FIAIF is an Intelligent Firewall
Mailing List

Fiaif is started from initd scripts. This means that the fiaif is started every time you boot your machine. When started fiaif reads: /etc/fiaif/fiaif.conf:
This is the global configuration file. It defines the zones available, and a number of other global settings, such as type of service (TOS) settings, references to reserved and private networks. The configuration also specifies if FIAIF should control /proc settings.
For each zone specified in this configuration file by the ZONE variable, a file describing the zone parameters must be present, pointed to by CONF_<zone name> variable.
The default (the sample configuration files) sets up an external zone EXT, which is your Internet connection.
Two additional zone configuration files are provided: an internal zone, INT, to describe your private network, and a "demilitarized zone," DMZ, to describe a DMZ for Internet server sites. In the default fiaf.conf, neither are used.
The default setup of the External zone:
Accepts dns queries, ssh, http, https and icmp-ping .
Limits ping to 1 per sec, with a start-value of 3.
Sends TCP-RESET on auth queries.
The default setup of the Internal zone (not enabled in the default fiaif.conf):
Allows all connections from this zone to the firewall.
Redirects all http requests to a transparent proxy.
Adds Masquerading/NAT for all connections going out on the external interface.
Disallows any new packets from any other zones (already established connections is automatically let though)
The default setup of the DMZ (not enabled in the default fiaif.conf):
Accept www and https requests from the external zone (Internet).
No communication with the firewall itself is allowed. The idea being that a cracker's gaining access to a machine in the DMZ, does not pose a security risk for any other zones or for the firewall itself.
Accept only ssh from the internal zone. This way machines in the DMZ can be administered.
This setup can of course be customized to suit your needs.
Read through the zone files, and try to understand/modify the variables.
Make sure that you setup the device information (GLOBAL, DYNAMIC, IP, DEV, NET, BCAST) correctly.
Test the firewall by running:
# /etc/init.d/fiaif test
This command only verifies the syntax of your configuration files. This is like saying 'Run, but don't actually deploy the firewall yet'.
If any errors are displayed on the screen you probably have a configuration error.
If you are sure there are no errors in the configuration files, it is a bug, and you should report it to the mailing list.
You are now ready to start the firewall. If this is the first time you ever have setup a firewall, you probably want to set DEBUG=1, and watch the logs for dropped packets. The parameter specifies that it should apply all firewall rules, but never actually block a packet - very useful if you do not have direct access to the machine itself.
Module loading is done automatically by iptables, and can be specified in the global configuration file, though you cannot specify modules parameters. Use this to load connection-tracking modules such as the ftp and irc connection tracking modules.
Note: You will need a Linux kernel which supports iptables. This page will not go into detail, but I advice you to enable the options as listed here in your .config (either by editing by hand or using make menuconfig or make xconfig.)
Starting the firewall:
When you have configured FIAIF to suit your needs, you can start the firewall by issuing the command:
# /etc/init.d/fiaif start
Watch the logs:
# cat /var/log/messages
If many packets are reported, your configuration may be too restricting.
The firewall can be stopped with:
# /etc/init.d/fiaif stop
List of default configuration files: