= firewall-settings(8)

== NAME
firewall-settings - Global firewall settings

== SYNOPSIS
[verse]
`firewall settings`
`firewall settings` KEY=VALUE ...

== DESCRIPTION
This command is used to set global firewall settings.
Please have a look at the individual man pages for more options.

== COMMANDS
If no argument is given, the configuration will be dumped to the console.

You may set a new value by adding the variable name and the new value to
the command line.

== SETTINGS

=== CONNTRACK_MAX_CONNECTIONS = 16384
Limits the maximum number of simultaneous connections.

Modify this if you want to handle a larger number of concurrent
connections. Every connection will use approx. 16 kBytes of memory.

=== CONNTRACK_UDP_TIMEOUT = 60
Defines the timeout (in seconds) the kernel will wait until
a half-assured UDP connection is fully established.

=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false]
Enable if you want to accept ICMP redirect messages.

=== FIREWALL_CLAMP_PATH_MTU = [true|false]
If Path MTU Discovery does not work well, enable this option.

It sets the MSS value of a packet so that the remote site will
never send a packet bigger than the MSS value.

No ICMP packets are needed to make this work, so use this on
networks with broken ICMP filtering.

=== FIREWALL_DEFAULT_TTL = 64
Here you can change the default TTL used for sending packets.

The given value must be between 10 and 255.
Don't mess with this unless you know what you are doing.

=== FIREWALL_LOG_BAD_TCP_FLAGS = [true|false]
Enable this to log TCP packets with bad flags or options.

=== FIREWALL_LOG_INVALID_ICMP = [true|false]
Enable this to log INVALID ICMP packets.

=== FIREWALL_LOG_INVALID_TCP = [true|false]
Enable this to log INVALID TCP packets.

=== FIREWALL_LOG_INVALID_UDP = [true|false]
Enable this to log INVALID UDP packets.

=== FIREWALL_LOG_MARTIANS = [true|false]
Enable this to log packets with impossible addresses.

=== FIREWALL_LOG_STEALTH_SCANS = [true|false]
Enable this to log all stealth scans.

=== FIREWALL_PMTU_DISCOVERY = [true|false]
Enables Path MTU Discovery.

=== FIREWALL_RP_FILTER = [true|false]
Enable to drop connections from non-routable IPs,
e.g. to prevent source routing.

=== FIREWALL_SYN_COOKIES = [true|false]
Enable for SYN-flood protection.

=== FIREWALL_USE_ECN = [true|false]
Enables the ECN (Explicit Congestion Notification) TCP flag.

Some routers on the Internet still do not support ECN properly.
When this setting is disabled, ECN is only advertised
when asked for.

== AUTHORS
Michael Tremer

== SEE ALSO
link:firewall[8]