Provided by: fiaif_1.23.1-4_all

NAME

       fiaif - FIAIF is an Intelligent Firewall.

SYNOPSIS

       fiaif  <start|stop|restart|force-reload|status|panic|test|tc-start|
       tc-stop|tc-status>

DESCRIPTION

       Fiaif deploys a  packet-filtering  firewall  by  reading  configuration
       files  and  setting  up  IP packet filtering rules using iptables.  The
       firewall is "zone"  based,  meaning  that  each  network  interface  is
       associated  with a defined piece of the "IP universe" on the other side
       of that interface from the host.  A zone is defined in a text file (the
       zone  configuration  file) listing rules for the handling of IP traffic
       into, out of, and through the associated interface.   The  rules  spell
       out  which connections to accept, which to reject, which to ignore, and
       which to forward through the firewall.  It is also  possible  to  setup
       source  and  destination NAT for altering the source and/or destination
       addresses of packets as they pass through.   All  non-accepted  packets
       are logged to the system log.

       It should be noted that any packet related to  an  already  accepted
       connection is allowed through the firewall (the filtering is stateful).

OPTIONS

       start  This will save the current state of netfilter, and apply the new
              firewall as described in the configuration files.

       stop   Restores the state saved when FIAIF was started.

       restart
              Same as stop followed by start.

       force-reload
              This  option  is the same as start, although it does not use any
              previously saved rules, and  can  be  used  even  if  fiaif  has
              already been started.

       panic  Shut off all IP traffic - don't accept any packets from anywhere
              for any reason.  This can be used,  for  example,  if  uninvited
              guests  are  discovered  on  the  system  to  quickly  close the
              firewall and start analyzing log files.

       status Lists all rules in the firewall.

       test   Instead of deploying the firewall, all rules are written to  the
              file  specified  by  the  "TEST_FILE"  parameter  in  the global
              configuration file. This command also runs a sanity check on the
              networking  configuration  (kernel sysctl settings). Any problems
              or warnings arising from this check are  printed  to  STDERR.
              Refer to
              http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-sysctl.txt.html
              for details on the settings tested.  When deployed,  FIAIF  can
              automatically  fix  the  warnings  and/or errors displayed.
              Please see fiaif.conf(8) for more information.
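       The following is an added example and is not part of fiaif or  of
       this  manual page: a small POSIX shell script that spells out what
       start, stop, force-reload and panic do underneath, using  iptables-
       save(8) and iptables-restore(8).  The snapshot and rules file names
       follow the FILES section below; the DRY_RUN switch, the refusal to
       run start twice, the LOG rules in the panic ruleset and the rule_count
       helper are assumptions of this example, not documented fiaif behaviour.

```sh
#!/bin/sh
# Added example, not fiaif's own code: the snapshot/apply/restore cycle
# behind "fiaif start", "stop", "force-reload" and "panic", spelled out
# with iptables-save(8) and iptables-restore(8).  The DRY_RUN switch, the
# refusal to start twice and the LOG rules in the panic set are this
# example's own choices; the file names follow the FILES section.

# Run a command, or only print it when DRY_RUN is set, so the flow can
# be read and tested on a host without root or iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Record the live netfilter state into $2 (directory $1 is created first).
snapshot() {
    run mkdir -p "$1"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ iptables-save > %s\n' "$2"
    else
        iptables-save > "$2"
    fi
}

# Ruleset for the panic posture: every policy is DROP and nothing is
# accepted, so loopback and the current SSH session die too; run it from
# a console.  The LOG rules (this example's addition) keep a record of
# what is still hitting the host while the logs are being analysed.
panic_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j LOG --log-prefix "PANIC-IN: "
-A FORWARD -j LOG --log-prefix "PANIC-FWD: "
COMMIT
EOF
}

# Number of rules ("-A" lines) in a file in iptables-save format; handy
# for comparing a ruleset generated with and without NO_CLEANUP.
rule_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-A' "$1" || true
}

fw_action() {
    dir="${STATE_DIR:-/var/lib/fiaif}"
    saved="$dir/iptables"    # previous netfilter state
    active="$dir/fiaif"      # generated rules to load
    case "$1" in
        start)
            # A second "start" would overwrite the pre-fiaif snapshot with
            # fiaif's own rules, and "stop" could never undo it.
            if [ -f "$saved" ]; then
                echo "already started: $saved exists (use stop or force-reload)" >&2
                return 1
            fi
            snapshot "$dir" "$saved"
            # iptables-restore commits a table atomically, so no half-built
            # chain is ever live, unlike a loop of iptables(8) calls.
            run iptables-restore "$active"
            ;;
        stop)
            if [ ! -f "$saved" ]; then
                echo "no snapshot in $saved; nothing to restore" >&2
                return 1
            fi
            run iptables-restore "$saved"
            run rm -f "$saved"           # we are no longer "started"
            ;;
        restart)
            fw_action stop && fw_action start
            ;;
        force-reload)
            run iptables-restore "$active"   # reload, snapshot left untouched
            ;;
        panic)
            # Keep an existing snapshot so "stop" can still undo the lockdown.
            [ -f "$saved" ] || snapshot "$dir" "$saved"
            panic_ruleset | run iptables-restore
            ;;
        status)
            run iptables -L -n -v
            ;;
        *)
            echo "usage: fw_action start|stop|restart|force-reload|panic|status" >&2
            return 2
            ;;
    esac
}

if [ $# -gt 0 ]; then
    fw_action "$1"
fi
```

       Run it as "DRY_RUN=1 STATE_DIR=/tmp/fw ./fw.sh panic" to see the commands
       without touching netfilter; without DRY_RUN the script needs root.
       rule_count on a saved file gives the figure to compare when experimenting
       with NO_CLEANUP (see ENVIRONMENT).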

FILES

       /etc/fiaif/fiaif.conf
              The global configuration file.  See  fiaif.conf(8)  for  further
              details.

       /var/lib/fiaif/fiaif
              File containing the rules generated by fiaif.

       /var/lib/fiaif/iptables
              Previous netfilter state, saved when fiaif was started.

       /var/lib/fiaif/sysctl
              Previous  sysctl  settings  (under /proc/sys) from before fiaif
              was started.

       /var/log/messages
              All non-accepted (dropped or rejected) packets are logged to this
              file through syslog(3).

DIAGNOSTICS

       Errors are logged to STDOUT.  If any error is printed, recheck your
       configuration files.

ENVIRONMENT

       If the NO_CLEANUP variable is set to a non-empty value, the generated
       rules are not cleaned up after FIAIF is started.  This speeds up FIAIF
       startup, at the cost of a larger rule set; on small systems with  many
       zones, performance may be affected.  On a three-zone system FIAIF
       generated 310 rules in total; after cleaning up the rules,  the  number
       of rules was down to 241, a reduction of 22%.

       The FIAIF_CONF variable can be used to specify an alternative global
       configuration file, rather than the default /etc/fiaif/fiaif.conf.
       This eases switching between two different firewall configurations.

BUGS

       The test command line option is no guarantee  that  the  firewall  will
       perform  as  expected,  only  that  the syntax is correct.  Only limited
       semantic checks of the rules are performed.

REPORTING BUGS

       Report bugs to <fiaif@fiaif.net>.

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)