Fiaif
deploys a packet-filtering firewall by reading configuration files and
setting up IP packet filtering rules using
iptables.
The firewall is "zone" based, meaning that each network interface is
associated with a defined piece of the "IP universe" on the other side
of that interface from the host.
A zone is defined in a text file (the zone configuration file)
listing rules for the handling
of IP traffic into, out of, and through the associated interface.
The rules spell out which connections to accept, which to reject,
which to ignore, and which to forward through the firewall.
It is also possible to set up source and destination NAT for altering the
source and/or destination addresses of packets as they pass through.
All non-accepted packets are logged to the system log.
It should be noted that any packet related to an already accepted
connection is allowed through the firewall.
OPTIONS
start
This will save the current state of netfilter, and apply the new
firewall as described in the configuration files.
stop
Restores the state saved when FIAIF was started.
restart
Same as stop followed by start.
force-reload
This option is the same as start, although it does not use any
previously saved rules, and can be used even if fiaif has already been
started.
start-tc
Start/restart only traffic shaping. Useful if you are playing around
with that part of the fiaif subsystem.
panic
Shut off all IP traffic - don't accept any packets from anywhere for
any reason.
This can be used, for example, if uninvited guests are discovered on
the system to quickly close the firewall and start analyzing log files.
status
Lists all rules in the firewall.
test
Instead of deploying the firewall, all rules are written to the file
specified in the "TEST_FILE" parameter in the global configuration
file. This command also runs a sanity check on the networking
configuration. Any problems or warnings arising from this check are
printed to STDERR. Refer to
http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-sysctl.txt.html
for details on settings tested. When deployed, FIAIF can automatically
fix the warnings and/or errors displayed. Please see
fiaif.conf(8) for more information.
tc-start
Start only traffic shaping. This option ignores the "ENABLE_TC"
parameter in the global configuration file.
tc-stop
Stops the traffic shaping. This option ignores the "ENABLE_TC"
parameter in the global configuration file.
tc-status
Lists packet counters for all traffic classes.
FILES
/etc/fiaif/fiaif.conf
The global configuration file. See
fiaif.conf(8)
for further details.
/var/lib/fiaif/fiaif
File containing the rules generated by fiaif.
/var/lib/fiaif/iptables
The netfilter state saved when fiaif was started.
/var/lib/fiaif/sysctl
The state of /proc (sysctl settings) before fiaif was started.
/var/log/messages
All illegal packets are logged to this file through
syslog(3).
DIAGNOSTICS
Errors are logged to STDOUT. If any errors are printed, please
recheck your configuration files.
ENVIRONMENT
If the
NO_CLEANUP
variable is set to a non-empty value, the generated rules are not cleaned
up after FIAIF is started. This speeds up FIAIF startup, but at the cost
of leaving many more rules in place, so filtering performance may be
affected (on small systems with many zones). On a three-zone system
FIAIF generated 310 rules in total. After cleaning up the rules, the
number was down to 241, a reduction of 22%.
The
FIAIF_CONF
variable can be used to specify an alternative global configuration file,
rather than using the default /etc/fiaif/fiaif.conf. This can be used to
ease switching between two different firewall configurations.
BUGS
The
test
command line option is no guarantee that the firewall will perform as
expected, only that the syntax is correct. Only limited semantic checking
of the rules is performed.