Provided by: fiaif_1.23.1-4_all 
NAME
zone.conf - fiaif zone configuration files
DESCRIPTION
fiaif.conf is the file that determines how zones should be set up in the firewall. A zone
describes how traffic from other zones are allowed into a zone, and what packets are
allowed from the zone itself. Zones are based upon the interface and the network the
interface is connected to. It is possible to have multiple zones per interface, if and
only if the interface is not declared public. See the PUBLIC variable for more
information.
The general syntax of a configuration file is the same as for a bash(1) script, in which
only variables should be present.
The variables can be on three forms:
VARIABLE
This is a simple variable. It can only be assigned a single value.
VARIABLE_FOO
The denotes a variable sequence. The FOO can be replaced by any keyword, allowing
multiple values to be specified.
VARIABLE[N]
A variable array. Any number of values can be specified by increasing N for each
value.
VARIABLES
NAME
Syntax: <name>
Specify the name of the zone. This must be the same as specified in /etc/fiaif/fiaif.conf.
DEV
Syntax: <interface-name>
Specifies the interface name in which this zone is connected.
DYNAMIC
Syntax: 0|1
Specifies whether the IP of the interface is dynamic (e.g., obtained via DHCP or unknown
when FIAIF is started) or not. Disabling this provides better security, but this is not
always an option given from ISPs.
GLOBAL
Syntax: 0|1
Is set to one, any packets originating from IANA reserved networks are discarded (except
those specified in the NET and NET_EXTRA variables). This should be set on your internet
connection. If this is set to true, the interface cannot have multible zone definitions.
IP
Syntax: <IP address>
The IP of the interface. This is only necessary to specify if DYNAMIC=0.
MASK
Syntax: <network mask>
The network mask of the network connected to this interface. This is only necessary to
specify if DYNAMIC=0. This information can be found be using the ifconfig command.
NET
Syntax: <ip address/networkmask>
The network mask for the interface. This is only necessary to specify if DYNAMIC=0. This
information can be found be using the ifconfig command.
BCAST
Syntax: <broadcast address>
The broadcast address of the interface. This is only necessary to specify if DYNAMIC=0.
This information can be found be using the ifconfig command.
IP_EXTRA
Syntax: [IP]*
Contains a list of additional IP addresses that the interface can receive. Extra IP's for
an interface is usually created by using interface aliases (e.g. eth0:0).
NET_EXTRA
Syntax: [IP/MASK]*
A list specifying any extra networks besides the NET variables that are connected to this
zone (interface). The extra nets would normally be connected though other routers.
DHCP_SERVER
Syntax: <0|1>
Set to '1' if the server should accept DHCP queries. Only one zone per interface should
have this enabled, since DHCP packets do not hold any valid destination address.
INPUT[N]
Syntax: <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol>
[port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]
The INPUT variable describes how packets are handled through the input chain. Packets on
the INPUT chain are packets coming from the zone to the firewall itself. The first
argument is how a matched packet is treated. Protocol and ports and ip/mask are used to
match packets (destination port, and source=>destination ip address). If none are
specified, the rule matches all packets. The port argument must only be specified if the
protocol is udp, tcp or icmp When using these rules, a rule of thumb is only to accept
specific packets, and to drop any not matched. The following line 1 accepts HTTP-requests
over the TCP protocol:
INPUT[0]="ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"
INPUT[1]="ACCEPT udp 1024:65535 0.0.0.0/0=>0.0.0.0/0"
INPUT[2]="DROP ALL 0.0.0.0=>0.0.0.0"
OUTPUT[N]
Syntax: <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <protocol>
[port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]
Like the INPUT[N] rule. Packets on the OUTPUT chain are packets originating from the
firewall itself going out into the zone itself. ports are destination ports, and ip/mask
is the source and destination ip/mask (if '=>' is not given, the ip is assumed to be the
destination ip). The port argument must only be specified if the protocol is udp, tcp or
icmp The following example drops all telnet packets over the tcp protocol, drops any udp
packets, and allows any other send from the firewall itself.
OUTPUT[0]="DROP tcp 21 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[1]="DROP udp ALL 0.0.0.0/0=>0.0.0.0/0"
OUTPUT[2]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD[N]
Syntax: <zone|ALL> <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>
<protocol[port<:port>[<,port>[:port]]*]> <ip/[mask]=>ip/[mask]>
Use to specify how packets arriving from other zones are to be treated. If protocol or
ports and ip/mask is not specified, then ALL is assumed. The port specifies the
destination port, and ip specifies the source and destination ip. The port argument must
only be specified if the protocol is udp, tcp or icmp An example: A demilitarized zone may
only accept HTTP requests from the internet (zone EXT). This would be specified by:
FORWARD[0]="EXT ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"
FORWARD[1]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"
MARK[N]
Syntax: <zone|ALL> <mark number> <protocol[port<:port>[<,port>[:port]]*]>
<ip/[mask]=>ip/[mask]>
Use the MARK rules to set a MARK on packets passing through the firewall. This can then be
used to determine how a packet is routed. The port argument must only be specified if the
protocol is udp, tcp or icmp If the source zone is ALL then all packets going into the
zone are marked. If the source zone equals the zone-name of which the rule is in then only
packets originating from the firewall are marked.
