Provided by: fiaif_1.22.1-1_all

NAME

       fiaif - FIAIF is an Intelligent Firewall.

SYNOPSIS

       fiaif <start|stop|restart|force-reload|status|panic|tc-start|tc-stop|tc-status>

DESCRIPTION

       Fiaif deploys a packet-filtering firewall by reading configuration files and setting up IP
       packet filtering rules using iptables.  The firewall is "zone" based, meaning that each
       network interface is associated with a defined piece of the "IP universe" on the other
       side of that interface from the host.  A zone is defined in a text file (the zone
       configuration file) listing rules for the handling of IP traffic into, out of, and through
       the associated interface.  The rules spell out which connections to accept, which to
       reject, which to ignore, and which to forward through the firewall.  It is also possible
       to set up source and destination NAT for altering the source and/or destination addresses
       of packets as they pass through.  All non-accepted packets are logged to the system log.

       It should be noted that any packet related to an already accepted connection is allowed
       through the firewall.

OPTIONS

       start  This will save the current state of  netfilter,  and  apply  the  new  firewall  as
              described in the configuration files.

       stop   Restores the state saved when FIAIF was started.

       restart
              Same as stop followed by start.

       force-reload
              This  option  is  the  same as start, although it does not use any previously saved
              rules, and can be used even if fiaif has already been started.

       start-tc
              Start/restart only traffic shaping.  Useful if you are playing around with that
              part of the fiaif subsystem.

       panic  Shut  off  all  IP traffic - don't accept any packets from anywhere for any reason.
              This can be used, for example, if uninvited guests are discovered on the system  to
              quickly close the firewall and start analyzing log files.

       status Lists all rules in the firewall.

       test   Instead  of  deploying the firewall, all rules are written to the file specified in
              the "TEST_FILE" parameter in the global configuration file. This command also  runs
              a  sanity  check on the networking configuration.  Any problems or warnings arising
              from     this     check     are     printed     to      STDERR.       Refer      to
              http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-sysctl.txt.html for details on
              settings tested. When deployed, FIAIF can automatically  fix  the  warnings  and/or
              errors displayed. Please see fiaif.conf(8) for more information.

       tc-start
              Start  only  traffic  shaping. This option ignores the "ENABLE_TC" parameter in the
              global configuration file.

       tc-stop
              Stops the traffic shaping. This option ignores the  "ENABLE_TC"  parameter  in  the
              global configuration file.

       tc-status
              Lists packet counters for all traffic classes.

FILES

       /etc/fiaif/fiaif.conf
              The global configuration file. See fiaif.conf(8) for further details.

       /var/lib/fiaif/fiaif
              File containing the rules generated by fiaif.

       /var/lib/fiaif/iptables
              Previous netfilter state, saved when fiaif was started.

       /var/lib/fiaif/sysctl
              Previous state of /proc before fiaif was started.

       /var/log/messages
              All illegal packets are logged to this file through syslog(3).
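       The DESCRIPTION states that every non-accepted packet is logged to the system log, and
       the FILES section names /var/log/messages as the place it ends up.  The following is an
       added example, not code shipped with fiaif, showing how a defender can summarise those
       entries with awk.  It assumes the lines use the kernel's standard netfilter LOG field
       layout (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...); the "DROP:" log prefix and all sample
       addresses are constructed placeholders, not values taken from fiaif's configuration.

```shell
#!/bin/sh
# Added example (not part of fiaif): summarise packets the firewall rejected,
# as recorded in /var/log/messages by the netfilter LOG target.
# The field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...) is the kernel's
# standard LOG format; the "DROP:" prefix is a constructed placeholder.

# fiaif_write_sample_log PATH
#   Writes constructed sample syslog lines to PATH. Two unrelated lines (a
#   kernel link message and an sshd login) are included to show they are
#   ignored by the summaries below.
fiaif_write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: eth0: link is up at 1000 Mbps, full duplex
Mar  3 10:15:03 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
Mar  3 10:15:06 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=2117 PROTO=UDP SPT=33111 DPT=53 LEN=53
Mar  3 10:15:07 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=2118 PROTO=ICMP TYPE=8 CODE=0 ID=4410 SEQ=1
EOF
}

# fiaif_log_summary LOGFILE
#   Prints "count source protocol dport" for every rejected (source, proto,
#   destination port) combination, busiest first. Protocols without ports
#   (ICMP) are shown with "-" as the port.
fiaif_log_summary() {
    awk '
        /kernel:/ && /IN=/ && /SRC=/ {
            src = ""; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# fiaif_log_noisy_sources LOGFILE MIN
#   Prints "count source" for every source address with at least MIN logged
#   rejections, most active first: a simple alerting threshold for someone
#   watching /var/log/messages.
fiaif_log_noisy_sources() {
    awk -v min="$2" '
        /kernel:/ && /IN=/ && /SRC=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) per[substr($i, 5)]++
        }
        END { for (s in per) if (per[s] + 0 >= min + 0) print per[s], s }
    ' "$1" | sort -rn
}

# Stand-alone demo: run with --demo to summarise the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    fiaif_write_sample_log "$tmp"
    fiaif_log_summary "$tmp"
    fiaif_log_noisy_sources "$tmp" 3
    rm -f "$tmp"
fi
```

       On a real host the same functions are run against /var/log/messages itself; matching
       on "kernel:" together with the IN= and SRC= fields keeps unrelated kernel and daemon
       lines out of the counts whatever log prefix the zone configuration uses.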

DIAGNOSTICS

       Errors are logged to STDOUT.  If any errors are printed, please recheck your
       configuration files.

ENVIRONMENT

       If the NO_CLEANUP variable is set to a non-empty value, the generated rules are not
       cleaned up after FIAIF is started.  This speeds up FIAIF startup, at the cost of leaving
       many more rules in place; on small systems with many zones this may affect performance.
       On a three-zone system FIAIF generated 310 rules in total; after cleaning up the rules,
       the number was down to 241, a reduction of 22%.

       The FIAIF_CONF variable can be used to specify an alternative global configuration file,
       rather than using the default /etc/fiaif/fiaif.conf.  This can be used to ease switching
       between two different firewall configurations.
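       The test command described under OPTIONS writes the rules to TEST_FILE and prints sanity
       warnings to STDERR instead of touching the running firewall, and FIAIF_CONF selects which
       global configuration file is read.  The following is an added example, not a script
       shipped with fiaif, that combines the two into a check-then-deploy wrapper.  The
       FIAIF_BIN variable is an assumption of this example only (it lets the fiaif binary be
       substituted, for instance with a stub while testing the wrapper itself); the exit codes
       are the wrapper's own convention.

```shell
#!/bin/sh
# Added example (not part of fiaif): validate a candidate global configuration
# with "fiaif test" before applying it. FIAIF_CONF is the documented override
# for the configuration file; FIAIF_BIN is an assumption of this script so the
# binary can be replaced by a stub when exercising the wrapper.

# fiaif_check_config CONFIG
#   Runs "fiaif test" against CONFIG. Returns 0 only when the sanity check
#   exits cleanly and prints nothing to STDERR; 1 when warnings were printed
#   (they are echoed for the operator); 2 when the file is unreadable or
#   fiaif itself failed.
fiaif_check_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "config not readable: $cfg" >&2; return 2; }
    # Keep only STDERR (the sanity-check warnings); STDOUT is discarded.
    errs=$(FIAIF_CONF="$cfg" "${FIAIF_BIN:-fiaif}" test 2>&1 >/dev/null) || return 2
    if [ -n "$errs" ]; then
        echo "sanity check reported problems for $cfg:" >&2
        echo "$errs" >&2
        return 1
    fi
    return 0
}

# fiaif_deploy_config CONFIG
#   Validates CONFIG and, only if it is clean, applies it with
#   "fiaif force-reload", which does not depend on previously saved rules
#   and works whether or not fiaif is already running.
fiaif_deploy_config() {
    cfg=$1
    fiaif_check_config "$cfg" || return $?
    FIAIF_CONF="$cfg" "${FIAIF_BIN:-fiaif}" force-reload
}

# Stand-alone usage: ./script /etc/fiaif/fiaif.conf.candidate
if [ -n "${1:-}" ]; then
    fiaif_deploy_config "$1"
fi
```

       Because the warnings go to STDERR while the wrapper discards STDOUT, a configuration is
       only deployed when the sanity check is silent; anything it does print is shown before the
       wrapper refuses, so the operator can correct the zone or global file and re-run it.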

BUGS

       The test command line option is no guarantee that the firewall will perform as expected,
       only that the syntax is correct.  Only limited semantic checks of the rules are performed.

REPORTING BUGS

       Report bugs to <fiaif@fiaif.net>.

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)