Man Linux: Main Page and Category List

NAME

       zone.conf - fiaif zone configuration files

DESCRIPTION

       fiaif.conf  is  the  file that determines how zones should be set up in
       the firewall. A zone describes how traffic from other zones are allowed
       into  a zone, and what packets are allowed from the zone itself.  Zones
       are based upon the interface and the network the interface is connected
       to. It is possible to have multiple zones per interface, if and only if
       the interface is not declared public. See the PUBLIC variable for  more
       information.

       The general syntax of a configuration file is the same as for a bash(1)
       script, in which only variables should be present.

       The variables can be on three forms:

       VARIABLE
              This is a simple variable. It can  only  be  assigned  a  single
              value.

       VARIABLE_FOO
              The  denotes a variable sequence. The FOO can be replaced by any
              keyword, allowing multiple values to be specified.

       VARIABLE[N]
              A variable array. Any number  of  values  can  be  specified  by
              increasing N for each value.

VARIABLES

   NAME
       Syntax: <name>

       Specify  the  name  of  the zone. This must be the same as specified in
       /etc/fiaif/fiaif.conf.

   DEV
       Syntax: <interface-name>

       Specifies the interface name in which this zone is connected.

   DYNAMIC
       Syntax: 0|1

       Specifies whether the IP of the interface is  dynamic  (e.g.,  obtained
       via  DHCP  or  unknown  when  FIAIF  is started) or not. Disabling this
       provides better security, but this is not always an option  given  from
       ISPs.

   GLOBAL
       Syntax: 0|1

       Is  set to one, any packets originating from IANA reserved networks are
       discarded (except those specified in the NET and NET_EXTRA  variables).
       This should be set on your internet connection. If this is set to true,
       the interface cannot have multible zone definitions.

   IP
       Syntax: <IP address>

       The IP of  the  interface.   This  is  only  necessary  to  specify  if
       DYNAMIC=0.

   MASK
       Syntax: <network mask>

       The  network  mask of the network connected to this interface.  This is
       only necessary to specify if DYNAMIC=0.  This information can be  found
       be using the ifconfig command.

   NET
       Syntax: <ip address/networkmask>

       The  network mask for the interface.  This is only necessary to specify
       if DYNAMIC=0.  This information can be  found  be  using  the  ifconfig
       command.

   BCAST
       Syntax: <broadcast address>

       The  broadcast  address  of  the  interface.  This is only necessary to
       specify if DYNAMIC=0.  This information  can  be  found  be  using  the
       ifconfig command.

   IP_EXTRA
       Syntax: [IP]*

       Contains  a  list  of  additional  IP  addresses that the interface can
       receive. Extra IP’s for  an  interface  is  usually  created  by  using
       interface aliases (e.g. eth0:0).

   NET_EXTRA
       Syntax: [IP/MASK]*

       A list specifying any extra networks besides the NET variables that are
       connected to this zone (interface). The extra nets  would  normally  be
       connected though other routers.

   DHCP_SERVER
       Syntax: <0|1>

       Set to ’1’ if the server should accept DHCP queries.  Only one zone per
       interface should have this enabled, since DHCP packets do not hold  any
       valid destination address.

   INPUT[N]
       Syntax:     <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>
       <protocol> [port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]

       The INPUT variable describes how packets are handled through the  input
       chain.  Packets  on the INPUT chain are packets coming from the zone to
       the firewall itself. The first argument is  how  a  matched  packet  is
       treated.  Protocol  and  ports  and  ip/mask  are used to match packets
       (destination port, and source=>destination ip  address).  If  none  are
       specified, the rule matches all packets. The port argument must only be
       specified if the protocol is udp, tcp or icmp When using these rules, a
       rule  of  thumb is only to accept specific packets, and to drop any not
       matched. The following  line  1  accepts  HTTP-requests  over  the  TCP
       protocol:

       INPUT[0]="ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"

       INPUT[1]="ACCEPT udp 1024:65535 0.0.0.0/0=>0.0.0.0/0"

       INPUT[2]="DROP ALL 0.0.0.0=>0.0.0.0"

   OUTPUT[N]
       Syntax:     <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>
       <protocol> [port<:port>[<,port>[:port]]*] ip/[mask]=>ip/[mask]

       Like the INPUT[N]  rule.  Packets  on  the  OUTPUT  chain  are  packets
       originating  from  the  firewall itself going out into the zone itself.
       ports are destination ports, and ip/mask is the source and  destination
       ip/mask  (if ’=>’ is not given, the ip is assumed to be the destination
       ip). The port argument must only be specified if the protocol  is  udp,
       tcp or icmp The following example drops all telnet packets over the tcp
       protocol, drops any udp packets, and allows any  other  send  from  the
       firewall itself.

