IPFIREwall


IPFIRE startup.

IPFIREwall can be started from any command line prompt. When launched, IPFIRE reads a configuration file named options, located in the IPFIRE subdirectory of the user's home folder. The default configuration options reside there and are applied unless overridden by command line directives. A list of argument options follows:

Unprivileged user options.

-dns INTEGER
Enables blacksite rules. The user can add a line to the file named blacksites, located in the IPFIRE directory, giving the name of an Internet site, and the firewall will block any connection towards that node. For this to work, outgoing UDP connections towards the dns service (port 53) must be enabled. See rule fields explanation or rule adding for further information. From version 0.98.4 on, the blocked sites can be managed through an interactive menu, called by pressing Control+B on the main menu. This option must be followed by an integer number of seconds indicating the refresh time of name resolving. Every INTEGER seconds the resolver wakes up, reloads the blacklist rules into the kernel and also rewrites the blacklist configuration file. A reasonable interval is a few hours; the default is 4 hours if none is indicated. Sites whose name-to-IP mapping changes rapidly will require a shorter refresh interval. Try this function out and discover the optimal setting for your environment.
A typical line in the blacksites file might be:
www.badsite.com
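As an added illustration of the -dns refresh cycle described above (example code, not part of IPFIREwall), the following Python models how a blacksites file is re-resolved at every wake-up and what a change of a site's address between two refreshes means for the rule set. The '#' comment syntax, the deny-rule format and the injected resolver are assumptions of this example; the real program's files and rule syntax are not modelled.

```python
import socket
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str], Set[str]]  # host name -> IPv4 addresses it currently maps to

def parse_blacksites(text: str) -> List[str]:
    """Host names from a blacksites-style file, one per line.
    Blank lines and '#' comments are skipped (an assumption of this example)."""
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.append(line.lower())
    return names

def system_resolver(name: str) -> Set[str]:
    """Live lookup; needs outbound UDP/53 permitted, as the -dns option requires."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()  # an unresolvable name contributes no addresses this cycle

def refresh_blacklist(names: List[str], resolver: Resolver) -> Dict[str, Set[str]]:
    """One resolver wake-up: re-resolve every blacklisted name."""
    return {name: resolver(name) for name in names}

def blacklist_rules(mapping: Dict[str, Set[str]]) -> List[str]:
    """Deny lines, one per address, in stable order (rule syntax is illustrative)."""
    return [f"deny {ip}  # {name}" for name in sorted(mapping) for ip in sorted(mapping[name])]

def refresh_gap(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """(stale, exposed): addresses still denied although the name left them, and
    addresses the name moved to, which were reachable for the whole previous interval."""
    old_ips, new_ips = set().union(*old.values()), set().union(*new.values())
    return old_ips - new_ips, new_ips - old_ips

# Constructed sample: a blacksites file and two successive DNS snapshots (not real data).
SAMPLE_BLACKSITES = "# never reach these\nwww.badsite.com\nads.example.net  # trailing comment\n"
SNAPSHOT_1 = {"www.badsite.com": {"198.51.100.10"}, "ads.example.net": {"203.0.113.5", "203.0.113.6"}}
SNAPSHOT_2 = {"www.badsite.com": {"198.51.100.77"}, "ads.example.net": {"203.0.113.5", "203.0.113.6"}}

def demo() -> Tuple[Set[str], Set[str]]:
    """Two refresh cycles against the snapshots: www.badsite.com moved between them."""
    names = parse_blacksites(SAMPLE_BLACKSITES)
    first = refresh_blacklist(names, lambda n: SNAPSHOT_1.get(n, set()))
    second = refresh_blacklist(names, lambda n: SNAPSHOT_2.get(n, set()))
    return refresh_gap(first, second)
```

The exposed set is what a long refresh interval costs you: a site that moved to a new address is reachable until the next wake-up, which is why the text recommends a shorter interval for such sites.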

-nodns
Disables dns resolution and so updating of blacklisted sites.

-log INTEGER
Indicates the logging level of the user interface. INTEGER must be in the range 0 to 7. If the log level is below 6, translation operations are not shown in the user interface; below 5, only implicit responses and denial verdicts are logged; below 3, only the implicit responses are logged by the firewall. Rather than acting on this parameter, the administrator should act on the loguser parameter, which configures the level of kernel-to-user communication.

-allowed alternative_namefile
Specify an alternative file from which the permission rules are read. Rules will also be saved to this file.

-blacklist namefile
Specify an alternate file for denial rules database.

-blacksites namefile
Specify an alternate file to look for the list of blocked Internet sites.

-translation namefile
Specify an alternate file to look for the list of translation rules. Only root can apply translation rules.

-quiet
The user interface will not print on the console any information received from kernel space. That information is still sent over the netlink socket.

daemon or -daemon
Detach the userspace firewall interface from the local console and run in background, continuing to print output to the terminal.

quiet_daemon or -quiet_daemon
Detach the userspace firewall interface from the local console and run in background, no longer printing output to the terminal.

-services
Port numbers are resolved to the name of the corresponding service. Services are read by getservbyname() from the system file /etc/hosts and dynamically loaded into memory. In this way, all calls to the resolving function look up an in-memory vector rather than the file, assuring high performance in the resolving process. As a result, you will read on the console the name of the service, e.g. www instead of the port number (80).

-noservices
Leaves the information about ports in its numeric form.

-lang filename
IPFIREwall supports multiple languages. The translation file must be located inside the IPFIRE subdirectory of each user's home, in the folder languages.
The only translation currently available is the Italian one. Have a look at the file it in the IPFIRE/languages directory to see how it is written and how easy it is to write a language file. The first part of each line contains the exact English phrase. The translation follows, separated by a single = character.
If you want to write a translation for IPFIREwall in your language, make sure not to change the English part preceding the =, and write the language-specific part as you like. Then contact the author to have the language officially included in the distribution. We underline once again that filename must be the exact name of the file containing the english_line=otherlanguage_line pairs, located in the home directory under IPFIRE/languages.

Administrative options.

-noflush
This option tells the firewall not to delete rules from its lists when the user interface exits. This is useful for loading the firewall at startup with the administrator's rules and then leaving users free to apply their own policies and watch network traffic. Normal users' rules will be appended to the kernel lists already loaded at startup and deleted when the interface goes off. Note that IPFIRE was designed to run on a Linux desktop environment, so only one user interface can be loaded at a time.

flush or -flush
Starts up the user interface only in order to remove rules previously loaded. This happens when the system goes down or when root decides to stop the firewall.

-kloglevel INT
Sets the kernel log level for system logging (i.e. syslog, or messages). It is not used for now, so leave it alone. In any case, INT can be between 0 and 7 (3 bits).

-loguser INT
This is an important setting: it controls the logging level of the messages going from the kernel to the userspace firewall interface. If every packet were logged, the kernel would send a lot of packets up to userspace in a short time, overloading the IPFIREwall interface and, as a consequence, the whole system. The best setting is 1: it is called smart logging and, with it, only packets that have not already been sent to userspace reach the interface console and are displayed. In detail:
INT = 0 means no packet will be sent to user (no logging, fast).
INT = 1 means smartlog: only new packets are sent.
INT >= 2: implicit responses are sent.
INT >= 4: negative verdicts are sent.
INT >= 5: positive and negative responses are sent.
INT >= 6: all packets and information are sent to user.
Remember that only the values 1 and 6 have been tested.
See here for further implications about logging.

-logfile namefile
Log to the file namefile instead of the default given in the options file.

-clearlog
The log file will be cleared before any new information is written.

-allstate
All rules in the firewall will be treated as stateful ones, regardless of the fact they have the field state set or not.

-user
This option allows unprivileged users to insert their own rules into the kernel firewall. It is usually combined with the load flag.

-nouser
This option explicitly disallows unprivileged users to insert their own rules into the kernel firewall.

load or -load
This flag causes the interface to load the rules into the firewall and then exit immediately. It is useful to start up the firewall and then leave users the chance to add their own rules. For this to work, the user option must be set in the configuration file or explicitly specified on the command line.

rc or -rc
This flag is the same as load, but only a little information is printed at startup. If you don't want too much information displayed on the terminal at load time, such as when you launch ipfire-wall from an rc script during the system boot process, specify the keyword rc instead of load.

-rmmod
When the user interface exits, it unloads the kernel module. This is useful at shutdown time, when the system is restored to its state before the firewall was loaded. If the user interface goes off and the module remains loaded in kernel space, the rules will be flushed (unless -noflush was given) and the responses will always be unknown (0) from then on, so the default policy will be applied whenever no matching rule is found. See modifying default policy for details.
NOTE: if you turn off the user interface (as root) and observe that your network no longer works, it is likely that you have closed the IPFIRE-wall user interface leaving the kernel module loaded!
If this happens and you are unhappy with it, you must unload the module from the running kernel:
modprobe -r ipfi
Your networking subsystem will start working again as it did before IPFIREwall was loaded.


Note that command line options can be given with "-" or "/" as the first character. Options concerning the state of the program can be given without a leading "-" or "/", such as load.
Command line options override the default options and directives loaded from the configuration file options.

