projects / network.git / blame
| Commit | Line | Data |
|---|---|---|
| 39cfece8 | 1 | = firewall-settings(8) |
| 66fe74f9 | 2 | |
| 39cfece8 | 3 | == NAME |
| 66fe74f9 MT |
4 | firewall-settings - Global firewall settings |
| 5 | ||
| 39cfece8 | 6 | == SYNOPSIS |
| 66fe74f9 | 7 | [verse] |
| 39cfece8 MT |
8 | `firewall settings` |
| 9 | `firewall settings` KEY=VALUE ... | |
| 66fe74f9 | 10 | |
| 39cfece8 | 11 | == DESCRIPTION |
| 66fe74f9 MT |
12 | This command is used to set global firewall settings. |
| 13 | Please have a look at the individual man pages for more options. | |
| 14 | ||
| 39cfece8 | 15 | == COMMANDS |
| 66fe74f9 MT |
16 | If no argument is given, the configuration will be dumped to the console. |
| 17 | ||
| 18 | You may set a new value by adding the variable name and the new value to | |
| 19 | the command line. | |
| 20 | ||
| 39cfece8 MT |
21 | == SETTINGS |
| 22 | ||
| 66fe74f9 MT |
23 | === CONNTRACK_MAX_CONNECTIONS = 16384 |
| 24 | Limits the max. number of simultaneous connections. | |
| 25 | ||
| 26 | Modify this if you want to handle a larger number of concurrent | |
| 27 | connections. Every connection will use approx. 16 kBytes of memory. | |
| 28 | ||
| 29 | === CONNTRACK_UDP_TIMEOUT = 60 | |
| 30 | Defines the timeout (in seconds) the kernel will wait until | |
| 31 | a half-assured UDP connection is fully established. | |
| 32 | ||
| 33 | === FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false] | |
| 34 | Enable if you want to accept ICMP redirect messages. | |
| 35 | ||
| 36 | === FIREWALL_CLAMP_PATH_MTU = [true|false] | |
| 37 | If Path MTU Discovery does not work well, enable this option. | |
| 38 | ||
| 39 | It sets the MSS value of a packet so that the remote site would | |
| 40 | never send a packet bigger than the MSS value. | |
| 41 | ||
| 42 | No ICMP packets are needed to make this work, so use this on | |
| 43 | networks with broken ICMP filtering. | |
| 44 | ||
| 45 | === FIREWALL_DEFAULT_TTL = 64 | |
| 46 | Here you can change the default TTL used for sending packets. | |
| 47 | ||
| 48 | The given value must be between 10 and 255. | |
| 49 | Don't mess with this unless you know what you are doing. | |
| 50 | ||
| 51 | === FIREWALL_LOG_BAD_TCP_FLAGS = [true|false] | |
| 52 | Enable this to log TCP packets with bad flags or options. | |
| 53 | ||
| 54 | === FIREWALL_LOG_INVALID_ICMP = [true|false] | |
| 55 | Enable this to log INVALID ICMP packets. | |
| 56 | ||
| 57 | === FIREWALL_LOG_INVALID_TCP = [true|false] | |
| 58 | Enable this to log INVALID TCP packets. | |
| 59 | ||
| 60 | === FIREWALL_LOG_INVALID_UDP = [true|false] | |
| 61 | Enable this to log INVALID UDP packets. | |
| 62 | ||
| 63 | === FIREWALL_LOG_MARTIANS = [true|false] | |
| 64 | Enable this to log packets with impossible addresses. | |
| 65 | ||
| 66 | === FIREWALL_LOG_STEALTH_SCANS = [true|false] | |
| 67 | Enable this to log all stealth scans. | |
| 68 | ||
| 69 | === FIREWALL_PMTU_DISCOVERY = [true|false] | |
| 70 | Enables Path MTU Discovery. | |
| 71 | ||
| 72 | === FIREWALL_RP_FILTER = [true|false] | |
| 73 | Enable to drop connection from non-routable IPs, | |
| 74 | e.g. prevent source routing. | |
| 75 | ||
| 76 | === FIREWALL_SYN_COOKIES = [true|false] | |
| 77 | Enable for SYN-flood protection. | |
| 78 | ||
| 79 | === FIREWALL_USE_ECN = [true|false] | |
| 80 | Enables the ECN (Explicit Congestion Notification) TCP flag. | |
| 81 | ||
| 82 | Some routers on the Internet still do not support ECN properly. | |
| 83 | When this setting is disabled, ECN is only advertised | |
| 84 | when asked for. | |
| 85 | ||
| 39cfece8 | 86 | == AUTHORS |
| 66fe74f9 MT |
87 | Michael Tremer |
| 88 | ||
| 39cfece8 | 89 | == SEE ALSO |
| 66fe74f9 | 90 | link:firewall[8] |