[people/ms/network.git] / man / firewall-settings.txt

firewall-settings(8)
====================

NAME
----
firewall-settings - Global firewall settings

SYNOPSIS
--------
[verse]
'firewall settings'
'firewall settings' KEY=VALUE ...

DESCRIPTION
-----------
This command is used to set global firewall settings.
Please have a look at the individual man pages for more options.

COMMANDS
--------
If no argument is given, the configuration will be dumped to the console.

You may set a new value by adding the variable name and the new value to
the command line.

SETTINGS
--------
=== CONNTRACK_MAX_CONNECTIONS = 16384
Limits the max. number of simultaneous connections.

Modify this if you want to handle a larger number of concurrent
connections. Every connection will use approx. 16 kBytes of memory.

=== CONNTRACK_UDP_TIMEOUT = 60
Defines the timeout (in seconds) the kernel will wait until
a half-assured UDP connection is fully established.

=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false]
Enable if you want to accept ICMP redirect messages.

=== FIREWALL_CLAMP_PATH_MTU = [true|false]
If Path MTU Discovery does not work well, enable this option.

It sets the MSS value of a packet so that the remote site would
never send a packet bigger than the MSS value.

No ICMP packets are needed to make this work, so use this on
networks with broken ICMP filtering.

=== FIREWALL_DEFAULT_TTL = 64
Here you can change the default TTL used for sending packets.

The given value must be between 10 and 255.
Don't mess with this unless you know what you are doing.

=== FIREWALL_LOG_BAD_TCP_FLAGS = [true|false]
Enable this to log TCP packets with bad flags or options.

=== FIREWALL_LOG_INVALID_ICMP = [true|false]
Enable this to log INVALID ICMP packets.

=== FIREWALL_LOG_INVALID_TCP = [true|false]
Enable this to log INVALID TCP packets.

=== FIREWALL_LOG_INVALID_UDP = [true|false]
Enable this to log INVALID UDP packets.

=== FIREWALL_LOG_MARTIANS = [true|false]
Enable this to log packets with impossible addresses.

=== FIREWALL_LOG_STEALTH_SCANS = [true|false]
Enable this to log all stealth scans.

=== FIREWALL_PMTU_DISCOVERY = [true|false]
Enables Path MTU Discovery.

=== FIREWALL_RP_FILTER = [true|false]
Enable to drop connection from non-routable IPs,
e.g. prevent source routing.

=== FIREWALL_SYN_COOKIES = [true|false]
Enable for SYN-flood protection.

=== FIREWALL_USE_ECN = [true|false]
Enables the ECN (Explicit Congestion Notification) TCP flag.

Some routers on the Internet still do not support ECN properly.
When this setting is disabled, ECN is only advertised
when asked for.

AUTHORS
-------
Michael Tremer

SEE ALSO
--------
link:firewall[8]
Commit	Line	Data
66fe74f9 MT	1	firewall-settings(8)
	2	====================
	3
	4	NAME
	5	----
	6	firewall-settings - Global firewall settings
	7
	8	SYNOPSIS
	9	--------
	10	[verse]
	11	'firewall settings'
	12	'firewall settings' KEY=VALUE ...
	13
	14	DESCRIPTION
	15	-----------
	16	This command is used to set global firewall settings.
	17	Please have a look at the individual man pages for more options.
	18
	19	COMMANDS
	20	--------
	21	If no argument is given, the configuration will be dumped to the console.
	22
	23	You may set a new value by adding the variable name and the new value to
	24	the command line.
	25
	26	SETTINGS
	27	--------
	28	=== CONNTRACK_MAX_CONNECTIONS = 16384
	29	Limits the max. number of simultaneous connections.
	30
	31	Modify this if you want to handle a larger number of concurrent
	32	connections. Every connection will use approx. 16 kBytes of memory.
	33
	34	=== CONNTRACK_UDP_TIMEOUT = 60
	35	Defines the timeout (in seconds) the kernel will wait until
	36	a half-assured UDP connection is fully established.
	37
	38	=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true\|false]
	39	Enable if you want to accept ICMP redirect messages.
	40
	41	=== FIREWALL_CLAMP_PATH_MTU = [true\|false]
	42	If Path MTU Discovery does not work well, enable this option.
	43
	44	It sets the MSS value of a packet so that the remote site would
	45	never send a packet bigger than the MSS value.
	46
	47	No ICMP packets are needed to make this work, so use this on
	48	networks with broken ICMP filtering.
	49
	50	=== FIREWALL_DEFAULT_TTL = 64
	51	Here you can change the default TTL used for sending packets.
	52
	53	The given value must be between 10 and 255.
	54	Don't mess with this unless you know what you are doing.
	55
	56	=== FIREWALL_LOG_BAD_TCP_FLAGS = [true\|false]
	57	Enable this to log TCP packets with bad flags or options.
	58
	59	=== FIREWALL_LOG_INVALID_ICMP = [true\|false]
	60	Enable this to log INVALID ICMP packets.
	61
	62	=== FIREWALL_LOG_INVALID_TCP = [true\|false]
	63	Enable this to log INVALID TCP packets.
	64
65	=== FIREWALL_LOG_INVALID_UDP = [true\|false]
66	Enable this to log INVALID UDP packets.
67
68	=== FIREWALL_LOG_MARTIANS = [true\|false]
69	Enable this to log packets with impossible addresses.
70
71	=== FIREWALL_LOG_STEALTH_SCANS = [true\|false]
72	Enable this to log all stealth scans.
73
74	=== FIREWALL_PMTU_DISCOVERY = [true\|false]
75	Enables Path MTU Discovery.
76
77	=== FIREWALL_RP_FILTER = [true\|false]
78	Enable to drop connection from non-routable IPs,
79	e.g. prevent source routing.
80
81	=== FIREWALL_SYN_COOKIES = [true\|false]
82	Enable for SYN-flood protection.
83
84	=== FIREWALL_USE_ECN = [true\|false]
85	Enables the ECN (Explicit Congestion Notification) TCP flag.
86
87	Some routers on the Internet still do not support ECN properly.
88	When this setting is disabled, ECN is only advertised
89	when asked for.
90
91	AUTHORS
92	-------
93	Michael Tremer
94
95	SEE ALSO
96	--------
97	link:firewall[8]