Man Linux: Main Page and Category List


       fiaif.conf - fiaif global configuration file


       fiaif.conf  is  the  file that declares which zones should be set up in
       the firewall.  A "zone" is a piece of the "IP universe" existing on the
       other  side  of  a  particular  interface.  A zone is defined in a file
       listing rules for the handling of IP traffic into, out of, and  through
       the  associated  interface.  The zonefile is described in zone.conf(8).
       General configuration parameters are also declared in this file.

       fiaif.conf and the zonefiles are bash(1) scripts in which the values of
       variables  used  in  the fiaif program are assigned.  Although they are
       shell scripts, they should contain nothing but assignment statements.

       Parameters in the configuration files are of three forms:

              These parameters take only a single value. The value  may  be  a
              number or a string.

              These  parameters are treated as a group, and all members of the
              group are processed in the same way.  There  are  two  parts  to
              these  parameters´  names.  The  first  part  is the name of the
              group, and the second part is a mnemonic.

              Parameter values are declared in an array.  Any number of values
              can be specified by incrementing the array index for each value.


       bashcommand -> [a shell command line]
       dirpath -> [path to a directory (no trailing ´/´)]
       fname -> [filename with no path]
       modulename -> [the name of an iptables module]
       portspec -> [a port number | a service in /etc/services]
       posint -> [an integer >= 0]
       TOStype -> [a Type-of-service name | a Type-of-service number]
       zonename -> [the zone identifier from a zone file]

       byteint -> 0..255
       cidrmask -> 0..32
       nullstring -> [nothing]
       string -> [char]<string>|<nullstring>

       boolean -> 0|1
       burstspec -> <posint>|<posint>/<timespec>
       IP4addr -> <byteint>.<byteint>.<byteint>.<byteint>
       iptablesprotocol  ->  [a  protocol  number  |  a  protocol  name   from
       modulelist -> <nullstring>|<modulename> <modulelist>
       netaddr -> <IP4addr>/<cidrmask>
       netlist -> <nullstring>|<netaddr> <netlist>
       pathlist -> <dirpath>|<dirpath>:<pathlist>
       plist -> <nullstring>|<iptablesprotocol> <plist>
       tablelist -> mangle filter nat
       timespec -> second|minute|hour|day
       TOSportlist -> <nullstring> | any | <TOSportlistOpt>
       TOSportlistOpt -> <portspec> | <portspec>,<TOSportlist>
       ICMPtype -> <ICMP type string>
       zonelist -> <nullstring>|<zonename> <zonelist>


       The  values  of  these  parameters  should  (almost  certainly)  not be

       Syntax: TABLES= "<tablelist>"

       A list of the packet processing tables in  the  Linux  kernel.   As  of
       version  2.4.18,  only  three tables are available: mangle, filter, and

       Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"

       A list of the reserved ipnumbers and masks, or a file  containing  this
       list,  one  <netaddr>  per  line.   See  for  more

       Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"

       A list of the private ipnumbers and masks, or a  file  containing  this
       list,  one <netaddr> per line.  See and rfc1918 for
       more information.

       Syntax: LOOPBACK_NET= "<netaddr>"

       The  network  of  the  loopback   interface.   ""   in   the

       Syntax: BIN_PATH= "<pathlist>"

       The search path for the iptables and tc binaries.


       The  values  of  these  parameters  should be altered.  They define the
       firewall deployed by fiaif and customize  it  for  local  networks  and
       security policy.

       Syntax: DONT_START= <boolean>

       If  set to one, the firewall will not be started.  DONT_START is set to
       1 in the distributed fiaf.conf to prevent the inadvertant deployment of
       an  unconfigured  firewall  from  a download.  Set the value to zero or
       delete the line to enable the firewall.

       Syntax: CONF_DIR= "<directorypath>/"

       The  path  to  the  configuration  directory.   CONF_DIR  is   set   to
       "/etc/fiaif/" in the distribution.

       Syntax: SET_PROC_ERRORS= <boolean>
       Syntax: SET_PROC_WARNINGS= <boolean>

       When  the command "fiaif test" is issued, a list of errors and warnings
       are displayed.
       If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors.
       If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the  warnings.

       Syntax: SAVE_STATE= <boolean>

       If  enabled,  FIAIF  will save all iptables rules to a file after these
       have been applied, if no errors were encountered while  generating  the
       rules. When FIAIF is started again, this file is used if and only if no
       modifications have been made to  any  configuration  files.  Rules  are
       saved to /var/lib/fiaif/iptables.

       Enabling  this  option  greatly  improves  start time of FIAIF, but may
       cause problems if, for example, the  ipnumber  of  a  static  interface
       changes, in which case /etc/init.d/fiaif force-reload should be used to
       rebuild ruleset from configuration files.

