FIAIF is an Intelligent Firewall
FIAIF
Introduction
News
Download
Installation
Configuration
Maintaining
Documentation
Mailing List
Development
FAQ
Authors
License

Frequently Asked Questions
 
Q:  What is FIAIF?
A:  In short, FIAIF is a set of scripts that, based on the configuration files, calls iptables to setup a firewall on the machine. You should read the introduction to learn more.
 
Q:  What is FIAIF an abbreviation for?
A:  FIAIF Is An Intelligent Firewall.
 
Q:  What is the official address of the official web-page for fiaif?
A: 
 
Q:  Is there a mailing list for FIAIF?
A:  Yes, look under "Mailing list" on FIAIF webpage.
 
Q:  How much does FIAIF cost to use in a production environment?
A:  FIAIF is written under the GPL license, so it costs you nothing.
 
Q:  Will you setup FIAIF for me?
A:  No, but I will be happy to help you in the process. If you need support or advice on a professional level, you could hire me as a consultant.
 
Q:  Do I need extensive iptables knowledge?
A:  No, but you need to know how basic firewalling and networking theory, in order to exploit FIAIF to the fullest.
 
Q:  I have multiple network interfaces, can FIAIF handle this?
A:  This is what FIAIF was wrote to do. So the answer is certainly yes.
 
Q:  Can I forward requests to machine behind the firewall when using SNAT/MASQUERADING?
A:  Insert a REDIRECT rule in the zone the packet hits first. Then allow the packet to be forwarded, by adding a FORWARD line in the zone for which the packet is destined.
 
Q:  How do I setup a transparent proxy (using squid), and redirect all outgoing http-requests to this?
A:  In the zone from which the http requests originates, put in the line: 'REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"' (Replacing 127.0.0.1 with th ip address of the server running the squid proxy, if not the same as the firewall). Then make sure you have the following settings in squid.conf: 'httpd_accel_host virtual', 'httpd_accel_port 80', 'httpd_accel_with_proxy on' and 'httpd_accel_uses_host_header on'. Please also make sure that squid listens on a real ip and not 127.0.0.1, as this will not work.
 
Q:  Can I forward requests to the firewall itself to another machine in the same zone as the request was made from.
A:  Yes, this functionality has been implemented in FIAIF verson 1.4.3-0pre2
 
Q:  Can I make a REDIRECT_RULE to redirect to localhost?
A:  Yes, this functionality has been implemented in FIAIF verson 1.4.3-0pre2
 
Q:  Does FIAIF handle VPN setups?
A:  Yes, but it is limited to how much iptables can handle. To get IPsec up and running you must make sure you are forwarding (both ways) protocol 50 (ESP), protocol 51 (AH) and UDP sport 500 / dport 500 (IKE). Also IPSec only works with NAT if in tunnel mode. Transport mode does not work with NAT'ing firewalls.
 
Q:  I'm having problem with ftp to external sites. Please help.
A:  You need to insert ip_conntrack_ftp and ip_nat_ftp modules into the kernel. The easiest way to do this is to specify 'MODULES="ip_conntrack_ftp ip_nat_ftp"' in /etc/fiaif/fiaif.conf
 
Q:  Why is the system log spammed with ACK,FIN and like entries?
A:  Due to a "feature" in the linux firewalling code, connections are closed as soon as one end sends a FIN packet. The RFC states that you may or may not respond to this packet. Therefore when the answer "ACK,FIN" arrives, it is no longer related to any established connections. you can saftly disregard these entries.
 
Q:  How do I avoid dropped packets to be logged to every console?
A:  To avoid this, try issuing the command 'dmesg -n 1'. For more information see dmesg(8).
 
Q:  I have two Internet connections. Can I use FIAIF to handle this?
A:  Yes and no. FIAIF handles only the firewall rules and traffic shaping - not routing decisions. First use 'ip' from iproute2 package, and setup the routing. When you got the routing setup correctly, configure FIAIF to control access to the system and networks.
 
Q:  If FIAIF does not handle routing, when where should I go to find more information on this?
A:  Try the "Linux 2.4 Advanced Routing HOWTO" (http://www.linuxguruz.org/iptables/howto/2.4routing.html), and "Linux Advanced Routing & Traffic Control" (http://lartc.org/).
 
Q:  Will FIAIF ever be able to handle routing setup?
A:  Maybe - It depends on how much time I get, and if I have something to test in on. If someone would be willing to donate me a second internet connection, the I would be happy to try.
 
Q:  Something does not work, what do I do?
A:  Check that your system works without FIAIF. Lots of problems are generally because of routins setup faults. FIAIF will not configure anything else that iptables and traffic-shaping.
 
Q:  Something still does not work, what do I do?
A:  First recheck your configuration files, then post a mail to the list. Before posting, read the "Mailing List" section on the FIAIF webpage.
 
Q:  Will functionality 'foo' ever be implemented?
A:  Maybe. If it can be done in a generic manner, and there is a reason for the functionality, then the answer is usually yes. Remember that FIAIF can be extended with custom scripts very easily by using the PRE and POST scripts.
 
Q:  What major companies are using FIAIF?
A:  That I will not tell you. The reason is that if a hacker know the make of a firewall it can help him to break it in case of undiscovered/unresolved bugs.
 
Q:  Will this FAQ be extended to include more entries?
A:  Depends on you. If you have questions you would like to have answered here, please send them to me and they will be added (if appropiate).