Provided by: fiaif_1.23.1-4_all 
NAME
fiaif - FIAIF is an Intelligent Firewall.
SYNOPSIS
fiaif <start|stop|restart|force-reload|status|panic|tc-start|tc-stop|tc-status>
DESCRIPTION
Fiaif deploys a packet-filtering firewall by reading configuration files and setting up IP
packet filtering rules using iptables. The firewall is "zone" based, meaning that each
network interface is associated with a defined piece of the "IP universe" on the other
side of that interface from the host. A zone is defined in a text file (the zone
configuration file) listing rules for the handling of IP traffic into, out of, and through
the associated interface. The rules spell out which connections to accept, which to
reject, which to ignore, and which to forward through the firewall. It is also possible
to setup source and destination NAT for altering the source and/or destination addresses
of packets as they pass through. All non-accepted packets are logged to the system log.
It should be noted that any packet related to an already accepted connection is allowed
though the firewall.
OPTIONS
start This will save the current state of netfilter, and apply the new firewall as
described in the configuration files.
stop Restores the state saved when FIAIF was started.
restart
Same as stop,start
force-reload
This option is the same as start, although it does not use any previously saved
rules, and can be used even if fiaif has already been started.
panic Shut off all IP traffic - don't accept any packets from anywhere for any reason.
This can be used, for example, if uninvited guests are discovered on the system to
quickly close the firewall and start analyzing log files.
status Lists all rules in the firewall.
test Instead of deploying the firewall, all rules are written to the file specified in
the "TEST_FILE" parameter in the global configuration file. This command also runs
a sanity check on the networking configuration. Any problems or warnings arising
from this check are printed to STDERR. Refer to
http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-sysctl.txt.html for details on
settings tested. When deployed, FIAIF can automatically fix the warnings and/or
errors displayed. Please see fiaif.conf(8) for more information.
FILES
/etc/fiaif/fiaif.conf
The global configuration file. See fiaif.conf(8) for further details.
/var/lib/fiaif/fiaif
file containing rules generated by fiaif.
/var/lib/fiaif/iptables
previous netfilter state
/var/lib/fiaif/sysctl
previous state of /proc before fiaif was started.
/var/log/messages
All illegal packets are logged to this file though syslog(3)
DIAGNOSTICS
Errors are logged to STDOUT. If any errors is printed, then please recheck your
configuration files.
ENVIRONMENT
If the NO_CLEANUP variable is set to a non-empty value, then rules are not cleaned up
after FIAIF is started. This will speed up FIAIF startup time, but at the cost of having
lots of rules and performance may (on small systems with many zones) be affected. On a
three zone system FIAIF generated in total 310 rules. After cleaning up the rules, the
number of rules was down to 241. A reduction of 22%.
The FIAIF_CONF can be used to specify an anternative global configurationfile, rather than
using the default /etc/fiaif/fiaif.conf. This can be used to ease switching between two
different firewall configurations.
BUGS
The test command line option is no guarantee that the firewall will perform as expected,
only that the syntax is correct. Only limited semantic checks of rulesis performed.
REPORTING BUGS
Report bugs to <fiaif@fiaif.net>.
AUTHOR
Anders Fugmann <anders(at)fugmann.net>
SEE ALSO
fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)