target in some 2.6 Linux Kernels is
broken. Symptoms are that you will be unable to establish a TCP connection
to hosts defined in the /etc/shorewall/ecn file.</para>
</warning>
<section id="ecn">
<title>Explicit Congestion Notification (ECN)</title>
<para>Explicit Congestion Notification (ECN) is described in RFC 3168 and
is a proposed Internet standard. Unfortunately, not all sites support ECN
and when a TCP connection offering ECN is sent to sites that don't support
it, the result is often that the connection request is ignored.</para>
<para>To allow ECN to be used, Shorewall allows you to enable ECN on your
Linux systems then disable it in your firewall when the destination
matches a list that you create (the /etc/shorewall/ecn file).</para>
<para>You enable ECN by</para>
<programlisting>echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</programlisting>
<para>You must arrange for that command to be executed at system boot.
Most distributions have a method for doing that -- on RedHat, you make an
entry in /etc/sysctl.conf.</para>
<programlisting>net.ipv4.tcp_ecn = 1</programlisting>
<para>Entries in /etc/shorewall/ecn have two columns as follows:</para>
<variablelist>
<varlistentry>
<term>INTERFACE</term>
<listitem>
<para>The name of an interface on your system</para>
</listitem>
</varlistentry>
<varlistentry>
<term>HOST(S)</term>
<listitem>
<para>An address (host or subnet) of a system or group of systems
accessed through the interface in the first column. You may include
a comma-separated list of such addresses in this column.</para>
</listitem>
</varlistentry>
</variablelist>
<example id="Example1">
<title>Your external interface is eth0 and you want to disable ECN for
tcp connections to 192.0.2.0/24:</title>
<para><table id="Table1">
<title>/etc/shorewall/ecn</title>
<tgroup cols="2">
<thead>
<row>
<entry align="center">INTERFACE</entry>
<entry align="center">HOST(S)</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth0</entry>
<entry>192.0.2.0/24</entry>
</row>
</tbody>
</tgroup>
</table></para>
</example>
<para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
ECN flags through use of the ECN action in <ulink
url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
</section>
<lot/>
</article>
View Git Blame Copy Permalink