Provided by: fiaif_1.23.1-4_all

NAME

       fiaif.conf - fiaif global configuration file

DESCRIPTION

       fiaif.conf  is  the file that declares which zones should be set up in the firewall.  A "zone" is a piece
       of the "IP universe" existing on the other side of a particular interface.  A zone is defined in  a  file
       listing  rules  for  the  handling of IP traffic into, out of, and through the associated interface.  The
       zonefile is described in zone.conf(8).  General configuration parameters are also declared in this file.

       fiaif.conf and the zonefiles are bash(1) scripts in which the values  of  variables  used  in  the  fiaif
       program  are  assigned.   Although  they  are  shell  scripts, they should contain nothing but assignment
       statements.

       Parameters in the configuration files are of three forms:

       SIMPLE
              These parameters take only a single value. The value may be a number or a string.

       GROUP
              These parameters are treated as a group, and all members of the group are processed  in  the  same
              way.  There are two parts to these parameters' names. The first part is the name of the group, and
              the second part is a mnemonic.

       ARRAY
              Parameter  values are declared in an array.  Any number of values can be specified by incrementing
              the array index for each value.

DEFINITIONS

       bashcommand -> [a shell command line]
       dirpath -> [path to a directory (no trailing '/')]
       fname -> [filename with no path]
       modulename -> [the name of an iptables module]
       portspec -> [a port number | a service in /etc/services]
       posint -> [an integer >= 0]
       TOStype -> [a Type-of-service name | a Type-of-service number]
       zonename -> [the zone identifier from a zone file]

       byteint -> 0..255
       cidrmask -> 0..32
       nullstring -> [nothing]
       string -> [char]<string>|<nullstring>

       boolean -> 0|1
       burstspec -> <posint>|<posint>/<timespec>
       IP4addr -> <byteint>.<byteint>.<byteint>.<byteint>
       iptablesprotocol -> [a protocol number | a protocol name from /etc/protocols]
       modulelist -> <nullstring>|<modulename> <modulelist>
       netaddr -> <IP4addr>/<cidrmask>
       netlist -> <nullstring>|<netaddr> <netlist>
       pathlist -> <dirpath>|<dirpath>:<pathlist>
       plist -> <nullstring>|<iptablesprotocol> <plist>
       tablelist -> mangle filter nat
       timespec -> second|minute|hour|day
       TOSportlist -> <nullstring> | any | <TOSportlistOpt>
       TOSportlistOpt -> <portspec> | <portspec>,<TOSportlist>
       ICMPtype -> <ICMP type string>
       zonelist -> <nullstring>|<zonename> <zonelist>

CONSTANT PARAMETERS

       The values of these parameters should (almost certainly) not be altered.

   TABLES
       Syntax: TABLES= "<tablelist>"

       A list of the packet processing tables in the Linux kernel.  As of version 2.4.18, only three tables  are
       available: mangle, filter, and nat.

   RESERVED_NETWORKS
       Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"

       A  list of the reserved ipnumbers and masks, or a file containing this list, one <netaddr> per line.  See
       http://www.iana.com for more information.

   PRIVATE_NETWORKS
       Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"

       A list of the private ipnumbers and masks, or a file containing this list, one <netaddr> per  line.   See
       http://www.iana.com and rfc1918 for more information.

   LOOPBACK_NET
       Syntax: LOOPBACK_NET= "<netaddr>"

       The network of the loopback interface. "127.0.0.1/8" in the distribution.

   BIN_PATH
       Syntax: BIN_PATH= "<pathlist>"

       The search path for the iptables and tc binaries.

PARAMETERS

       The  values  of  these  parameters  should  be  altered.   They define the firewall deployed by fiaif and
       customize it for local networks and security policy.

   DONT_START
       Syntax: DONT_START= <boolean>

       If set to one, the firewall will not be started.  DONT_START is set to 1 in the distributed fiaif.conf to
       prevent the inadvertent deployment of an unconfigured firewall from a download.  Set the value to zero or
       delete the line to enable the firewall.

   CONF_DIR
       Syntax: CONF_DIR= "<dirpath>/"

       The path to the configuration directory.  CONF_DIR is set to "/etc/fiaif/" in the distribution.

   SET_PROC_ERRORS
       Syntax: SET_PROC_ERRORS= <boolean>
   SET_PROC_WARNINGS
       Syntax: SET_PROC_WARNINGS= <boolean>

       When the command "fiaif test" is issued, a list of errors and warnings is displayed.
       If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors.
       If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the warnings.

   SAVE_STATE
       Syntax: SAVE_STATE= <boolean>

       If enabled, FIAIF will save all iptables rules to a file after these have been applied, if no errors were
       encountered  while generating the rules. When FIAIF is started again, this file is used if and only if no
       modifications have been made to any configuration files. Rules are saved to /var/lib/fiaif/iptables.

       Enabling this option greatly improves the start time of FIAIF, but may cause problems if, for example, the
       IP number of a static interface changes, in which case /etc/init.d/fiaif force-reload should be  used  to
       rebuild the ruleset from the configuration files.

   ZONES
       Syntax: ZONES= "<zonelist>"

       A list of the zones to be set up.  There must be a zone file in the configuration directory matching each
       zone named in this list.

       Example:
       ZONES="INT EXT"

   CONF_[XXX]
       Syntax: CONF_[XXX]= "<fname>"

       A group (CONF) containing the names of the zone files.  Each member name should match a zone  listed  in
       the ZONES parameter. The zone files must be in the directory specified in CONF_DIR.

       Example:
       CONF_INT="zone.internal"
       CONF_EXT="zone.external"
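       As an added example (not part of the fiaif distribution or of this manual page), the following shell
       script writes two constructed fiaif.conf fragments and checks the two consistency rules stated above:
       DONT_START must be 0 or absent for the firewall to start, and every zone named in ZONES must have a
       matching CONF_<zone> member.  The second fragment misspells the group name as CONT_EXT to show the
       mismatch being caught.

```shell
#!/bin/sh
# Two constructed fiaif.conf fragments (not the distributed file), written
# to a temporary directory so the checks below run offline.
FIAIF_EXAMPLE_DIR=$(mktemp -d)
cat > "$FIAIF_EXAMPLE_DIR/good.conf" <<'EOF'
DONT_START=0
CONF_DIR="/etc/fiaif/"
ZONES="INT EXT"
CONF_INT="zone.internal"
CONF_EXT="zone.external"
EOF
# Same layout, but the firewall is disabled and the EXT zone file is
# assigned to a misspelled group member (CONT_ instead of CONF_).
cat > "$FIAIF_EXAMPLE_DIR/bad.conf" <<'EOF'
DONT_START=1
CONF_DIR="/etc/fiaif/"
ZONES="INT EXT"
CONF_INT="zone.internal"
CONT_EXT="zone.external"
EOF

# firewall_enabled <conf>: status 0 when DONT_START is 0 or absent, 1
# otherwise, mirroring the DONT_START description.  The file is sourced
# in a subshell because fiaif.conf is a shell script and sourcing it
# executes whatever it contains: only run this on files you trust.
firewall_enabled() {
    (
        . "$1"
        [ "${DONT_START:-0}" = "0" ]
    )
}

# check_zones <conf>: verifies that every zone in ZONES has a matching
# CONF_<zone> assignment.  The status is the number of zones without one,
# so status 0 means ZONES and the CONF group agree.  Zone names are
# assumed to be valid shell identifiers, as the CONF_[XXX] syntax requires.
check_zones() {
    (
        . "$1"
        missing=0
        for zone in $ZONES; do
            eval "zonefile=\${CONF_$zone:-}"
            if [ -z "$zonefile" ]; then
                echo "zone $zone is in ZONES but CONF_$zone is not set" >&2
                missing=$((missing + 1))
            fi
        done
        exit "$missing"
    )
}
```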

   TEST_FILE
       Syntax: TEST_FILE= "<dirpath>/<fname>"

       The absolute pathname of the file to which commands are written when fiaif is run with the 'test' option.
       Set to "/tmp/fiaif.out" in the distribution.

   DEBUG
       Syntax: DEBUG= <boolean>

       If set to 1, fiaif will not drop any packets, but all rules are still applied, and the results will be in
       the  syslog.   Use  this as a debugging tool if you are experiencing problems while setting up the zones.
       Set to zero for fiaif to work normally.

   VERBOSE
       Syntax: VERBOSE= <boolean>

       Set this variable to 1 to have fiaif log all dropped or redirected packets in the syslog.  If no  logging
       is wanted, set it to 0.  See LOG_LIMIT and LOG_BURST for details on when logging occurs.

   LOG_PREFIX
       Syntax: LOG_PREFIX= "<string>"

       Specify the prefix (for example "FIAIF_") to use when logging packets to the system log or through ulogd.

   ENABLE_ULOGD
       Syntax: ENABLE_ULOGD= <boolean>

       If set to 1 (and ulogd is running on the system), fiaif logs via ulogd.  If set to 0, fiaif logs  through
       the standard syslog facility.

   LOG_LIMIT
       Syntax: LOG_LIMIT= <posint>
   LOG_BURST
       Syntax: LOG_BURST= "<burstspec>"

       Specify how often dropped or rejected packets should be entered into  the  system  log.   Tune  to  avoid
       spamming of logs.

       LOG_LIMIT is the maximum average matching rate.  If no <timespec> is provided, '/second' is assumed.

       LOG_BURST is the maximum initial number of packets to match; this number is incremented by one every time
       the limit specified above is not reached, up to the value of LOG_BURST.  Note the quotes around
       LOG_BURST's value.

   LOG_LEVEL
       Syntax: LOG_LEVEL= <byteint>

       This specifies the log level for logging to syslog or ulogd.  When using syslog, the number specifies the
       priority, see syslog.conf(5).  If ENABLE_ULOGD is true, the LOG_LEVEL number specifies the netlink  group
       (1-32) to which the line to be logged is sent.

   MODULES
       Syntax: MODULES= "<modulelist>"

       Specifies iptables modules to be loaded upon starting the firewall.  The modules remain loaded as long as
       the firewall is deployed.

   PRE_SCRIPT[N]
       Syntax: PRE_SCRIPT[N]= "<bashcommand>"
   POST_SCRIPT[N]
       Syntax: POST_SCRIPT[N]= "<bashcommand>"

       This pair of array parameters may contain shell commands to be executed before/after  fiaif  creates  the
       iptables rules.  The lines are executed in array-index sequence.

       Three chains per zone exist to support user-defined rules, where <ZONE_NAME> is the name of the zone:
              USER_INPUT_<ZONE_NAME>
              USER_OUTPUT_<ZONE_NAME>
              USER_FORWARD_<ZONE_NAME>
       Packets go through these chains before hitting the rules generated from the INPUT, OUTPUT and FORWARD
       rules in the zone configuration files.  Remember that only packets in the NEW state will hit these
       chains, so there is no need to test the state of a packet in these chains.

   ALIASES
       Points to a file with IP alias specifications.  These aliases are available  to  all  zone  configuration
       files, and can be used in rules of the form <ip>[/<mask>]=><ip>[/<mask>] as a replacement for either side.
       See IPSET in zone.conf(8) for more information.

   TOS_FILE
       Syntax: TOS_FILE= "<fname>"

       Specify the name of the Type-Of-Service configuration file located in the configuration directory.   This
       file  specifies  manipulation  of  the  TOS  bits in TCP and UDP packets.  Traffic control examines these
       fields to determine into which class a packet should fall.

       The file contains a group (TOS) with values of the form:
              TOS_[XXX]= "<TOS-type> <protocol> <TOSportlist|ICMPtype>"

       Examples:
              TOS_MIN_DLY_UDP= "Minimize-Delay udp"
              TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"

FILES

       /etc/fiaif/fiaif.conf
              The configuration file for FIAIF
       /etc/fiaif/private_networks
              A list of private networks as specified by RFC1918
       /etc/fiaif/reserved_networks
              A list of reserved networks as specified by IANA.
       /etc/fiaif/aliases
              Specifies IP aliases to be used for all configuration files.

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif(8), zone.conf(8)

Linux                                               Aug 2002                                       FIAIF.CONF(5)