Section: Maintenance Commands (8)
Updated: March 8, 2004
zorp - Zorp Firewall Suite
The zorp command is the main entry point for a Zorp instance. As such, it is
generally called by zorpctl(8) with command line parameters specified in
--version or -V
Display version and compilation information.
--as <name> or -a
Set instance name to <name>. Each log message is prefixed with this name.
--also-as <name> or -A
Add a secondary instance named <name>. Secondary instances share the same
Zorp process but they have a separate section in the configuration file.
--policy <name> or -p
Use the file named <name> as policy. This file must be a valid policy file.
--verbose [num] or -v
Set verbosity level to [num], or, if [num] is omitted, increment it by one.
The default verbosity level is 3, and possible values include 0-10.
--pidfile [num] or -P
Set path to PID file where the pid of the main process is stored.
--foreground or -F
Do not daemonize, stay in foreground. This option is also implied by -l.
--no-syslog or -l
Instead of sending messages to syslog, send them to the standard output.
--log-tags or -T
Prepend log category and level to each message.
Escape non-printable characters to avoid binary log files. Each character
less than 0x20 or greater than 0x7F is escaped in the form <XX>.
--log-spec <spec> or -s
Set verbosity mask on a per category basis. Each log message has an assigned
multi-level category, where levels are separated by a dot. For example
HTTP requests are logged under
is a comma separated list of log specifications. A single log specification
consists of a wildcard matching log category, a colon, and a number specifying
the verbosity level of that given category. Categories match from left to right.
The last matching entry will be used as the verbosity of the given category.
If no match is found the default verbosity specified with --verbose is used.
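
The resolution rule described above, as an added example (not code from Zorp or this manual page). It assumes the wildcard is a shell-style glob, matched here with Python's fnmatch; the category names and spec strings are constructed for illustration.

```python
from fnmatch import fnmatchcase

DEFAULT_VERBOSITY = 3  # default level stated for --verbose on this page


def parse_log_spec(spec):
    """Parse '<pattern>:<level>,...' into an ordered list of (pattern, level)."""
    entries = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        pattern, sep, level = raw.rpartition(":")
        if not sep or not pattern or not level.isdigit():
            raise ValueError(f"malformed log specification: {raw!r}")
        if not 0 <= int(level) <= 10:  # page: possible values include 0-10
            raise ValueError(f"verbosity out of range in {raw!r}")
        entries.append((pattern, int(level)))
    return entries


def effective_verbosity(entries, category, default=DEFAULT_VERBOSITY):
    """Walk the entries left to right; the last matching entry wins."""
    level = default  # used when no entry matches
    for pattern, entry_level in entries:
        if fnmatchcase(category, pattern):  # assumption: glob-style wildcard
            level = entry_level
    return level


def audit(spec, categories, default=DEFAULT_VERBOSITY):
    """Map each category to the verbosity a given spec would assign it."""
    entries = parse_log_spec(spec)
    return {c: effective_verbosity(entries, c, default) for c in categories}


# Constructed sample data: the same three entries in two different orders.
SAMPLE_CATEGORIES = ["http.request", "http.error", "http.policy", "ftp.request"]
NARROW_LAST = "http.*:6,*.error:1,http.request:2"
BROAD_LAST = "http.request:2,*.error:1,http.*:6"

if __name__ == "__main__":
    for spec in (NARROW_LAST, BROAD_LAST):
        print(spec)
        for category, level in audit(spec, SAMPLE_CATEGORIES).items():
            print(f"  {category:<14} -> {level}")
```

With the broad `http.*` entry placed last, the narrower entries before it no longer take effect, which is worth checking whenever a spec is meant to quieten or raise a single category.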
--threads <num> or -t
Set the maximum number of threads that this Zorp instance may use.
--idle-threads <num> or -I
Set the maximum number of idle threads. This option has effect only if
threadpools are enabled; see the option --threadpools.
--threadpools or -O
Enable the use of threadpools, which means that threads associated with
sessions are not automatically freed; they are freed only if the maximum
number of idle threads is exceeded.
--uid <uid> or -u
Switch to the supplied uid after starting up.
--gid <gid> or -g
Switch to the supplied gid after starting up.
--chroot <dir> or -R
Change root to specified directory before reading configuration file. The
directory must be set up accordingly.
--caps <caps> or -C
Switch to the supplied set of capabilities after starting up. This should
contain the required capabilities in the permitted set. For the syntax of
capability description see the man page cap_from_text(3).
--no-caps or -N
Do not change capabilities at all.
--tproxy <id> or -Y
Override autodetected proxy implementation. <id> can be one of the
following: netfilter (TPROXY patch for netfilter), linux22 (standard Linux
2.2 transparent proxying), ipf (patched for transparent proxying).
--autobind-ip <IP address> or -B
The autobind parameter as required by the TPROXY support for the kernel. It
must be an IP address of a local interface and should not clash with any
real-world IP addresses. It is best assigned to a dummy interface.
--crypto-engine or -E
Set the OpenSSL crypto engine name to use for hardware accelerated crypto support.
--stack-size or -S
Set the maximum stack size used by threads. Note that the maximum number of
parallel threads depends on the size specified here. The default size (256k)
is enough for about 4000 parallel threads.