fwb_ipf(1) Firewall Builder fwb_ipf(1)


fwb_ipf - Policy compiler for ipfilter

fwb_ipf [-vVx] [-d wdir] [-o output.fw] [-i] -f data_file.xml object_name
11
12
fwb_ipf is a firewall policy compiler component of Firewall Builder
(see fwbuilder(1)). This compiler generates code for ipfilter. The
compiler reads object definitions and the firewall description from
the data file specified with the "-f" option and generates ipfilter
configuration files and a firewall activation script.

All generated files have names that start with the name of the firewall
object. The firewall activation script has the extension ".fw" and is a
simple shell script that flushes the current policy, loads the new
filter and NAT rules and then activates ipfilter. The ipfilter
configuration file name starts with the name of the firewall object,
plus "-ipf.conf". The NAT configuration file name also starts with the
name of the firewall object, plus "-nat.conf". For example, if the
firewall object has the name "myfirewall", then the compiler will create
three files: "myfirewall.fw", "myfirewall-ipf.conf" and
"myfirewall-nat.conf".

The data file and the name of the firewall object must be specified on
the command line. Other command line parameters are optional.
32
33
34
-f FILE
       Specify the name of the data file to be processed.

-o output.fw
       Specify the output file name.

-d wdir
       Specify the working directory. The compiler creates the firewall
       activation script and ipfilter configuration files in this
       directory. If this parameter is missing, then all files will be
       placed in the current working directory.

-v     Be verbose: the compiler prints diagnostic messages while it works.

-V     Print the version number and quit.

-i     When this option is present, the last argument on the command
       line is taken to be the firewall object ID rather than its name.

-x     Generate debugging information while working. This option is
       intended for debugging only and may produce lots of cryptic
       messages.
64
65
Support for ipf returned in version 1.0.1 of Firewall Builder.

Supported features:

o both ipf.conf and nat.conf files are generated

o negation in policy rules

o stateful inspection in an individual rule can be turned off in the
  rule options dialog. By default the compiler adds "keep state" or
  "modulate state" to each rule with action 'pass'

o the rule options dialog provides a choice of icmp or tcp rst replies
  for rules with action "Reject"

o the compiler adds the flag "allow-opts" if a match on ip options is
  needed

o the compiler can generate rules matching on TCP flags

o the compiler can generate a script adding ip aliases for NAT rules
  using addresses that do not belong to any interface of the firewall

o the compiler always adds the rule "block quick all" at the very bottom
  of the script to ensure a "block all by default" policy even if the
  policy is empty.

o address ranges in both policy and NAT
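The following is an added example, not part of Firewall Builder or this man page: a small POSIX shell script that checks a generated <firewall>-ipf.conf for two of the properties described above, that every "pass" rule carries "keep state" or "modulate state" and that the file ends with the default-deny "block quick all". The embedded sample configuration is constructed, and its per-rule comment lines are an assumption about layout rather than real fwb_ipf output; rules whose stateful inspection was deliberately turned off in the rule options dialog will be listed by the first check so they can be reviewed.

```shell
#!/bin/sh
# Added example, not part of Firewall Builder: sanity-check a generated
# <firewall>-ipf.conf against two properties fwb_ipf documents for its
# output: every "pass" rule carries "keep state" or "modulate state"
# (unless stateful inspection was turned off for that rule), and the
# last rule is the default-deny "block quick all".

# Constructed sample in ipfilter syntax; the comment lines stand in for
# per-rule headers a compiler might emit. Not real fwb_ipf output.
SAMPLE_IPF_CONF='# Rule 0 (eth0)
pass in quick on eth0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state
# Rule 1 (eth0)
block return-rst in quick on eth0 proto tcp from any to 192.0.2.10 port = 23
# Rule 2 (eth0)
pass out quick on eth0 from 192.0.2.0/24 to any keep state
# Rule 3 (global)
block quick all
'

# Print every "pass" rule that lacks state tracking; succeed only if none.
stateless_pass_rules() {
    offenders=$(printf '%s' "$1" | grep -E '^pass ' \
        | grep -Ev 'keep state|modulate state' || true)
    [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# Succeed only if the last non-blank, non-comment line is the default deny.
ends_with_default_deny() {
    last=$(printf '%s' "$1" | grep -Ev '^[[:space:]]*(#|$)' | tail -n 1 || true)
    [ "$last" = "block quick all" ]
}

# Run both checks on a configuration passed as a string; 0 means clean.
check_ipf_conf() {
    rc=0
    stateless_pass_rules "$1" || { echo "pass rule(s) without state tracking"; rc=1; }
    ends_with_default_deny "$1" || { echo "missing final 'block quick all'"; rc=1; }
    return "$rc"
}

# On real compiler output: check_ipf_conf "$(cat myfirewall-ipf.conf)"
check_ipf_conf "$SAMPLE_IPF_CONF" && echo "sample passes both checks"
```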

Features that are not supported (yet):

o negation in NAT

o custom services

Features that won't be supported (at least not anytime soon):

o policy routing

127
Firewall Builder home page is located at the following URL:
http://www.fwbuilder.org/


Please report bugs using the bug tracking system on SourceForge:

http://sourceforge.net/tracker/?group_id=5314&atid=105314


fwbuilder(1), fwb_ipt(1), fwb_pf(1)


FWB fwb_ipf(1)