1 | <?xml version="1.0"?> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | ||
2b0ff832 | 5 | <refentry id="firewall-settings"> |
ef953be2 | 6 | <refentryinfo> |
2b0ff832 | 7 | <title>firewall-settings</title> |
8 | <productname>network</productname> |
9 | ||
10 | <authorgroup> | |
11 | <author> | |
12 | <contrib>Developer</contrib> | |
13 | <firstname>Michael</firstname> | |
14 | <surname>Tremer</surname> | |
15 | <email>michael.tremer@ipfire.org</email> | |
16 | </author> | |
17 | </authorgroup> | |
18 | </refentryinfo> | |
19 | ||
20 | <refmeta> | |
2b0ff832 | 21 | <refentrytitle>firewall-settings</refentrytitle> |
22 | <manvolnum>8</manvolnum> |
23 | </refmeta> | |
24 | ||
25 | <refnamediv> | |
2b0ff832 | 26 | <refname>firewall-settings</refname> |
27 | <refpurpose>Firewall Configuration Control Program</refpurpose> |
28 | </refnamediv> | |
29 | ||
30 | <refsynopsisdiv> | |
31 | <cmdsynopsis> | |
2b0ff832 | 32 | <command>firewall-settings</command> |
33 | </cmdsynopsis> |
34 | ||
35 | <cmdsynopsis> | |
2b0ff832 | 36 | <command>firewall-settings <replaceable>KEY=VALUE</replaceable></command> |
37 | </cmdsynopsis> |
38 | </refsynopsisdiv> | |
39 | ||
40 | <refsect1> | |
41 | <title>Description</title> | |
42 | ||
43 | <para> | |
44 | The <command>firewall-settings</command> command may be used to set |
45 | global firewall configuration options. | |
46 | </para> |
47 | <para> | |
48 | Please have a look at the individual man pages for more options. | |
49 | </para> | |
50 | </refsect1> | |
51 | ||
52 | <refsect1> | |
53 | <title>Commands</title> | |
54 | ||
55 | <para> | |
56 | If no additional argument is given, running the command will | |
2b0ff832 | 57 | dump a list of all configuration variables and their current values. |
58 | </para> |
59 | ||
60 | <para> | |
61 | You may set a new value by adding the variable name and the new | |
62 | value to the command line. | |
63 | </para> | |
64 | </refsect1> | |
65 | ||
66 | <refsect1> | |
67 | <title>Variables</title> | |
68 | ||
69 | <variablelist> | |
70 | <varlistentry> | |
71 | <term> | |
72 | <varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable> | |
73 | </term> | |
74 | ||
75 | <listitem> | |
76 | <para> | |
77 | Limits the maximum number of simultaneous connections. | |
78 | </para> | |
79 | <para> | |
80 | Modify this if you want to handle a larger number of concurrent | |
81 | connections. Every connection will use approximately 16 kBytes of memory. | |
82 | </para> | |
83 | </listitem> | |
84 | </varlistentry> | |
85 | ||
86 | <varlistentry> | |
87 | <term> | |
88 | <varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable> | |
89 | </term> | |
90 | ||
91 | <listitem> | |
92 | <para> | |
93 | Defines the timeout (in seconds) the kernel will wait for | |
94 | a half-assured UDP connection to become fully established. | |
95 | </para> | |
96 | </listitem> | |
97 | </varlistentry> | |
98 | ||
99 | <varlistentry> | |
100 | <term> | |
101 | <varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>] | |
102 | </term> | |
103 | ||
104 | <listitem> | |
105 | <para> | |
106 | Enable if you want to accept ICMP redirect messages. | |
107 | </para> | |
108 | </listitem> | |
109 | </varlistentry> | |
110 | ||
111 | <varlistentry> | |
112 | <term> | |
113 | <varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>] | |
114 | </term> | |
115 | ||
116 | <listitem> | |
117 | <para> | |
118 | If Path MTU Discovery does not work well, enable this option. | |
119 | It sets the MSS value of a packet so that the remote site will | |
120 | never send a packet bigger than the MSS value. | |
121 | </para> | |
122 | <para> | |
123 | No ICMP packets are needed to make this work, so use this on | |
124 | networks with broken ICMP filtering. | |
125 | </para> | |
126 | </listitem> | |
127 | </varlistentry> | |
128 | ||
129 | <varlistentry> | |
130 | <term> | |
131 | <varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable> | |
132 | </term> | |
133 | ||
134 | <listitem> | |
135 | <para> | |
