FIAIF is an Intelligent Firewall
Maintaining
Check your logs on a regular basis. Firewalls are not 100% secure - don't trust them blindly.
A utility, fiaif-scan, is provided along with the package. It converts the packets logged in syslog into human-readable text.
Example:
  # cat /var/log/messages | fiaif-scan
  Jun 7 16:01:07: DROP queue=FORWARD(EXT->INT) protocol=TCP \
    source=pro18.it.dtu.dk:1031 destination=marvin.athome.dk:ssh
  Jun 7 16:02:22: DROP queue=FORWARD(EXT->INT) protocol=TCP \
    source=pro18.it.dtu.dk:1032 destination=marvin.athome.dk:ssh
  Jun 7 16:02:32: SYN queue=INPUT(EXT) protocol=TCP \
    source=mail.cmrus.com.:65180 destination=cpe.customer.tele.dk:www
  Jun 7 16:03:37: DROP queue=FORWARD(EXT->INT) protocol=TCP \
    source=pro18.it.dtu.dk:1033 destination=marvin.athome.dk:ssh
  Jun 7 16:04:52: DROP queue=FORWARD(EXT->INT) protocol=TCP \
    source=pro18.it.dtu.dk:1034 destination=marvin.athome.dk:ssh
  
Lines printed in the system log (or in ulog, if ulogd is enabled) almost always mean that a packet was dropped; the exceptions (WATCH, LIMIT_ACCEPT) are noted below. Every line is prefixed to identify why the packet was logged. The prefixes are:
  • DROP
    The packet was dropped by a standard rule: either an INPUT, FORWARD or OUTPUT rule, or the MAC_DROP or IP_DROP parameters.
  • MARTIAN
    The system encountered a packet with an illegal source or destination address. If this is an error, check the IP, MASK, NET and BCAST parameters.
  • REJECT
    Equivalent to DROP, for INPUT, FORWARD or OUTPUT rules whose target is REJECT.
  • INVALID
    iptables considers the packet invalid: it is not associated with any known connection.
  • <ZONE>_MISS
    Indicates an error in a zone configuration: no rule applied to the packet. Make sure that the INPUT, FORWARD and OUTPUT rules contain a catch-all rule for the zone stated.
  • UNMATCHED_ZONE
    No zone applied to the packet. Usually this is because the NET parameter of a zone does not cover all possible packets.
  • WATCH
    Packets involving IP addresses declared in the WATCH parameter are logged this way. Contrary to the statement above, these packets are not dropped.
  • LIMIT_ACCEPT, LIMIT_DROP, LIMIT_REJECT
    Packets matching a LIMIT rule are logged with the prefix corresponding to the rule's target. Only packets dropped by the rule are logged.
  • SYN
    A TCP packet that is not part of an already established connection and does not carry the SYN flag is regarded as illegal.
  • SCAN
    FIAIF runs some validation checks on all packets. Packets that fail these checks because they do not conform to the RFCs are dropped and logged. Examples are XMAS packets and NULL packets. It usually means that someone is attacking the firewall.
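The fiaif-scan output above and the prefix list make the raw log easy to read, but a regular log check also wants the obvious aggregation done for you: how many lines of each kind, which sources keep hammering the same port (the repeated ssh drops in the example), and which lines point at a configuration error rather than an attacker. The script below is an added example, not part of FIAIF or fiaif-scan. It assumes FIAIF logs through the iptables LOG target, so each syslog line looks like "<date> <host> kernel: <PREFIX> IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..." with the prefix being one of the words listed above; the page only shows fiaif-scan's rendering, so the exact prefix string and the sample log lines (documentation addresses, mirroring the example) are constructed assumptions.

```python
"""Triage raw netfilter LOG lines by FIAIF prefix (added example, not FIAIF code).

ASSUMPTION: FIAIF uses the iptables LOG target with the prefix from the list
in the documentation (DROP, SCAN, EXT_MISS, ...) as the first token after
"kernel:".  The real prefix string is not shown on the page.
"""
import re
from collections import Counter, defaultdict

KNOWN_PREFIXES = {
    "DROP", "MARTIAN", "REJECT", "INVALID", "UNMATCHED_ZONE", "WATCH",
    "LIMIT_ACCEPT", "LIMIT_DROP", "LIMIT_REJECT", "SYN", "SCAN",
}
LOG_ONLY = {"WATCH", "LIMIT_ACCEPT"}                    # logged but not dropped
CONFIG_ERRORS = {"MARTIAN", "ZONE_MISS", "UNMATCHED_ZONE"}  # fix the config, not the attacker
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?"                 # optional printk uptime stamp
    r"(?P<prefix>[A-Za-z_]+):? (?P<rest>IN=.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for one LOG line, or None if the line is not a LOG line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    prefix = m.group("prefix")
    if prefix in KNOWN_PREFIXES:
        kind, zone = prefix, None
    elif prefix.endswith("_MISS"):          # <ZONE>_MISS carries the zone name
        kind, zone = "ZONE_MISS", prefix[: -len("_MISS")]
    else:
        kind, zone = "UNKNOWN", None
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    # fiaif-scan's queue=INPUT/FORWARD/OUTPUT can be derived from IN=/OUT=.
    chain = "FORWARD" if in_if and out_if else ("INPUT" if in_if else "OUTPUT")
    return {
        "ts": m.group("ts"), "prefix": prefix, "kind": kind, "zone": zone,
        "dropped": None if kind == "UNKNOWN" else kind not in LOG_ONLY,
        "chain": chain, "proto": fields.get("PROTO", ""),
        "src": fields.get("SRC", ""), "dst": fields.get("DST", ""),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # TCP flags appear as bare tokens (SYN, ACK, ...) in LOG output.
        "flags": frozenset(t for t in rest.split() if t in TCP_FLAGS),
    }


def triage(lines, min_hits=3):
    """Count lines per prefix, list persistent (src,dst,proto,dpt) drops,
    and collect lines that indicate a configuration error."""
    per_prefix = Counter()
    hits = defaultdict(int)
    misconfig = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_prefix[rec["kind"]] += 1
        if rec["kind"] in CONFIG_ERRORS:
            misconfig.append((rec["ts"], rec["prefix"], rec["src"], rec["dst"]))
        if rec["dropped"] and rec["dpt"] is not None:
            hits[(rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    persistent = sorted((k, n) for k, n in hits.items() if n >= min_hits)
    return {"per_prefix": dict(per_prefix), "persistent": persistent, "misconfig": misconfig}


# Constructed sample log (documentation addresses), mirroring the fiaif-scan
# example: four ssh attempts from one host, plus one line of most other kinds.
SAMPLE_LOG = """\
Jun  7 16:01:07 marvin kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.18 DST=10.0.0.5 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=1031 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 16:02:22 marvin kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.18 DST=10.0.0.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 16:02:32 marvin kernel: SYN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TTL=48 ID=3 PROTO=TCP SPT=65180 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Jun  7 16:03:37 marvin kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.18 DST=10.0.0.5 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=1033 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 16:04:52 marvin kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.18 DST=10.0.0.5 LEN=60 TTL=52 ID=5 DF PROTO=TCP SPT=1034 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  7 16:05:10 marvin kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TTL=48 ID=6 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jun  7 16:06:00 marvin kernel: WATCH IN=eth0 OUT=eth1 SRC=192.0.2.200 DST=10.0.0.5 LEN=68 TTL=57 ID=7 PROTO=UDP SPT=53 DPT=53 LEN=48
Jun  7 16:06:30 marvin kernel: EXT_MISS IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.9 LEN=84 TTL=60 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun  7 16:07:00 marvin kernel: MARTIAN IN=eth0 OUT= SRC=10.0.0.99 DST=203.0.113.9 LEN=60 TTL=61 ID=9 PROTO=UDP SPT=1234 DPT=5060 LEN=40
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for kind, n in sorted(result["per_prefix"].items()):
        print(f"{kind:15s} {n}")
    for (src, dst, proto, dpt), n in result["persistent"]:
        print(f"persistent: {src} -> {dst} {proto}/{dpt} x{n}")
    for ts, prefix, src, dst in result["misconfig"]:
        print(f"check config: {ts} {prefix} {src} -> {dst}")
```

Run it against the real log with `triage(open("/var/log/messages"))` (or the ulog file if ulogd is enabled). The persistent-hits list is what you act on (a source repeatedly hitting one port is a probe or brute-force attempt), while the misconfig list is for you: MARTIAN, <ZONE>_MISS and UNMATCHED_ZONE lines mean the IP/MASK/NET/BCAST parameters or the zone's catch-all rules need attention, as the list above says.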

Check for upgrades on a regular basis. Everything has bugs - even this script. When bugs are discovered, they are often fixed before they are publicly announced. Keeping the kernel, iptables and this script (as well as many other programs) up to date may prevent crackers from using known exploits against you.