FIAIF is an Intelligent Firewall.
deploys a packet-filtering firewall by reading configuration
files and setting up IP packet filtering rules using
iptables. The firewall is "zone" based,
meaning that each network interface is associated with a
defined piece of the "IP universe" on the other
side of that interface from the host. A zone is defined in a
text file (the zone configuration file) listing rules for
the handling of IP traffic into, out of, and through the
associated interface. The rules spell out which connections
to accept, which to reject, which to ignore, and which to
forward through the firewall. It is also possible to set up
source and destination NAT for altering the source and/or
destination addresses of packets as they pass through. All
non-accepted packets are logged to the system log.
It should be
noted that any packet related to an already accepted
connection is allowed through the firewall.
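The zone model described above, as an added illustration that is not FIAIF's own rule generator: a POSIX shell function which, for one zone and the interface attached to it, prints (rather than runs) the iptables commands a zone-based firewall would install, in the spirit of writing rules to a test file instead of deploying them. The zone name "ext", the interface "eth0", the port list and the chain-naming convention "<zone>_in" / "<zone>_fwd" are all assumptions made for this example.

```shell
#!/bin/sh
# Added illustration of a zone-based packet filter (not FIAIF's own code).
# gen_zone_rules prints, rather than executes, the iptables commands for one
# zone, so the result can be inspected offline like a rules file from a test run.
# Chain names "<zone>_in" and "<zone>_fwd" are this example's own convention.

gen_zone_rules() {
    zone="$1"      # zone name, e.g. "ext" (constructed for this example)
    iface="$2"     # interface on the zone side, e.g. "eth0" (constructed)
    ports="$3"     # comma-separated TCP ports to accept into the host
    in_chain="${zone}_in"
    fwd_chain="${zone}_fwd"

    # One chain for traffic into the host, one for traffic through it;
    # packets arriving on the zone's interface are steered into them.
    echo "iptables -N ${in_chain}"
    echo "iptables -N ${fwd_chain}"
    echo "iptables -A INPUT -i ${iface} -j ${in_chain}"
    echo "iptables -A FORWARD -i ${iface} -j ${fwd_chain}"

    # Packets related to an already accepted connection pass straight through.
    echo "iptables -A ${in_chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A ${fwd_chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # New connections the zone explicitly accepts.
    saved_ifs="$IFS"
    IFS=,
    for port in $ports; do
        echo "iptables -A ${in_chain} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
    done
    IFS="$saved_ifs"

    # Everything not accepted is logged to syslog and then dropped.
    echo "iptables -A ${in_chain} -j LOG --log-prefix \"${zone}-in: \""
    echo "iptables -A ${in_chain} -j DROP"
    echo "iptables -A ${fwd_chain} -j LOG --log-prefix \"${zone}-fwd: \""
    echo "iptables -A ${fwd_chain} -j DROP"
}

# Count the rules (-A lines) in generated output read from stdin; this is the
# kind of figure a before/after rule cleanup comparison is made with.
count_rules() {
    grep -c -- ' -A '
}

# Dry run: FW_DEMO=1 sh this_script.sh > zone-rules.sh
if [ "${FW_DEMO:-}" = "1" ]; then
    gen_zone_rules ext eth0 22,443
fi
```

Because the function only emits text, the output can be diffed between two configurations or counted with count_rules before anything touches the live netfilter state.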
This will save the current state
of netfilter, and apply the new firewall as described in the
Restores the state saved when FIAIF was started.
Same as stop, start.
This option is the same as
start, although it does not use any previously saved rules,
and can be used even if fiaif has already been started.
Start/restart only traffic
shaping. Useful if you are playing around with that part of
the fiaif subsystem.
Shut off all IP traffic - don't accept any packets
from anywhere for any reason. This can be used, for example,
if uninvited guests are discovered on the system to quickly
close the firewall and start analyzing log files.
Lists all rules in the firewall.
Instead of deploying the firewall, all rules are written
to the file specified in the "TEST_FILE" parameter
in the global configuration file. This command also runs a
sanity check on the networking configuration. Any problems
or warnings arising from this check are printed to STDERR.
for details on settings tested. When deployed, FIAIF can
automatically fix the warnings and/or errors displayed.
Please see fiaif.conf(8) for more information.
Start only traffic shaping.
This option ignores the "ENABLE_TC" parameter in
the global configuration file.
Stops the traffic shaping. This
option ignores the "ENABLE_TC" parameter in the
global configuration file.
Lists packet counters for all
The global configuration file.
See fiaif.conf(8) for further details.
file containing rules generated
previous netfilter state
previous state of /proc before
fiaif was started.
All illegal packets are logged
to this file through syslog(3)
logged to STDOUT. If any errors are printed, then please
recheck your configuration files.
If the NO_CLEANUP variable is set to a non-empty value, then
rules are not cleaned up after FIAIF is started. This will
speed up FIAIF startup time, but at the cost of having many
more rules, and performance may (on small systems with many
zones) be affected. On a three-zone system FIAIF generated
310 rules in total; after cleaning up the rules, the number
of rules was down to 241, a reduction of 22%.
FIAIF_CONF can be used to specify an alternative
global configuration file, rather than using the default
/etc/fiaif/fiaif.conf. This can be used to ease switching
between two different firewall configurations.
command line option is no guarantee that the firewall will
perform as expected, only that the syntax is correct. Only
limited semantic checks of the rules are performed.
Report bugs to