136 | Here you can change the default TTL used for sending packets. | |
137 | </para> | |
138 | <para> | |
139 | The given value must be between 10 and 255. | |
140 | Don't mess with this unless you know what you are doing. | |
141 | </para> | |
142 | </listitem> | |
143 | </varlistentry> | |
144 | ||
145 | <varlistentry> |
146 | <term> | |
147 | <varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false] | |
148 | </term> | |
149 | ||
150 | <listitem> | |
151 | <para> | |
152 | Enable this to log TCP packets with bad flags or options. | |
153 | </para> | |
154 | </listitem> | |
155 | </varlistentry> | |
156 | ||
157 | <varlistentry> | |
158 | <term> | |
159 | <varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false] | |
160 | </term> | |
161 | ||
162 | <listitem> | |
163 | <para> | |
164 | Enable this to log INVALID ICMP packets. | |
165 | </para> | |
166 | </listitem> | |
167 | </varlistentry> | |
168 | ||
169 | <varlistentry> | |
170 | <term> | |
171 | <varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false] | |
172 | </term> | |
173 | ||
174 | <listitem> | |
175 | <para> | |
176 | Enable this to log INVALID TCP packets. | |
177 | </para> | |
178 | </listitem> | |
179 | </varlistentry> | |
180 | ||
181 | <varlistentry> | |
182 | <term> | |
183 | <varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false] | |
184 | </term> | |
185 | ||
186 | <listitem> | |
187 | <para> | |
188 | Enable this to log INVALID UDP packets. | |
189 | </para> | |
190 | </listitem> | |
191 | </varlistentry> | |
192 | ||
193 | <varlistentry> |
194 | <term> | |
195 | <varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>] | |
196 | </term> | |
197 | ||
198 | <listitem> | |
199 | <para> | |
200 | Enable this to log packets with impossible addresses. | |
201 | </para> | |
202 | </listitem> | |
203 | </varlistentry> | |
204 | ||
205 | <varlistentry> |
206 | <term> | |
207 | <varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false] | |
208 | </term> | |
209 | ||
210 | <listitem> | |
211 | <para> | |
212 | Enable this to log all stealth scans. | |
213 | </para> | |
214 | </listitem> | |
215 | </varlistentry> | |
216 | ||
217 | <varlistentry> |
218 | <term> | |
b3a66a5c | 219 | <varname>FIREWALL_PMTU_DISCOVERY</varname> = [true|<emphasis>false</emphasis>] |
220 | </term> |
221 | ||
222 | <listitem> | |
223 | <para> | |
224 | Enables Path MTU Discovery. | |
225 | </para> |
226 | </listitem> | |
227 | </varlistentry> | |
228 | ||
229 | <varlistentry> | |
230 | <term> | |
231 | <varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false] | |
232 | </term> | |
233 | ||
234 | <listitem> | |
235 | <para> | |
236 | Enable to drop connections from non-routable IPs, | |
237 | e.g. to prevent source routing. | |
238 | </para> | |
239 | </listitem> | |
240 | </varlistentry> | |
241 | ||
242 | <varlistentry> | |
243 | <term> | |
244 | <varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false] | |
245 | </term> | |
246 | ||
247 | <listitem> | |
248 | <para> | |
249 | Enable for SYN-flood protection. | |
250 | </para> | |
251 | </listitem> | |
252 | </varlistentry> | |
253 | ||
254 | <varlistentry> | |
255 | <term> | |
d7a8bf5e | 256 | <varname>FIREWALL_USE_ECN</varname> = [<emphasis>true</emphasis>|false] |
257 | </term> |
258 | ||
259 | <listitem> | |
260 | <para> | |
261 | Enables the ECN (Explicit Congestion Notification) TCP flag. | |
262 | </para> | |
263 | <para> | |
264 | Some routers on the Internet still do not support ECN properly, | |
265 | so this is not enabled by default. | |
266 | When this setting is disabled, ECN is only advertised | |
267 | when asked for. | |
268 | </para> | |
269 | </listitem> | |
270 | </varlistentry> | |
271 | </variablelist> | |
272 | </refsect1> | |
273 | ||
274 | <refsect1> | |
275 | <title>See Also</title> | |
276 | ||
277 | <para> | |
278 | <citerefentry> | |
279 | <refentrytitle>firewall</refentrytitle> | |
280 | <manvolnum>8</manvolnum> | |
281 | </citerefentry> | |
282 | </para> | |
283 | </refsect1> | |
284 | </refentry> |