When FIAIF is started, it reads /etc/fiaif/fiaif.conf. This is
the global configuration file. It defines the zones available and a
number of other global settings, such as type of service
(TOS) settings and references to reserved and private networks.
The default (the sample configuration files, see appendix app:default)
sets up an external zone EXT, which is your Internet connection. Two
additional zone configuration files are provided: an internal zone,
INT, to describe your private network, and a demilitarized
zone, DMZ, to describe a zone in which servers accessible
from the Internet are located. In the default configuration neither is
used.
- Accepts DNS queries, ssh, http, https and ICMP ping.
- Limits ping to 1 per second, with a burst start value of 3.
- Closes authorization requests with a TCP reset.
- Allows all connections from this zone to the firewall.
- Redirects all http requests to a transparent proxy.
- Adds masquerading/NAT for all connections going out on the
external interface.
- Disallows any new packets from any other zones (already
established connections are automatically let through).
- Accepts www and https requests from the external zone (Internet).
- No communication with the firewall itself is allowed. The idea
is that a cracker gaining access to a machine in the DMZ does
not pose a security risk to any other zone or to the firewall
itself.
- Accepts only ssh from the internal zone. This way machines in the
DMZ can be administered.
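As an added illustration (not FIAIF's own output, and not code from the FIAIF project), the script below prints the netfilter rules that the three groups of defaults above amount to, reading them as the EXT, INT and DMZ zones in that order. The interface names, the DMZ subnet, the proxy port and the reading of "authorization requests" as the auth/ident service on tcp/113 are assumptions; the rules are echoed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Assumed values; override via the environment if you adapt this.
EXT_IF=${EXT_IF:-eth0}            # Internet-facing interface (assumed)
INT_IF=${INT_IF:-eth1}            # private network (assumed)
DMZ_IF=${DMZ_IF:-eth2}            # DMZ segment (assumed)
DMZ_NET=${DMZ_NET:-192.0.2.0/24}  # constructed, documentation range
PROXY_PORT=${PROXY_PORT:-3128}    # transparent proxy port (assumed)

# Print a rule instead of executing it; pipe the output to sh to apply.
ipt() { echo "iptables $*"; }

base_policy() {
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  # Already established connections are let through for every zone.
  ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
ext_zone() {
  ipt -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT   # dns
  for p in 22 80 443; do                                   # ssh, http, https
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  # ping limited to 1/s with a burst of 3; excess hits the DROP policy
  ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request \
      -m limit --limit 1/s --limit-burst 3 -j ACCEPT
  # auth/ident closed with a TCP reset instead of a silent drop (assumed tcp/113)
  ipt -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}
int_zone() {
  ipt -A INPUT -i "$INT_IF" -j ACCEPT                      # all traffic to firewall
  ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$PROXY_PORT"                 # transparent proxy
  ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE     # NAT on external side
  ipt -A FORWARD -i "$INT_IF" -m state --state NEW -j ACCEPT
  ipt -A FORWARD -o "$INT_IF" -m state --state NEW -j DROP  # nothing new into INT
}
dmz_zone() {
  ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p tcp \
      -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p tcp \
      --dport 22 -m state --state NEW -j ACCEPT            # admin over ssh only
  ipt -A INPUT -i "$DMZ_IF" -j DROP                        # no talking to the firewall
  ipt -A FORWARD -i "$DMZ_IF" -m state --state NEW -j DROP # no new flows out of DMZ
}
all_zones() { base_policy; ext_zone; int_zone; dmz_zone; }
```

Run `all_zones` to print the complete rule set for review; the order of the functions matters, since the ESTABLISHED rules must precede the per-zone ones.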
Anders Peter Fugmann
2004-02-26