Provided by: fiaif_1.22.1-1_all bug

NAME

       fiaif - FIAIF is an Intelligent Firewall.

SYNOPSIS

       fiaif        <start|stop|restart|force-reload|status|panic|tc-start|tc-
       stop|tc-status>

DESCRIPTION

       Fiaif deploys a  packet-filtering  firewall  by  reading  configuration
       files  and  setting  up  IP packet filtering rules using iptables.  The
       firewall is "zone"  based,  meaning  that  each  network  interface  is
       associated  with a defined piece of the "IP universe" on the other side
       of that interface from the host.  A zone is defined in a text file (the
       zone  configuration  file) listing rules for the handling of IP traffic
       into, out of, and through the associated interface.   The  rules  spell
       out  which connections to accept, which to reject, which to ignore, and
       which to forward through the firewall.  It is also  possible  to  setup
       source  and  destination NAT for altering the source and/or destination
       addresses of packets as they pass through.   All  non-accepted  packets
       are logged to the system log.

       It  should  be  noted  that  any  packet related to an already accepted
       connection is allowed though the firewall.

OPTIONS

       start  This will save the current state of netfilter, and apply the new
              firewall as described in the configuration files.

       stop   Restores the state saved when FIAIF was started.

       restart
              Same as stop,start

       force-reload
              This  option  is the same as start, although it does not use any
              previously saved rules, and  can  be  used  even  if  fiaif  has
              already been started.

       start-tc
              Start/restart  only  traffic  shaping. Useful if you are playing
              arround with that part of the fiaf subsystem.

       panic  Shut off all IP traffic - don't accept any packets from anywhere
              for  any  reason.   This  can be used, for example, if uninvited
              guests are  discovered  on  the  system  to  quickly  close  the
              firewall and start analyzing log files.

       status Lists all rules in the firewall.

       test   Instead  of deploying the firewall, all rules are written to the
              file specified  in  the  "TEST_FILE"  parameter  in  the  global
              configuration file. This command also runs a sanity check on the
              networking configuration.  Any problems or warnings arising from
              this    check    are    printed    to    STDERR.     Refer    to
              http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-
              sysctl.txt.html  for  details on settings tested. When deployed,
              FIAIF  can  automatically  fix  the   warnings   and/or   errors
              displayed. Please see fiaif.conf(8) for more information.

       tc-start
              Start  only traffic shaping. This option ignores the "ENABLE_TC"
              parameter in the global configuration file.

       tc-stop
              Stops the traffic shaping. This option ignores  the  "ENABLE_TC"
              parameter in the global configuration file.

       tc-status
              Lists packet counters for all traffic classes.

FILES

       /etc/fiaif/fiaif.conf
              The  global  configuration  file.  See fiaif.conf(8) for further
              details.

       /var/lib/fiaif/fiaif
              file containing rules generated by fiaif.
       /var/lib/fiaif/iptables
              previous netfilter state

       /var/lib/fiaif/sysctl
              previous state of /proc before fiaif was started.

       /var/log/messages
              All illegal packets are logged to this file though syslog(3)

DIAGNOSTICS

       Errors are logged to STDOUT. If any  errors  is  printed,  then  please
       recheck your configuration files.

ENVIRONMENT

       If  the NO_CLEANUP variable is set to a non-empty value, then rules are
       not cleaned up after FIAIF is started. This will speed up FIAIF startup
       time,  but  at the cost of having lots of rules and performance may (on
       small systems with many zones) be affected.  On  a  three  zone  system
       FIAIF  generated  in  total 310 rules. After cleaning up the rules, the
       number of rules was down to 241. A reduction of 22%.

       The  FIAIF_CONF  can  be  used  to  specify   an   anternative   global
       configurationfile, rather than using the default /etc/fiaif/fiaif.conf.
       This can be used to  ease  switching  between  two  different  firewall
       configurations.

BUGS

       The  test  command  line  option is no guarantee that the firewall will
       perform as expected, only that the  syntax  is  correct.  Only  limited
       semantic checks of rulesis performed.

REPORTING BUGS

       Report bugs to <fiaif@fiaif.net>.

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)