fiaif.conf - fiaif global configuration file
fiaif.conf is the file that declares which zones should be set up in
the firewall. A "zone" is a piece of the "IP
universe" existing on the other side of a particular
interface. A zone is defined in a file listing rules for the
handling of IP traffic into, out of, and through the
associated interface. The zonefile is described in
zone.conf(8). General configuration parameters
are also declared in this file.
fiaif.conf and the zonefiles are bash(1) scripts in which the
values of variables used by the fiaif program are assigned.
Although they are shell scripts, they should contain nothing
but assignment statements.
Parameters in the configuration files are of three forms:
Single-value parameters take only a
single value. The value may be a number or a string.
Group parameters are treated as
a group, and all members of the group are processed in the
same way. There are two parts to these parameters'
names: the first part is the name of the group, and the
second part is a mnemonic.
Array parameters have their values declared
in an array. Any number of values can be specified by
incrementing the array index for each value.
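Because fiaif.conf and the zone files are sourced by bash, a line that is not an assignment is executed with the firewall's privileges when the firewall starts. The following shell script is an added example, not part of fiaif: it lints a configuration file against the three assignment forms above (scalar, group, array) and reports anything else, so the check can run before a file is installed into the configuration directory. The two sample files it creates, and the group mnemonic EXT they use, are constructed for the example.

```shell
#!/bin/sh
# Added example, not fiaif's own code: lint a fiaif-style configuration file
# before it is sourced. Only blank lines, comments and the three assignment
# forms are accepted:
#   scalar  NAME=value      group  GROUP_MNEMONIC=value      array  NAME[i]=value
# An assignment whose value would still run a command when sourced
# (command substitution, backticks, ';', '&', '|') is reported as well.

# check_assignments_only FILE: print every offending line, return 1 if any
check_assignments_only() {
    file=$1; lineno=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        trimmed=${line#"${line%%[![:space:]]*}"}      # strip leading blanks
        case $trimmed in
            ''|'#'*) continue ;;                       # blank line or comment
        esac
        if printf '%s\n' "$trimmed" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*(\[[0-9]+\])?='; then
            rhs=${trimmed#*=}
            case $rhs in
                *'$('*|*'`'*|*';'*|*'&'*|*'|'*) ;;     # value executes something
                *) continue ;;                         # plain assignment: fine
            esac
        fi
        printf '%s:%d: not a plain assignment: %s\n' "$file" "$lineno" "$trimmed"
        bad=1
    done < "$file"
    return $bad
}

# count_non_assignments FILE: number of lines the linter reports
count_non_assignments() {
    check_assignments_only "$1" | wc -l | tr -d ' '
}

# Constructed sample files for the demonstration (not real fiaif configuration).
SAMPLE_CLEAN=$(mktemp)
cat > "$SAMPLE_CLEAN" <<'EOF'
# scalar parameters
DONT_START=0
CONF_DIR="/etc/fiaif/"
# group parameter (group CONF, mnemonic EXT chosen for this example)
CONF_EXT="zone.ext"
# array parameter
ZONES[0]="EXT"
LOG_BURST="5"
EOF
SAMPLE_BAD=$(mktemp)
cp "$SAMPLE_CLEAN" "$SAMPLE_BAD"
cat >> "$SAMPLE_BAD" <<'EOF'
echo "loading firewall"
LOG_LEVEL=$(date +%S)
EOF

# Usage: the clean file passes, the second file is rejected with two reports
check_assignments_only "$SAMPLE_CLEAN" && echo "$SAMPLE_CLEAN: only assignments"
check_assignments_only "$SAMPLE_BAD" || echo "$SAMPLE_BAD: rejected"
```

The linter deliberately does not source the file to inspect it; sourcing is exactly the step that would execute a stray command.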
-> [a shell command line]
dirpath -> [path to a directory (no trailing
fname -> [filename with no path]
modulename -> [the name of an iptables module]
portspec -> [a port number | a service in /etc/services]
posint -> [an integer >= 0]
TOStype -> [a Type-of-service name | a Type-of-service
zonename -> [the zone identifier from a zone file]
cidrmask -> 0..32
nullstring -> [nothing]
string -> [char]<string>|<nullstring>
iptablesprotocol -> [a protocol number | a protocol name
modulelist -> <nullstring>|<modulename>
netaddr -> <IP4addr>/<cidrmask>
netlist -> <nullstring>|<netaddr>
plist -> <nullstring>|<iptablesprotocol>
tablelist -> mangle filter nat
timespec -> second|minute|hour|day
TOSportlist -> <nullstring> | any |
TOSportlistOpt -> <portspec> |
ICMPtype -> <ICMP type string>
zonelist -> <nullstring>|<zonename>
The values of
these parameters should (almost certainly) not be altered.
A list of the
packet processing tables in the Linux kernel. As of version
2.4.18, only three tables are available: mangle,
filter, and nat.
A list of the
reserved IP numbers and masks, or a file containing this
list, one <netaddr> per line. See http://www.iana.com
for more information.
A list of the
private IP numbers and masks, or a file containing this list,
one <netaddr> per line. See http://www.iana.com and
RFC 1918 for more information.
The network of
the loopback interface. "127.0.0.1/8" in the distribution.
The search path
for the iptables and tc binaries.
The values of
these parameters should be altered. They define the firewall
deployed by fiaif and customize it for local networks and
Syntax: DONT_START= <boolean>
If set to one,
the firewall will not be started. DONT_START is set
to 1 in the distributed fiaif.conf to prevent the inadvertent
deployment of an unconfigured firewall from a download. Set
the value to zero or delete the line to enable the firewall.
The path to the
configuration directory. CONF_DIR is set to
"/etc/fiaif/" in the distribution.
Syntax: SET_PROC_ERRORS= <boolean>
Syntax: SET_PROC_WARNINGS= <boolean>
When the command "fiaif test" is issued, a list of errors
and warnings is displayed.
If SET_PROC_ERRORS is 1, FIAIF will attempt to
correct the errors.
If SET_PROC_WARNINGS is 1, FIAIF will attempt to
correct the warnings.
Syntax: SAVE_STATE= <boolean>
FIAIF will save all iptables rules to a file after these
have been applied, if no errors were encountered while
generating the rules. When FIAIF is started again, this file
is used if and only if no modifications have been made to
any configuration files. Rules are saved to
This option greatly improves the start time of FIAIF, but may cause
problems if, for example, the IP number of a static interface
changes, in which case /etc/init.d/fiaif
force-reload should be used to rebuild the ruleset
from the configuration files.
A list of the
zones to be set up. There must be a zone file in the
configuration directory matching each zone named in this list.
A group (CONF)
containing the names of the zone files. It should match
closely the names listed in the ZONES parameter. The
zone files must be in the directory specified in
The pathname of the file to which commands are written when
fiaif is run with the 'test' option. Set
to "/tmp/fiaif.out" in the distribution.
Syntax: DEBUG= <boolean>
If set to 1,
fiaif will not drop any packets, but all rules are still
applied, and the results will be in the syslog. Use this as
a debugging tool if you are experiencing problems while
setting up the zones. Set to zero for fiaif to work
Syntax: VERBOSE= <boolean>
Set this variable to 1 to have fiaif log all dropped or redirected
packets in the syslog. If no logging is wanted, set it to 0.
See LOG_LIMIT and LOG_BURST for details on when logging
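As an added example (not fiaif's own code), the script below reads DONT_START, DEBUG, VERBOSE and SAVE_STATE out of a fiaif.conf with sed, without sourcing it, and reports the settings described above that leave the host unprotected or silent: DONT_START=1 means no firewall at all, DEBUG=1 means rules are evaluated but nothing is dropped, a VERBOSE other than 1 means dropped packets leave no trace in the log, and SAVE_STATE=1 carries the stale-ruleset caveat. The two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not fiaif's own code: inspect a fiaif.conf for scalar settings
# that leave the firewall inactive, non-enforcing or silent. Values are read
# with sed instead of sourcing the file, so an untrusted copy can be checked
# without executing it.

# get_value FILE NAME: value of the last assignment to NAME, quotes stripped
get_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_production_settings FILE: one WARN: line per setting that must change
# before deployment, one NOTE: line for a caveat worth knowing
check_production_settings() {
    f=$1
    if [ "$(get_value "$f" DONT_START)" = 1 ]; then
        echo "WARN: DONT_START=1, the firewall will not be started (the distributed default)"
    fi
    if [ "$(get_value "$f" DEBUG)" = 1 ]; then
        echo "WARN: DEBUG=1, rules are evaluated and logged but no packet is dropped"
    fi
    v=$(get_value "$f" VERBOSE)
    if [ "$v" != 1 ]; then
        echo "WARN: VERBOSE=${v:-unset}, dropped and redirected packets are not logged"
    fi
    if [ "$(get_value "$f" SAVE_STATE)" = 1 ]; then
        echo "NOTE: SAVE_STATE=1, saved rules are reused until a configuration file changes; run '/etc/init.d/fiaif force-reload' after an interface address change"
    fi
}

# count_warnings FILE: number of WARN: lines (prints 0 when there are none)
count_warnings() {
    check_production_settings "$1" | grep -c '^WARN:'
}

# Constructed sample configurations (not real fiaif.conf files).
# DOWNLOADED mirrors a freshly unpacked file left in test mode; HARDENED is
# the same file after the settings were fixed for deployment.
DOWNLOADED=$(mktemp)
cat > "$DOWNLOADED" <<'EOF'
DONT_START=1
CONF_DIR="/etc/fiaif/"
DEBUG=1
VERBOSE=0
SAVE_STATE=1
EOF
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
DONT_START=0
CONF_DIR="/etc/fiaif/"
DEBUG=0
VERBOSE=1
SAVE_STATE=0
EOF

# Usage: three warnings and one note for the first file, none for the second
check_production_settings "$DOWNLOADED"
echo "warnings in hardened file: $(count_warnings "$HARDENED")"
```

Because get_value keeps only the last assignment, a later line in the file overriding an earlier one is evaluated the way bash would evaluate it when the file is sourced.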
Syntax: FIAIF_ <string>
The prefix to use when logging packets to the system log or through
Syntax: ENABLE_ULOGD= <boolean>
If set to 1
(and ulogd is running on the system), fiaif logs via
ulogd. If set to 0, fiaif logs through the standard syslog
Syntax: LOG_LIMIT= <posint>
Specifies how often dropped or rejected packets should be entered into the
system log. Tune to avoid spamming of logs.
LOG_LIMIT is the maximum average matching rate. If no <timespec>
is provided, '/second' is assumed.
LOG_BURST is the maximum initial number of packets to match; this
count is replenished by one every time the limit specified
above is not reached, up to that number. Note the quotes
around LOG_BURST's value.
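To show how LOG_LIMIT and LOG_BURST interact, the following added example (not fiaif's own code) models the matching as a token bucket: LOG_BURST tokens to start, one consumed per logged packet, replenished at the LOG_LIMIT rate and never beyond LOG_BURST. The model is a simplification of the iptables limit match, not its implementation, and assumes the per-second timespec; the packet timings are constructed.

```shell
#!/bin/sh
# Added example, not fiaif's own code: a token-bucket model of which dropped
# packets reach the log under LOG_LIMIT (rate per second) and LOG_BURST.

# logged_count RATE BURST TIME... : packet times in milliseconds, ascending;
# prints how many of them would be logged
logged_count() {
    rate=$1; burst=$2; shift 2
    interval=$((1000 / rate))   # milliseconds per replenished token
    tokens=$burst; last=$1; carry=0; logged=0
    for t in "$@"; do
        carry=$((carry + t - last)); last=$t
        tokens=$((tokens + carry / interval)); carry=$((carry % interval))
        if [ "$tokens" -ge "$burst" ]; then   # a full bucket stores no credit
            tokens=$burst; carry=0
        fi
        if [ "$tokens" -gt 0 ]; then          # token available: packet logged
            tokens=$((tokens - 1)); logged=$((logged + 1))
        fi
    done
    echo "$logged"
}

# flood_times STEP END: times 0, STEP, 2*STEP, ... below END (constructed input)
flood_times() {
    i=0
    while [ "$i" -lt "$2" ]; do printf '%s ' "$i"; i=$((i + $1)); done
}

# Usage: LOG_LIMIT=5, LOG_BURST="10"; 30 packets in 300 ms versus 10 packets
# spaced 300 ms apart
echo "flood: $(logged_count 5 10 $(flood_times 10 300)) of 30 packets logged"
echo "steady: $(logged_count 5 10 $(flood_times 300 3000)) of 10 packets logged"
```

With LOG_LIMIT=5 and LOG_BURST="10", a flood of 30 dropped packets in 300 ms produces 11 log lines (the initial burst plus one replenished token at 200 ms), while 10 packets spaced 300 ms apart are all logged. A small burst protects the log from a flood; a larger one keeps the first packets of an event visible for investigation.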
Syntax: LOG_LEVEL= <byteint>
Specifies the loglevel, for logging to syslog or ulogd.
When using syslog, the number specifies the priority, see
syslog.conf(5). If ENABLE_ULOGD is true, the
LOG_LEVEL number specifies the netlink group (1-32)
to which the line to be logged is sent.
Syntax: ENABLE_TC= <boolean>
Enable or disable traffic shaping system wide. Setting it to 0 overrides
the TC_ENABLE value in all zone configurations. To
enable traffic shaping in a zone, TC_ENABLE must be
set to 1 in fiaif.conf and in the zone configuration as well.
A list of the iptables modules to be loaded upon starting the firewall.
The modules remain loaded as long as the firewall is running.
This pair of
array parameters may contain shell commands to be executed
before/after fiaif creates the iptables rules. The lines are
executed in array-index sequence.
A set of user chains per zone exists to support user-defined rules. The chain
names are USER_INPUT_<ZONE_NAME> and
USER_FORWARD_<ZONE_NAME>, where <ZONE_NAME> is
the name of the zone. Packets will go through these chains
before hitting rules generated by the INPUT, OUTPUT and FORWARD
rules in the zone configuration files. Remember that only
packets in the NEW state will hit these chains, and hence
there is no need to test the state of a packet in these chains.
Points to a file with IP alias specifications. These aliases
are available to all zone configuration files, and can be
used in rules where the syntax
is used, as a replacement for either side. See IPSET in
zone.conf(8) for more information.
The name of the Type-Of-Service configuration file located in
the configuration directory. This file specifies
manipulation of the TOS bits in TCP and UDP packets. Traffic
control examines these fields to determine into which class
a packet should fall.
It contains a group (TOS) with values of the form:
TOS_NORM_SRVC_TCP= "Normal-Service tcp
The configuration file for
A list of private networks as
specified by RFC1918
A list of reserved networks as
specified by IANA.
Specifies IP aliases to be used
for all configuration files.