<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<refentry id="firewall-settings">
<title>firewall-settings</title>
<productname>network</productname>
<contrib>Developer</contrib>
<firstname>Michael</firstname>
<surname>Tremer</surname>
<email>michael.tremer@ipfire.org</email>
<refentrytitle>firewall-settings</refentrytitle>
<manvolnum>8</manvolnum>
<refname>firewall-settings</refname>
<refpurpose>Firewall Configuration Control Program</refpurpose>
<command>firewall-settings</command>
<command>firewall-settings <replaceable>KEY=VALUE</replaceable></command>
<title>Description</title>
The <command>firewall-settings</command> command may be used to set
global firewall configuration options.

Please have a look at the individual man pages for more options.
<title>Commands</title>
If no additional argument is given, running the command will
dump a list of all configuration variables and their current values.

You may set a new value by adding the variable name and the new
value to the command line.
<title>Variables</title>
<varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
Limits the maximum number of simultaneous connections.

Modify this if you want to handle a larger number of concurrent
connections. Every connection will use approx. 16 kBytes of memory.
<varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
Defines the timeout (in seconds) the kernel will wait until
a half-assured UDP connection is fully established.
<varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
Enable if you want to accept ICMP redirect messages.
<varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
If Path MTU Discovery does not work well, enable this option.
It sets the MSS value of a packet so that the remote site would
never send a packet bigger than the MSS value.

No ICMP packets are needed to make this work, so use this on
networks with broken ICMP filtering.
<varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
Here you can change the default TTL used for sending packets.

The given value must be between 10 and 255.
Don't mess with this unless you know what you are doing.
<varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false]
Enable this to log TCP packets with bad flags or options.
<varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false]
Enable this to log INVALID ICMP packets.
<varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false]
Enable this to log INVALID TCP packets.
<varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false]
Enable this to log INVALID UDP packets.
<varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
Enable this to log packets with impossible addresses.
<varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false]
Enable this to log all stealth scans.
<varname>FIREWALL_PMTU_DISCOVERY</varname> = [<emphasis>true</emphasis>|false]
Enables Path MTU Discovery.
Disable it when you are experiencing problems.
<varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
Enable to drop connections from non-routable IPs,
e.g. to prevent source routing.
<varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
Enable for SYN-flood protection.
<varname>FIREWALL_USE_ECN</varname> = [true|<emphasis>false</emphasis>]
Enables the ECN (Explicit Congestion Notification) TCP flag.

Some routers on the Internet still do not support ECN properly,
so this is not enabled by default.
When this setting is disabled, ECN is only advertised
<title>See Also</title>
<refentrytitle>firewall</refentrytitle>
<manvolnum>8</manvolnum>
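
The defaults and the TTL range documented under Variables can be checked mechanically against the dump the command prints when run without arguments. The script below is an added example, not part of the original man page or the network project's code; it assumes the dump prints one KEY=VALUE pair per line with the value optionally double-quoted, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a firewall-settings dump for drift from the defaults
# documented on this page. Assumption: one KEY=VALUE pair per line, with the
# value optionally wrapped in double quotes.

# Documented default for each switch whose change weakens filtering or logging.
expected_value() {
    case "$1" in
        FIREWALL_ACCEPT_ICMP_REDIRECTS) echo false ;;
        FIREWALL_RP_FILTER|FIREWALL_SYN_COOKIES) echo true ;;
        FIREWALL_LOG_BAD_TCP_FLAGS|FIREWALL_LOG_STEALTH_SCANS) echo true ;;
        FIREWALL_LOG_INVALID_ICMP|FIREWALL_LOG_INVALID_TCP|FIREWALL_LOG_INVALID_UDP) echo true ;;
        *) return 1 ;;
    esac
}

# Reads the dump on stdin and prints one finding per line; silent when clean.
audit_firewall_settings() {
    while IFS='=' read -r key value || [ -n "$key" ]; do
        value=${value#\"}
        value=${value%\"}
        case "$key" in
            FIREWALL_DEFAULT_TTL)
                case "$value" in
                    ''|*[!0-9]*) echo "INVALID $key=$value (not a number)" ;;
                    *)
                        if [ "$value" -lt 10 ] || [ "$value" -gt 255 ]; then
                            echo "INVALID $key=$value (must be between 10 and 255)"
                        fi ;;
                esac ;;
            *)
                if want=$(expected_value "$key"); then
                    [ "$value" = "$want" ] || echo "DRIFT $key=$value (documented default: $want)"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample dump, not output captured from a real system.
sample_dump() {
    printf '%s\n' \
        'CONNTRACK_MAX_CONNECTIONS="16384"' \
        'FIREWALL_ACCEPT_ICMP_REDIRECTS="true"' \
        'FIREWALL_DEFAULT_TTL="300"' \
        'FIREWALL_RP_FILTER="false"' \
        'FIREWALL_SYN_COOKIES="true"'
}

sample_dump | audit_firewall_settings
# On a real system: firewall-settings | audit_firewall_settings
```

A DRIFT line is not necessarily a fault; it marks a setting that differs from the documented default and should have a recorded reason.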