git.ipfire.org Git - people/ms/network.git/blob - man/firewall-settings.txt
= firewall-settings(8)

== NAME
firewall-settings - Global firewall settings

== SYNOPSIS
[verse]
`firewall settings`
`firewall settings` KEY=VALUE ...

== DESCRIPTION
This command is used to set global firewall settings.
Please have a look at the individual man pages for more options.

== COMMANDS
If no argument is given, the configuration will be dumped to the console.

You may set a new value by adding the variable name and the new value to
the command line.

== SETTINGS

=== CONNTRACK_MAX_CONNECTIONS = 16384
Limits the maximum number of simultaneous connections.

Modify this if you want to handle a larger number of concurrent
connections. Every connection will use approximately 16 kBytes of memory.

=== CONNTRACK_UDP_TIMEOUT = 60
Defines the timeout (in seconds) the kernel will wait until
a half-assured UDP connection is fully established.

=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false]
Enable if you want to accept ICMP redirect messages.

=== FIREWALL_CLAMP_PATH_MTU = [true|false]
If Path MTU Discovery does not work well, enable this option.

It sets the MSS value of a packet so that the remote site never
sends a packet bigger than the MSS value.

No ICMP packets are needed to make this work, so use this on
networks with broken ICMP filtering.

=== FIREWALL_DEFAULT_TTL = 64
Here you can change the default TTL used for sending packets.

The given value must be between 10 and 255.
Don't mess with this unless you know what you are doing.

=== FIREWALL_LOG_BAD_TCP_FLAGS = [true|false]
Enable this to log TCP packets with bad flags or options.

=== FIREWALL_LOG_INVALID_ICMP = [true|false]
Enable this to log INVALID ICMP packets.

=== FIREWALL_LOG_INVALID_TCP = [true|false]
Enable this to log INVALID TCP packets.

=== FIREWALL_LOG_INVALID_UDP = [true|false]
Enable this to log INVALID UDP packets.

=== FIREWALL_LOG_MARTIANS = [true|false]
Enable this to log packets with impossible addresses.

=== FIREWALL_LOG_STEALTH_SCANS = [true|false]
Enable this to log all stealth scans.

=== FIREWALL_PMTU_DISCOVERY = [true|false]
Enables Path MTU Discovery.

=== FIREWALL_RP_FILTER = [true|false]
Enable to drop connections from non-routable IPs,
e.g. to prevent source routing.

=== FIREWALL_SYN_COOKIES = [true|false]
Enable for SYN-flood protection.

=== FIREWALL_USE_ECN = [true|false]
Enables the ECN (Explicit Congestion Notification) TCP flag.

Some routers on the Internet still do not support ECN properly.
When this setting is disabled, ECN is only advertised
when asked for.

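The following pre-flight check for `firewall settings KEY=VALUE ...` arguments is an added example and is not part of the network package. The helper names `check_firewall_settings` and `conntrack_memory_kbytes` are hypothetical, and treating the two CONNTRACK values as positive integers is an assumption; the key names, the true/false values, the TTL range and the 16 kBytes figure are taken from the SETTINGS section above.

```shell
#!/bin/sh
# Added example: validate KEY=VALUE arguments before handing them to
# `firewall settings`. Helper names are hypothetical.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# Worst-case conntrack memory, using the man page's figure of approx.
# 16 kBytes per tracked connection.
conntrack_memory_kbytes() { echo $(( $1 * 16 )); }

# Prints one line per rejected argument on stderr and returns the number
# of rejected arguments (0 means every argument passed).
check_firewall_settings() {
    errors=0
    for arg in "$@"; do
        key=${arg%%=*} value=${arg#*=} problem=
        case "$arg" in *=*) ;; *) problem="not in KEY=VALUE form" ;; esac
        if [ -z "$problem" ]; then
            case "$key" in
                CONNTRACK_MAX_CONNECTIONS|CONNTRACK_UDP_TIMEOUT)
                    # Assumption: these take a plain positive integer.
                    { is_uint "$value" && [ "$value" -gt 0 ]; } ||
                        problem="expects a positive integer" ;;
                FIREWALL_DEFAULT_TTL)
                    # Range stated in the man page.
                    { is_uint "$value" && [ "$value" -ge 10 ] && [ "$value" -le 255 ]; } ||
                        problem="must be between 10 and 255" ;;
                FIREWALL_ACCEPT_ICMP_REDIRECTS|FIREWALL_CLAMP_PATH_MTU|\
                FIREWALL_LOG_BAD_TCP_FLAGS|FIREWALL_LOG_INVALID_ICMP|\
                FIREWALL_LOG_INVALID_TCP|FIREWALL_LOG_INVALID_UDP|\
                FIREWALL_LOG_MARTIANS|FIREWALL_LOG_STEALTH_SCANS|\
                FIREWALL_PMTU_DISCOVERY|FIREWALL_RP_FILTER|\
                FIREWALL_SYN_COOKIES|FIREWALL_USE_ECN)
                    case "$value" in true|false) ;; *) problem="expects true or false" ;; esac ;;
                *) problem="not a setting documented in firewall-settings(8)" ;;
            esac
        fi
        if [ -n "$problem" ]; then
            echo "$arg: $problem" >&2
            errors=$((errors + 1))
        fi
    done
    return "$errors"
}

# When run as a script, check the arguments given on the command line.
if [ "$#" -gt 0 ]; then check_firewall_settings "$@"; fi
```

A zero exit status means the same arguments can be passed on to `firewall settings`; `conntrack_memory_kbytes` helps size CONNTRACK_MAX_CONNECTIONS against available memory before raising it.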
== AUTHORS
Michael Tremer

== SEE ALSO
link:firewall[8]