NAME
    fiaif.conf - fiaif global configuration file
DESCRIPTION
    fiaif.conf is the file that declares which zones should be set up in the firewall. A "zone" is a piece of the "IP universe" existing on the other side of a particular interface. A zone is defined in a file listing rules for the handling of IP traffic into, out of, and through the associated interface. The zone file is described in zone.conf(8).

    General configuration parameters are also declared in this file.

    fiaif.conf and the zone files are bash(1) scripts in which the values of variables used in the fiaif program are assigned. Although they are shell scripts, they should contain nothing but assignment statements.

    Parameters in the configuration files are of three forms:

    SIMPLE
        These parameters take only a single value. The value may be a number or a string.

    GROUP
        These parameters are treated as a group, and all members of the group are processed in the same way. There are two parts to these parameters' names: the first part is the name of the group, and the second part is a mnemonic.

    ARRAY
        Parameter values are declared in an array. Any number of values can be specified by incrementing the array index for each value.
DEFINITIONS
    bashcommand      -> [a shell command line]
    dirpath          -> [path to a directory (no trailing '/')]
    fname            -> [filename with no path]
    modulename       -> [the name of an iptables module]
    portspec         -> [a port number | a service in /etc/services]
    posint           -> [an integer >= 0]
    TOStype          -> [a Type-of-service name | a Type-of-service number]
    zonename         -> [the zone identifier from a zone file]
    byteint          -> 0..255
    cidrmask         -> 0..32
    nullstring       -> [nothing]
    string           -> [char]<string>|<nullstring>
    boolean          -> 0|1
    burstspec        -> <posint>|<posint>/<timespec>
    IP4addr          -> <byteint>.<byteint>.<byteint>.<byteint>
    iptablesprotocol -> [a protocol number | a protocol name from /etc/protocols]
    modulelist       -> <nullstring>|<modulename> <modulelist>
    netaddr          -> <IP4addr>/<cidrmask>
    netlist          -> <nullstring>|<netaddr> <netlist>
    pathlist         -> <dirpath>|<dirpath>:<pathlist>
    plist            -> <nullstring>|<iptablesprotocol> <plist>
    tablelist        -> mangle filter nat
    timespec         -> second|minute|hour|day
    TOSportlist      -> <nullstring> | any | <TOSportlistOpt>
    TOSportlistOpt   -> <portspec> | <portspec>,<TOSportlist>
    ICMPtype         -> <ICMP type string>
    zonelist         -> <nullstring>|<zonename> <zonelist>
CONSTANT PARAMETERS
    The values of these parameters should (almost certainly) not be altered.

    TABLES
        Syntax: TABLES= "<tablelist>"
        A list of the packet processing tables in the Linux kernel. As of version 2.4.18, only three tables are available: mangle, filter, and nat.

    RESERVED_NETWORKS
        Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"
        A list of the reserved IP numbers and masks, or a file containing this list, one <netaddr> per line. See //www.iana.com for more information.

    PRIVATE_NETWORKS
        Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"
        A list of the private IP numbers and masks, or a file containing this list, one <netaddr> per line. See //www.iana.com and RFC 1918 for more information.

    LOOPBACK_NET
        Syntax: LOOPBACK_NET= "<netaddr>"
        The network of the loopback interface. "127.0.0.1/8" in the distribution.

    BIN_PATH
        Syntax: BIN_PATH= "<pathlist>"
        The search path for the iptables and tc binaries.
PARAMETERS
    The values of these parameters should be altered. They define the firewall deployed by fiaif and customize it for local networks and security policy.

    DONT_START
        Syntax: DONT_START= <boolean>
        If set to one, the firewall will not be started. DONT_START is set to 1 in the distributed fiaif.conf to prevent the inadvertent deployment of an unconfigured firewall from a download. Set the value to zero or delete the line to enable the firewall.

    CONF_DIR
        Syntax: CONF_DIR= "<dirpath>/"
        The path to the configuration directory. CONF_DIR is set to "/etc/fiaif/" in the distribution.

    SET_PROC_ERRORS
        Syntax: SET_PROC_ERRORS= <boolean>
    SET_PROC_WARNINGS
        Syntax: SET_PROC_WARNINGS= <boolean>
        When the command "fiaif test" is issued, a list of errors and warnings is displayed. If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors. If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the warnings.

    SAVE_STATE
        Syntax: SAVE_STATE= <boolean>
        If enabled, FIAIF will save all iptables rules to a file after they have been applied, provided no errors were encountered while generating the rules. When FIAIF is started again, this file is used if and only if no modifications have been made to any configuration file. Rules are saved to /var/lib/fiaif/iptables. Enabling this option greatly improves the start time of FIAIF, but may cause problems if, for example, the IP number of a static interface changes; in that case /etc/init.d/fiaif force-reload should be used to rebuild the ruleset from the configuration files.

    ZONES
        Syntax: ZONES= "<zonelist>"
        A list of the zones to be set up. There must be a zone file in the configuration directory matching each zone named in this list.
        Example: ZONES="INT EXT"

    CONF_[XXX]
        Syntax: CONF_[XXX]= "<fname>"
        A group (CONF) containing the names of the zone files. Its members should correspond to the names listed in the ZONES parameter. The zone files must be in the directory specified in CONF_DIR.
        Example: CONF_INT="zone.internal" CONF_EXT="zone.external"

    TEST_FILE
        Syntax: TEST_FILE= "<dirpath>/<fname>"
        The absolute pathname of the file to which commands are written when fiaif is run with the 'test' option. Set to "/tmp/fiaif.out" in the distribution.

    DEBUG
        Syntax: DEBUG= <boolean>
        If set to 1, fiaif will not drop any packets, but all rules are still applied, and the results will be in the syslog. Use this as a debugging tool if you are experiencing problems while setting up the zones. Set to zero for fiaif to work normally.

    VERBOSE
        Syntax: VERBOSE= <boolean>
        Set this variable to 1 to have fiaif log all dropped or redirected packets in the syslog. If no logging is wanted, set it to 0. See LOG_LIMIT and LOG_BURST for details on when logging occurs.

    LOG_PREFIX
        Syntax: LOG_PREFIX= "<string>" (e.g. "FIAIF_")
        Specify the prefix to use when logging packets to the system log or through ulogd.

    ENABLE_ULOGD
        Syntax: ENABLE_ULOGD= <boolean>
        If set to 1 (and ulogd is running on the system), fiaif logs via ulogd. If set to 0, fiaif logs through the standard syslog facility.

    LOG_LIMIT
        Syntax: LOG_LIMIT= <posint>
    LOG_BURST
        Syntax: LOG_BURST= "<burstspec>"
        Specify how often dropped or rejected packets should be entered into the system log. Tune to avoid spamming of logs. LOG_LIMIT is the maximum average matching rate. If no <timespec> is provided, '/second' is assumed. LOG_BURST is the maximum initial number of packets to match; this number is incremented by one every time the limit specified above is not reached, up to this number. Note the quotes around LOG_BURST's value.

    LOG_LEVEL
        Syntax: LOG_LEVEL= <byteint>
        This specifies the log level for logging to syslog or ulogd. When using syslog, the number specifies the priority; see syslog.conf(5). If ENABLE_ULOGD is true, LOG_LEVEL specifies the netlink group (1-32) to which the line to be logged is sent.

    ENABLE_TC
        Syntax: ENABLE_TC= <boolean>
        Enable or disable traffic shaping system-wide. Setting it to 0 overrides the TC_ENABLE value in all zone configurations. To enable traffic shaping in a zone, ENABLE_TC must be set to 1 in fiaif.conf and TC_ENABLE must be set to 1 in the zone configuration as well.

    MODULES
        Syntax: MODULES= "<modulelist>"
        Specifies iptables modules to be loaded upon starting the firewall. The modules remain loaded as long as the firewall is deployed.

    PRE_SCRIPT[N]
        Syntax: PRE_SCRIPT[N]= "<bashcommand>"
    POST_SCRIPT[N]
        Syntax: POST_SCRIPT[N]= "<bashcommand>"
        This pair of array parameters may contain shell commands to be executed before/after fiaif creates the iptables rules. The lines are executed in array-index sequence.

        Three chains per zone exist to support user-defined rules. The chain names are:

            USER_INPUT_<ZONE_NAME>
            USER_OUTPUT_<ZONE_NAME>
            USER_FORWARD_<ZONE_NAME>

        where <ZONE_NAME> is the name of the zone. Packets will go through these chains before hitting the rules generated by the INPUT, OUTPUT and FORWARD rules in the zone configuration files. Remember that only packets in the NEW state will hit these chains, so there is no need to test the state of a packet in these chains.

    ALIASES
        Points to a file with IP alias specifications. These aliases are available to all zone configuration files, and can be used in rules where the syntax [<ip>[/<mask>]]=>[<ip>[/<mask>]] is used, as a replacement for either side. See IPSET in zone.conf(8) for more information.

    TOS_FILE
        Syntax: TOS_FILE= "<fname>"
        Specify the name of the Type-Of-Service configuration file located in the configuration directory. This file specifies manipulation of the TOS bits in TCP and UDP packets. Traffic control examines these fields to determine into which class a packet should fall. The file contains a group (TOS) with values of the form:

            TOS_[XXX]= "<TOStype> <protocol> <TOSportlist|ICMPtype>"

        Examples:
            TOS_MIN_DLY_UDP= "Minimize-Delay udp"
            TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"
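    The following is an added example, not part of FIAIF: a bash check that applies the rules above to a fiaif.conf before it is deployed. It refuses to source a file that holds anything but comments and assignments (the only content these files should contain), then verifies that every zone in ZONES has a CONF_<zone> member naming a file present in CONF_DIR, that LOG_BURST is a valid <burstspec>, and that DONT_START is not still 1. The sample configuration it writes to a temporary directory is constructed for the example and uses hypothetical zone names and values.

```bash
#!/bin/bash
# Added example, not part of FIAIF: sanity-check a fiaif.conf before deploying it.
# Rules checked (from fiaif.conf(5)): only assignments in the file, every zone in
# ZONES has CONF_<zone> naming a file in CONF_DIR, LOG_BURST is <posint>[/<timespec>].

# True when the file contains nothing but blank lines, comments and assignments.
only_assignments() {
  ! grep -Evq '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*(\[[0-9]+\])?=' "$1"
}

# Prints one problem per line; returns the problem count, or 255 if the file was
# refused (a config that is not pure assignments is never sourced).
check_fiaif_conf() {
  local conf=$1 problems=0 zone var file
  local re='^[0-9]+(/(second|minute|hour|day))?$'
  only_assignments "$conf" || { echo "$conf: non-assignment lines, refused"; return 255; }
  . "$conf"
  if [ "${DONT_START:-0}" = 1 ]; then
    echo "DONT_START=1: the firewall will not be started"; problems=$((problems + 1))
  fi
  for zone in $ZONES; do
    var="CONF_$zone"; file=${!var}
    if [ -z "$file" ]; then
      echo "zone $zone is in ZONES but $var is not set"; problems=$((problems + 1))
    elif [ ! -f "$CONF_DIR$file" ]; then
      echo "zone $zone: $CONF_DIR$file not found"; problems=$((problems + 1))
    fi
  done
  if ! [[ ${LOG_BURST-} =~ $re ]]; then
    echo "LOG_BURST='${LOG_BURST-}' is not <posint>[/<timespec>]"; problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed sample (hypothetical values): ZONES names a DMZ zone with no CONF_DMZ.
make_sample_conf() {
  local dir; dir=$(mktemp -d)
  touch "$dir/zone.internal" "$dir/zone.external"
  cat >"$dir/fiaif.conf" <<EOF
DONT_START=0
CONF_DIR="$dir/"
ZONES="INT EXT DMZ"
CONF_INT="zone.internal"
CONF_EXT="zone.external"
LOG_LIMIT=5
LOG_BURST="10/minute"
PRE_SCRIPT[0]="echo pre"
EOF
  echo "$dir/fiaif.conf"
}

check_fiaif_conf "$(make_sample_conf)"; echo "problems found: $?"
```

    Run against the sample it reports the missing CONF_DMZ member and exits with status 1; pointing it at the real /etc/fiaif/fiaif.conf works the same way.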
FILES
    /etc/fiaif/fiaif.conf
        The configuration file for FIAIF.
    /etc/fiaif/private_networks
        A list of private networks as specified by RFC 1918.
    /etc/fiaif/reserved_networks
        A list of reserved networks as specified by IANA.
    /etc/fiaif/aliases
        Specifies IP aliases to be used by all configuration files.
AUTHOR
    Anders Fugmann <anders(at)fugmann.net>
SEE ALSO
    fiaif(8), zone.conf(8)

FIAIF.CONF(5)