/mandos/trunk

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">

<!--

This file is used by both mandos(8) and mandos.conf(5), since these

options can be used both on the command line and in the config file.

It is also used for some texts by mandos-client(8mandos).

-->

<section>

  <title/>

  <para id="interface">

    If this is specified, the server will only announce the service

    and listen to requests on the specified network interface.

    Default is to use all available interfaces.  <emphasis

    >Note:</emphasis> a failure to bind to the specified

    interface is not considered critical, and the server will not

    exit, but instead continue normally.

  </para>

  <para id="address">

    If this option is used, the server will only listen to the

    specified IPv6 address.  If a link-local address is specified, an

    interface should be set, since a link-local address is only valid

    on a single interface.  By default, the server will listen to all

    available addresses.  If set, this must normally be an IPv6

    address; an IPv4 address can only be specified using IPv4-mapped

    IPv6 address syntax: <quote><systemitem class="ipaddress"

    >::FFFF:192.0.2.3</systemitem ></quote>.  (Only if IPv6 usage is

    <emphasis>disabled</emphasis> (see below) must this be an IPv4

    address.)

  </para>

  <para id="port">

    If this option is used, the server will bind to that port. By

    default, the server will listen to an arbitrary port given by the

    operating system.

  </para>

  <para id="debug">

    If the server is run in debug mode, it will run in the foreground

    and print a lot of debugging information.  The default is to

    <emphasis>not</emphasis> run in debug mode.

  </para>

  <para id="priority">

    GnuTLS priority string for the <acronym>TLS</acronym> handshake.

    The default is

    <quote><literal>SECURE128&#8203;:!CTYPE-X.509&#8203;:+CTYPE-RAWPK&#8203;:!RSA&#8203;:!VERS-ALL&#8203;:+VERS-TLS1.3&#8203;:%PROFILE_ULTRA</literal></quote>

    when using raw public keys in TLS, and

    <quote><literal>SECURE256&#8203;:!CTYPE-X.509&#8203;:+CTYPE-OPENPGP&#8203;:!RSA&#8203;:+SIGN-DSA-SHA256</literal></quote>

    when using OpenPGP keys in TLS,.  See <citerefentry><refentrytitle

    >gnutls_priority_init</refentrytitle>

    <manvolnum>3</manvolnum></citerefentry> for the syntax.

    <emphasis>Warning</emphasis>: changing this may make the

    <acronym>TLS</acronym> handshake fail, making server-client

    communication impossible.  Changing this option may also make the

    network traffic decryptable by an attacker.

  </para>

  <para id="servicename">

    Zeroconf service name.  The default is

    <quote><literal>Mandos</literal></quote>.  This only needs to be

    changed if for some reason is would be necessary to run more than

    one server on the same <emphasis>host</emphasis>.  This would not

    normally be useful.  If there are name collisions on the same

    <emphasis>network</emphasis>, the newer server will automatically

    rename itself to <quote><literal>Mandos #2</literal></quote>, and

    so on; therefore, this option is not needed in that case.

  </para>

  <para id="dbus">

    This option controls whether the server will provide a D-Bus

    system bus interface.  The default is to provide such an

    interface.

  </para>

  <para id="ipv6">

    This option controls whether the server will use IPv6 sockets and

    addresses.  The default is to use IPv6.  This option should

    <emphasis>never</emphasis> normally be turned off, <emphasis>even in

    IPv4-only environments</emphasis>.  This is because <citerefentry>

    <refentrytitle>mandos-client</refentrytitle>

    <manvolnum>8mandos</manvolnum></citerefentry> will normally use

    IPv6 link-local addresses, and will not be able to find or connect

    to the server if this option is turned off.  <emphasis>Only

    advanced users should consider changing this option</emphasis>.

  </para>

  <para id="restore">

    This option controls whether the server will restore its state

    from the last time it ran.  Default is to restore last state.

  </para>

  <para id="statedir">

    Directory to save (and restore) state in.  Default is

    <quote><filename

    class="directory">/var/lib/mandos</filename></quote>.

  </para>

  <para id="socket">

    If this option is used, the server will not create a new network

    socket, but will instead use the supplied file descriptor.  By

    default, the server will create a new network socket.

  </para>

  <para id="foreground">

    This option will make the server run in the foreground and not

    write a PID file.  The default is to <emphasis>not</emphasis> run

    in the foreground, except in <option>debug</option> mode, which

    implies this option.

  </para>

  <para id="zeroconf">

    This option controls whether the server will announce its

    existence using Zeroconf.  Default is to use Zeroconf.  If

    Zeroconf is not used, a <option>port</option> number or a

    <option>socket</option> is required.

  </para>

</section>