fwb_ipf(1) Firewall Builder fwb_ipf(1) NNAAMMEE fwb_ipf - Policy compiler for ipfilter SSYYNNOOPPSSIISS ffwwbb__iippff [[--vvVVxx]] [[--dd wwddiirr]] --ff ddaattaa__ffiillee..xxmmll object_name DDEESSCCRRIIPPTTIIOONN ffwwbb__iippff is a firewall policy compiler component of Fire wall Builder (see fwbuilder(1)). This compiler generates code for ipfilter. Compiler reads objects definitions and firewall description from the data file specified with "-f" option and generates ipfilter configuration files and firewall activation script. All generated files have names that start with the name of the firewall object. Firewall activation script has exten sion ".fw" and is simple shell script that flushes current policy, loads new filter and nat rules and then activates ipfilter. IPFilter configuration file name starts with the name of the firewall object, plus "-ipf.conf". NAT configuration file name also starts with the name of the firewall object, plus "-nat.conf". For example, if fire wall object has name "myfirewall", then compiler will cre ate three files: "myfirewall.fw", "myfirewall-pf.conf", "myfirewall-nat.conf". The data file and the name of the firewall objects must be specified on the command line. Other command line parame ters are optional. OOPPTTIIOONNSS -f FILE Specify the name of the data file to be processed. -d wdir Specify working directory. Compiler creates firewall activation script and ipfilter configura tion files in this directory. If this parameter is missing, then all files will be placed in the cur rent working directory. -v Be verbose: compiler prints diagnostic messages when it works. -V Print version number and quit. -x Generate debugging information while working. This option is intended for debugging only and may pro duce lots of cryptic messages. NNOOTTEESS Support for ipf returned in version 1.0.1 of Firewall Builder Supported features: o both ipf.conf and nat.conf files are generated o negation in policy rules o stateful inspection in individual rule can be turned off in rule options dialog. By default com piler adds "keep state" or "modulate state" to each rule with action 'pass' o rule options dialog provides a choice of icmp or tcp rst replies for rules with action "Reject" o compiler adds flag "allow-opts" if match on ip options is needed o compiler can generate rules matching on TCP flags o compiler can generate script adding ip aliases for NAT rules using addresses that do not belong to any interface of the firewall o compiler always adds rule "block quick all" at the very bottom of the script to ensure "block all by default" policy even if the policy is empty. o Address ranges in both policy and NAT Features that are not supported (yet) o negation in NAT o custom services Features that won't be supported (at least not anytime soon) o policy routing UURRLL Firewall Builder home page is located at the following URL: hhttttpp::////wwwwww..ffwwbbuuiillddeerr..oorrgg// BBUUGGSS Please report bugs using bug tracking system on Source Forge: hhttttpp::////ssoouurrcceeffoorrggee..nneett//ttrraacckkeerr//??ggrroouupp__iidd==55331144&&aattiidd==110055331144 SSEEEE AALLSSOO ffwwbbuuiillddeerr((11)),, ffwwbb__iipptt((11)),, ffwwbb__ppff((11)) FWB fwb_ipf(1)