NAME
fiaif.conf - fiaif global configuration file
DESCRIPTION
fiaif.conf is the file that declares which zones should be set up in
the firewall. A "zone" is a piece of the "IP universe" existing on the
other side of a particular interface. A zone is defined in a file
listing rules for the handling of IP traffic into, out of, and through
the associated interface. The zonefile is described in zone.conf(8).
General configuration parameters are also declared in this file.
fiaif.conf and the zonefiles are bash(1) scripts in which the values of
variables used in the fiaif program are assigned. Although they are
shell scripts, they should contain nothing but assignment statements.
Parameters in the configuration files are of three forms:
SIMPLE
These parameters take only a single value. The value may be a
number or a string.
GROUP
These parameters are treated as a group, and all members of the
group are processed in the same way. There are two parts to
these parameters' names. The first part is the name of the
group, and the second part is a mnemonic.
ARRAY
Parameter values are declared in an array. Any number of values
can be specified by incrementing the array index for each value.
DEFINITIONS
bashcommand -> [a shell command line]
dirpath -> [path to a directory (no trailing '/')]
fname -> [filename with no path]
modulename -> [the name of an iptables module]
portspec -> [a port number | a service in /etc/services]
posint -> [an integer >= 0]
TOStype -> [a Type-of-service name | a Type-of-service number]
zonename -> [the zone identifier from a zone file]
byteint -> 0..255
cidrmask -> 0..32
nullstring -> [nothing]
string -> [char]<string>|<nullstring>
boolean -> 0|1
burstspec -> <posint>|<posint>/<timespec>
IP4addr -> <byteint>.<byteint>.<byteint>.<byteint>
iptablesprotocol -> [a protocol number | a protocol name from /etc/protocols]
modulelist -> <nullstring>|<modulename> <modulelist>
netaddr -> <IP4addr>/<cidrmask>
netlist -> <nullstring>|<netaddr> <netlist>
pathlist -> <dirpath>|<dirpath>:<pathlist>
plist -> <nullstring>|<iptablesprotocol> <plist>
tablelist -> mangle filter nat
timespec -> second|minute|hour|day
TOSportlist -> <nullstring> | any | <TOSportlistOpt>
TOSportlistOpt -> <portspec> | <portspec>,<TOSportlist>
ICMPtype -> <ICMP type string>
zonelist -> <nullstring>|<zonename> <zonelist>
CONSTANT PARAMETERS
The values of these parameters should (almost certainly) not be
altered.
TABLES
Syntax: TABLES= "<tablelist>"
A list of the packet processing tables in the Linux kernel. As of
version 2.4.18, only three tables are available: mangle, filter, and
nat.
RESERVED_NETWORKS
Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"
A list of the reserved ipnumbers and masks, or a file containing this
list, one <netaddr> per line. See http://www.iana.com for more
information.
PRIVATE_NETWORKS
Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"
A list of the private IP numbers and masks, or a file containing this
list, one <netaddr> per line. See http://www.iana.com and RFC 1918 for
more information.
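The file form of RESERVED_NETWORKS and PRIVATE_NETWORKS (one <netaddr> per line) is easy to get wrong, and a malformed entry is a configuration error worth catching before the firewall is started. The checker below is an added example, not part of fiaif: it validates each line against the <netaddr> definition given above (four byteints 0..255 joined by '.', then '/' and a cidrmask 0..32). The sample list is constructed, and skipping blank and '#' lines is an assumption of this example, not something the page specifies.

```sh
#!/bin/sh
# Added example, not fiaif's own code: check a PRIVATE_NETWORKS or
# RESERVED_NETWORKS list file against the <netaddr> definition
# (<IP4addr>/<cidrmask>, one per line). The file below is constructed;
# treating blank and '#' lines as ignorable is this example's assumption.

# valid_netaddr STRING: succeed when STRING is four byteints (0..255)
# joined by '.', followed by '/' and a cidrmask (0..32).
valid_netaddr() {
    case "$1" in
        */*) ip=${1%%/*}; mask=${1#*/} ;;
        *)   return 1 ;;
    esac
    # the mask must be decimal digits in 0..32
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    # reject empty octets before splitting on '.'
    case "$ip" in ''|.*|*.|*..*) return 1 ;; esac
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_netlist FILE: print each malformed line and return their count,
# so a return value of 0 means every entry is a well-formed <netaddr>.
check_netlist() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! valid_netaddr "$line"; then
            echo "malformed netaddr: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

netfile=$(mktemp)
trap 'rm -f "$netfile"' EXIT
# Constructed list: the RFC 1918 ranges plus one malformed entry.
cat > "$netfile" <<'EOF'
# private networks, one per line
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.168.0/24
EOF
check_netlist "$netfile" || echo "list has errors; fix it before pointing PRIVATE_NETWORKS at it"
```

Run against the real list file (`check_netlist /etc/fiaif/private_networks`) before a `fiaif test`; the fourth constructed entry above is rejected because it has only three octets.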
LOOPBACK_NET
Syntax: LOOPBACK_NET= "<netaddr>"
The network of the loopback interface. "127.0.0.1/8" in the
distribution.
BIN_PATH
Syntax: BIN_PATH= "<pathlist>"
The search path for the iptables and tc binaries.
PARAMETERS
The values of these parameters should be altered. They define the
firewall deployed by fiaif and customize it for local networks and
security policy.
DONT_START
Syntax: DONT_START= <boolean>
If set to one, the firewall will not be started. DONT_START is set to
1 in the distributed fiaif.conf to prevent the inadvertent deployment of
an unconfigured firewall from a download. Set the value to zero or
delete the line to enable the firewall.
CONF_DIR
Syntax: CONF_DIR= "<dirpath>/"
The path to the configuration directory. CONF_DIR is set to
"/etc/fiaif/" in the distribution.
SET_PROC_ERRORS
Syntax: SET_PROC_ERRORS= <boolean>
SET_PROC_WARNINGS
Syntax: SET_PROC_WARNINGS= <boolean>
When the command "fiaif test" is issued, a list of errors and warnings
is displayed.
If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors.
If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the warnings.
SAVE_STATE
Syntax: SAVE_STATE= <boolean>
If enabled, FIAIF will save all iptables rules to a file after these
have been applied, if no errors were encountered while generating the
rules. When FIAIF is started again, this file is used if and only if no
modifications have been made to any configuration files. Rules are
saved to /var/lib/fiaif/iptables.
Enabling this option greatly improves the start time of FIAIF, but may
cause problems if, for example, the IP number of a static interface
changes, in which case /etc/init.d/fiaif force-reload should be used to
rebuild the ruleset from the configuration files.
ZONES
Syntax: ZONES= "<zonelist>"
A list of the zones to be set up. There must be a zone file in the
configuration directory matching each zone named in this list.
Example:
ZONES="INT EXT"
CONF_[XXX]
Syntax: CONF_[XXX]= "<fname>"
A group (CONF) containing the names of the zone files. The mnemonic
part of each name (after CONF_) corresponds to a zone named in the ZONES
parameter. The zone files must be in the directory specified in CONF_DIR.
Example:
CONF_INT="zone.internal"
CONF_EXT="zone.external"
TEST_FILE
Syntax: TEST_FILE= "<dirpath>/<fname>"
The absolute pathname of the file to which commands are written when
fiaif is run with the 'test' option. Set to "/tmp/fiaif.out" in the
distribution.
DEBUG
Syntax: DEBUG= <boolean>
If set to 1, fiaif will not drop any packets, but all rules are still
applied, and the results will be in the syslog. Use this as a
debugging tool if you are experiencing problems while setting up the
zones. Set to zero for fiaif to work normally.
VERBOSE
Syntax: VERBOSE= <boolean>
Set this variable to 1 to have fiaif log all dropped or redirected
packets in the syslog. If no logging is wanted, set it to 0. See
LOG_LIMIT and LOG_BURST for details on when logging occurs.
LOG_PREFIX
Syntax: LOG_PREFIX= "<string>"
Specify the prefix to use when logging packets to the system log or
through ulogd, for example "FIAIF_".
ENABLE_ULOGD
Syntax: ENABLE_ULOGD= <boolean>
If set to 1 (and ulogd is running on the system), fiaif logs via
ulogd. If set to 0, fiaif logs through the standard syslog facility.
LOG_LIMIT
Syntax: LOG_LIMIT= <posint>
LOG_BURST
Syntax: LOG_BURST= "<burstspec>"
Specify how often dropped or rejected packets should be entered into
the system log. Tune to avoid spamming of logs.
LOG_LIMIT is the maximum average matching rate. If no <timespec> is
provided, '/second' is assumed.
LOG_BURST is the maximum initial number of packets to match; this
number is incremented by one every time the limit specified above is
not reached, up to this number. Note the quotes around LOG_BURST's
value.
LOG_LEVEL
Syntax: LOG_LEVEL= <byteint>
This specifies the log level, for logging to syslog or ulogd. When
using syslog, the number specifies the priority; see syslog.conf(5).
If ENABLE_ULOGD is true, the LOG_LEVEL number specifies the netlink
group (1-32) to which the line to be logged is sent.
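As an added illustration (not fiaif's own code), the following shell functions turn the LOG_LIMIT, LOG_BURST, LOG_LEVEL, LOG_PREFIX and ENABLE_ULOGD values into the corresponding iptables arguments: the limit match that throttles logging, and either a LOG target at a syslog priority or a ULOG target on a netlink group. The settings are constructed, and the shape of the rule is an assumption made for the illustration; the rules fiaif itself generates are not shown on this page.

```sh
#!/bin/sh
# Added example, not fiaif's own code: build the iptables logging
# arguments that LOG_LIMIT, LOG_BURST, LOG_LEVEL, LOG_PREFIX and
# ENABLE_ULOGD describe. The rule shape is an assumption used for
# illustration; the rules fiaif itself generates are not shown here.

# Constructed settings as they might appear in fiaif.conf.
LOG_PREFIX="FIAIF_"
LOG_LIMIT="5/minute"   # maximum average rate of logged packets
LOG_BURST="10"         # initial burst allowance, refilled at LOG_LIMIT
LOG_LEVEL="4"          # syslog priority (warning), or ulogd netlink group
ENABLE_ULOGD=0

# limit_args LIMIT BURST: the "-m limit" match. A bare integer LIMIT gets
# "/second" appended, as the LOG_LIMIT description states.
limit_args() {
    case "$1" in
        */second|*/minute|*/hour|*/day) rate=$1 ;;
        *) rate="$1/second" ;;
    esac
    echo "-m limit --limit $rate --limit-burst $2"
}

# target_args ULOGD LEVEL PREFIX: a ULOG target sending to netlink group
# LEVEL when ULOGD is 1, otherwise a LOG target at syslog priority LEVEL.
target_args() {
    if [ "$1" -eq 1 ]; then
        # ulogd reads netlink groups 1-32; anything else is a config error
        if [ "$2" -lt 1 ] || [ "$2" -gt 32 ]; then
            echo "LOG_LEVEL $2 is not a netlink group (1-32)" >&2
            return 1
        fi
        echo "-j ULOG --ulog-nlgroup $2 --ulog-prefix $3"
    else
        echo "-j LOG --log-level $2 --log-prefix $3"
    fi
}

# log_rule: the complete argument list for one logging rule.
log_rule() {
    echo "$(limit_args "$LOG_LIMIT" "$LOG_BURST") $(target_args "$ENABLE_ULOGD" "$LOG_LEVEL" "$LOG_PREFIX")"
}

# Show the rule that would be appended to a logging chain (not executed).
echo "iptables -A <chain> $(log_rule)"
```

The limit match is what keeps VERBOSE=1 from flooding syslog: with the constructed values at most 5 packets per minute are logged on average, with an initial allowance of 10. Switching ENABLE_ULOGD to 1 changes only the target, and the same LOG_LEVEL value is then interpreted as a netlink group, which is why the ulogd branch range-checks it.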
ENABLE_TC
Syntax: ENABLE_TC= <boolean>
Enable or disable traffic shaping system wide. Setting ENABLE_TC to 0
overrides the TC_ENABLE value in all zone configurations. To enable
traffic shaping in a zone, ENABLE_TC must be set to 1 in fiaif.conf and
TC_ENABLE must be set to 1 in the zone configuration as well.
MODULES
Syntax: MODULES= "<modulelist>"
Specifies iptables modules to be loaded upon starting the firewall.
The modules remain loaded as long as the firewall is deployed.
PRE_SCRIPT[N]
Syntax: PRE_SCRIPT[N]= "<bashcommand>"
POST_SCRIPT[N]
Syntax: POST_SCRIPT[N]= "<bashcommand>"
This pair of array parameters may contain shell commands to be executed
before/after fiaif creates the iptables rules. The lines are executed
in array-index sequence.
Three chains per zone exist to support user-defined rules. The chain
names are:
USER_INPUT_<ZONE_NAME>
USER_OUTPUT_<ZONE_NAME>
USER_FORWARD_<ZONE_NAME>
where <ZONE_NAME> is the name of the zone. Packets go through these
chains before hitting the rules generated from the INPUT, OUTPUT and
FORWARD rules in the zone configuration files. Remember that only
packets in the NEW state reach these chains, so there is no need to test
the state of a packet in them.
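A complete, constructed fiaif.conf that puts the SIMPLE, GROUP and ARRAY forms described above together, followed by a check of the ZONES / CONF_<zone> relation and of DONT_START. This is an added example, not part of fiaif; the zone names, file names and the 192.0.2.0/24 network are made up. The checker reads the file with sed rather than sourcing it, so a configuration file is never executed just to inspect it; the POST_SCRIPT entry shows the documented way of appending a site-specific rule to a USER_INPUT_<ZONE_NAME> chain once fiaif has created it.

```sh
#!/bin/sh
# Added example, not part of the fiaif distribution: a constructed
# fiaif.conf showing the SIMPLE, GROUP and ARRAY parameter forms, and a
# consistency check of the ZONES / CONF_<zone> relation of the kind
# "fiaif test" reports. The check reads the file with sed instead of
# sourcing it, so an untrusted configuration is never executed.
# Zone names, file names and the 192.0.2.0/24 network are constructed.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
CONF_DIR="$workdir/"              # the distribution uses "/etc/fiaif/"

cat > "${CONF_DIR}fiaif.conf" <<'EOF'
DONT_START=0                      # SIMPLE: 1 keeps the firewall down
VERBOSE=1                         # SIMPLE: log dropped packets
ZONES="INT EXT"                   # SIMPLE: zones to set up
CONF_INT="zone.internal"          # GROUP: CONF_<zone> names the zone file
CONF_EXT="zone.external"
# ARRAY: commands run after the rules are built. The USER_* chains exist
# by then, so site-specific rules can be appended to them here.
POST_SCRIPT[0]="iptables -A USER_INPUT_EXT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT"
POST_SCRIPT[1]="logger -t fiaif 'ruleset loaded'"
EOF
touch "${CONF_DIR}zone.internal" "${CONF_DIR}zone.external"

# conf_value FILE NAME: print the double-quoted value assigned to NAME.
conf_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1"
}

# check_zones FILE DIR: every zone in ZONES needs a CONF_<zone> entry
# naming a file that exists in DIR. Prints one problem per line and
# returns the number of problems, so 0 means the configuration is consistent.
check_zones() {
    problems=0
    for zone in $(conf_value "$1" ZONES); do
        file=$(conf_value "$1" "CONF_$zone")
        if [ -z "$file" ]; then
            echo "zone $zone: no CONF_$zone entry"
            problems=$((problems + 1))
        elif [ ! -f "$2$file" ]; then
            echo "zone $zone: $2$file missing"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# firewall_enabled FILE: succeeds unless DONT_START is set to 1, which
# the distributed fiaif.conf does on purpose.
firewall_enabled() {
    [ "$(sed -n 's/^DONT_START=\([01]\).*/\1/p' "$1")" != "1" ]
}

check_zones "${CONF_DIR}fiaif.conf" "$CONF_DIR" && echo "zones consistent"
firewall_enabled "${CONF_DIR}fiaif.conf" || echo "DONT_START=1: firewall will not start"
```

Point the two functions at /etc/fiaif/fiaif.conf and /etc/fiaif/ to check a real installation; a zone listed in ZONES without a matching CONF_<zone> entry, or with an entry naming a file that is not in CONF_DIR, is reported before anything is loaded.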
ALIASES
Points to a file with IP alias specifications. These aliases are
available to all zone configuration files, and can be used in rules
where the syntax <ip>[/<mask>]=><ip>[/<mask>] is used, as a replacement
for either side. See IPSET in zone.conf(8) for more information.
TOS_FILE
Syntax: TOS_FILE= "<fname>"
Specify the name of the Type-Of-Service configuration file located in
the configuration directory. This file specifies manipulation of the
TOS bits in TCP and UDP packets. Traffic control examines these fields
to determine into which class a packet should fall.
The file contains a group (TOS) with values of the form:
TOS_[XXX]= "<TOS-type> <protocol> <TOSportlist|ICMPtype>"
Examples:
TOS_MIN_DLY_UDP= "Minimize-Delay udp"
TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"
FILES
/etc/fiaif/fiaif.conf
The configuration file for FIAIF
/etc/fiaif/private_networks
A list of private networks as specified by RFC1918
/etc/fiaif/reserved_networks
A list of reserved networks as specified by IANA.
/etc/fiaif/aliases
Specifies IP aliases to be used for all configuration files.
AUTHOR
Anders Fugmann <anders(at)fugmann.net>
SEE ALSO
fiaif(8), zone.conf(8)