Fiaif is started from initd scripts. This means that the
fiaif is started every time you boot your machine. When started
fiaif reads: /etc/fiaif/fiaif.conf:
This is the global configuration file. It defines the zones available, and a number of
other global settings, such as type of service (TOS)
settings, references to reserved and
private networks. The
configuration also specifies if FIAIF should control
For each zone specified in this configuration
file by the ZONE variable, a file describing the zone
parameters must be present, pointed to by CONF_<zone
The default (the sample configuration files) sets up an external
zone EXT, which is your
Two additional zone configuration files are provided: an internal zone, INT, to describe your private network,
and a "demilitarized zone," DMZ,
to describe a DMZ for Internet server sites. In the default fiaf.conf,
neither are used.
The default setup of the External zone:
Accepts dns queries, ssh, http, https and icmp-ping .
The default setup of the Internal zone (not enabled in the default fiaif.conf):
Limits ping to 1 per sec, with a start-value of 3.
Sends TCP-RESET on auth queries.
Allows all connections from this zone to the firewall.
The default setup of the DMZ (not enabled in the default fiaif.conf):
Redirects all http requests to a transparent proxy.
Adds Masquerading/NAT for all connections going out on the external interface.
Disallows any new packets from any other zones (already established
connections is automatically let though)
Accept www and https requests from the external zone
This setup can of course be customized to suit your needs.
No communication with the firewall itself is
allowed. The idea being that a cracker's gaining access to a
machine in the DMZ, does not pose a security risk for any
other zones or for the firewall itself.
Accept only ssh from the internal zone. This way machines in the
DMZ can be administered.
Read through the zone files, and try to understand/modify the
Make sure that you setup the device information
(GLOBAL, DYNAMIC, IP, DEV, NET, BCAST)
Test the firewall by running:
This command only verifies the syntax of your configuration files.
This is like saying 'Run, but don't actually deploy the firewall yet'.
If any errors are displayed on
the screen you probably have a configuration error.
If you are
sure there are no errors in the configuration files, it is a bug, and
you should report it to the mailing list.
You are now ready to start the firewall. If this is the first
time you ever have setup a firewall, you probably want to set
DEBUG=1, and watch the logs for dropped packets. The parameter
specifies that it should apply all firewall rules, but never
actually block a packet - very useful if you do not have
direct access to the machine itself.
Module loading is done automatically by iptables, and can be specified in the global
configuration file, though you cannot specify modules parameters. Use this to
load connection-tracking modules such as the ftp and irc
connection tracking modules.
Note: You will need a Linux kernel which supports iptables. This
page will not go into detail, but I advice you to enable the options
as listed here in your .config
(either by editing by hand or using make menuconfig or
Starting the firewall:
When you have configured FIAIF to suit your needs, you can start the firewall by
issuing the command:
# /etc/init.d/fiaif start
Watch the logs:
# cat /var/log/messages
many packets are reported, your configuration may be too restricting.
The firewall can be stopped with:
List of default configuration files: