man fiaif.conf (Formats) - fiaif global configuration file

NAME

fiaif.conf - fiaif global configuration file

DESCRIPTION

fiaif.conf is the file that declares which zones should be set up in the firewall. A "zone" is a piece of the "IP universe" existing on the other side of a particular interface. A zone is defined in a file listing rules for the handling of IP traffic into, out of, and through the associated interface. The zonefile is described in zone.conf(8). General configuration parameters are also declared in this file.

fiaif.conf and the zonefiles are bash(1) scripts in which the values of variables used in the fiaif program are assigned. Although they are shell scripts, they should contain nothing but assignment statements.

Parameters in the configuration files are of three forms:

SIMPLE These parameters take only a single value. The value may be a number or a string.

GROUP These parameters are treated as a group, and all members of the group are processed in the same way. There are two parts to these parameters' names. The first part is the name of the group, and the second part is a mnemonic.

ARRAY Parameter values are declared in an array. Any number of values can be specified by incrementing the array index for each value.

DEFINITIONS

bashcommand -> [a shell command line]

dirpath -> [path to a directory (no trailing '/')]

fname -> [filename with no path]

modulename -> [the name of an iptables module]

portspec -> [a port number | a service in /etc/services]

posint -> [an integer >= 0]

TOStype -> [a Type-of-service name | a Type-of-service number]

zonename -> [the zone identifier from a zone file]

byteint -> 0..255

cidrmask -> 0..32

nullstring -> [nothing]

string -> [char]<string>|<nullstring>

boolean -> 0|1

burstspec -> <posint>|<posint>/<timespec>

IP4addr -> <byteint>.<byteint>.<byteint>.<byteint>

iptablesprotocol -> [a protocol number | a protocol name from /etc/protocols]

modulelist -> <nullstring>|<modulename> <modulelist>

netaddr -> <IP4addr>/<cidrmask>

netlist -> <nullstring>|<netaddr> <netlist>

pathlist -> <dirpath>|<dirpath>:<pathlist>

plist -> <nullstring>|<iptablesprotocol> <plist>

tablelist -> mangle filter nat

timespec -> second|minute|hour|day

TOSportlist -> <nullstring> | any | <TOSportlistOpt>

TOSportlistOpt -> <portspec> | <portspec>,<TOSportlist>

ICMPtype -> <ICMP type string>

zonelist -> <nullstring>|<zonename> <zonelist>

CONSTANT PARAMETERS

The values of these parameters should (almost certainly) not be altered.

TABLES

Syntax: TABLES= "<tablelist>"

A list of the packet processing tables in the Linux kernel. As of version 2.4.18, only three tables are available: mangle, filter, and nat.

RESERVED_NETWORKS

Syntax: RESERVED_NETWORKS= "<netlist>"|"<fname>"

A list of the reserved ipnumbers and masks, or a file containing this list, one <netaddr> per line. See http://www.iana.com for more information.

PRIVATE_NETWORKS

Syntax: PRIVATE_NETWORKS= "<netlist>"|"<fname>"

A list of the private ipnumbers and masks, or a file containing this list, one <netaddr> per line. See http://www.iana.com and rfc1918 for more information.

LOOPBACK_NET

Syntax: LOOPBACK_NET= "<netaddr>"

The network of the loopback interface. "127.0.0.1/8" in the distribution.

BIN_PATH

Syntax: BIN_PATH= "<pathlist>"

The search path for the iptables and tc binaries.

PARAMETERS

The values of these parameters should be altered. They define the firewall deployed by fiaif and customize it for local networks and security policy.

DONT_START

Syntax: DONT_START= <boolean>

If set to one, the firewall will not be started. DONT_START is set to 1 in the distributed fiaf.conf to prevent the inadvertant deployment of an unconfigured firewall from a download. Set the value to zero or delete the line to enable the firewall.

CONF_DIR

Syntax: CONF_DIR= "<directorypath>/"

The path to the configuration directory. CONF_DIR is set to "/etc/fiaif/" in the distribution.

SET_PROC_ERRORS

Syntax: SET_PROC_ERRORS= <boolean>

SET_PROC_WARNINGS

Syntax: SET_PROC_WARNINGS= <boolean>

When the command "fiaif test" is issued, a list of errors and warnings are displayed.

If SET_PROC_ERRORS is 1, FIAIF will attempt to correct the errors.

If SET_PROC_WARNINGS is 1, FIAIF will attempt to correct the warnings.

SAVE_STATE

Syntax: SAVE_STATE= <boolean>

If enabled, FIAIF will save all iptables rules to a file after these have been applied, if no errors were encountered while generating the rules. When FIAIF is started again, this file is used if and only if no modifications have been made to any configuration files. Rules are saved to /var/lib/fiaif/iptables.

Enabling this option greatly improves start time of FIAIF, but may cause problems if, for example, the ipnumber of a static interface changes, in which case /etc/init.d/fiaif force-reload should be used to rebuild ruleset from configuration files.

ZONES

Syntax: ZONES= "<zonelist>"

A list of the zones to be set up. There must be a zone file in the configuration directory matching each zone named in this list.

Example:

ZONES=" INT EXT"

CONF_[XXX]

Syntax: CONF_[XXX]= "<fname>"

A group (CONF) containing the names of the zone files. It should match closly the names listed in the ZONES parameter. The zone files must be in the directory specified in CONF_DIR.

Example:

CONF_INT=" zone.internal"

CONT_EXT=" zone.external"

TEST_FILE

Syntax: TEST_FILE= "<dirpath>/<fname>"

The absolute pathname of the file to which commands are written when fiaif is run with the 'test' option. Set to "/tmp/fiaif.out" in the distribution.

DEBUG

Syntax: DEBUG= <boolean>

If set to 1, fiaif will not drop any packets, but all rules are still applied, and the results will be in the syslog. Use this as a debugging tool if you are experiencing problems while setting up the zones. Set to zero for fiaif to work normally.

VERBOSE

Syntax: VERBOSE= <boolean>

Set this variable to 1 to have fiaif log all dropped or redirected packets in the syslog. If no logging is wanted, set it to 0. See LOG_LIMIT and LOG_BURST for details on when logging occurs.

LOG_PREFIX

Syntax: <string>

Specify the prefix to use when logging packets to system log or though ulogd.

ENABLE_ULOGD

Syntax: ENABLE_ULOGD= <boolean>

If set to 1 (and the ulogd is running on the system), fiaif logs via a ulogd. If set to 0, fiaif logs through the standard syslog facility.

LOG_LIMIT

Syntax: LOG_LIMIT= <posint>

LOG_BURST

Syntax: LOG_BURST= "<burstspec>"

Specify how often dropped or rejected packets should be entered into the system log. Tune to avoid spamming of logs.

LOG_LIMIT is the maximum average matching rate. If no <timespec> is provided, '/second' is assumed.

LOG_BURST is the maximum initial number of packets to match; this number is incrememted by one every time the limit specified above is not reached, up to this number. Note the quotes around LOG_BURST's value.

LOG_LEVEL

Syntax: LOG_LEVEL= <byteint>

This specifies the loglevel, for logging to syslog or ulogd. When using syslog, the number specifies the priority, see syslog.conf(5). If ENABLE_ULOG is true, LOG_LEVEL number specifies the netlink group (1-32), to which the line to be logged is is sent.

ENABLE_TC

Syntax: ENABLE_TC= <boolean>

Enable or disable traffic shaping system wide. Setting to 0 overrides the TC_ENABLE value in all zone configurations. To enable traffic shaping in a zone, TC_ENABLE must be set to 1 in fiaif.conf and in the zone configuration as well.

MODULES

Syntax: MODULES= "<modulelist>"

Specifies iptables modules to be loaded upon starting the firewall. The modules remain loaded as long as the firewall is deployed.

PRE_SCRIPT[N]

Syntax: PRE_SCRIPT[N]= "<bashcommand>"

POST_SCRIPT[N]

Syntax: POST_SCRIPT[N]= "<bashcommand>"

This pair of array parameters may contain shell commands to be executed before/after fiaif creates the iptables rules. The lines are executed in array-index sequence.

Three chains per zone exists to support user-defined rules. The chain names are: USER_INPUT_<ZONE_NAME> USER_OUTPUT_<ZONE_NAME> USER_FORWARD_<ZONE_NAME> Where the zone name is the name of the zone. Packets will go though these chains before hitting rules generated by INPUT, OUTPUT and FORWARD rules in the zone configuration files. Remember that only packets in the NEW state will hit these chains, and hence there is no need to test the state of a packet in these chains.

ALIASES

Points to a file with IP alias specifications. These aliases are available to all zone configuration files, and can be used in rules where the syntax [<ip>[/<mask>]=>[<ip>[/<mask>] is used, as replacement for either side. See IPSET in zone.conf(8) for more information.

TOS_FILE

Syntax: TOS_FILE= "<fname>"

Specify the name of the Type-Of-Service configuration file located in the configuration directory. This file specifies manipulation of the TOS bits in TCP and UDP packets. Traffic control examines these fields to determine into which class a packet should fall.

The file contains a group (TOS) with values of the form: TOS_[XXX]= "<TOS-type> <protocol> <TOSportlist|ICMPtype>"

Examples: TOS_MIN_DLY_UDP= "Minimize-Delay udp"

TOS_NORM_SRVC_TCP= "Normal-Service tcp www,https"

FILES

/etc/fiaif/fiaif.conf The configuration file for FIAIF /etc/fiaif/private_networks A list of private networks as specified by RFC1918 /etc/fiaif/reserved_networks A list of reserved networks as specified by IANA. /etc/fiaif/aliases Specifies IP aliases to be used for all configuration files.

AUTHOR

Anders Fugmann <anders(at)fugmann.net>

SEE ALSO