Commit 66fe74f9 (MT)
firewall-settings(8)
====================

NAME
----
firewall-settings - Global firewall settings

SYNOPSIS
--------
[verse]
'firewall settings'
'firewall settings' KEY=VALUE ...

DESCRIPTION
-----------
This command is used to set global firewall settings.
Please have a look at the individual man pages for more options.

COMMANDS
--------
If no argument is given, the configuration will be dumped to the console.

You may set a new value by adding the variable name and the new value to
the command line.

SETTINGS
--------
=== CONNTRACK_MAX_CONNECTIONS = 16384
Limits the maximum number of simultaneously tracked connections.

Raise this if the firewall has to handle a larger number of concurrent
connections. Every tracked connection uses approx. 16 kBytes of memory.
Once the table is full, the kernel drops packets belonging to new
connections instead of tracking them, so a limit that is too low turns
into a denial of service for new connections.

=== CONNTRACK_UDP_TIMEOUT = 60
Defines how long (in seconds) the kernel keeps a half-assured UDP
connection, i.e. one that has only seen traffic in one direction,
before the entry expires.

=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false]
Enable if you want to accept ICMP redirect messages.

Accepting redirects lets any host on a directly connected network
alter the routes the firewall uses, so leave this disabled unless a
router on the local network legitimately sends redirects.

=== FIREWALL_CLAMP_PATH_MTU = [true|false]
If Path MTU Discovery does not work well, enable this option.

It rewrites the MSS option of TCP connections so that the remote site
will never send a segment bigger than the MSS value and therefore
never needs to fragment.

No ICMP packets are needed to make this work, so use this on
networks with broken ICMP filtering.

=== FIREWALL_DEFAULT_TTL = 64
Here you can change the default TTL used for sending packets.

The given value must be between 10 and 255.
Don't mess with this unless you know what you are doing.

=== FIREWALL_LOG_BAD_TCP_FLAGS = [true|false]
Enable this to log TCP packets with bad flags or options.

=== FIREWALL_LOG_INVALID_ICMP = [true|false]
Enable this to log INVALID ICMP packets.

=== FIREWALL_LOG_INVALID_TCP = [true|false]
Enable this to log INVALID TCP packets.

=== FIREWALL_LOG_INVALID_UDP = [true|false]
Enable this to log INVALID UDP packets.

=== FIREWALL_LOG_MARTIANS = [true|false]
Enable this to log packets with impossible addresses.

=== FIREWALL_LOG_STEALTH_SCANS = [true|false]
Enable this to log all stealth scans.

=== FIREWALL_PMTU_DISCOVERY = [true|false]
Enables Path MTU Discovery.

=== FIREWALL_RP_FILTER = [true|false]
Enable reverse path filtering: a packet is dropped if its source
address is not reachable through the interface it arrived on.
This blocks spoofed source addresses, including packets from
non-routable IPs arriving on an external interface.

=== FIREWALL_SYN_COOKIES = [true|false]
Enable for SYN-flood protection. SYN cookies let the kernel keep
accepting connections while the SYN backlog is filled with half-open
connections; they are only used once the backlog overflows.

=== FIREWALL_USE_ECN = [true|false]
Enables ECN (Explicit Congestion Notification) on TCP connections.

Some routers on the Internet still do not support ECN properly.
When this setting is disabled, ECN is only advertised when asked for,
i.e. the firewall does not request ECN on its own connections but
will use it on incoming connections that ask for it.

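The settings above are plain KEY=VALUE pairs, and several of them carry constraints that the command itself does not enforce at a glance: the TTL must lie between 10 and 255, the FIREWALL_* flags must be exactly true or false, and the conntrack values must be positive integers. The following shell script is an added example and is not part of firewall-settings(8) or the project's own code. It validates a dump of such settings against those constraints and names the standard Linux sysctl that each security-relevant setting controls. The sample dump is constructed for the example, and the mapping to sysctl names is an assumption drawn from the kernel's documented sysctls, not something this man page states.

```shell
#!/bin/sh
# Added example, not part of firewall-settings(8) or the project's code.
# Validates a KEY=VALUE settings dump against the documented constraints
# and reports the kernel sysctl each setting corresponds to.

# Constructed sample dump (assumes the dump uses the KEY=VALUE form of the synopsis).
SAMPLE_DUMP='CONNTRACK_MAX_CONNECTIONS=16384
CONNTRACK_UDP_TIMEOUT=60
FIREWALL_ACCEPT_ICMP_REDIRECTS=false
FIREWALL_DEFAULT_TTL=64
FIREWALL_RP_FILTER=true
FIREWALL_SYN_COOKIES=true
FIREWALL_LOG_MARTIANS=true'

# is_bool VALUE -> succeeds only for the literal strings true or false
is_bool() { case "$1" in true|false) return 0 ;; *) return 1 ;; esac; }

# is_uint VALUE -> succeeds only for a non-empty string of decimal digits
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# validate_setting KEY VALUE -> succeeds if VALUE is acceptable for KEY
validate_setting() {
    key="$1"; value="$2"
    case "$key" in
        FIREWALL_DEFAULT_TTL)
            # documented range: 10 to 255
            is_uint "$value" && [ "$value" -ge 10 ] && [ "$value" -le 255 ] ;;
        CONNTRACK_MAX_CONNECTIONS|CONNTRACK_UDP_TIMEOUT)
            is_uint "$value" && [ "$value" -gt 0 ] ;;
        FIREWALL_*)
            is_bool "$value" ;;
        *)
            return 1 ;;   # unknown key
    esac
}

# validate_dump < dump -> prints one line per key, fails if any value is invalid
validate_dump() {
    rc=0
    while IFS='=' read -r key value; do
        [ -n "$key" ] || continue
        if validate_setting "$key" "$value"; then
            echo "$key: ok"
        else
            echo "$key: invalid value '$value'"
            rc=1
        fi
    done
    return $rc
}

# sysctl_for KEY -> the kernel sysctl the setting controls (assumed mapping)
sysctl_for() {
    case "$1" in
        CONNTRACK_MAX_CONNECTIONS)      echo net.netfilter.nf_conntrack_max ;;
        CONNTRACK_UDP_TIMEOUT)          echo net.netfilter.nf_conntrack_udp_timeout ;;
        FIREWALL_ACCEPT_ICMP_REDIRECTS) echo net.ipv4.conf.all.accept_redirects ;;
        FIREWALL_DEFAULT_TTL)           echo net.ipv4.ip_default_ttl ;;
        FIREWALL_LOG_MARTIANS)          echo net.ipv4.conf.all.log_martians ;;
        FIREWALL_RP_FILTER)             echo net.ipv4.conf.all.rp_filter ;;
        FIREWALL_SYN_COOKIES)           echo net.ipv4.tcp_syncookies ;;
        FIREWALL_USE_ECN)               echo net.ipv4.tcp_ecn ;;
        *) return 1 ;;
    esac
}

# Usage: validate the constructed dump, then list the sysctl behind each key.
printf '%s\n' "$SAMPLE_DUMP" | validate_dump
printf '%s\n' "$SAMPLE_DUMP" | while IFS='=' read -r key value; do
    s=$(sysctl_for "$key") && echo "$key -> $s = $value"
done
# Read-only check of the live kernel value for one of them, if /proc is available.
if [ -r /proc/sys/net/ipv4/ip_default_ttl ]; then
    echo "live ip_default_ttl: $(cat /proc/sys/net/ipv4/ip_default_ttl)"
fi
```

To check a real system, pipe the output of 'firewall settings' into validate_dump instead of the constructed sample; the script only reads values and never writes to /proc or calls sysctl, so it is safe to run on a production firewall.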
AUTHORS
-------
Michael Tremer

SEE ALSO
--------
link:firewall[8]