FIAIF is an Intelligent Firewall

The goal of FIAIF is to provide a highly customizable script for setting up an iptables-based firewall.
The official FIAIF web page is
Unlike many other scripts, FIAIF can be truly customized, allowing multiple interfaces (or rather zones). There is no limit on the number of zones. All configuration is done through configuration files. There is no need to understand the script behind it all.
The script makes heavy use of stateful firewalling, and all RELATED and ESTABLISHED packets are accepted on all chains. If you wish to block something, don't accept it in the first place.
The script is written in BASH. Though this is not the optimal programming language to use, it means that you do not need to install extra interpreters on your firewall. This allows you to have a minimalistic installation on your firewall.

FIAIF global options support:
  • TOS bit can be set per protocol/port basis. (To be used by traffic shaping).
  • Limit syslog logging.
  • Specification of multiple zones - One or more per interface.
  • Load specific connection tracking modules (FTP, IRC etc.).
  • Examination of /proc/sys/net settings, for possibly dangerous system configurations.
  • Setup of Linux runtime parameters.
  • Run user-defined commands before and after applying the firewall.
  • Syslog scanning, giving more human readable output based on setup.
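To illustrate the kind of /proc/sys/net examination listed above, here is an added example; it is not FIAIF's own code. The settings and expected values it checks, and the function names, are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example, not FIAIF code. The settings and expected values below are
# an assumption for illustration, not the list FIAIF itself examines.

# Path relative to /proc/sys/net = value treated as safe on a firewall.
EXPECTED_SETTINGS="
ipv4/conf/all/rp_filter=1
ipv4/conf/all/accept_source_route=0
ipv4/conf/all/accept_redirects=0
ipv4/conf/all/send_redirects=0
ipv4/tcp_syncookies=1
ipv4/icmp_echo_ignore_broadcasts=1
"

# audit_net_settings [ROOT]
# Prints one line per finding; the return status is the number of findings.
audit_net_settings() {
    local root="${1:-/proc/sys/net}" findings=0 entry key want have
    for entry in $EXPECTED_SETTINGS; do
        key="${entry%%=*}"
        want="${entry#*=}"
        if [ ! -r "$root/$key" ]; then
            # A missing file usually means the kernel lacks the feature.
            echo "MISSING $key (expected $want)"
            findings=$((findings + 1))
            continue
        fi
        have="$(tr -d '[:space:]' < "$root/$key")"
        if [ "$have" != "$want" ]; then
            echo "WARN $key=$have (expected $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample tree for trying the audit without reading the host:
# accept_redirects is set wrong and icmp_echo_ignore_broadcasts is absent.
build_sample_tree() {
    local dir
    dir="$(mktemp -d)"
    mkdir -p "$dir/ipv4/conf/all"
    echo 1 > "$dir/ipv4/conf/all/rp_filter"
    echo 0 > "$dir/ipv4/conf/all/accept_source_route"
    echo 1 > "$dir/ipv4/conf/all/accept_redirects"
    echo 0 > "$dir/ipv4/conf/all/send_redirects"
    echo 1 > "$dir/ipv4/tcp_syncookies"
    echo "$dir"
}
```

Calling `audit_net_settings` with no argument reads the live /proc/sys/net; passing the directory printed by `build_sample_tree` reports the two constructed findings.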
A zone specifies a network interface (eth0, eth1, ppp0, vlan0, etc.) on the firewall and the network to which it connects (lo is handled by FIAIF itself, and does not need a zone file).
Zones support:
  • Handling of dynamic IPs (DHCP).
  • Interfaces with multiple IP addresses.
  • Allow/drop and/or reject packets hitting the firewall from the zone.
  • Restrict the type of packets originating from the firewall itself.
  • Restrict packets coming from other zones.
  • Ban IPs within the zone.
  • Ban MAC addresses within the zone.
  • Watch traffic from a specific IP.
  • Limit the number of specific packets, e.g. to avoid DoS attacks.
  • Port forwarding, changing the destination IP and port, allowing e.g. a transparent proxy.
  • Masquerading/SNAT.
  • Traffic Shaping per interface.
  • Ulogd logging support.
  • Packet marking, for e.g. advanced routing.
  • Definition of IP aliases, to ease maintenance and improve readability of configuration files.
  • And more.