--- /dev/null
+firewall-settings(8)
+====================
+
+NAME
+----
+firewall-settings - Global firewall settings
+
+SYNOPSIS
+--------
+[verse]
+'firewall settings'
+'firewall settings' KEY=VALUE ...
+
+DESCRIPTION
+-----------
+This command is used to set global firewall settings.
+Please have a look at the individual man pages for more options.
+
+COMMANDS
+--------
+If no argument is given, the configuration will be dumped to the console.
+
+You may set a new value by adding the variable name and the new value to
+the command line.
+
+SETTINGS
+--------
+=== CONNTRACK_MAX_CONNECTIONS = 16384
+Limits the max. number of simultaneous connections.
+
+Modify this if you want to handle a larger number of concurrent
+connections. Every connection will use approx. 16 kBytes of memory.
+
+=== CONNTRACK_UDP_TIMEOUT = 60
+Defines the timeout (in seconds) the kernel will wait until
+a half-assured UDP connection is fully established.
+
+=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false]
+Enable if you want to accept ICMP redirect messages.
+
+=== FIREWALL_CLAMP_PATH_MTU = [true|false]
+If Path MTU Discovery does not work well, enable this option.
+
+It sets the MSS value of a packet so that the remote site would
+never send a packet bigger than the MSS value.
+
+No ICMP packets are needed to make this work, so use this on
+networks with broken ICMP filtering.
+
+=== FIREWALL_DEFAULT_TTL = 64
+Here you can change the default TTL used for sending packets.
+
+The given value must be between 10 and 255.
+Don't mess with this unless you know what you are doing.
+
+=== FIREWALL_LOG_BAD_TCP_FLAGS = [true|false]
+Enable this to log TCP packets with bad flags or options.
+
+=== FIREWALL_LOG_INVALID_ICMP = [true|false]
+Enable this to log INVALID ICMP packets.
+
+=== FIREWALL_LOG_INVALID_TCP = [true|false]
+Enable this to log INVALID TCP packets.
+
+=== FIREWALL_LOG_INVALID_UDP = [true|false]
+Enable this to log INVALID UDP packets.
+
+=== FIREWALL_LOG_MARTIANS = [true|false]
+Enable this to log packets with impossible addresses.
+
+=== FIREWALL_LOG_STEALTH_SCANS = [true|false]
+Enable this to log all stealth scans.
+
+=== FIREWALL_PMTU_DISCOVERY = [true|false]
+Enables Path MTU Discovery.
+
+=== FIREWALL_RP_FILTER = [true|false]
+Enable to drop connection from non-routable IPs,
+e.g. prevent source routing.
+
+=== FIREWALL_SYN_COOKIES = [true|false]
+Enable for SYN-flood protection.
+
+=== FIREWALL_USE_ECN = [true|false]
+Enables the ECN (Explicit Congestion Notification) TCP flag.
+
+Some routers on the Internet still do not support ECN properly.
+When this setting is disabled, ECN is only advertised
+when asked for.
+
+AUTHORS
+-------
+Michael Tremer
+
+SEE ALSO
+--------
+link:firewall[8]
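Review bot: the `[true|false]` settings in this hunk (FIREWALL_ACCEPT_ICMP_REDIRECTS through FIREWALL_USE_ECN) no longer say which value is the default; the DocBook version marked it with `<emphasis>` (e.g. `FIREWALL_RP_FILTER = [<emphasis>true</emphasis>|false]` versus `FIREWALL_LOG_MARTIANS = [true|<emphasis>false</emphasis>]`), and the FIREWALL_USE_ECN paragraph also dropped the sentence "so this is not enabled by default". These keys control logging, reverse-path filtering and SYN cookies, so an administrator reading the page needs to know what applies when a key is unset; suggest carrying the default through in AsciiDoc, e.g. `=== FIREWALL_RP_FILTER = [*true*|false]` and `=== FIREWALL_LOG_MARTIANS = [true|*false*]`, and restoring the ECN sentence. Separately, the SYNOPSIS uses `'firewall settings'` while NAME and the removed page call the command `firewall-settings`; please confirm which spelling the CLI actually accepts so the two sections agree.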
+++ /dev/null
-<?xml version="1.0"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<refentry id="firewall-settings">
- <refentryinfo>
- <title>firewall-settings</title>
- <productname>network</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Michael</firstname>
- <surname>Tremer</surname>
- <email>michael.tremer@ipfire.org</email>
- </author>
- </authorgroup>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>firewall-settings</refentrytitle>
- <manvolnum>8</manvolnum>
- </refmeta>
-
- <refnamediv>
- <refname>firewall-settings</refname>
- <refpurpose>Firewall Configuration Control Program</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>firewall-settings</command>
- </cmdsynopsis>
-
- <cmdsynopsis>
- <command>firewall-settings <replaceable>KEY=VALUE</replaceable></command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>Description</title>
-
- <para>
- The <command>firewall-settings</command> command may be used to set
- global firewall settingsuration options.
- </para>
- <para>
- Please have a look at the individual man pages for more options.
- </para>
- </refsect1>
-
- <refsect1>
- <title>Commands</title>
-
- <para>
- If no additional argument is given, running the command will
- dump a list of all settingsuration variables and their current values.
- </para>
-
- <para>
- You may set a new value by adding the variable name and the new
- value to the command line.
- </para>
- </refsect1>
-
- <refsect1>
- <title>Variables</title>
-
- <variablelist>
- <varlistentry>
- <term>
- <varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
- </term>
-
- <listitem>
- <para>
- Limits the max. number of simultaneous connections.
- </para>
- <para>
- Modify this if you want to handle a larger number of concurrent
- connections. Every connection will use approx. 16 kBytes of memory.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
- </term>
-
- <listitem>
- <para>
- Defines the timeout (in seconds) the kernel will wait until
- a half-assured UDP connection is fully established.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
- </term>
-
- <listitem>
- <para>
- Enable if you want to accept ICMP redirect messages.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
- </term>
-
- <listitem>
- <para>
- If Path MTU Discovery does not work well, enable this option.
- It sets the MSS value of a packet so that the remote site would
- never send a packet bigger than the MSS value.
- </para>
- <para>
- No ICMP packets are needed to make this work, so use this on
- networks with broken ICMP filtering.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
- </term>
-
- <listitem>
- <para>
- Here you can change the default TTL used for sending packets.
- </para>
- <para>
- The given value must be between 10 and 255.
- Don't mess with this unless you know what you are doing.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable this to log TCP packets with bad flags or options.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable this to log INVALID ICMP packets.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable this to log INVALID TCP packets.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable this to log INVALID UDP packets.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
- </term>
-
- <listitem>
- <para>
- Enable this to log packets with impossible addresses.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable this to log all stealth scans.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_PMTU_DISCOVERY</varname> = [true|<emphasis>false</emphasis>]
- </term>
-
- <listitem>
- <para>
- Enables Path MTU Discovery.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable to drop connection from non-routable IPs,
- e.g. prevent source routing.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enable for SYN-flood protection.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <varname>FIREWALL_USE_ECN</varname> = [<emphasis>true</emphasis>|false]
- </term>
-
- <listitem>
- <para>
- Enables the ECN (Explicit Congestion Notification) TCP flag.
- </para>
- <para>
- Some routers on the Internet still do not support ECN properly,
- so this is not enabled by default.
- When this setting is disabled, ECN is only advertised
- when asked for.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>See Also</title>
-
- <para>
- <citerefentry>
- <refentrytitle>firewall</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-</refentry>
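Review bot: the removed `<refentryinfo>` block carried the author's e-mail (`<email>michael.tremer@ipfire.org</email>`) and `<productname>network</productname>`, neither of which has a counterpart in the new AsciiDoc file; if they are still wanted in the generated man page, the AUTHORS section could read `Michael Tremer <michael.tremer@ipfire.org>`. Otherwise the removal looks clean: the `settingsuration` typos in the old Description and Commands sections were search-and-replace artefacts and are correctly worded in the replacement.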