FIAIF is an Intelligent Firewall.
Unlike many other scripts, FIAIF can be truly customized allowing multiple interfaces (or rather zones). There is no limit on the number of zones. All configuration is done through configuration files. There is no need to understand the script behind it all.
The script makes heavy use of stateful firewalling, and all RELATED and ESTABLISHED packets are accepted on all chains. If you wish to block something out, don't accept it in the first place.
The script is written in BASH. Though this is not the optimal programming language to use, it means that you do not need to install extra interpreters on your firewall. This allows you to have a minimalistic installation on your firewall.
Here are some key features of "FIAIF is an Intelligent Firewall":
· TOS bits can be set on a per-protocol/port basis (for use by traffic shaping).
· Limit syslog logging.
· Specification of multiple zones - One or more per interface.
· Load specific connection tracking modules (FTP, IRC etc.).
· Examination of /proc/sys/net settings for possibly dangerous system configurations.
· Setup of Linux runtime parameters.
· Run user-defined commands before and after applying the firewall.
· Syslog scanning, giving more human readable output based on setup.
· Handling of dynamic IPs (DHCP).
· Interfaces with multiple IP addresses.
· Allow/drop and/or reject packets hitting the firewall from the zone.
· Restrict the type of packets originating from the firewall itself.
· Restrict packets coming from other zones.
· Ban IPs within the zone.
· Ban MAC addresses within the zone.
· Watch traffic from a specific IP.
· Limit the number of specific packets, e.g. to mitigate DoS attacks.
· Port forwarding, changing the destination IP and port, allowing e.g. a transparent proxy.
· Traffic Shaping per interface.
· Ulogd logging support.
· Packet marking, for e.g. advanced routing.
· Definition of IP aliases, to ease maintenance and improve readability of configuration files.
Requirements:
· Linux kernel >= 2.4.4 with all iptables options enabled, either compiled in or as modules.
· Bash >= 2.04 - The variable expansion in bash is heavily used.
· iptables >= 1.2.6a.
What's New in This Release:
· This release adds HFSC-based traffic shaping, which is optimized for VoIP setups.
· A problem where DHCP requests were getting dropped by the firewall has been fixed, as well as ACCEPT_LOG, which was not accepting packets correctly.