Provided by: fiaif_1.23.1-4_all 
NAME
fiaif.conf - fiaif global configuration file
DESCRIPTION
fiaif.conf is the file that declares which zones should be set up in the firewall. A
"zone" is a piece of the "IP universe" existing on the other side of a particular
interface. A zone is defined in a file listing rules for the handling of IP traffic into,
out of, and through the associated interface. The zonefile is described in zone.conf(8).
General configuration parameters are also declared in this file.
fiaif.conf and the zonefiles are bash(1) scripts in which the values of variables used in
the fiaif program are assigned. Although they are shell scripts, they should contain
nothing but assignment statements.
Parameters in the configuration files are of three forms:
SIMPLE
These parameters take only a single value. The value may be a number or a string.
GROUP
These parameters are treated as a group, and all members of the group are processed
in the same way. There are two parts to these parameters´ names. The first part is
the name of the group, and the second part is a mnemonic.
ARRAY
Parameter values are declared in an array. Any number of values can be specified
by incrementing the array index for each value.
DEFINITIONS
bashcommand -> [a shell command line]
dirpath -> [path to a directory (no trailing ´/´)]
fname -> [filename with no path]
modulename -> [the name of an iptables module]
portspec -> [a port number | a service in /etc/services]
posint -> [an integer >= 0]
TOStype -> [a Type-of-service name | a Type-of-service number]
zonename -> [the zone identifier from a zone file]
byteint -> 0..255
cidrmask -> 0..32
nullstring -> [nothing]
string -> [char]<string>|<nullstring>
boolean -> 0|1
burstspec -> <posint>|<posint>/<timespec>
IP4addr -> <byteint>.<byteint>.<byteint>.<byteint>
iptablesprotocol -> [a protocol number | a protocol name from /etc/protocols]
modulelist -> <nullstring>|<modulename> <modulelist>
netaddr -> <IP4addr>/<cidrmask>
netlist -> <nullstring>|<netaddr> <netlist>
pathlist -> <dirpath>|<dirpath>:<pathlist>
plist -> <nullstring>|<iptablesprotocol> <plist>
tablelist -> mangle filter nat
timespec -> second|minute|hour|day
TOSportlist -> <nullstring> | any | <TOSportlistOpt>
TOSportlistOpt -> <portspec> | <portspec>,<TOSportlist>
ICMPtype -> <ICMP type string>
zonelist -> <nullstring>|<zonename> <zonelist>
CONSTANT PARAMETERS
The values of these parameters should (almost certainly) not be altered.
TABLES
Syntax: TABLES= "<tablelist>"
A list of the packet processing tables in the Linux kernel. As of version 2.4.18, only
three tables are available: mangle, filter, and nat.
RESERVED_NETWORKS
Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"
A list of the reserved ipnumbers and masks, or a file containing this list, one <netaddr>
per line. See http://www.iana.com for more information.
PRIVATE_NETWORKS
Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"
A list of the private ipnumbers and masks, or a file containing this list, one <netaddr>
per line. See http://www.iana.com and rfc1918 for more information.
LOOPBACK_NET
Syntax: LOOPBACK_NET= "<netaddr>"
The network of the loopback interface. "127.0.0.1/8" in the distribution.
BIN_PATH
Syntax: BIN_PATH= "<pathlist>"
The search path for the iptables and tc binaries.
PARAMETERS
The values of these parameters should be altered. They define the firewall deployed by
fiaif and customize it for local networks and security policy.
DONT_START
Syntax: DONT_START= <boolean>
If set to one, the firewall will not be started. DONT_START is set to 1 in the
distributed fiaf.conf to prevent the inadvertant deployment of an unconfigured firewall
from a download. Set the value to zero or delete the line to enable the firewall.
CONF_DIR
Syntax: CONF_DIR= "<directorypath>/"
The path to the configuration directory. CONF_DIR is set to "/etc/fiaif/" in the
distribution.
SET_PROC_ERRORS
Syntax: SET_PROC_ERRORS= <boolean>
SET_PROC_WARNINGS
Syntax: SET_PROC_WARNINGS= <boolean>
When the command "fiaif test" is issued, a list of errors and warnings are displayed.
If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors.
If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the warnings.
SAVE_STATE
Syntax: SAVE_STATE= <boolean>
If enabled, FIAIF will save all iptables rules to a file after these have been applied, if
no errors were encountered while generating the rules. When FIAIF is started again, this
file is used if and only if no modifications have been made to any configuration files.
Rules are saved to /var/lib/fiaif/iptables.
Enabling this option greatly improves start time of FIAIF, but may cause problems if, for
example, the ipnumber of a static interface changes, in which case /etc/init.d/fiaif
force-reload should be used to rebuild ruleset from configuration files.
