Man Linux: Main Page and Category List

NAME

       fwb_ipf - Policy compiler for ipfilter

SYNOPSIS

       fwb_ipf   [-vVx]   [-d  wdir]  [-o  output.fw]  [-i]  -f  data_file.xml
       object_name

DESCRIPTION

       fwb_ipf is a firewall policy compiler  component  of  Firewall  Builder
       (see fwbuilder(1)). This compiler generates code for ipfilter. Compiler
       reads objects definitions and firewall description from the  data  file
       specified  with  "-f" option and generates ipfilter configuration files
       and firewall activation script.

       All generated files have names that start with the name of the firewall
       object.  Firewall  activation  script has extension ".fw" and is simple
       shell script that flushes current policy,  loads  new  filter  and  nat
       rules  and  then  activates ipfilter.  IPFilter configuration file name
       starts with the name of the firewall  object,  plus  "-ipf.conf".   NAT
       configuration  file  name  also  starts  with  the name of the firewall
       object, plus "-nat.conf". For example,  if  firewall  object  has  name
       "myfirewall",  then  compiler will create three files: "myfirewall.fw",
       "myfirewall-pf.conf", "myfirewall-nat.conf".

       The data file and the name of the firewall objects must be specified on
       the command line. Other command line parameters are optional.

OPTIONS

       -f FILE
              Specify the name of the data file to be processed.

       -o output.fw
              Specify output file name

       -d wdir
              Specify    working    directory.   Compiler   creates   firewall
              activation script  and  ipfilter  configuration  files  in  this
              directory.  If this parameter is missing, then all files will be
              placed in the current working directory.

       -v     Be verbose: compiler prints diagnostic messages when it works.

       -V     Print version number and quit.

       -i     When this option is present, the last argument  on  the  command
              line is supposed to be firewall object ID rather than its name

       -x     Generate  debugging  information  while  working. This option is
              intended for debugging only and  may  produce  lots  of  cryptic
              messages.

NOTES

       Support for ipf returned in version 1.0.1 of Firewall Builder

       Supported features:

       o      both ipf.conf and nat.conf files are generated

       o      negation in policy rules

       o      stateful inspection in individual rule can be turned off in rule
              options  dialog.  By  default  compiler  adds  "keep  state"  or
              "modulate state" to each rule with action ’pass’

       o      rule options dialog provides a choice of icmp or tcp rst replies
              for rules with action "Reject"

       o      compiler adds flag "allow-opts" if match on ip options is needed

       o      compiler can generate rules matching on TCP flags

       o      compiler  can  generate  script  adding ip aliases for NAT rules
              using addresses that do not  belong  to  any  interface  of  the
              firewall

       o      compiler  always  adds rule "block quick all" at the very bottom
              of the script to ensure "block all by default"  policy  even  if
              the policy is empty.

       o      Address ranges in both policy and NAT

       Features that are not supported (yet)

       o      negation in NAT

       o      custom services

       Features that won’t be supported (at least not anytime soon)

       o      policy routing

URL

       Firewall   Builder   home   page  is  located  at  the  following  URL:
       http://www.fwbuilder.org/

BUGS

       Please report bugs using bug tracking system on SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO

       fwbuilder(1), fwb_ipt(1), fwb_pf(1)