Provided by: fiaif_1.23.1-4_all


       fiaif - FIAIF is an Intelligent Firewall.


       fiaif        <start|stop|restart|force-reload|status|panic|tc-start|tc-


       Fiaif deploys a  packet-filtering  firewall  by  reading  configuration
       files  and  setting  up  IP packet filtering rules using iptables.  The
       firewall is "zone"  based,  meaning  that  each  network  interface  is
       associated  with a defined piece of the "IP universe" on the other side
       of that interface from the host.  A zone is defined in a text file (the
       zone  configuration  file) listing rules for the handling of IP traffic
       into, out of, and through the associated interface.   The  rules  spell
       out  which connections to accept, which to reject, which to ignore, and
       which to forward through the firewall.  It is also possible to set up
       source and destination NAT for altering the source and/or destination
       addresses of packets as they pass through.   All  non-accepted  packets
       are logged to the system log.

       It should be noted that any packet related to an already accepted
       connection is allowed through the firewall.


       start  This will save the current state of netfilter, and apply the new
              firewall as described in the configuration files.

       stop   Restores the state saved when FIAIF was started.

       restart
              Same as stop, start.

       force-reload
              This option is the same as start, although it does not use any
              previously saved rules, and can be used even if fiaif has
              already been started.

       panic  Shut off all IP traffic - don't accept any packets from anywhere
              for any reason.  This can be used,  for  example,  if  uninvited
              guests  are  discovered  on  the  system  to  quickly  close the
              firewall and start analyzing log files.

       status Lists all rules in the firewall.

       test   Instead of deploying the firewall, all rules are written to the
              file specified in the "TEST_FILE" parameter in the global
              configuration file. This command also runs a sanity check on the
              networking configuration.  Any problems or warnings arising from
              this check are printed to STDERR.  Refer to sysctl.txt.html for
              details on the settings tested.  When deployed, FIAIF can
              automatically fix the warnings and/or errors displayed.  Please
              see fiaif.conf(8) for more information.


              The global configuration file.  See  fiaif.conf(8)  for  further

              file containing rules generated by fiaif.
              previous netfilter state

              previous state of /proc before fiaif was started.

              All illegal packets are logged to this file through syslog(3).


       Errors are logged to STDOUT.  If any errors are printed, then please
       recheck your configuration files.


       If the NO_CLEANUP variable is set to a non-empty value, then rules are
       not cleaned up after FIAIF is started.  This will speed up FIAIF startup
       time, but at the cost of having many more rules, so performance may (on
       small systems with many zones) be affected.  On a three-zone system
       FIAIF generated a total of 310 rules; after cleaning up the rules, the
       number was down to 241, a reduction of 22%.

       The FIAIF_CONF variable can be used to specify an alternative global
       configuration file, rather than using the default /etc/fiaif/fiaif.conf.
       This can be used to ease switching between two different firewall


       The test command line option is no guarantee that the firewall will
       perform as expected, only that the syntax is correct.  Only limited
       semantic checks of the rules are performed.
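       The following is an added example, not part of the fiaif package: a
       POSIX shell wrapper that uses the FIAIF_CONF variable and the test
       command described above as a pre-deployment gate, refusing to
       force-reload the live firewall when "fiaif test" exits non-zero or
       prints anything on STDERR.  The FIAIF_BIN variable is an assumption of
       this example (it only selects which fiaif executable to run); because
       test validates syntax, not behaviour, passing the gate is no proof that
       the rules do what the zone files intend.

```shell
#!/bin/sh
# Added example, not part of fiaif: gate a firewall reload on a clean
# "fiaif test" run against an alternative global configuration file.
# FIAIF_BIN is an assumed name: which fiaif executable to invoke.
: "${FIAIF_BIN:=fiaif}"

# check_fiaif_config CONF
# Runs "fiaif test" with FIAIF_CONF pointing at CONF, so the generated rules
# go to the TEST_FILE named in that configuration instead of into netfilter.
# Returns 0 only when fiaif exits 0 AND wrote nothing to STDERR, since the
# sanity-check warnings and errors are printed there.
check_fiaif_config() {
    conf=$1
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }
    errfile=$(mktemp) || return 2
    FIAIF_CONF=$conf "$FIAIF_BIN" test 2>"$errfile" >/dev/null
    rc=$?
    if [ -s "$errfile" ]; then
        echo "fiaif test reported problems for $conf:" >&2
        cat "$errfile" >&2
        rc=1
    fi
    rm -f "$errfile"
    return $rc
}

# deploy_fiaif_config CONF
# Reloads the live firewall from CONF only if the check passed.  force-reload
# is used because it applies a fresh rule set even when fiaif already runs.
deploy_fiaif_config() {
    check_fiaif_config "$1" || return $?
    FIAIF_CONF=$1 "$FIAIF_BIN" force-reload
}
```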


       Report bugs to <>.


       Anders Fugmann <anders(at)>


       fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)