Provided by: fiaif_1.23.1-3_all

NAME

       zone.conf - fiaif zone configuration files

DESCRIPTION

       fiaif.conf is the file that determines how zones should be set up in the firewall. A zone
       describes how traffic from other zones is allowed into a zone, and what packets are
       allowed from the zone itself. Zones are based upon the interface and the network the
       interface is connected to. It is possible to have multiple zones per interface, if and
       only if the interface is not declared public. See the PUBLIC variable for more
       information.

       The general syntax of a configuration file is the same as for a bash(1) script,  in  which
       only variables should be present.

       The variables can take one of three forms:

       VARIABLE
              This is a simple variable. It can only be assigned a single value.

       VARIABLE_FOO
              This denotes a variable sequence. FOO can be replaced by any keyword, allowing
              multiple values to be specified.

       VARIABLE[N]
              A variable array. Any number of values can be specified by increasing  N  for  each
              value.

VARIABLES

   NAME
       Syntax: <name>

       Specify the name of the zone. This must be the same as specified in /etc/fiaif/fiaif.conf.

   DEV
       Syntax: <interface-name>

       Specifies the name of the interface to which this zone is connected.

   DYNAMIC
       Syntax: 0|1

       Specifies whether the IP of the interface is dynamic (e.g., obtained via DHCP or unknown
       when FIAIF is started) or not. Disabling this provides better security, but this is not
       always an option with ISPs.

   GLOBAL
       Syntax: 0|1

       If set to one, any packets originating from IANA reserved networks are discarded (except
       those specified in the NET and NET_EXTRA variables). This should be set on your internet
       connection. If this is set to true, the interface cannot have multiple zone definitions.

   IP
       Syntax: <IP address>

       The IP of the interface.  This is only necessary to specify if DYNAMIC=0.

   MASK
       Syntax: <network mask>

       The network mask of the network connected to this interface. This is only necessary to
       specify if DYNAMIC=0. This information can be found by using the ifconfig command.

   NET
       Syntax: <ip address/networkmask>

       The network (address/mask) of the interface. This is only necessary to specify if
       DYNAMIC=0. This information can be found by using the ifconfig command.

   BCAST
       Syntax: <broadcast address>

       The broadcast address of the interface. This is only necessary to specify if DYNAMIC=0.
       This information can be found by using the ifconfig command.

   IP_EXTRA
       Syntax: [IP]*

       Contains a list of additional IP addresses that the interface can receive. Extra IPs for
       an interface are usually created by using interface aliases (e.g. eth0:0).

   NET_EXTRA
       Syntax: [IP/MASK]*

       A list specifying any extra networks besides the NET variables that are connected to this
       zone (interface). The extra nets would normally be connected through other routers.

   DHCP_SERVER
       Syntax: <0|1>

       Set to '1' if the server should accept DHCP queries.  Only one zone per  interface  should
       have this enabled, since DHCP packets do not hold any valid destination address.

   INPUT[N]
       Syntax: <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol> [port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]

       The INPUT variable describes how packets are handled through the input chain. Packets on
       the INPUT chain are packets coming from the zone to the firewall itself. The first
       argument is how a matched packet is treated. Protocol, ports and ip/mask are used to
       match packets (destination port, and source=>destination ip address). If none are
       specified, the rule matches all packets. The port argument must only be specified if the
       protocol is udp, tcp or icmp. When using these rules, a rule of thumb is only to accept
       specific packets, and to drop any not matched. In the following example, the first line
       accepts HTTP requests over the TCP protocol:

       INPUT[0]="ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"

       INPUT[1]="ACCEPT udp 1024:65535 0.0.0.0/0=>0.0.0.0/0"

       INPUT[2]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"

   OUTPUT[N]
       Syntax: <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol> [port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]

       Like the INPUT[N] rule. Packets on the OUTPUT chain are packets originating from the
       firewall itself going out into the zone itself. Ports are destination ports, and ip/mask
       is the source and destination ip/mask (if '=>' is not given, the ip is assumed to be the
       destination ip). The port argument must only be specified if the protocol is udp, tcp or
       icmp. The following example drops all telnet packets over the tcp protocol, drops any udp
       packets, and allows anything else sent from the firewall itself.

       OUTPUT[0]="DROP tcp 23 0.0.0.0/0=>0.0.0.0/0"

       OUTPUT[1]="DROP udp ALL 0.0.0.0/0=>0.0.0.0/0"

       OUTPUT[2]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

   FORWARD[N]
       Syntax: <zone|ALL> <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol[port<:port>[<,port>[:port]]*]> <ip/[mask]=>ip/[mask]>

       Used to specify how packets arriving from other zones are to be treated. If protocol or
       ports and ip/mask are not specified, then ALL is assumed. The port specifies the
       destination port, and ip specifies the source and destination ip. The port argument must
       only be specified if the protocol is udp, tcp or icmp. An example: a demilitarized zone
       may only accept HTTP requests from the internet (zone EXT). This would be specified by:

       FORWARD[0]="EXT ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"

       FORWARD[1]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

   MARK[N]
       Syntax: <zone|ALL> <mark number> <protocol[port<:port>[<,port>[:port]]*]> <ip/[mask]=>ip/[mask]>

       Use the MARK rules to set a MARK on packets passing through the firewall. This can then be
       used to determine how a packet is routed. The port argument must only be specified if the
       protocol is udp, tcp or icmp. If the source zone is ALL then all packets going into the
       zone are marked. If the source zone equals the zone-name of the zone the rule is in, then
       only packets originating from the firewall are marked.

       Otherwise, only packets routed through the firewall are marked. Example: mark all tcp
       packets going into the zone with '1' and all udp packets with mark '2'.

       MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"

       MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

   REPLY_FOO
       Syntax: <zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>

       Make special replies to packets. The type can be one of the following:

       icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable,
       icmp-net-prohibited, icmp-host-prohibited or tcp-reset (only valid for the TCP protocol).

       The zone argument specifies the source of the packet.

       This can be used, for  example,  to  disallow  authentication  requests,  but  instead  of
       dropping the packets, close the connection by sending a tcp-reset.

       REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"

   MAC_DROP
       Syntax: [MAC_ADDRESS]*|[file]

       Disallow any communication with the specified MAC addresses in this zone. Inserted on the
       PREROUTING chain. If the value is a file, then each line in the file is treated as a MAC
       address. Anything after a '#' is regarded as a comment and is ignored.

   IP_DROP
       Syntax: [IP/MASK]*|[file]

       Disallow  any  communication  with specified IP addresses in this zone.  If the value is a
       file, then each line in the file is treated as an ip address.  Anything  after  a  '#'  is
       regarded as a comment and is ignored.

   ECN_REMOVE
       Syntax: [IP/MASK]*|[file]

       Remove  the  ECN  bit  from  all packets destined to the specified servers (located in the
       zone). If the value is a file, then each line in the file is treated  as  an  ip  address.
       Anything after a '#' is regarded as a comment and is ignored.

   REDIRECT_FOO
       Syntax: <protocol[port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*]> [port]

       Alter the destination of packets.  The rule applies only for packets originating from this
       zone. Packets can be redirected to the firewall itself (127.0.0.1), to other zones or back
       into  the  zone  itself  (requires DYNAMIC==0 and GLOBAL==0). If packets are redirected to
       other zones, then remember to add a  FORWARD  rule  in  the  configuration  file  for  the
       destination  zone,  allowing  the  packets  to pass through. Please note, that redirecting
       packets back into the zone may cause serious network degradation.

       Example:

       REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

       All packets coming from the zone itself to port 80 are redirected to port 3128 on the
       firewall itself; this line can be used to set up a transparent proxy.

   WATCH_IP
       Syntax: [IP]*|[file]

       Log  every  packet  coming  from or going to the specific IP addresses.  If the value is a
       file, then each line in the file is treated as an IP address.  Anything  after  a  '#'  is
       regarded as a comment and is ignored.

   SNAT[N]
       Syntax: <ZONE|ip> <protocol[port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>

       Change the source address of a packet coming from this zone. If a ZONE is specified, then
       all packets are masqueraded to all ip addresses for the specified zone, specified by the
       IP or IP_EXTRA directive, in a round robin fashion. The remaining options specify the
       protocol, port and original source and destination of the packets to be SNAT'ed.

       To use MASQUERADING, where EXT is the zone for the internet, use:

       SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

   LIMIT_FOO
       Syntax: <zone> <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <limit> <burst> <protocol[port<:port>[<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>

       Limit number of packets. A LIMIT rule specifies how many packets are acceptable within the
       specified period of time. If more packets arrive, policy specifies how to handle these.

       zone: Is the zone from which the packet originates. This can be this zone itself.

       limit: Maximum average matching rate: specified as a number, with an optional '/second',
       '/minute', '/hour', or '/day' suffix.

       burst:  Maximum  initial  number  of packets to match: this number gets incremented by one
       every time the limit specified above is not reached, up to this number.

       protocol: The protocol: TCP|UDP|ICMP|ALL. This parameter is optional. The port argument
       must only be specified if the protocol is udp, tcp or icmp.

       ports: If protocol is tcp|udp: a list of ports or a port range. icmp: a list of icmp
       types separated by commas. This parameter is optional depending on the specified protocol.

       ip[/mask]=>ip[/mask] Specifies source address and optional destination address.  This  can
       only be specified if protocol is also specified.

       For example to limit number of echo requests (ping) from zone EXT, use:

       LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

   IPSET_FOO
       Syntax: <ip</mask>>[ip</mask>]*| <file>

       Specify a set of IPs to be used in zone rules. The IPs specified can be either numbers,
       hostnames, networks or names of other IP sets (recursively). The name of the set will be
       the name occurring after IPSET_. IP sets are bound to a zone, and cannot be used across
       zones. Currently, IP sets can only be used in INPUT, OUTPUT, FORWARD, SNAT, REDIRECT and
       MARK rules. If the IP set points to a file, then the file is read (relative to CONF_PATH).
       The name of IP sets must not conflict with aliases defined in the file pointed to by the
       ALIASES directive in the fiaif global configuration file.

       An example of the use of IP sets:

       IPSET_NAMESERVERS="1.2.3.4 1.2.3.5"

       INPUT[N]="ACCEPT tcp domain NAMESERVERS=>0.0.0.0/0"

       Which is equivalent to:

       INPUT[N]="ACCEPT tcp domain 1.2.3.4=>0.0.0.0/0"

       INPUT[N+1]="ACCEPT tcp domain 1.2.3.5=>0.0.0.0/0"
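       A complete zone file built from the variables above, followed by a small POSIX sh lint
       for the rule constraints this page states (a known action word, and a port list only when
       the protocol is tcp, udp or icmp). This is an added example, not part of the fiaif man
       page or project; the zone names LAN and EXT, the device and all addresses are assumptions.

```shell
# Constructed example zone file for an internal zone named LAN (not from the fiaif
# project); zone names LAN/EXT, the device and the addresses are assumptions.
ZONE_FILE="${TMPDIR:-/tmp}/fiaif-LAN.example.conf"
cat > "$ZONE_FILE" <<'EOF'
NAME=LAN
DEV=eth1
DYNAMIC=0                  # static address: IP, MASK, NET and BCAST are required
GLOBAL=0                   # this is not the internet link
IP=192.168.1.1
MASK=255.255.255.0
NET=192.168.1.0/24
BCAST=192.168.1.255
IPSET_ADMINS="192.168.1.10 192.168.1.11"
INPUT[0]="ACCEPT tcp 22 ADMINS=>0.0.0.0/0"               # ssh only from the admin set
INPUT[1]="ACCEPT udp domain 192.168.1.0/24=>0.0.0.0/0"   # DNS for LAN hosts
INPUT[2]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"                 # drop whatever was not matched
OUTPUT[0]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD[0]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"           # no other zone may send into LAN
SNAT[0]="EXT ALL 192.168.1.0/24=>0.0.0.0/0"              # masquerade LAN behind zone EXT
EOF
# check_rule <rule>: validate one "<action> <protocol> [ports] <ip[/mask]=>ip[/mask]>"
# rule: known action, and a port list only with tcp, udp or icmp ("ALL" is always allowed).
check_rule() {
    set -- $1                                # split the rule into its fields
    case "$1" in
        ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG) ;;
        *) echo "unknown action '$1'" >&2; return 1 ;;
    esac
    case "$#" in
        3) ports="" ;;                       # <action> <protocol> <addresses>
        4) ports=$3 ;;                       # <action> <protocol> <ports> <addresses>
        *) echo "expected 3 or 4 fields, got $#" >&2; return 1 ;;
    esac
    case "$ports" in ""|ALL) return 0 ;; esac   # no port list, nothing more to check
    case "$2" in
        tcp|udp|icmp|TCP|UDP|ICMP) return 0 ;;
        *) echo "ports '$ports' need tcp, udp or icmp, not '$2'" >&2; return 1 ;;
    esac
}
# lint_zone_file <file>: run check_rule over every INPUT, OUTPUT and FORWARD rule;
# a FORWARD rule carries a leading <zone> field, which is stripped first.
lint_zone_file() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            INPUT\[*|OUTPUT\[*) rule=${line#*=\"}; check_rule "${rule%%\"*}" || rc=1 ;;
            FORWARD\[*) rule=${line#*=\"}; rule=${rule%%\"*}; check_rule "${rule#* }" || rc=1 ;;
        esac
    done < "$1"
    return $rc
}
```

       Run lint_zone_file "$ZONE_FILE" after sourcing this; it exits non-zero and names the
       offending rule when, for example, a port list is given with protocol ALL.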

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif(8), fiaif.conf(8), iptables(8), ifconfig(8)