Provided by: fiaif_1.23.1-3_all

NAME

       fiaif - FIAIF is an Intelligent Firewall.

SYNOPSIS

       fiaif <start|stop|restart|force-reload|status|test|panic|tc-start|tc-stop|tc-status>

DESCRIPTION

       Fiaif deploys a packet-filtering firewall by reading configuration files and setting up IP
       packet filtering rules using iptables.  The firewall is "zone" based,  meaning  that  each
       network  interface  is  associated  with a defined piece of the "IP universe" on the other
       side of that interface from the host.  A  zone  is  defined  in  a  text  file  (the  zone
       configuration file) listing rules for the handling of IP traffic into, out of, and through
       the associated interface.  The rules spell out  which  connections  to  accept,  which  to
       reject,  which  to ignore, and which to forward through the firewall.  It is also possible
       to setup source and destination NAT for altering the source and/or  destination  addresses
       of packets as they pass through.  All non-accepted packets are logged to the system log.

       It should be noted that any packet related to an already accepted connection  is  allowed
       through  the  firewall  by connection tracking; the zone rules only decide whether a new
       connection is accepted.
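
       The  following  is  an added example, not part of the fiaif package, for the log analysis
       that the DESCRIPTION above and the panic option refer to.  It reads the  netfilter  LOG
       lines  that  end  up  in /var/log/messages and summarises which sources were rejected on
       which ports, and which sources probed many distinct ports.  Only the kernel's own  field
       names  (IN=,  SRC=,  PROTO=,  DPT=)  are  assumed; the log prefix fiaif uses and the sample
       lines below are constructed for the example.

```sh
#!/bin/sh
# Added example, not fiaif's own code: triage netfilter LOG lines written via
# syslog (see /var/log/messages in FILES).  Assumes only the kernel's field
# names IN= OUT= SRC= DST= PROTO= DPT=; no particular log prefix is assumed.
# ICMP entries carry TYPE=/CODE= instead of DPT= and are skipped.

# Constructed sample standing in for /var/log/messages (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=41234 DPT=22 SYN
Mar  3 10:15:02 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2
Mar  3 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=41235 DPT=22 SYN
Mar  3 10:15:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=44 TTL=64 PROTO=TCP SPT=55000 DPT=23 SYN
Mar  3 10:15:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=44 TTL=64 PROTO=TCP SPT=55001 DPT=80 SYN
Mar  3 10:15:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=72 TTL=128 PROTO=UDP SPT=5353 DPT=53
Mar  3 10:15:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=41236 DPT=22 SYN
Mar  3 10:15:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=44 TTL=64 PROTO=TCP SPT=55002 DPT=445 SYN
Mar  3 10:15:07 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=72 TTL=128 PROTO=UDP SPT=5353 DPT=53
Mar  3 10:15:08 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
EOF

# Print "count source proto dport", most frequent first, for every rejected
# source/port pair found in the syslog file given as $1.
summarize_rejects() {
    awk '
        /IN=.*SRC=.*DPT=/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "" && dpt != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Print "source ports" for sources that hit more than $2 distinct destination
# ports in the syslog file $1; a simple port-scan indicator.
port_scanners() {
    awk -v t="$2" '
        /IN=.*SRC=.*DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] > t) print s, ports[s] }
    ' "$1" | sort
}

# Stand-alone run over the constructed sample; against the live log use
# summarize_rejects /var/log/messages and port_scanners /var/log/messages 10.
echo "Rejected packets by source/protocol/port:"
summarize_rejects "$SAMPLE_LOG"
echo "Sources probing more than 2 distinct ports:"
port_scanners "$SAMPLE_LOG" 2
```

       Lines  that  are  not  netfilter  LOG  entries  (the  sshd  line in the sample) are ignored,
       so the functions can be pointed at the whole of /var/log/messages.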

OPTIONS

       start  This will save the current state of  netfilter,  and  apply  the  new  firewall  as
              described in the configuration files.

       stop   Restores the state saved when FIAIF was started.

       restart
               Same as stop followed by start.

       force-reload
              This  option  is  the  same as start, although it does not use any previously saved
              rules, and can be used even if fiaif has already been started.

       panic  Shut off all IP traffic: no packets are accepted  from  anywhere  for  any  reason.
               This  can be used, for example, if uninvited guests are discovered on the system to
               close the firewall at once and start analysing  the  log  files.   Note  that  this
               also  cuts every remote session to the host, including the one issuing the command,
               so it is best run from the console.

       status Lists all rules in the firewall.

       test   Instead of deploying the firewall, all rules are written to the file  specified  in
               the  "TEST_FILE" parameter in the global configuration file. This command also runs
               a sanity check on the networking configuration.  Any problems or  warnings  arising
               from  this  check  are  printed  to  STDERR.   Refer  to
               http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-sysctl.txt.html for details on
               the settings tested.  When the firewall is deployed with start, FIAIF can  correct
               the  settings  it  warned  about  automatically.  Please see fiaif.conf(8) for more
               information.

FILES

       /etc/fiaif/fiaif.conf
              The global configuration file. See fiaif.conf(8) for further details.

       /var/lib/fiaif/fiaif
               file containing rules generated by fiaif.

       /var/lib/fiaif/iptables
               previous netfilter state

       /var/lib/fiaif/sysctl
              previous state of /proc before fiaif was started.

       /var/log/messages
               All non-accepted packets are logged to this file through syslog(3)

DIAGNOSTICS

       Errors  are  logged  to  STDOUT.  If any errors are printed, recheck your configuration
       files.

ENVIRONMENT

       If  the  NO_CLEANUP  variable  is  set to a non-empty value, then rules are not cleaned up
       after FIAIF is started. This speeds up FIAIF startup, at the cost of  a  larger  rule  set;
       on  small  systems  with  many  zones  performance  may suffer as a result.  On a three zone
       system FIAIF generated 310 rules in total.  After cleaning up the rules, the number  was
       down to 241, a reduction of 22%.

       FIAIF_CONF  can  be  used  to  specify  an alternative global configuration file, rather
       than the default /etc/fiaif/fiaif.conf. This can be used to  ease  switching  between  two
       different firewall configurations.
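
       An  added  example,  not  part  of  fiaif,  of  switching configurations through FIAIF_CONF.
       The wrapper refuses a configuration file that is a symlink, not a regular file, or  writable
       by  group  or others before exporting FIAIF_CONF and invoking fiaif, since whatever is in
       that file becomes the live rule set.  The permission check is this example's  own  precau-
       tion, not something fiaif itself performs.

```sh
#!/bin/sh
# Added example, not fiaif's own code: run fiaif against an alternative global
# configuration selected with FIAIF_CONF, after checking that the file cannot
# have been altered by an unprivileged user.  The check is an assumption of
# this example; fiaif does not document one.

# Return 0 if $1 is a regular, non-symlink file with no group/other write bit.
check_conf_perms() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    # Portable mode test: columns 6 and 9 of "ls -ld" are the group and
    # other write bits, so a 'w' in either position means the file is shared.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*)
            echo "$f: writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# Usage: fiaif_with_conf /etc/fiaif/fiaif-dmz.conf test
# The first argument is the alternative global configuration file (a
# hypothetical path above); the rest are passed to fiaif as its action.
fiaif_with_conf() {
    conf=$1
    shift
    check_conf_perms "$conf" || return 1
    FIAIF_CONF=$conf
    export FIAIF_CONF
    fiaif "$@"
}

# Stand-alone: ./switch-conf.sh <config-file> <fiaif action>
if [ $# -gt 0 ]; then
    fiaif_with_conf "$@"
fi
```

       Running  the  alternative  configuration  through  "test"  first  writes  the  rules  to
       TEST_FILE  for  review;  "force-reload"  then  applies  it  even  if  fiaif  is   already
       running.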

BUGS

       The  test  command line option is no guarantee that the firewall will perform as expected,
       only that the syntax is correct. Only limited semantic checks of the rules are performed.

REPORTING BUGS

       Report bugs to <fiaif@fiaif.net>.

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)