fwb_ipf(1) Firewall Builder fwb_ipf(1)
NNAAMMEE
fwb_ipf - Policy compiler for ipfilter
SSYYNNOOPPSSIISS
ffwwbb__iippff [[--vvVVxx]] [[--dd wwddiirr]] --ff ddaattaa__ffiillee..xxmmll object_name
DDEESSCCRRIIPPTTIIOONN
ffwwbb__iippff is a firewall policy compiler component of Fire
wall Builder (see fwbuilder(1)). This compiler generates
code for ipfilter. Compiler reads objects definitions and
firewall description from the data file specified with
"-f" option and generates ipfilter configuration files and
firewall activation script.
All generated files have names that start with the name of
the firewall object. Firewall activation script has exten
sion ".fw" and is simple shell script that flushes current
policy, loads new filter and nat rules and then activates
ipfilter. IPFilter configuration file name starts with
the name of the firewall object, plus "-ipf.conf". NAT
configuration file name also starts with the name of the
firewall object, plus "-nat.conf". For example, if fire
wall object has name "myfirewall", then compiler will cre
ate three files: "myfirewall.fw", "myfirewall-pf.conf",
"myfirewall-nat.conf".
The data file and the name of the firewall objects must be
specified on the command line. Other command line parame
ters are optional.
OOPPTTIIOONNSS
-f FILE
Specify the name of the data file to be processed.
-d wdir
Specify working directory. Compiler creates
firewall activation script and ipfilter configura
tion files in this directory. If this parameter is
missing, then all files will be placed in the cur
rent working directory.
-v Be verbose: compiler prints diagnostic messages
when it works.
-V Print version number and quit.
-x Generate debugging information while working. This
option is intended for debugging only and may pro
duce lots of cryptic messages.
NNOOTTEESS
Support for ipf returned in version 1.0.1 of Firewall
Builder
Supported features:
o both ipf.conf and nat.conf files are generated
o negation in policy rules
o stateful inspection in individual rule can be
turned off in rule options dialog. By default com
piler adds "keep state" or "modulate state" to each
rule with action 'pass'
o rule options dialog provides a choice of icmp or
tcp rst replies for rules with action "Reject"
o compiler adds flag "allow-opts" if match on ip
options is needed
o compiler can generate rules matching on TCP flags
o compiler can generate script adding ip aliases for
NAT rules using addresses that do not belong to any
interface of the firewall
o compiler always adds rule "block quick all" at the
very bottom of the script to ensure "block all by
default" policy even if the policy is empty.
o Address ranges in both policy and NAT
Features that are not supported (yet)
o negation in NAT
o custom services
Features that won't be supported (at least not anytime
soon)
o policy routing
UURRLL
Firewall Builder home page is located at the following
URL: hhttttpp::////wwwwww..ffwwbbuuiillddeerr..oorrgg//
BBUUGGSS
Please report bugs using bug tracking system on Source
Forge:
hhttttpp::////ssoouurrcceeffoorrggee..nneett//ttrraacckkeerr//??ggrroouupp__iidd==55331144&&aattiidd==110055331144
SSEEEE AALLSSOO
ffwwbbuuiillddeerr((11)),, ffwwbb__iipptt((11)),, ffwwbb__ppff((11))
FWB fwb_ipf(1)
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
b8f881c2f8c6a4ed7ffcdb5cbad96565
>
files
>
19
