git.ipfire.org Git - people/ms/network.git/blob - man/firewall-settings.xml
<?xml version="1.0"?>
<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<refentry id="firewall-settings">
	<refentryinfo>
		<title>firewall-settings</title>
		<productname>network</productname>

		<authorgroup>
			<author>
				<contrib>Developer</contrib>
				<firstname>Michael</firstname>
				<surname>Tremer</surname>
				<email>michael.tremer@ipfire.org</email>
			</author>
		</authorgroup>
	</refentryinfo>

	<refmeta>
		<refentrytitle>firewall-settings</refentrytitle>
		<manvolnum>8</manvolnum>
	</refmeta>

	<refnamediv>
		<refname>firewall-settings</refname>
		<refpurpose>Firewall Configuration Control Program</refpurpose>
	</refnamediv>

	<refsynopsisdiv>
		<cmdsynopsis>
			<command>firewall-settings</command>
		</cmdsynopsis>

		<cmdsynopsis>
			<command>firewall-settings <replaceable>KEY=VALUE</replaceable></command>
		</cmdsynopsis>
	</refsynopsisdiv>

	<refsect1>
		<title>Description</title>

		<para>
			The <command>firewall-settings</command> command may be used to set
			global firewall configuration options.
		</para>
		<para>
			Please have a look at the individual man pages for more options.
		</para>
	</refsect1>

	<refsect1>
		<title>Commands</title>

		<para>
			If no additional argument is given, running the command will
			dump a list of all configuration variables and their current values.
		</para>

		<para>
			You may set a new value by adding the variable name and the new
			value to the command line.
		</para>
	</refsect1>

	<refsect1>
		<title>Variables</title>

		<variablelist>
			<varlistentry>
				<term>
					<varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
				</term>

				<listitem>
					<para>
						Limits the max. number of simultaneous connections.
					</para>
					<para>
						Modify this if you want to handle a larger number of concurrent
						connections. Every connection will use approx. 16 kBytes of memory.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
				</term>

				<listitem>
					<para>
						Defines the timeout (in seconds) the kernel will wait until
						a half-assured UDP connection is fully established.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
				</term>

				<listitem>
					<para>
						Enable if you want to accept ICMP redirect messages.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
				</term>

				<listitem>
					<para>
						If Path MTU Discovery does not work well, enable this option.
						It sets the MSS value of a packet so that the remote site will
						never send a packet bigger than the MSS value.
					</para>
					<para>
						No ICMP packets are needed to make this work, so use this on
						networks with broken ICMP filtering.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
				</term>

				<listitem>
					<para>
						Here you can change the default TTL used for sending packets.
					</para>
					<para>
						The given value must be between 10 and 255.
						Don't mess with this unless you know what you are doing.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable this to log TCP packets with bad flags or options.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable this to log INVALID ICMP packets.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable this to log INVALID TCP packets.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable this to log INVALID UDP packets.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
				</term>

				<listitem>
					<para>
						Enable this to log packets with impossible addresses.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable this to log all stealth scans.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_PMTU_DISCOVERY</varname> = [true|<emphasis>false</emphasis>]
				</term>

				<listitem>
					<para>
						Enables Path MTU Discovery.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable to drop connections from non-routable IPs,
						e.g. to prevent source routing.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enable for SYN-flood protection.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<varname>FIREWALL_USE_ECN</varname> = [<emphasis>true</emphasis>|false]
				</term>

				<listitem>
					<para>
						Enables the ECN (Explicit Congestion Notification) TCP flag.
					</para>
					<para>
						Some routers on the Internet still do not support ECN properly,
						so this is not enabled by default.
						When this setting is disabled, ECN is only advertised
						when asked for.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>
	</refsect1>

	<refsect1>
		<title>See Also</title>

		<para>
			<citerefentry>
				<refentrytitle>firewall</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>
		</para>
	</refsect1>
</refentry>
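As an added example (not part of the network project or of this man page), a POSIX shell helper that checks a proposed KEY=VALUE assignment against the constraints the Commands and Variables sections document before it is handed to firewall-settings, flags assignments that switch off a documented protection, and estimates conntrack memory from the page's figure of about 16 kBytes per connection. The function names and the list of protection-weakening assignments are this example's own assumptions.

```shell
# Added example, not part of the network project: checks a KEY=VALUE
# assignment against the constraints documented in firewall-settings(8)
# before it is passed to the real tool. Keys and ranges come from the
# man page; the checks and the "weakens protection" list are assumptions.

BOOL_KEYS="FIREWALL_ACCEPT_ICMP_REDIRECTS FIREWALL_CLAMP_PATH_MTU \
FIREWALL_LOG_BAD_TCP_FLAGS FIREWALL_LOG_INVALID_ICMP FIREWALL_LOG_INVALID_TCP \
FIREWALL_LOG_INVALID_UDP FIREWALL_LOG_MARTIANS FIREWALL_LOG_STEALTH_SCANS \
FIREWALL_PMTU_DISCOVERY FIREWALL_RP_FILTER FIREWALL_SYN_COOKIES FIREWALL_USE_ECN"

# validate_setting KEY=VALUE -> 0 if acceptable, 1 with a reason on stderr.
validate_setting() {
	local key="${1%%=*}" value="${1#*=}"
	[ "$key" != "$1" ] || { echo "expected KEY=VALUE, got '$1'" >&2; return 1; }
	case "$key" in
	CONNTRACK_MAX_CONNECTIONS|CONNTRACK_UDP_TIMEOUT)
		# positive integer without leading zeros
		case "$value" in
		''|*[!0-9]*|0*) echo "$key must be a positive integer" >&2; return 1 ;;
		esac ;;
	FIREWALL_DEFAULT_TTL)
		# the man page requires 10 <= TTL <= 255
		case "$value" in ''|*[!0-9]*) echo "$key must be an integer" >&2; return 1 ;; esac
		if [ "$value" -lt 10 ] || [ "$value" -gt 255 ]; then
			echo "$key must be between 10 and 255" >&2; return 1
		fi ;;
	*)
		# everything else documented on the page is a true|false switch
		case " $BOOL_KEYS " in
		*" $key "*) ;;
		*) echo "unknown setting '$key'" >&2; return 1 ;;
		esac
		[ "$value" = true ] || [ "$value" = false ] ||
			{ echo "$key must be true or false" >&2; return 1; } ;;
	esac
}

# weakens_protection KEY=VALUE -> 0 if the assignment switches off SYN-flood
# protection or reverse path filtering, or accepts ICMP redirects.
weakens_protection() {
	case "$1" in
	FIREWALL_SYN_COOKIES=false|FIREWALL_RP_FILTER=false) return 0 ;;
	FIREWALL_ACCEPT_ICMP_REDIRECTS=true) return 0 ;;
	*) return 1 ;;
	esac
}

# conntrack_memory_kb N -> approx. memory for N tracked connections, using
# the man page's figure of about 16 kBytes per connection.
conntrack_memory_kb() { echo $(( $1 * 16 )); }
```

Run `validate_setting "$1" && ! weakens_protection "$1"` in front of the real `firewall-settings "$1"` call to reject malformed values and to require an explicit override for assignments that weaken the documented protections.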