1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
config ADK_KPACKAGE_KMOD_NF_CONNTRACK
tristate 'Netfilter connection tracking support'
select ADK_KERNEL_NETFILTER_XTABLES
help
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.
Layer 3 independent connection tracking is experimental scheme
which generalize ip_conntrack to support other layer 3 protocols.
config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_CLASSIFY
tristate '"CLASSIFY" target support'
select ADK_KERNEL_NETFILTER_XTABLES
help
This option adds a `CLASSIFY' target, which enables the user to set
the priority of a packet. Some qdiscs can use this value for
classification, among these are:
atm, cbq, dsmark, pfifo_fast, htb, prio
config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_CONNMARK
tristate '"CONNMARK" target support'
select ADK_KERNEL_NETFILTER_XTABLES
select ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
This option adds a `CONNMARK' target, which allows one to manipulate
the connection mark value. Similar to the MARK target, but
affects the connection mark value rather than the packet mark value.
config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_MARK
tristate '"MARK" target support'
select ADK_KERNEL_NETFILTER_XTABLES
help
This option adds a `MARK' target, which allows you to create rules
in the `mangle' table which alter the netfilter mark (nfmark) field
associated with the packet prior to routing. This can change
the routing method (see `Use netfilter MARK value as routing
key') and can also be used by other subsystems to change their
behavior.
config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_NFQUEUE
tristate '"NFQUEUE" target support'
select ADK_KERNEL_NETFILTER_XTABLES
help
This target replaced the old obsolete QUEUE target.
As opposed to QUEUE, it supports 65535 different queues,
not just one.
config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_TCPMSS
tristate 'TCPMSS target'
select ADK_KERNEL_NETFILTER_XTABLES
help
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_MARK
bool 'Connection mark tracking support'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
select ADK_KERNEL_IP_NF_MATCH_CONNMARK
help
This option enables support for connection marks, used by the
`CONNMARK' target and `connmark' match. Similar to the mark value
of packets, but this mark value is kept in the conntrack session
instead of the individual packets.
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_SECMARK
bool 'Connection tracking security mark support'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
#FIXME select NETWORK_SECMARK
help
This option enables security markings to be applied to
connections. Typically they are copied to connections from
packets using the CONNSECMARK target and copied back from
connections to packets with the same target, with the packets
being originally labeled via SECMARK.
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_FTP
tristate 'FTP protocol support'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
Tracking FTP connections is problematic: special helpers are
required for tracking them, and doing masquerading and other forms
of Network Address Translation on them.
#config ADK_KPACKAGE_KMOD_NF_CONNTRACK_RTSP
# tristate 'RTSP protocol support'
# depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
# help
# Tracking RTSP connections might be required for IPTV.
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IRC
tristate 'IRC protocol support'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
There is a commonly-used extension to IRC called
Direct Client-to-Client Protocol (DCC). This enables users to send
files to each other, and also chat to each other without the need
of a server. DCC Sending is used anywhere you send files over IRC,
and DCC Chat is most commonly used by Eggdrop bots. If you are
using NAT, this extension will enable you to send files and initiate
chats. Note that you do NOT need this extension to get files or
have others initiate chats, or everything else in IRC.
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_NETBIOS_NS
tristate 'NetBIOS name service protocol support (EXPERIMENTAL)'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
NetBIOS name service requests are sent as broadcast messages from an
unprivileged port and responded to with unicast messages to the
same port. This make them hard to firewall properly because connection
tracking doesn't deal with broadcasts. This helper tracks locally
originating NetBIOS name service requests and the corresponding
responses. It relies on correct IP address configuration, specifically
netmask and broadcast address. When properly configured, the output
of "ip address show" should look similar to this:
$ ip -4 address show eth0
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_TFTP
tristate 'TFTP protocol support'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
TFTP connection tracking helper, this is required depending
on how restrictive your ruleset is.
If you are using a tftp client behind -j SNAT or -j MASQUERADING
you will need this.
#config ADK_KPACKAGE_KMOD_NF_CONNTRACK_AMANDA
# tristate 'Amanda backup protocol support'
# depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
# #FIXME TEXTSEARCH && TEXTSEARCH_KMP
# help
# If you are running the Amanda backup package <http://www.amanda.org/>
# on this machine or machines that will be MASQUERADED through this
# machine, then you may want to enable this feature. This allows the
# connection tracking and natting code to allow the sub-channels that
# Amanda requires for communication of the backup data, messages and
# index.
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_PPTP
tristate 'PPTP protocol support'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
This module adds support for PPTP (Point to Point Tunnelling
Protocol, RFC2637) connection tracking and NAT.
If you are running PPTP sessions over a stateful firewall or NAT
box, you may want to enable this feature.
Please note that not all PPTP modes of operation are supported yet.
For more info, read top of the file
net/ipv4/netfilter/ip_conntrack_pptp.c
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_H323
tristate 'H.323 protocol support (EXPERIMENTAL)'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
H.323 is a VoIP signalling protocol from ITU-T. As one of the most
important VoIP protocols, it is widely used by voice hardware and
software including voice gateways, IP phones, Netmeeting, OpenPhone,
Gnomemeeting, etc.
With this module you can support H.323 on a connection tracking/NAT
firewall.
This module supports RAS, Fast Start, H.245 Tunnelling, Call
Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
whiteboard, file transfer, etc. For more information, please
visit http://nath323.sourceforge.net/.
config ADK_KPACKAGE_KMOD_NF_CONNTRACK_SIP
tristate 'SIP protocol support (EXPERIMENTAL)'
depends on ADK_KPACKAGE_KMOD_NF_CONNTRACK
help
SIP is an application-layer control protocol that can establish,
modify, and terminate multimedia sessions (conferences) such as
Internet telephony calls. With the ip_conntrack_sip and
the ip_nat_sip modules you can support the protocol on a connection
tracking/NATing firewall.
|