       OUTPUT[0]="DROP tcp 21 0.0.0.0/0=>0.0.0.0/0"

       OUTPUT[1]="DROP udp ALL 0.0.0.0/0=>0.0.0.0/0"

       OUTPUT[2]="ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"

   FORWARD[N]
       Syntax:                                                      <zone|ALL>
       <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>
       <protocol[port<:port>[<,port>[:port]]*]> <ip/[mask]=>ip/[mask]>

       Use to specify how packets arriving from other zones are to be treated.
       If protocol or ports and ip/mask is not specified, then ALL is assumed.
       The  port  specifies  the destination port, and ip specifies the source
       and destination ip. The port argument must only  be  specified  if  the
       protocol  is udp, tcp or icmp An example: A demilitarized zone may only
       accept HTTP requests from  the  internet  (zone  EXT).  This  would  be
       specified by:

       FORWARD[0]="EXT ACCEPT tcp 80 0.0.0.0/0=>0.0.0.0/0"

       FORWARD[1]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

   MARK[N]
       Syntax:                     <zone|ALL>                    <mark number>
       <protocol[port<:port>[<,port>[:port]]*]> <ip/[mask]=>ip/[mask]>

       Use the MARK rules to  set  a  MARK  on  packets  passing  through  the
       firewall.  This  can  then be used to determine how a packet is routed.
       FIAIF does not do  traffic-shaping  based  on  mark  values.  The  port
       argument  must only be specified if the protocol is udp, tcp or icmp If
       the source zone is ALL then all packets going into the zone are marked.
       If  the  source  zone equals the zone-name of which the rule is in then
       only packets originating from the firewall are marked.

       Otherwise,  only  packets  routed  through  the  firewall  are  marked.
       Example:  Mark all tcp packets going into the zone with ’1’ and all udp
       packets with mark ’2’.

       MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"

       MARK[1]="ALL 2 udp ALL 0.0.0.0/0=>0.0.0.0/0"

   REPLY_FOO
       Syntax:   <zone>    <type>    <protocol [port[:port][<,port>[:port]]*]>
       <ip[/mask]=>ip[/mask]>

       Make special replies to packets. The type can be one of the following:

       icmp-net-unreachable,   icmp-host-unreachable,   icmp-port-unreachable,
       icmp-proto-unreachable,  icmp-net-prohibited,  icmp-host-prohibited  or
       tcp-reset (Only valid for the TCP protocol).

       The zone argument specifies the source of the packet.

       This can be used, for example, to disallow authentication requests, but
       instead of dropping the packets, close the connection by sending a tcp-
       reset.

       REPLY_AUTH="EXT tcp-reset tcp auth 0.0.0.0/0=>0.0.0.0/0"

   MAC_DROP
       Syntax: [MAC_ADDRESS]*|[file]

       Disallow  any  communication with specified MAC-addresses in this zone.
       Inserted on PREROUTING chain. If the value is a file, then each line in
       the file is treated as an MAC address. Anything after a ’#’ is regarded
       as a comment and is ignored.

   IP_DROP
       Syntax: [IP/MASK]*|[file]

       Disallow any communication with specified IP addresses  in  this  zone.
       If  the value is a file, then each line in the file is treated as an ip
       address. Anything after a ’#’ is regarded as a comment and is  ignored.

   ECN_REMOVE
       Syntax: [IP/MASK]*|[file]

       Remove  the  ECN bit from all packets destined to the specified servers
       (located in the zone). If the value is a file, then each  line  in  the
       file is treated as an ip address. Anything after a ’#’ is regarded as a
       comment and is ignored.

   REDIRECT_FOO
       Syntax:         <protocol[port[:port]]>          <ip[/mask]=>ip[/mask]>
       <[ipaddr[,ipaddr]*]> [port]

       Alter  the  destination  of packets.  The rule applies only for packets
       originating from this zone. Packets can be redirected to  the  firewall
       itself  (127.0.0.1),  to  other  zones  or  back  into  the zone itself
       (requires DYNAMIC==0 and GLOBAL==0). If packets are redirected to other
       zones,  then  remember  to add a FORWARD rule in the configuration file
       for the destination zone, allowing the packets to pass through.  Please
       note,  that  redirecting  packets  back into the zone may cause serious
       network degradation.

       Example:

       REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"

       All packets coming from the zone itself to port 80  are  redirected  to
       the  firewall  itself  port  3128, and this line can be used to setup a
       transparent proxy.