Otherwise, only packets routed through the firewall are marked. Example: Mark all tcp
packets going into the zone with '1' and all udp packets with mark '2'.
MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"
REPLY_FOO
Syntax: <zone> <type> <protocol [port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>
Make special replies to packets. The type can be one of the following:
icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-
unreachable, icmp-net-prohibited, icmp-host-prohibited or tcp-reset (Only valid for the
TCP protocol).
The zone argument specifies the source of the packet.
This can be used, for example, to disallow authentication requests, but instead of
dropping the packets, close the connection by sending a tcp-reset.
REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"
MAC_DROP
Syntax: [MAC_ADDRESS]*|[file]
Disallow any communication with specified MAC-addresses in this zone. Inserted on
PREROUTING chain. If the value is a file, then each line in the file is treated as an MAC
address. Anything after a '#' is regarded as a comment and is ignored.
IP_DROP
Syntax: [IP/MASK]*|[file]
Disallow any communication with specified IP addresses in this zone. If the value is a
file, then each line in the file is treated as an ip address. Anything after a '#' is
regarded as a comment and is ignored.
ECN_REMOVE
Syntax: [IP/MASK]*|[file]
Remove the ECN bit from all packets destined to the specified servers (located in the
zone). If the value is a file, then each line in the file is treated as an ip address.
Anything after a '#' is regarded as a comment and is ignored.
REDIRECT_FOO
Syntax: <protocol[port[:port]]> <ip[/mask]=>ip[/mask]> <[ipaddr[,ipaddr]*]> [port]
Alter the destination of packets. The rule applies only for packets originating from this
zone. Packets can be redirected to the firewall itself (127.0.0.1), to other zones or back
into the zone itself (requires DYNAMIC==0 and GLOBAL==0). If packets are redirected to
other zones, then remember to add a FORWARD rule in the configuration file for the
destination zone, allowing the packets to pass through. Please note, that redirecting
packets back into the zone may cause serious network degradation.
Example:
REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"
All packets coming from the zone itself to port 80 are redirected to the firewall itself
port 3128, and this line can be used to setup a transparent proxy.
WATCH_IP
Syntax: [IP]*|[file]
Log every packet coming from or going to the specific IP addresses. If the value is a
file, then each line in the file is treated as an IP address. Anything after a '#' is
regarded as a comment and is ignored.
SNAT[N]
Syntax: <ZONE|ip> <protocol[port[:port][<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>
Change the source address of a packet coming from this zone. If a ZONE is specified, then
all packets are masqueraded to all ip addresses for the specified zone, specified by the
IP or IP_EXTRA directive, in a round robin fashion. The last options specifies the
protocol, port and original source and destination of the packets to be SNAT'ed.
To use MASQUADING, where EXT is the zone for the internet use:
SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"
LIMIT_FOO
Syntax: <zone> <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG> <limit> <burt>
<protocol[port<:port>[<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>
Limit number of packets. A LIMIT rule specifies how many packets are acceptable within the
specified period of time. If more packets arrive, policy specifies how to handle these.
zone: Is the zone from which the packet originates. This can be this zone itself.
limit: Maximum average matching rate: specified as a number, with an optional ´/second´,
´/minute´, ´/hour´, or ´/day´ suffix.
burst: Maximum initial number of packets to match: this number gets incremented by one
every time the limit specified above is not reached, up to this number.
protocol: The protocol: TCP|UDP|ICMP|ALL. This parameter is optional. The port argument
must only be specified if the protocol is udp, tcp or icmp
ports: If protocol is tcp|udp: A list of ports or a port range. icmp: A list of icmp
types separated by commas. This parameter is optional pending on the specified protocol.
ip[/mask]=>ip[/mask] Specifies source address and optional destination address. This can
only be specified if protocol is also specified.
For example to limit number of echo requests (ping) from zone EXT, use:
LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"
IPSET_FOO
Syntax: <ip</mask>>[ip</mask>]*| <file>
Specify a set of ip's to be used in zone rules. Ip's specified can be either numbers,
hostnames, networks or names of other ip sets (recursively). The name of the set will be
the name occuring after IPSET_. Ip sets is bound to a zone, and cannot be used across
zones. Currently, ip-sets can only be used in INPUT, OUTPUT, FORWARD, SNAT, REDIRECT and
MARK rules. If the ipset points to a file, then the file is read (relative to CONF_PATH ).
The name of IP sets must not conflict with aliases defined in the file pointed to by the
ALIASES directive in fiaif global configuration file.
An example of the use of IP sets:
IPSET_NAMESERVERS="1.2.3.4 1.2.3.5"
INPUT[N]="ACCEPT tcp domain NAMESERVERS=>0.0.0.0/0"
Which is equivalent to:
INPUT[N]="ACCEPT tcp domain 1.2.3.4=>0.0.0.0/0"
INPUT[N+1]="ACCEPT tcp domain 1.2.3.5=>0.0.0.0/0"
AUTHOR
Anders Fugmann <anders(at)fugmann.net>
SEE ALSO
fiaif(8), fiaif.conf(8), iptables(8), ifconfig(8)