fwb_ipf man page on DragonFly

fwb_ipf(1)		       Firewall Builder			    fwb_ipf(1)

NAME
       fwb_ipf - Policy compiler for ipfilter

SYNOPSIS
       fwb_ipf [-vVx] [-d wdir] [-o output.fw] [-i] -f data_file.xml
       object_name

DESCRIPTION
       fwb_ipf is a firewall policy compiler component of Firewall Builder
       (see fwbuilder(1)). This compiler generates code for ipfilter. The
       compiler reads object definitions and the firewall description from
       the data file specified with the "-f" option and generates ipfilter
       configuration files and a firewall activation script.

       All generated files have names that start with the name of the firewall
       object. The firewall activation script has the extension ".fw" and is a
       simple shell script that flushes the current policy, loads the new
       filter and NAT rules, and then activates ipfilter. The IPFilter
       configuration file name starts with the name of the firewall object,
       plus "-ipf.conf". The NAT configuration file name also starts with the
       name of the firewall object, plus "-nat.conf". For example, if the
       firewall object is named "myfirewall", the compiler creates three
       files: "myfirewall.fw", "myfirewall-ipf.conf", and
       "myfirewall-nat.conf".

       The data file and the name of the firewall object must be specified on
       the command line. Other command line parameters are optional.

OPTIONS
       -f FILE
	      Specify the name of the data file to be processed.

       -o output.fw
              Specify the output file name.

       -d wdir
              Specify the working directory. The compiler creates the firewall
              activation script and ipfilter configuration files in this
              directory. If this parameter is missing, all files are placed in
              the current working directory.

       -v     Be verbose: compiler prints diagnostic messages when it works.

       -V     Print version number and quit.

       -i     When this option is present, the last argument on the command
              line is treated as the firewall object ID rather than its name.

       -x     Generate debugging information while working. This option is
              intended for debugging only and may produce lots of cryptic
              messages.

NOTES
       Support for ipf returned in version 1.0.1 of Firewall Builder.

       Supported features:

       o      both ipf.conf and nat.conf files are generated

       o      negation in policy rules

       o      stateful inspection in an individual rule can be turned off in
              the rule options dialog. By default the compiler adds "keep
              state" or "modulate state" to each rule with action 'pass'

       o      the rule options dialog provides a choice of icmp or tcp rst
              replies for rules with action "Reject"

       o      the compiler adds the flag "allow-opts" if a match on ip options
              is needed

       o      the compiler can generate rules matching on TCP flags

       o      the compiler can generate a script adding ip aliases for NAT
              rules using addresses that do not belong to any interface of the
              firewall

       o      the compiler always adds the rule "block quick all" at the very
              bottom of the script to ensure a "block all by default" policy
              even if the policy is empty.

       o      address ranges in both policy and NAT

       Features that are not supported (yet):

       o      negation in NAT

       o      custom services

       Features that won't be supported (at least not anytime soon):

       o      policy routing
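
       The following is an added example, not part of the original man page or
       of Firewall Builder: a pre-deployment audit of the files described
       above. Function names are hypothetical, and the script assumes the
       catch-all rule sits at the end of the "-ipf.conf" file and may carry a
       direction keyword or spell "all" as "from any to any".

```shell
#!/bin/sh
# Added example (not Firewall Builder code): audit fwb_ipf output before
# loading it. Typical use after compiling into a staging directory, e.g.
#   fwb_ipf -d /tmp/stage -f data_file.xml myfirewall
#   sh audit.sh /tmp/stage myfirewall

# Print rules only: drop comments and blank lines, squeeze whitespace.
effective_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Succeed if the last rule is the catch-all block. Assumption: the rule may
# carry a direction keyword and may spell "all" as "from any to any".
has_default_deny() {
    effective_rules "$1" | tail -n 1 |
        grep -Eq '^block( (in|out))? quick (all|from any to any)$'
}

# Print pass rules without state tracking (stateful inspection turned off).
stateless_pass_rules() {
    effective_rules "$1" | grep -E '^pass ' |
        grep -Ev 'keep state|modulate state' || true
}

# audit_fwb_ipf WDIR FWNAME: return 0 only if all three generated files
# exist and the filter file ends in the default-deny rule. Stateless pass
# rules are reported on stderr for review but do not fail the audit.
audit_fwb_ipf() {
    wdir=$1; fw=$2; rc=0
    for f in "$fw.fw" "$fw-ipf.conf" "$fw-nat.conf"; do
        [ -f "$wdir/$f" ] || { echo "missing: $wdir/$f" >&2; rc=1; }
    done
    if [ -f "$wdir/$fw-ipf.conf" ]; then
        has_default_deny "$wdir/$fw-ipf.conf" ||
            { echo "no trailing block rule in $fw-ipf.conf" >&2; rc=1; }
        stateless_pass_rules "$wdir/$fw-ipf.conf" | sed 's/^/stateless: /' >&2
    fi
    return $rc
}

# Run as a script when given WDIR and FWNAME.
if [ "$#" -eq 2 ]; then audit_fwb_ipf "$1" "$2" || exit 1; fi
```

       A non-zero return means the staged files should not be installed until
       the missing file or missing trailing block rule is explained.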

URL
       The Firewall Builder home page is located at the following URL:
       http://www.fwbuilder.org/

BUGS
       Please report bugs using the bug tracking system on SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO
       fwbuilder(1), fwb_ipt(1), fwb_pf(1)

FWB								    fwb_ipf(1)