   WATCH_IP
       Syntax: [IP]*|[file]

       Log every packet coming from or going to the specific IP addresses.  If
       the  value  is  a  file, then each line in the file is treated as an IP
       address. Anything after a ’#’ is regarded as a comment and is  ignored.

   SNAT[N]
       Syntax:        <ZONE|ip>       <protocol[port[:port][<,port>[:port]]*]>
       <ip[/mask]=>ip[/mask]>

       Change the source address of a packet coming from this zone. If a  ZONE
       is  specified, then all packets are masqueraded to all ip addresses for
       the specified zone, specified by the IP or  IP_EXTRA  directive,  in  a
       round  robin fashion. The last options specifies the protocol, port and
       original source and destination of the packets to be SNAT’ed.

       To use MASQUADING, where EXT is the zone for the internet use:

       SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

   LIMIT_FOO
       Syntax:                                                          <zone>
       <ACCEPT|REJECT|DROP|LOG|ACCEPT_LOG|REJECT_NOLOG|DROP_NOLOG>     <limit>
       <burt> <protocol[port<:port>[<,port>[:port]]*]> <ip[/mask]=>ip[/mask]>

       Limit number of packets. A LIMIT rule specifies how  many  packets  are
       acceptable within the specified period of time. If more packets arrive,
       policy specifies how to handle these.

       zone: Is the zone from which the packet originates. This  can  be  this
       zone itself.

       limit:  Maximum  average  matching rate: specified as a number, with an
       optional ´/second´, ´/minute´, ´/hour´, or ´/day´ suffix.

       burst: Maximum initial number of packets to  match:  this  number  gets
       incremented by one every time the limit specified above is not reached,
       up to this number.

       protocol: The protocol: TCP|UDP|ICMP|ALL. This parameter  is  optional.
       The port argument must only be specified if the protocol is udp, tcp or
       icmp

       ports: If protocol is tcp|udp: A list of ports or a port range.   icmp:
       A  list  of  icmp types seperated by commas. This parameter is optional
       pending on the specified protocol.

       ip[/mask]=>ip[/mask] Specifies source address and optional  destination
       address. This can only be specified if protocol is also specified.

       For example to limit number of echo requests (ping) from zone EXT, use:

       LIMIT_PING="EXT DROP 1/second 3 ICMP echo-request 0.0.0.0/0=>0.0.0.0/0"

   TC_ENABLE
       Syntax: <0|1>

       Enable or disable Traffic Shaping for this zone (traffic going into the
       network card, or being sent from the network card.) TC is only  enabled
       if ENABLE_TC is set in the global configuration as well.

   TC_UPLINK
   TC_DOWNLINK
       Syntax: <kbit>

       Specify  maximum uplink and downlink speeds. The values are specifed in
       kilobits (1024 bits).

   TC_TYPE
       Syntax: <HTB|HFSC>

       Specify the  type  of  traffic  shaping  to  be  used.  htb  is  videly
       available, but the hfsc type shaping yields much better results. Choose
       hfsc if you have the nessesary modules.

   TC_VOIP
       Syntax: <0|1>

       Specify ’1’ to enable special VOIP traffic shaping  classes.  Currently
       only  implemented  for  the  HFSC  type  shaper.  It reserves a minimum
       bandwidth for voip traffic, and creates a special high  priority  class
       for voip related traffic.

   IPSET_FOO
       Syntax: <ip</mask>>[ip</mask>]*| <file>

       Sepcify  a  set of ip’s to be used in zone rules. Ip’s specified can be
       either  numbers,  hostnames,  networks  or  names  of  other  ip   sets
       (recursively).  The  name  of  the  set will be the name occuring after
       IPSET_. Ip sets is bound to a zone, and cannot be  used  across  zones.
       Currently,  ip-sets  can  only be used in INPUT, OUTPUT, FORWARD, SNAT,
       REDIRECT and MARK rules. If the ipset points to a file, then  the  file
       is  read  (relative  to  CONF_PATH  ).   The  name  of IP sets must not
       conflict with aliases defined in the file pointed  to  by  the  ALIASES
       directive in fiaif global configuration file.

       An example of the use of IP sets:

       IPSET_NAMESERVERS="1.2.3.4 1.2.3.5"

       INPUT[N]="ACCEPT tcp domain NAMESERVERS=>0.0.0.0/0"

       Which is equivalent to:

       INPUT[N]="ACCEPT tcp domain 1.2.3.4=>0.0.0.0/0"

       INPUT[N+1]="ACCEPT tcp domain 1.2.3.5=>0.0.0.0/0"

AUTHOR

       Anders Fugmann <anders(at)fugmann.net>

SEE ALSO

       fiaif(8), fiaif.conf(8), iptables(8), ifconfig(8)