       Syntax: ZONES= "<zonelist>"

       A list of the zones to be set up.  There must be a  zone  file  in  the
       configuration directory matching each zone named in this list.

       ZONES="INT EXT"

       Syntax: CONF_[XXX]= "<fname>"

       A group (CONF) containing the names of the zone files.  It should match
       closly the names listed in the ZONES parameter. The zone files must  be
       in the directory specified in CONF_DIR.


       Syntax: TEST_FILE= "<dirpath>/<fname>"

       The  absolute  pathname  of the file to which commands are written when
       fiaif is run with the ´test´ option. Set  to  "/tmp/fiaif.out"  in  the

       Syntax: DEBUG= <boolean>

       If  set  to 1, fiaif will not drop any packets, but all rules are still
       applied, and the results  will  be  in  the  syslog.   Use  this  as  a
       debugging  tool  if  you are experiencing problems while setting up the
       zones.  Set to zero for fiaif to work normally.

       Syntax: VERBOSE= <boolean>

       Set this variable to 1 to have fiaif  log  all  dropped  or  redirected
       packets  in  the  syslog.   If  no logging is wanted, set it to 0.  See
       LOG_LIMIT and LOG_BURST for details on when logging occurs.

       Syntax: FIAIF_ <string>

       Specify the prefix to use when logging packets to system log or  though

       Syntax: ENABLE_ULOGD= <boolean>

       If  set to 1 (and the ulogd is running on the system), fiaif logs via a
       ulogd.  If set to 0, fiaif logs through the standard syslog facility.

       Syntax: LOG_LIMIT= <posint>
       Syntax: LOG_BURST= "<burstspec>"

       Specify how often dropped or rejected packets should  be  entered  into
       the system log.  Tune to avoid spamming of logs.

       LOG_LIMIT  is  the maximum  average matching rate.  If no <timespec> is
       provided, ´/second´ is assumed.

       LOG_BURST is the maximum  initial  number  of packets  to  match;  this
       number is incrememted by one every time  the  limit specified  above is
       not reached, up to this number.  Note  the  quotes  around  LOG_BURST´s

       Syntax: LOG_LEVEL= <byteint>

       This  specifies  the  loglevel,  for  logging to syslog or ulogd.  When
       using syslog, the number specifies the  priority,  see  syslog.conf(5).
       If  ENABLE_ULOG  is  true, LOG_LEVEL number specifies the netlink group
       (1-32), to which the line to be logged is is sent.

       Syntax: ENABLE_TC= <boolean>

       Enable or disable traffic shaping system wide.  Setting to 0  overrides
       the  TC_ENABLE  value  in  all  zone configurations.  To enable traffic
       shaping in a zone, TC_ENABLE must be set to 1 in fiaif.conf and in  the
       zone configuration as well.

       Syntax: MODULES= "<modulelist>"

       Specifies  iptables  modules  to  be loaded upon starting the firewall.
       The modules remain loaded as long as the firewall is deployed.

       Syntax: PRE_SCRIPT[N]= "<bashcommand>"
       Syntax: POST_SCRIPT[N]= "<bashcommand>"

       This pair of array parameters may contain shell commands to be executed
       before/after  fiaif creates the iptables rules.  The lines are executed
       in array-index sequence.

       Three chains per zone exists to support user-defined rules.  The  chain
       names      are:      USER_INPUT_<ZONE_NAME>     USER_OUTPUT_<ZONE_NAME>
       USER_FORWARD_<ZONE_NAME> Where the zone name is the name of  the  zone.
       Packets  will  go though these chains before hitting rules generated by
       INPUT, OUTPUT and  FORWARD  rules  in  the  zone  configuration  files.
       Remember  that only packets in the NEW state will hit these chains, and
       hence there is no need to test the state of a packet in these chains.

       Points to a file  with  IP  alias  specifications.  These  aliases  are
       available  to  all  zone  configuration files, and can be used in rules
       where the syntax [<ip>[/<mask>]=>[<ip>[/<mask>] is used, as replacement
       for either side. See IPSET in zone.conf(8) for more information.

       Syntax: TOS_FILE= "<fname>"

       Specify  the  name of the Type-Of-Service configuration file located in
       the configuration directory.  This file specifies manipulation  of  the
       TOS bits in TCP and UDP packets.  Traffic control examines these fields
       to determine into which class a packet should fall.

       The file contains a group (TOS) with values of the form:
              TOS_[XXX]= "<TOS-type> <protocol> <TOSportlist|ICMPtype>"

              TOS_MIN_DLY_UDP= "Minimize-Delay udp"
              TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"


              The configuration file for FIAIF
              A list of private networks as specified by RFC1918
              A list of reserved networks as specified by IANA.
              Specifies IP aliases to be used for all configuration files.


       Anders Fugmann <anders(at)>


       fiaif(8), zone.conf(8)