1<?xml version="1.0"?>
2<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
2b0ff832 5<refentry id="firewall-settings">
ef953be2 6 <refentryinfo>
2b0ff832 7 <title>firewall-settings</title>
8 <productname>network</productname>
9
10 <authorgroup>
11 <author>
12 <contrib>Developer</contrib>
13 <firstname>Michael</firstname>
14 <surname>Tremer</surname>
15 <email>michael.tremer@ipfire.org</email>
16 </author>
17 </authorgroup>
18 </refentryinfo>
19
20 <refmeta>
2b0ff832 21 <refentrytitle>firewall-settings</refentrytitle>
22 <manvolnum>8</manvolnum>
23 </refmeta>
24
25 <refnamediv>
2b0ff832 26 <refname>firewall-settings</refname>
27 <refpurpose>Firewall Configuration Control Program</refpurpose>
28 </refnamediv>
29
30 <refsynopsisdiv>
31 <cmdsynopsis>
2b0ff832 32 <command>firewall-settings</command>
33 </cmdsynopsis>
34
35 <cmdsynopsis>
2b0ff832 36 <command>firewall-settings <replaceable>KEY=VALUE</replaceable></command>
37 </cmdsynopsis>
38 </refsynopsisdiv>
39
40 <refsect1>
41 <title>Description</title>
42
43 <para>
44 The <command>firewall-settings</command> command may be used to set
45 global firewall configuration options.
46 </para>
47 <para>
48 Please have a look at the individual man pages for more options.
49 </para>
50 </refsect1>
51
52 <refsect1>
53 <title>Commands</title>
54
55 <para>
56 If no additional argument is given, running the command will
2b0ff832 57 dump a list of all configuration variables and their current values.
58 </para>
59
60 <para>
61 You may set a new value by adding the variable name and the new
62 value to the command line.
63 </para>
64 </refsect1>
65
66 <refsect1>
67 <title>Variables</title>
68
69 <variablelist>
70 <varlistentry>
71 <term>
72 <varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
73 </term>
74
75 <listitem>
76 <para>
77 Limits the maximum number of connections that are tracked simultaneously.
78 </para>
79 <para>
80 Modify this if you want to handle a larger number of concurrent
81 connections. Every connection will use approx. 16 kBytes of memory.
Once the limit is reached, the kernel drops packets belonging to new
connections, so size this setting for the expected peak load.
82 </para>
83 </listitem>
84 </varlistentry>
85
86 <varlistentry>
87 <term>
88 <varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
89 </term>
90
91 <listitem>
92 <para>
93 Defines how long (in seconds) the kernel keeps the connection tracking entry
94 of a UDP flow that has not yet seen traffic in both directions (i.e. is not yet assured).
95 </para>
96 </listitem>
97 </varlistentry>
98
99 <varlistentry>
100 <term>
101 <varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
102 </term>
103
104 <listitem>
105 <para>
106 Enable if you want to accept ICMP redirect messages.
Accepting redirects allows any host on the local link to change this system's
routing decisions, which can be abused to divert traffic. Leave this disabled
on a firewall unless it is really required.
107 </para>
108 </listitem>
109 </varlistentry>
110
111 <varlistentry>
112 <term>
113 <varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
114 </term>
115
116 <listitem>
117 <para>
118 If Path MTU Discovery does not work well, enable this option.
119 It rewrites the TCP MSS (maximum segment size) option so that the remote site
120 will never send a segment bigger than the MSS value.
121 </para>
122 <para>
123 No ICMP packets are needed to make this work, so use this on
124 networks with broken ICMP filtering. Note that this only helps TCP;
other protocols still depend on working Path MTU Discovery.
125 </para>
126 </listitem>
127 </varlistentry>
128
129 <varlistentry>
130 <term>
131 <varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
132 </term>
133
134 <listitem>
135 <para>
136 Here you can change the default TTL used for sending packets.
137 </para>
138 <para>
139 The given value must be between 10 and 255.
140 Don't mess with this unless you know what you are doing.
141 </para>
142 </listitem>
143 </varlistentry>
144
145 <varlistentry>
146 <term>
147 <varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false]
148 </term>
149
150 <listitem>
151 <para>
152 Enable this to log TCP packets with bad flags or options.
153 </para>
154 </listitem>
155 </varlistentry>
156
157 <varlistentry>
158 <term>
159 <varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false]
160 </term>
161
162 <listitem>
163 <para>
164 Enable this to log ICMP packets that connection tracking classifies as INVALID.
165 </para>
166 </listitem>
167 </varlistentry>
168
169 <varlistentry>
170 <term>
171 <varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false]
172 </term>
173
174 <listitem>
175 <para>
176 Enable this to log TCP packets that connection tracking classifies as INVALID.
177 </para>
178 </listitem>
179 </varlistentry>
180
181 <varlistentry>
182 <term>
183 <varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false]
184 </term>
185
186 <listitem>
187 <para>
188 Enable this to log UDP packets that connection tracking classifies as INVALID.
189 </para>
190 </listitem>
191 </varlistentry>
192
193 <varlistentry>
194 <term>
195 <varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
196 </term>
197
198 <listitem>
199 <para>
200 Enable this to log packets with impossible (martian) source addresses,
for example packets rejected by the reverse path filter
(see <varname>FIREWALL_RP_FILTER</varname>).
201 </para>
202 </listitem>
203 </varlistentry>
204
205 <varlistentry>
206 <term>
207 <varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false]
208 </term>
209
210 <listitem>
211 <para>
212 Enable this to log all stealth scans.
213 </para>
214 </listitem>
215 </varlistentry>
216
217 <varlistentry>
218 <term>
219 <varname>FIREWALL_PMTU_DISCOVERY</varname> = [<emphasis>true</emphasis>|false]
220 </term>
221
222 <listitem>
223 <para>
224 Enables Path MTU Discovery.
225 Disable it when you are experiencing problems.
226 </para>
227 </listitem>
228 </varlistentry>
229
230 <varlistentry>
231 <term>
232 <varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
233 </term>
234
235 <listitem>
236 <para>
237 Enable reverse path filtering: incoming packets are dropped when the route
238 back to their source address does not lead through the interface they arrived on.
This blocks packets with spoofed or non-routable source addresses.
Disable it if this system uses asymmetric routing, as legitimate traffic
would otherwise be dropped as well.
239 </para>
240 </listitem>
241 </varlistentry>
242
243 <varlistentry>
244 <term>
245 <varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
246 </term>
247
248 <listitem>
249 <para>
250 Enable TCP SYN cookies to protect against SYN-flood denial-of-service attacks.
251 </para>
252 </listitem>
253 </varlistentry>
254
255 <varlistentry>
256 <term>
257 <varname>FIREWALL_USE_ECN</varname> = [true|<emphasis>false</emphasis>]
258 </term>
259
260 <listitem>
261 <para>
262 Enables ECN (Explicit Congestion Notification) for TCP connections.
263 </para>
264 <para>
265 Some routers on the Internet still do not support ECN properly,
266 so this is not enabled by default.
267 When this setting is disabled, ECN is not requested for outgoing connections,
268 but it is still negotiated when the remote site asks for it.
269 </para>
270 </listitem>
271 </varlistentry>
272 </variablelist>
273 </refsect1>
274
275 <refsect1>
276 <title>See Also</title>
277
278 <para>
279 <citerefentry>
280 <refentrytitle>firewall</refentrytitle>
281 <manvolnum>8</manvolnum>
282 </citerefentry>
283 </para>
284 </refsect1>
285</refentry>