ZONES
Syntax: ZONES= "<zonelist>"
A list of the zones to be set up. There must be a zone file in the configuration
directory matching each zone named in this list.
Example:
ZONES="INT EXT"
CONF_[XXX]
Syntax: CONF_[XXX]= "<fname>"
A group (CONF) containing the names of the zone files. It should match closly the names
listed in the ZONES parameter. The zone files must be in the directory specified in
CONF_DIR.
Example:
CONF_INT="zone.internal"
CONT_EXT="zone.external"
TEST_FILE
Syntax: TEST_FILE= "<dirpath>/<fname>"
The absolute pathname of the file to which commands are written when fiaif is run with the
´test´ option. Set to "/tmp/fiaif.out" in the distribution.
DEBUG
Syntax: DEBUG= <boolean>
If set to 1, fiaif will not drop any packets, but all rules are still applied, and the
results will be in the syslog. Use this as a debugging tool if you are experiencing
problems while setting up the zones. Set to zero for fiaif to work normally.
VERBOSE
Syntax: VERBOSE= <boolean>
Set this variable to 1 to have fiaif log all dropped or redirected packets in the syslog.
If no logging is wanted, set it to 0. See LOG_LIMIT and LOG_BURST for details on when
logging occurs.
LOG_PREFIX
Syntax: FIAIF_ <string>
Specify the prefix to use when logging packets to system log or though ulogd.
ENABLE_ULOGD
Syntax: ENABLE_ULOGD= <boolean>
If set to 1 (and the ulogd is running on the system), fiaif logs via a ulogd. If set to
0, fiaif logs through the standard syslog facility.
LOG_LIMIT
Syntax: LOG_LIMIT= <posint>
LOG_BURST
Syntax: LOG_BURST= "<burstspec>"
Specify how often dropped or rejected packets should be entered into the system log. Tune
to avoid spamming of logs.
LOG_LIMIT is the maximum average matching rate. If no <timespec> is provided, ´/second´
is assumed.
LOG_BURST is the maximum initial number of packets to match; this number is incrememted
by one every time the limit specified above is not reached, up to this number. Note
the quotes around LOG_BURST´s value.
LOG_LEVEL
Syntax: LOG_LEVEL= <byteint>
This specifies the loglevel, for logging to syslog or ulogd. When using syslog, the
number specifies the priority, see syslog.conf(5). If ENABLE_ULOG is true, LOG_LEVEL
number specifies the netlink group (1-32), to which the line to be logged is is sent.
MODULES
Syntax: MODULES= "<modulelist>"
Specifies iptables modules to be loaded upon starting the firewall. The modules remain
loaded as long as the firewall is deployed.
PRE_SCRIPT[N]
Syntax: PRE_SCRIPT[N]= "<bashcommand>"
POST_SCRIPT[N]
Syntax: POST_SCRIPT[N]= "<bashcommand>"
This pair of array parameters may contain shell commands to be executed before/after fiaif
creates the iptables rules. The lines are executed in array-index sequence.
Three chains per zone exists to support user-defined rules. The chain names are:
USER_INPUT_<ZONE_NAME> USER_OUTPUT_<ZONE_NAME> USER_FORWARD_<ZONE_NAME> Where the zone
name is the name of the zone. Packets will go though these chains before hitting rules
generated by INPUT, OUTPUT and FORWARD rules in the zone configuration files. Remember
that only packets in the NEW state will hit these chains, and hence there is no need to
test the state of a packet in these chains.
ALIASES
Points to a file with IP alias specifications. These aliases are available to all zone
configuration files, and can be used in rules where the syntax
[<ip>[/<mask>]=>[<ip>[/<mask>] is used, as replacement for either side. See IPSET in
zone.conf(8) for more information.
TOS_FILE
Syntax: TOS_FILE= "<fname>"
Specify the name of the Type-Of-Service configuration file located in the configuration
directory. This file specifies manipulation of the TOS bits in TCP and UDP packets.
Traffic control examines these fields to determine into which class a packet should fall.
The file contains a group (TOS) with values of the form:
TOS_[XXX]= "<TOS-type> <protocol> <TOSportlist|ICMPtype>"
Examples:
TOS_MIN_DLY_UDP= "Minimize-Delay udp"
TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"
FILES
/etc/fiaif/fiaif.conf
The configuration file for FIAIF
/etc/fiaif/private_networks
A list of private networks as specified by RFC1918
/etc/fiaif/reserved_networks
A list of reserved networks as specified by IANA.
/etc/fiaif/aliases
Specifies IP aliases to be used for all configuration files.
AUTHOR
Anders Fugmann <anders(at)fugmann.net>
SEE ALSO
fiaif(8), zone.conf(8)