Provided by: fiaif_1.23.1-4_all


       fiaif.conf - fiaif global configuration file


       fiaif.conf  is  the  file  that  declares which zones should be set up in the firewall.  A
       "zone" is a piece of the "IP  universe"  existing  on  the  other  side  of  a  particular
       interface.  A zone is defined in a file listing rules for the handling of IP traffic into,
       out of, and through the associated interface.  The zonefile is described in  zone.conf(8).
       General configuration parameters are also declared in this file.

       fiaif.conf  and the zonefiles are bash(1) scripts in which the values of variables used in
       the fiaif program are assigned.  Although they are  shell  scripts,  they  should  contain
       nothing but assignment statements.

       Parameters in the configuration files are of three forms:

              These parameters take only a single value. The value may be a number or a string.

               These parameters are treated as a group, and all members of the group are processed
               in the same way.  There are two parts to these parameters' names. The first part is
               the name of the group, and the second part is a mnemonic.

              Parameter  values  are declared in an array.  Any number of values can be specified
              by incrementing the array index for each value.


       bashcommand -> [a shell command line]
       dirpath -> [path to a directory (no trailing '/')]
       fname -> [filename with no path]
       modulename -> [the name of an iptables module]
       portspec -> [a port number | a service in /etc/services]
       posint -> [an integer >= 0]
       TOStype -> [a Type-of-service name | a Type-of-service number]
       zonename -> [the zone identifier from a zone file]

       byteint -> 0..255
       cidrmask -> 0..32
       nullstring -> [nothing]
       string -> [char]<string>|<nullstring>

       boolean -> 0|1
       burstspec -> <posint>|<posint>/<timespec>
       IP4addr -> <byteint>.<byteint>.<byteint>.<byteint>
       iptablesprotocol -> [a protocol number | a protocol name from /etc/protocols]
       modulelist -> <nullstring>|<modulename> <modulelist>
       netaddr -> <IP4addr>/<cidrmask>
       netlist -> <nullstring>|<netaddr> <netlist>
       pathlist -> <dirpath>|<dirpath>:<pathlist>
       plist -> <nullstring>|<iptablesprotocol> <plist>
       tablelist -> mangle filter nat
       timespec -> second|minute|hour|day
       TOSportlist -> <nullstring> | any | <TOSportlistOpt>
       TOSportlistOpt -> <portspec> | <portspec>,<TOSportlist>
       ICMPtype -> <ICMP type string>
       zonelist -> <nullstring>|<zonename> <zonelist>


       The values of these parameters should (almost certainly) not be altered.

       Syntax: TABLES= "<tablelist>"

       A list of the packet processing tables in the Linux kernel.  As of  version  2.4.18,  only
       three tables are available: mangle, filter, and nat.

       Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"

       A  list of the reserved ipnumbers and masks, or a file containing this list, one <netaddr>
       per line.  See for more information.

       Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"

       A list of the private ipnumbers and masks, or a file containing this list,  one  <netaddr>
       per line.  See and rfc1918 for more information.

       Syntax: LOOPBACK_NET= "<netaddr>"

       The network of the loopback interface. "" in the distribution.

       Syntax: BIN_PATH= "<pathlist>"

       The search path for the iptables and tc binaries.


       The  values  of  these parameters should be altered.  They define the firewall deployed by
       fiaif and customize it for local networks and security policy.

       Syntax: DONT_START= <boolean>

       If set to one, the firewall  will  not  be  started.   DONT_START  is  set  to  1  in  the
       distributed  fiaif.conf  to prevent the inadvertent deployment of an unconfigured firewall
       from a download.  Set the value to zero or delete the line to enable the firewall.

       Syntax: CONF_DIR= "<directorypath>/"

       The path to the  configuration  directory.   CONF_DIR  is  set  to  "/etc/fiaif/"  in  the

       Syntax: SET_PROC_ERRORS= <boolean>
       Syntax: SET_PROC_WARNINGS= <boolean>

       When the command "fiaif test" is issued, a list of errors and warnings is displayed.
       If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors.
       If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the warnings.

       Syntax: SAVE_STATE= <boolean>

       If enabled, FIAIF will save all iptables rules to a file after these have been applied, if
       no errors were encountered while generating the rules. When FIAIF is started  again,  this
       file  is  used  if and only if no modifications have been made to any configuration files.
       Rules are saved to /var/lib/fiaif/iptables.

       Enabling this option greatly improves the start time of FIAIF, but may cause problems if,
       for example, the ipnumber of a static interface changes, in which case /etc/init.d/fiaif
       force-reload should be used to rebuild the ruleset from the configuration files.
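       The reuse rule above ("if and only if no modifications have been made to any configuration
       files") can be expressed as a modification-time comparison.  The function below is an
       added example (not fiaif's own code, and not how fiaif itself decides): it reports the
       saved state as usable only when no file under the configuration directory is newer than
       the state file.  The paths are parameters so the check can be exercised against a scratch
       directory; the function name is this example's own.

```bash
# Added example (not part of fiaif): fiaif_state_is_fresh <statefile> <confdir>
# exits 0 when the saved rules may be reused, 1 when they are missing or when
# any configuration file has been modified after the state was saved.
fiaif_state_is_fresh() {
    state="$1"      # e.g. /var/lib/fiaif/iptables
    conf_dir="$2"   # e.g. /etc/fiaif
    [ -f "$state" ] || return 1
    # find(1) lists regular files under conf_dir strictly newer than the
    # state file; any output means the saved rules may be stale.
    newer=$(find "$conf_dir" -type f -newer "$state" -print 2>/dev/null)
    [ -z "$newer" ]
}
```

       A timestamp check of this kind cannot notice the situation the text warns about, an
       interface address that changed without any configuration file being edited, which is why
       an explicit force-reload is still needed in that case.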

       Syntax: ZONES= "<zonelist>"

       A list of the zones to be set up.   There  must  be  a  zone  file  in  the  configuration
       directory matching each zone named in this list.

       ZONES="INT EXT"

       Syntax: CONF_[XXX]= "<fname>"

       A  group  (CONF) containing the names of the zone files.  It should match closely the names
       listed in the ZONES parameter. The zone files  must  be  in  the  directory  specified  in

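       A mismatch between ZONES and the CONF group (a zone listed without a CONF_ entry, or a
       CONF_ entry naming a file that does not exist in CONF_DIR) is a common cause of a firewall
       that fails to start.  The functions below are an added example (not fiaif's own code)
       that reads the relevant values with sed(1) instead of sourcing the file, then verifies
       that every zone in ZONES has a CONF_<zone> entry whose file is present in CONF_DIR.  Like
       bash, it takes the last assignment of a name when it occurs more than once.  The function
       names are this example's own.

```bash
# Added example (not part of fiaif): fiaif_value <file> <NAME> prints the
# value assigned to NAME in <file>, surrounding double quotes removed, taking
# the last assignment if there are several (as bash would).
fiaif_value() {
    val=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    val=${val%\"}; val=${val#\"}
    printf '%s\n' "$val"
}

# fiaif_check_zones <fiaif.conf> exits 0 when every zone named in ZONES has a
# CONF_<zone> entry and the named file exists in CONF_DIR; otherwise it
# reports each problem on stderr and exits 1.
fiaif_check_zones() {
    conf="$1"
    dir=$(fiaif_value "$conf" CONF_DIR)
    dir=${dir%/}                      # CONF_DIR is written with a trailing slash
    zones=$(fiaif_value "$conf" ZONES)
    bad=0
    for z in $zones; do
        f=$(fiaif_value "$conf" "CONF_$z")
        if [ -z "$f" ]; then
            printf 'zone %s is listed in ZONES but CONF_%s is not set\n' "$z" "$z" >&2
            bad=1
        elif [ ! -f "$dir/$f" ]; then
            printf 'zone %s: zone file %s not found\n' "$z" "$dir/$f" >&2
            bad=1
        fi
    done
    return $bad
}
```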

       Syntax: TEST_FILE= "<dirpath>/<fname>"

       The absolute pathname of the file to which commands are written when fiaif is run with the
       'test' option. Set to "/tmp/fiaif.out" in the distribution.

       Syntax: DEBUG= <boolean>

       If set to 1, fiaif will not drop any packets, but all rules are  still  applied,  and  the
       results  will  be  in  the  syslog.   Use this as a debugging tool if you are experiencing
       problems while setting up the zones.  Set to zero for fiaif to work normally.

       Syntax: VERBOSE= <boolean>

       Set this variable to 1 to have fiaif log all dropped or redirected packets in the  syslog.
       If  no  logging  is  wanted, set it to 0.  See LOG_LIMIT and LOG_BURST for details on when
       logging occurs.

       Syntax: FIAIF_ <string>

       Specify the prefix to use when logging packets to the system log or through ulogd.

       Syntax: ENABLE_ULOGD= <boolean>

       If set to 1 (and ulogd is running on the system), fiaif logs via ulogd.  If set to 0,
       fiaif logs through the standard syslog facility.

       Syntax: LOG_LIMIT= <posint>
       Syntax: LOG_BURST= "<burstspec>"

       Specify how often dropped or rejected packets should be entered into the system log.  Tune
       these to avoid flooding the logs.

       LOG_LIMIT is the maximum  average matching rate.  If no <timespec> is provided,  '/second'
       is assumed.

       LOG_BURST is the maximum  initial  number  of packets to match; this number is incremented
       by one every time  the  limit specified  above is not reached, up to  this  number.   Note
       the quotes around LOG_BURST's value.

       Syntax: LOG_LEVEL= <byteint>

       This  specifies  the  loglevel,  for  logging  to syslog or ulogd.  When using syslog, the
       number specifies the priority, see syslog.conf(5).   If  ENABLE_ULOGD  is  true,  LOG_LEVEL
       specifies the netlink group (1-32) to which the line to be logged is sent.

       Syntax: MODULES= "<modulelist>"

       Specifies  iptables  modules  to be loaded upon starting the firewall.  The modules remain
       loaded as long as the firewall is deployed.

       Syntax: PRE_SCRIPT[N]= "<bashcommand>"
       Syntax: POST_SCRIPT[N]= "<bashcommand>"

       This pair of array parameters may contain shell commands to be executed before/after fiaif
       creates the iptables rules.  The lines are executed in array-index sequence.

       Three  chains  per  zone  exist  to  support  user-defined  rules.  The  chain names are:
       name  is  the  name  of the zone. Packets will go through these chains before hitting rules
       generated by INPUT, OUTPUT and FORWARD rules in the  zone  configuration  files.  Remember
       that  only  packets  in the NEW state will hit these chains, and hence there is no need to
       test the state of a packet in these chains.

       Points to a file with IP alias specifications. These aliases are  available  to  all  zone
       configuration    files,    and    can    be    used    in    rules    where   the   syntax
       [<ip>[/<mask>]=>[<ip>[/<mask>] is used, as replacement  for  either  side.  See  IPSET  in
       zone.conf(8) for more information.

       Syntax: TOS_FILE= "<fname>"

       Specify  the  name  of the Type-Of-Service configuration file located in the configuration
       directory.  This file specifies manipulation of the TOS  bits  in  TCP  and  UDP  packets.
       Traffic control examines these fields to determine into which class a packet should fall.

       The file contains a group (TOS) with values of the form:
              TOS_[XXX]= "<TOS-type> <protocol> <TOSportlist|ICMPtype>"

              TOS_MIN_DLY_UDP= "Minimize-Delay udp"
              TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"


              The configuration file for FIAIF
              A list of private networks as specified by RFC1918
              A list of reserved networks as specified by IANA.
              Specifies IP aliases to be used for all configuration files.


       Anders Fugmann <anders(at)>


       fiaif(8), zone.conf(8)