Configuration
FIAIF is started from init.d scripts, so the firewall is started every time you boot your machine. When started, FIAIF reads /etc/fiaif/fiaif.conf. This is the global configuration file. It defines the zones available and a number of other global settings, such as type of service (TOS) settings and references to reserved and private networks. The configuration also specifies whether FIAIF should control /proc settings.
For each zone listed in this file by the ZONE variable, a file describing the zone parameters must be present, pointed to by the CONF_<zone name> variable.
The default (the sample configuration files) sets up an external zone, EXT, which is your Internet connection. Two additional zone configuration files are provided: an internal zone, INT, describing your private network, and a "demilitarized zone", DMZ, describing a DMZ for Internet server hosts. In the default fiaif.conf, neither is used.
The default setup of the external zone (EXT):
- Accepts DNS queries, ssh, http, https and ICMP ping.
- Limits ping to 1 per second, with a start value of 3.
- Sends TCP RESET in reply to auth queries.
The default setup of the internal zone (INT; not enabled in the default fiaif.conf):
- Allows all connections from this zone to the firewall.
- Redirects all http requests to a transparent proxy.
- Adds masquerading/NAT for all connections going out on the external interface.
- Disallows any new packets from any other zone (already established connections are automatically let through).
The default setup of the DMZ (not enabled in the default fiaif.conf):
- Accepts www and https requests from the external zone (the Internet). No communication with the firewall itself is allowed; the idea is that a cracker gaining access to a machine in the DMZ does not pose a security risk to any other zone or to the firewall itself.
- Accepts only ssh from the internal zone, so that machines in the DMZ can be administered.
This setup can of course be customised to suit your needs. Read through the zone files and try to understand and modify the variables. Make sure that you set up the device information (GLOBAL, DYNAMIC, IP, DEV, NET, BCAST) correctly.
Test the firewall by running:
# /etc/init.d/fiaif test
This command only verifies the syntax of your configuration files; it is like saying "run, but don't actually deploy the firewall yet". If any errors are displayed on the screen you probably have a configuration error. If you are sure there are no errors in the configuration files, it is a bug, and you should report it to the mailing list.
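As an added illustration of the kind of consistency check the test command performs (example code, not FIAIF's own script): the function below reads a fiaif.conf-style file and verifies that every zone named in ZONE has a CONF_<zone> variable pointing to an existing file. It assumes the configuration is a shell-style file of VAR=value assignments, an assumption based only on the variable names mentioned above; the demo configuration and zone files it writes under a temporary directory are constructed.

```shell
#!/bin/sh
# Added example, not part of FIAIF. Assumes fiaif.conf is a shell-style
# VAR=value file in which ZONE lists the zone names and CONF_<zone> holds
# the path of each zone file (an assumption; only the names come from the docs).

# check_zone_config CONF_FILE
# Prints one line per problem and returns 1 if any zone in ZONE lacks a
# CONF_<zone> variable or points to a missing file; returns 0 otherwise.
check_zone_config() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Source the file in a subshell so its variables never leak into the
    # caller's environment; the subshell's exit status carries the result.
    (
        . "$conf"
        rc=0
        [ -n "$ZONE" ] || { echo "ZONE is empty or unset"; rc=1; }
        for z in $ZONE; do
            # Only accept plain identifiers before building a variable name
            # with eval; anything else is rejected rather than evaluated.
            case $z in
                *[!A-Za-z0-9_]*) echo "zone '$z': invalid zone name"; rc=1; continue ;;
            esac
            eval "zonefile=\${CONF_$z}"
            if [ -z "$zonefile" ]; then
                echo "zone $z: CONF_$z is not set"; rc=1
            elif [ ! -f "$zonefile" ]; then
                echo "zone $z: CONF_$z=$zonefile does not exist"; rc=1
            fi
        done
        exit $rc
    )
}

# make_demo_config prints the path of a constructed, throwaway fiaif.conf
# in which zone INT is listed but its zone file has not been created yet.
make_demo_config() {
    dir=$(mktemp -d)
    echo '# constructed zone file for the demo' > "$dir/zone.ext"
    cat > "$dir/fiaif.conf" <<EOF
ZONE="EXT INT"
CONF_EXT=$dir/zone.ext
CONF_INT=$dir/zone.int
EOF
    echo "$dir/fiaif.conf"
}

# Usage: run the check, then create the missing zone file and check again.
demo_conf=$(make_demo_config)
check_zone_config "$demo_conf" || echo "--> configuration has errors (expected on first run)"
touch "$(dirname "$demo_conf")/zone.int"
check_zone_config "$demo_conf" && echo "--> configuration is consistent"
```

The eval step is the one place where configuration content is turned into shell code, which is why the zone name is validated against a plain identifier pattern first: a configuration file that FIAIF sources with full shell privileges should be writable by root only, and the check should not evaluate anything it did not expect.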
You are now ready to start the firewall. If this is the first time you have ever set up a firewall, you probably want to set DEBUG=1 and watch the logs for dropped packets. This parameter makes FIAIF apply all firewall rules but never actually block a packet, which is very useful if you do not have direct access to the machine itself.
Module loading is done automatically by iptables, and modules can also be listed in the global configuration file, though you cannot specify module parameters there. Use this to load connection-tracking modules such as the ftp and irc connection-tracking modules.
Note: you will need a Linux kernel which supports iptables. This page will not go into detail, but I advise you to enable the options as listed here in your .config (either by editing it by hand or by using make menuconfig or make xconfig).
Starting the firewall:
When you have configured FIAIF to suit your needs, you can start the firewall by issuing the command:
# /etc/init.d/fiaif start
Watch the logs:
# cat /var/log/messages
If many packets are reported, your configuration may be too restrictive.
The firewall can be stopped with:
# /etc/init.d/fiaif stop
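The following is an added example (not part of FIAIF) of how to make the log check above more useful than reading /var/log/messages by eye: it summarises iptables LOG entries by protocol and destination port, so that a few very busy entries, which usually point at a rule that is too restrictive (or, while DEBUG=1 is set, at traffic that would start being dropped once debugging is switched off), stand out. The log prefix "fiaif-EXT" and the sample lines are constructed; the field layout (IN=, SRC=, PROTO=, DPT=) is the standard iptables LOG format.

```shell
#!/bin/sh
# Added example, not part of FIAIF. Summarises kernel log lines written by
# the iptables LOG target. The "fiaif-EXT" prefix below is an assumption;
# the IN=/SRC=/PROTO=/DPT= fields are the standard iptables LOG layout.

# Constructed sample log lines (not real traffic); the last line is an
# unrelated sshd message to show that non-firewall lines are ignored.
SAMPLE_LOG='Mar  1 10:00:01 fw kernel: fiaif-EXT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=25 SYN
Mar  1 10:00:02 fw kernel: fiaif-EXT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=25 SYN
Mar  1 10:00:03 fw kernel: fiaif-EXT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=25 SYN
Mar  1 10:00:04 fw kernel: fiaif-EXT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=53
Mar  1 10:00:05 fw kernel: fiaif-EXT IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Mar  1 10:00:06 fw sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50022'

# summarize_fw_log: reads log lines on stdin and prints "COUNT PROTO DPT"
# lines, busiest first. Lines without a PROTO= field (non-firewall
# messages) are skipped; protocols without ports (ICMP) get DPT "-".
summarize_fw_log() {
    awk '
        /PROTO=/ {
            proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "") count[proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# busiest_entry: prints only the single busiest "COUNT PROTO DPT" line,
# the first candidate to look at when "many packets are reported".
busiest_entry() {
    summarize_fw_log | head -n 1
}

# logged_packets: prints the total number of firewall log lines seen.
logged_packets() {
    awk '/PROTO=/ { n++ } END { print n + 0 }'
}

# Usage with the constructed sample; on a live system you would pipe
# "grep fiaif /var/log/messages" into the same functions instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Reviewing the busiest entries rather than the raw log is also the natural way to decide, before turning DEBUG off, whether the rules you are about to enforce would cut off traffic you actually want.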
List of default configuration files: