File: ferm.1

package info (click to toggle)
ferm 1.1-1
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 308 kB
  • ctags: 173
  • sloc: perl: 1,111; makefile: 66
file content (1285 lines) | stat: -rw-r--r-- 41,821 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  | will give a
.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "FERM 1"
.TH FERM 1 "2003-05-07" "ferm 1.1" "FIREWALL RULES MADE EASY"
.SH "NAME"
\&\fBferm\fR \- a firewall rule parser for linux
.SH "SYNOPSYS"
.IX Header "SYNOPSYS"
\&\fBferm\fR \fIoptions\fR \fIinputfiles\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBferm\fR compiles ready to go firewall-rules from a structured
rule\-setup. These rules will be executed by the preferred kernel
interface, such as \fIipchains\fR\|(8) and \fIiptables\fR\|(8).
.PP
Besides just executing all rules in one command, the obvious gain
is the possibility to provide a structured description of a
firewall. No need anymore for tedious typing all firewalls into
custom scripts, you can now write logically and coherent rules
using a C\-style nesting structure, and let \fBferm\fR create all
rules for you.
.PP
\&\fBferm\fR will also aid in modularizing firewalls, because it
creates the possibility to split up the firewall into several
different files, which can be reloaded at will, so you can
dynamically adjust your rules.
.PP
\&\fBferm\fR, pronounced \*(L"firm\*(R", stands for \*(L"For Easy Rule Making\*(R".
.SH "STRUCTURE OF A FIREWALL FILE"
.IX Header "STRUCTURE OF A FIREWALL FILE"
The structure of a proper firewall file looks like  simplified
C\-code. Only a few syntactic characters are used in ferm\-
configuration files. Besides these special caracters, ferm
uses 'keys' and 'values', think of them as options and
parameters, or as variables and values, whatever.
.PP
With these words, you define the characteristics of your firewall.
Every firewall consists of two things: First, look if network
traffic matches certain conditions, and second, what to do
with that traffic.
.PP
You may specify conditions that are valid for the kernel
interface program you are using, probably \fIiptables\fR\|(8). For
instance, in iptables, when you are trying to match tcp
packets, you would say:
.PP
.Vb 1
\&    iptables --protocol tcp
.Ve
.PP
In ferm, this will become:
.PP
.Vb 1
\&    protocol tcp;
.Ve
.PP
Just typing this in ferm doesn't do anything, you need to tell
ferm (actually, you need to tell \fIiptables\fR\|(8) and the kernel) what
to do with any traffic that matches this condition:
.PP
.Vb 1
\&    iptables --protocol tcp -j ACCEPT
.Ve
.PP
Or, translated to \fBferm\fR:
.PP
.Vb 1
\&    protocol tcp accept;
.Ve
.PP
Noticed the \fB;\fR character? We're getting to that now, because there
are some special characters in \fBferm\fR that make life easy.
.PP
Here's a list of the special characters:
.IP "\fB;\fR" 8
.IX Item ";"
The effectuation character. This character defines the end of
a rule. Anything defined before this character will be put
into one or more rules.
.Sp
This character *makes* the rule. It gathers all the information, all
parameters and targets, special things or whatever, that currently
is 'valid', and tries to make a decent rule out of it. \fBferm\fR will
do nothing without this character!
.Sp
Example:
.Sp
.Vb 1
\&    proto tcp ACCEPT;
.Ve
.Sp
THis example shows a single rule, defined by two keys and one
value.
.IP "\fB{}\fR" 8
.IX Item "{}"
The nesting symbol defines a 'block' of rules.
.Sp
Anything defined before this block will
still be available within all rules inside this block. You can
nest blocks in blocks as far as you like. For every rule
defined in this block the values defined before this block
will apply. Usually you would define an often used parameter
as the protocol in front of this block, and anything special
inside it.
.Sp
You can put as many rules (using the <;> character) as you 
like insode this block. but there should always be one or
more, although you will get away with none. Not very
usefull except for when you frequently edit you config
file, and might want to leave a chain empty.
.Sp
Since the nesting block is left associative, it cannot be bound
to keys defined after the block.
.Sp
Example:
.Sp
.Vb 4
\&    chain INPUT proto tcp {
\&        syn DENY;
\&        ACCEPT;
\&    }
.Ve
.Sp
This block shows two rules inside a block, which will both be merged
with anything in front of it, so you will get two rules:
.Sp
.Vb 2
\&    iptables -A INPUT -p tcp -y -j DENY
\&    iptables -A INPUT -p tcp -j ACCEPT
.Ve
.IP "\fB%\fR" 8
.IX Item "%"
Further more, ferm now supports variables, so you can define your
favorite targets, interfaces etc. before you use them. It works
like this:
.Sp
.Vb 3
\&    set IF eth0
\&    set %IF ACCEPT
\&    set TARGET %IF
.Ve
.Sp
will result in this:
.Sp
.Vb 3
\&    %IF = eth0
\&    %eth0 = ACCEPT
\&    %TARGET = eth0
.Ve
.Sp
If you want to put multiple arguments into a variable, you should do
it like this:
.Sp
.Vb 1
\&    %IFS = "eth0,eth1,ppp0"
.Ve
.Sp
This way, ferm will recognize it being a list of values, and split it
whenever needed. If you use spaces, ferm won't recognize it and think
its just a value with spaces. The comma tells ferm to split it up
when needed.
.IP "\fB()\fR" 8
.IX Item "()"
The array symbol. Using the parentheses, you can define
a 'list' of values that should be applied for the key to the
left of it.
.Sp
Example:
.Sp
.Vb 1
\&    proto ( tcp udp icmp )
.Ve
.Sp
this will result in three rules:
.Sp
.Vb 3
\&    ... -p tcp ...
\&    ... -p udp ...
\&    ... -p icmp ...
.Ve
.Sp
Only values can be 'listed', so you cannot do something like this:
.Sp
.Vb 1
\&    proto tcp ( ACCEPT LOG );
.Ve
.Sp
but you can do this:
.Sp
.Vb 1
\&    chain (INPUT OUTPUT FORWARD) proto (icmp,udp,tcp) DENY;
.Ve
.Sp
(which will result in nine rules!)
.Sp
Values can be separated either by spaces or commas. The
array symbol is both left\- and right\-associative, in contrast
with the nesting block, which is left-associative only.
.ie n .IP """ # """ 8
.el .IP "\f(CW # \fR" 8
.IX Item " # "
The comment symbol. Anything that follows this symbol up to
the end of line is ignored.
.PP
These symbols glue all the keywords into a structure, which
allows you to specify some keys only a few times, and let them
apply to any key/value pairs defined within an entire block, for
instance:
.PP
.Vb 5
\&    proto tcp {
\&        dport 22 ACCEPT;
\&        syn DPORT 0:1023 DENY;
\&        }
\&    ACCEPT;
.Ve
.PP
Now here, the 'proto tcp' is valid within the block, but not anymore
after is, resulting in:
.PP
.Vb 3
\&    ... -p tcp --dport 22 -j accept
\&    ... -p tcp -y --dport 0:1023 -j deny
\&    ... -j accept # note '-p tcp' is not in here!
.Ve
.PP
\&\fBSome important notes:\fR
.PP
\&\- Ferm inserts the rules 'chronologically', so the first rule will
be inserted before the second one.
.PP
\&\- Anything defined within a block is no longer valid when that block
ends.
.PP
\&\- Everything defined within the current block that is 'effectuated',
will be no longer defined immediately after that point.
.PP
\&\- Everything defined before a block is undefined when this block 
closes.
.PP
If you do not understand this, don't worry, it alle becomes clear
by itself.
.PP
Two types of keys exist:
.Sh "Firewall keys"
.IX Subsection "Firewall keys"
.RS 8
Firewall keys define a set of firewall packet matching
criteria that is supported by the kernel backend. They
look like 'name value' pairs or like 'switch'. For
instance:
.Sp
.Vb 1
\&    proto tcp
.Ve
.Sp
or:
.Sp
.Vb 1
\&    syn
.Ve
.Sp
A 'name value' pair lets you fill in a value for a certain
condition you would like to match packets against, switches
are like on/off light switches on the wall, if you specify
a switch, you turn paket matching for whatever the switch
stands, on. In the latter example, you turn SYN-packet
matching on for this rule.
.Sp
Both types can optionally be preceded by a \fB!\fR. This will
be handled that you don't want something to be matching
it:
.Sp
.Vb 1
\&    !syn
.Ve
.Sp
or:
.Sp
.Vb 1
\&    ! syn
.Ve
.Sp
Means you want packets which *don't* have the syn-flag set to
be matched. Or even:
.Sp
.Vb 1
\&    proto ! tcp
.Ve
.Sp
Means you want to match *anything but* packets from the tcp
protocol.
.Sp
Read \fIiptables\fR\|(8) or \fIipchains\fR\|(8) to see where the \fB!\fR can be used.
.Sh "Option keys"
.IX Subsection "Option keys"
Using \fBoption\fR keys alter the behaviour of \fBferm\fR; they
can be used to e.g. clear chains before use, or turn off certain
sanity checks.
.Sp
Example:
.Sp
.Vb 1
\&  option verbose
.Ve
.Sp
This option makes \fBferm\fR show a lot of information about what
it is doing.
.RE
.PP
The syntax is very simple, let's start with a simple
example:
.PP
.Vb 3
\&    chain input {
\&        proto tcp ACCEPT;
\&    }
.Ve
.PP
This will add a rule to the predefined input chain, matching
and accepting all tcp packets.  Ok, let's make it more complicated:
.PP
.Vb 3
\&    chain (input,output) {
\&        proto (udp,tcp) ACCEPT;
\&    }
.Ve
.PP
This will insert 4 rules, namely 2 in chain input, and 2 in
chain output, matching and accepting both udp and tcp packets.
Normally you would type this for \fIipchains\fR\|(8):
.PP
.Vb 4
\&   ipchains -A input -p tcp ACCEPT
\&   ipchains -A output -p tcp ACCEPT
\&   ipchains -A input -p udp ACCEPT
\&   ipchains -A output -p udp ACCEPT
.Ve
.PP
Note how much less typing we need to do? :\-)
.PP
Basically, this is all there is to it, although you can
make it quite more complex. Something to look at:
.PP
.Vb 4
\&   chain input policy ACCEPT {
\&       destination 10/8 port ! ftp goto mychain sport :1023 tos 4 settos 8 mark 2;
\&       destination 10/8 port ftp DENY;
\&   }
.Ve
.PP
My point here is, that *you* need to make nice rules, keep
them readable to you and others, and not make it into a mess.
.PP
It would aid the reader if the resulting firewall rules were placed here for
reference. Also, you could include the nested version with better
readability.
.PP
Try using comments to show what you are doing:
.PP
.Vb 3
\&    # this line enables transparent http-proxying for the internal network:
\&    proto tcp if eth0 daddr ! 192.168.0.0/255.255.255.0
\&        dport http REDIRECT 3128;
.Ve
.PP
You will be thankfull for it later!
.PP
.Vb 5
\&    chain input policy ACCEPT {
\&        interface (eth0,ppp0) {
\&            # deny access to notorius hackers, return here if
\&            # no match was found to resume normal firewalling
\&            goto badguys;
.Ve
.PP
.Vb 4
\&            protocol tcp goto fw_tcp;
\&            protocol udp goto fw_udp;
\&        }
\&    }
.Ve
.PP
The more you nest, the better it looks. Make sure the order you
specify is correct, you would not want to do this:
.PP
.Vb 4
\&    chain forward {
\&        proto ! udp DENY;
\&        proto tcp dport ftp ACCEPT;
\&    }
.Ve
.PP
because the second rule will never match. Best way is to specify
first everyting that is allowed, and then deny everything else.
Look at the examples for more good snapshots. Most people do
something like this:
.PP
.Vb 7
\&    proto tcp {
\&        dport (
\&            ssh http ftp
\&        ) ACCEPT;
\&        dport 1024:65535 ! syn ACCEPT;
\&        DROP;
\&    }
.Ve
.Sh "keywords"
.IX Subsection "keywords"
To make life easy, \fBferm\fR allows you to use shorthands for
most keywords. A list of shorthand notations is available at the end
of this section.
.PP
What kind of value you provide for a keyword depends on the 
keyword entirely, e.g. 'protocol' expects 'tcp', 'udp' or 'icmp',
\&'log\-prefix' expects a value like '\*(L"whoops, someone rang the
doorbell\*(R"' and 'destination\-port' can accept values like 'http',
\&'80' or '0:1023'. Take a look at the kernel backend program
manual for possible values and how they look like.
.PP
Note you may put a value in single quotes or double quotes,
if this may be required because a value contains spaces:
.PP
.Vb 1
\&    log-prefix "Dropped tcp package: "
.Ve
.PP
Please keep in mind that some characters have special meaning,
so it might be wise to refrain from using any other character
then letters and digits and spaces unless you need them and
know what you're doing. Take a look at \fB\s-1VARIABLES\s0\fR and
\&\fB\s-1SHELL\s0 \s-1ESCAPES\s0\fR for more information about that.
.IP "\fBchain [chain\-name]\fR" 8
.IX Item "chain [chain-name]"
Specifies a chain that this rule will be inserted to. this
is a required key for any rule. Chains can be
built in, like \f(CW\*(C`input\*(C'\fR, \f(CW\*(C`output\*(C'\fR or \f(CW\*(C`forward\*(C'\fR, or user-defined
chains.
.IP "\fBinterface [interface\-name]\fR" 8
.IX Item "interface [interface-name]"
Define the interface name, your outside network card, like eth0,
or dialup like ppp1, or whatever device you want to match for
passing packets. It is equivalent to the \f(CW\*(C`\-i\*(C'\fR switch in
\&\fIipchains\fR\|(8) and \fIiptables\fR\|(8).
.IP "\fBouterface [interface\-name]\fR" 8
.IX Item "outerface [interface-name]"
Same as interface, only for matching the outgoing interface
for a packet, as in \fIiptables\fR\|(8). \fIipchains\fR\|(8) hasn't got this
parameter.
.IP "\fBprotocol [protocol\-name|protocol\-number]\fR" 8
.IX Item "protocol [protocol-name|protocol-number]"
Currently supported by the kernel are tcp, udp and icmp, or
their respective numbers.
.IP "\fBport [port\-spec]\fR" 8
.IX Item "port [port-spec]"
Specify a port number, name or range
.IP "\fBaddr [address\-spec]\fR" 8
.IX Item "addr [address-spec]"
Specify a network address, a hostname or ip\-number.
.IP "\fBsource|destination\fR" 8
.IX Item "source|destination"
Specify that the values provided for \fBport\fR and \fBaddr\fR
above should be either \fBsource\fR or <destination> ports
and addresses. This works like a toggle, which can be left on
for the entire configuration file. So, if you say \fBsource\fR once,
all occurences of \fBport\fR will be \fBsource port\fR's, as well as for
addresses.
.IP "\fBsaddr|daddr [address\-spec]\fR" 8
.IX Item "saddr|daddr [address-spec]"
Specify an address specifically for the \fBsource\fR or \fBdestination\fR
side, read it as a shorthand for \fBsource address\fR and \fBdestination
address\fR, although it does not 'toggle' the \fBsource|destination\fR
state, which is remembered.
.IP "\fBsport|dport [port\-spec]\fR" 8
.IX Item "sport|dport [port-spec]"
Specify a port number, name or range for the \fBsource\fR or \fBdestination\fR
side, read it as a shorthand for \fBsource port\fR and \fBdestination
port\fR>, although it does not 'toggle' the \fBsource|destination\fR
state, which is remembered. Ports can be specified for tcp and udp,
as well as icmp, only in that case it means 'icmp\-type' and only
works when you specify the type numerically.
.Sp
Note that you need to specify a protocol, before you can use
ports, that is because not all protocols support the ideas
of ports.
.Sp
Here are some examples of valid addresses:
.Sp
.Vb 3
\&    192.168/8 (identical to the next one:)
\&    192.168.0.0/255.255.255.0
\&    my.domain.com
.Ve
.Sp
And some examples of valid ports/ranges:
.Sp
.Vb 5
\&    80
\&    http
\&    ssh:http
\&    0:1023        which is equivalent to     :1023
\&    1023:65535    which is equivalent to     1023:65535
.Ve
.IP "\fBicmptype [type]\fR" 8
.IX Item "icmptype [type]"
To specify an icmp message type. Can be numbers, but refer
to the manual of the kernel program to retreive a list,
for ipchains use "ipchains \f(CW\*(C`\-h\*(C'\fR icmp". Examples: ping, pong.
.IP "\fBtos [value]\fR" 8
.IX Item "tos [value]"
Matches a packet on the specified TOS\-value. See settos for
values.
.IP "\fBsettos [value]\fR" 8
.IX Item "settos [value]"
Set the tcp package Type Of Service bit to this value.
This will be used by whatever traffic scheduler is willing to,
mostly your own linux\-machine, but maybe more. The original
tos-bits are blanked and overwritten by this value. Possible
values are (look in the shorthands for more, and easier
values) :
.Sp
02 04 08 10
.IP "\fBsetftos [value]\fR" 8
.IX Item "setftos [value]"
Set \s-1TOS\s0 field in packet header to value. This value can be
in decimal (ex: 32) or in hex (ex: 0x20)
.IP "\fBmark [value]\fR" 8
.IX Item "mark [value]"
matches packets based on their mark-value
.IP "\fBsetmark [value]\fR" 8
.IX Item "setmark [value]"
Sets the mark-value for a packet, use with the \s-1MARK\s0 target in iptables
.IP "\fBsyn\fR" 8
.IX Item "syn"
Specify that the \s-1SYN\s0 flag in a tcp package should be matched,
which are used to build new tcp connections. You can identify
incoming connections with this, and decide wether you want
to allow it or not. Packets that do not have this flag are
probably from an already established connection, so it's
considered reasonably safe to let these through.
.IP "\fBfragment\fR" 8
.IX Item "fragment"
Specify that only fragmented \s-1IP\s0 packets should be matched.
When packets are larger that the maximum packet size your
system can handle (called Maximum Transmission Unit or \s-1MTU\s0)
they will be chopped into bits and sent one by one as single
packets. See \fIifconfig\fR\|(8) if you want to find the \s-1MTU\s0 for
your system (the default is usually 1500 bytes).
.Sp
Fragments are frequently used in \s-1DOS\s0 attacks, because there
is no way of finding out the origin of a fragment packet.
.IP "\fBpolicy [policy]\fR" 8
.IX Item "policy [policy]"
Specifies the default policy for the current chain. Can be
either of the standard actions (\s-1ACCEPT\s0, \s-1DENY\s0, \s-1REJECT\s0, \s-1MASQ\s0
and \s-1REDIRECT\s0). A packet that matches no rules will be treated
as specified by the policy. You can't specify chain names
here. Only the predefined (built\-in) chains have policies.
.Sp
To avoid ambiguity, always specify the policies of all
predefined chains explicitly.
.IP "\fBlog\fR" 8
.IX Item "log"
Log all packets that match this rule in the kernel log. Be
carefull with log flooding. Note the difference with \fB\s-1LOG\s0\fR
in iptables! See \fB\s-1LOG\s0\fR as well. In iptables, this makes a
copy of the current rule, and inserts it with the \s-1LOG\s0 target
instead of any other specified target. 
.Sp
See also \fBlog\-[level|prefix|tcp\-sequence|tcp\-options|ip\-options]\fR
.IP "\fBgoto [chain]\fR" 8
.IX Item "goto [chain]"
Specify that matching packets should jump to this chain, only user
defined chains are valid jump targets.
.IP "\fBreverse\fR" 8
.IX Item "reverse"
Instructs the kernel to use this rule twice, the second time with
source and destination swapped. Unfortunately, this doesn't work
with iptables.
.IP "\fB\s-1LOG\s0\fR" 8
.IX Item "LOG"
Identical to the '\s-1LOG\s0' target in iptables, logs any packet that
matches, but doesn't do anything else to it. Only valid for
iptables, otherwise use 'log'. See \fBlog\fR and also
\&\fBlog\-[level|prefix|tcp\-sequence|tcp\-options|ip\-options]\fR.
.IP "\fB\s-1ACCEPT\s0\fR" 8
.IX Item "ACCEPT"
Accepts matching packets.
.IP "\fB\s-1REJECT\s0\fR" 8
.IX Item "REJECT"
Rejects matching packets.
.IP "\fB\s-1DENY\s0\fR" 8
.IX Item "DENY"
Denies matching packets.
.IP "\fB\s-1MASQ\s0 toports [port|portrange]\fR" 8
.IX Item "MASQ toports [port|portrange]"
Masquerades matching packets. Optionally followed by a port or
port-range for iptables. Specify as \*(L"123\*(R", \*(L"123\-456\*(R" or \*(L"123:456\*(R".
The port range parameter specifies what local ports masqueraded
connections should originate from. Note you need to specify the
\&'to' word here.
.IP "\fB\s-1RETURN\s0\fR" 8
.IX Item "RETURN"
Returns to the parent chain where the current chain was called
if the packet matches.
.IP "\fB\s-1REDIRECT\s0 [to|toports] [port|portrange]\fR" 8
.IX Item "REDIRECT [to|toports] [port|portrange]"
Allows transparent proxying when rule matches, the port that is
redirected to must immediately follow this keyword. The target
may also be an IP-number in case you are using \fIiptables\fR\|(8), so
something like \*(L"\s-1REDIRECT\s0 192.168.0.5:21\*(R" is valid there.
.IP "\fBSNAT|DNAT to [ip\-address|ip\-range|ip\-port\-range]\fR" 8
.IX Item "SNAT|DNAT to [ip-address|ip-range|ip-port-range]"
Allows source/destination address translation, only valid for
\&\fIiptables\fR\|(8), requires an ip\-number, range or ip/port value.
.IP "\fB\s-1TOS\s0\fR" 8
.IX Item "TOS"
Changes the packets TOS-field according to the set-tos parameter
specified, only valid for iptables.
.IP "\fB\s-1FTOS\s0\fR" 8
.IX Item "FTOS"
Set \s-1TOS\s0 field in packet header with setftos parameter.
.IP "\fB\s-1TTL\s0\fR" 8
.IX Item "TTL"
The ttl-target is for changing ttl values
.IP "\fBtable [table\-name]\fR" 8
.IX Item "table [table-name]"
Selects this table for the rule. Valid table names are \*(L"filter\*(R",
\&\*(L"nat\*(R" and \*(L"mangle\*(R". If you don't specify any table, the default
table \*(L"filter\*(R" is used.
.IP "\fBreject-with [value]\fR" 8
.IX Item "reject-with [value]"
Rejects a packet with an \s-1ICMP\s0 value type message.
.IP "\fBlimit [value]\fR" 8
.IX Item "limit [value]"
Limits these type of packets to a maximim.
.IP "\fBiplimitabove [value]\fR" 8
.IX Item "iplimitabove [value]"
Limits a certain \s-1IP\s0 list a number of connections.
.IP "\fBiplimitmask [value]\fR" 8
.IX Item "iplimitmask [value]"
Specifies the mask to use for iplimitabove.
.IP "\fBpsdweightthreshold [value]\fR" 8
.IX Item "psdweightthreshold [value]"
Specifies the port scan weight threshold
.IP "\fBpsddelaythreshold [value]\fR" 8
.IX Item "psddelaythreshold [value]"
Specifies the delay weight for port scans
.IP "\fBpsdloportsweight [value]\fR" 8
.IX Item "psdloportsweight [value]"
Specifies the weight for low ports in the port scan detection algorithm
.IP "\fBpsdhiportsweight [value]\fR" 8
.IX Item "psdhiportsweight [value]"
Specifies the weight for high ports in the port scan detection algorithm
.IP "\fBttl [value]\fR" 8
.IX Item "ttl [value]"
Matches the ttl for value
.IP "\fBttl\-[eq|lt|gt] [value]\fR" 8
.IX Item "ttl-[eq|lt|gt] [value]"
Matches the ttl value when equal, smaller or larger than value
.IP "\fBttl\-[set|dec|inc] [value]\fR" 8
.IX Item "ttl-[set|dec|inc] [value]"
Sets, decreases or increases the ttl value
.IP "\fBlength [[value]|[value:value]]\fR" 8
.IX Item "length [[value]|[value:value]]"
Specify a certain packet length to match, may be a range of lengths
.IP "\fBburst [value]\fR" 8
.IX Item "burst [value]"
Limits bursts of these packets.
.IP "\fBmac [value]\fR" 8
.IX Item "mac [value]"
Matches packets originating from these mac\-addresses.
.IP "\fBstate [value]\fR" 8
.IX Item "state [value]"
Matches packets with this state. The value may be specified as
a normal ferm\-list: \*(L"(\s-1ESTABLISHED\s0,RELATED)\*(R" but \*(L"\s-1NEW:RELATED\s0\*(R",
and single values are also allowed.
.IP "\fBtcp-flags [!] [flagmask] [flagmatch]\fR" 8
.IX Item "tcp-flags [!] [flagmask] [flagmatch]"
Specify tcp\-flags, the \fB!\fR is optional and has to precede the mask,
mask and match are mandatory. The list of mask or match flags may
be specified as a normal ferm\-list: \*(L"(\s-1SYN\s0,ACK,RST)\*(R", but \*(L"\s-1SYN:ACK:RST\s0\*(R"
and single values are also allowed.
.IP "\fBtcp-option [value]\fR" 8
.IX Item "tcp-option [value]"
Specify a tcp-option for this rule.
.IP "\fBlog\-[level|prefix]\fR" 8
.IX Item "log-[level|prefix]"
Specifies several the log level and syslog prefix string.
.IP "\fBlog\-|tcp\-sequence|tcp\-options|ip\-options]\fR" 8
.IX Item "log-|tcp-sequence|tcp-options|ip-options]"
Specifies several extra tcp/ip options.
.IP "\fB[u|g|p|s]id\-owner [value]\fR" 8
.IX Item "[u|g|p|s]id-owner [value]"
Matches packets originating from this User, Group, Pid or Session \s-1ID\s0.
.IP "\fBset [name] [value]\fR" 8
.IX Item "set [name] [value]"
Set variable \*(L"name\*(R" to value \*(L"value\*(R", you can dereference the variables
by \*(L"%name\*(R". You may also put variables within \fBset\fR statements.
.SH "VARIABLES"
.IX Header "VARIABLES"
ferm also supports internal variables. This may come in handy if you
wish to define often used parameters in advance, making the ferm
configuration files even more easy to understand. 
.PP
Setting variables is very easy with the \fBset\fR command. Here's some
examples:
.PP
.Vb 2
\&    set EXTERAL_IP "111.22.33.44"
\&    set INTERNAL_IP '10.0.0.1'
.Ve
.PP
Both these statements set the variable to what is in between the quotes,
you may afterwards refer to them like this:
.PP
.Vb 1
\&    chain input daddr ! %EXTERNAL_IP DROP;
.Ve
.PP
The value of the variable will then be inserted into the rule and
passed to the firewall program.
.PP
the \fBset\fR command can actally be abused even more, since the following
statements also work:
.PP
.Vb 3
\&    set A "1"
\&    set B %A
\&    set %A "2"
.Ve
.PP
After these statements, variable \f(CW%A\fR yields value \*(L"1\*(R", variable \f(CW%B\fR holds 
the value \*(L"1\*(R", and the variable \f(CW%1\fR holds the value \*(L"1\*(R" also.
.PP
More importantly, these variables can be used to store arrays or lists
of values:
.PP
.Vb 1
\&    set DNSSERVERS "111.2.33.1,111.2.33.2"
.Ve
.PP
When this variable is inserted into a configuration file, the rule that
it applies to will automatically be split up into two different firewall
rules for each \s-1IP\s0 number given in the list.
.PP
Here's some even more complicated stuff that works:
.PP
.Vb 3
\&    set INTERNALINTERFACES "eth0,eth1,eth2"
\&    set EXTERNALINTERFACES "ppp0,tunl0"
\&    set INTERFACES "%INTERNALINTERFACES,%EXTERNALINTERFACES,lo"
.Ve
.PP
\&\fB\s-1NOTE\s0\fR: Beware of mixing '' string values within new string
values, because the trailing ' might be concatenated with
another one in the variable that you are including it. Take
a look at this:
.PP
.Vb 3
\&    set IF1 'eth0'
\&    set IF2 'eth1'
\&    set IFS '%IF1,%IF2'
.Ve
.PP
Variable \s-1IFS\s0 will now contain the value ''eth0','eth1'' and that is
probably not what you want. Better do this:
.PP
.Vb 3
\&    set OF1 "eth0"
\&    set OF2 "eth1"
\&    set OFS "%OF1,%OF2"
.Ve
.PP
Which will result in variable \s-1OFS\s0 holding the value \*(L"eth0,eth1\*(R",
which will be split up correctly, namely into \*(L"eth0\*(R" and \*(L"eth1\*(R".
.SH "SHELL ESCAPES"
.IX Header "SHELL ESCAPES"
Ferm supports shell escaping in two ways. First, you may insert a
shell escaped string into a \fBset\fR command, second, you may insert
a shell escaped string into any place of a value.
.PP
There is a fundamental difference in this. Ferm will handle shell
escapes itself when they are used in a \fBset\fR construction, so the
variable then contains the value that was returned from the shell
escape. You may later refer to this value again without the command
being executed again.
.PP
When you use a shell escaped string as a value without it being
in a \fBset\fR statement, the exact string is just copied in the
generated rule, and when parsing is finished, ferm will call
the shell with the entire rule, and thus the shell escaped string.
Only at this moment, the shell will execute the string and insert
the value back into the kernel interface program. Thus, ferm will
never see the real value of that.
.PP
Examples:
.PP
.Vb 2
\&    set DNSSERVERS `grep nameserver /etc/resolv.conf | awk '{print $2}'`
\&    chain input proto tcp saddr %DNSSERVERS ACCEPT;
.Ve
.PP
This way, ferm will interpret the value for \s-1DSSERVERS\s0 itself, put
a separating comma between multiple values if needed, and store
this information in the variable \s-1DNSSERVERS\s0. The output will be
like:
.PP
.Vb 2
\&    iptables -t filter -A INPUT -p tcp -s 192.168.0.1 -j ACCEPT
\&    iptables -t filter -A INPUT -p tcp -s 192.168.0.2 -j ACCEPT
.Ve
.PP
Otherwise, when you include a shell escape as a regular value
in between other ferm\-statements:
.PP
.Vb 1
\&    chain input proto tcp saddr `grep nameserver /etc/resolv.conf | awk '{print $2}'` ACCEPT;
.Ve
.PP
The shell escape is not parsed directly, but passed along with the, e.g.
\&\fBiptables\fR command, and subsequently, the shell will insert whatever
that value may become itself:
.PP
.Vb 1
\&    iptables -t filter -A INPUT -p tcp -d `grep nameserver /etc/resolv.conf | awk '{print $2}'` -j ACCEPT
.Ve
.PP
Note that if the shell escape here yields more lines, something could
go wrong here easily. You are warned! Better not make ferm \s-1SUID\s0 too
I guess ;\-)
.SH "SHORTHANDS"
.IX Header "SHORTHANDS"
Here's a complete list of possible shorthands, just
to reduce the amount of typing:
.IP "interface:" 4
.IX Item "interface:"
if
.IP "outerface:" 4
.IX Item "outerface:"
of
.IP "protocol:" 4
.IX Item "protocol:"
proto
.IP "source:" 4
.IX Item "source:"
src
.IP "destination:" 4
.IX Item "destination:"
dest
.IP "fragment:" 4
.IX Item "fragment:"
frag
.IP "\s-1ACCEPT:\s0" 4
.IX Item "ACCEPT:"
accept
.IP "\s-1DENY:\s0" 4
.IX Item "DENY:"
deny, \s-1DROP\s0, drop
.IP "\s-1REJECT:\s0" 4
.IX Item "REJECT:"
reject
.IP "\s-1MASQ:\s0" 4
.IX Item "MASQ:"
masq
.IP "\s-1RETURN:\s0" 4
.IX Item "RETURN:"
return
.IP "\s-1REDIRECT:\s0" 4
.IX Item "REDIRECT:"
redirect, \s-1PROXY\s0, proxy
.IP "\s-1MARK:\s0" 4
.IX Item "MARK:"
mark
.IP "\s-1QUEUE:\s0" 4
.IX Item "QUEUE:"
queue
.IP "\s-1SNAT:\s0" 4
.IX Item "SNAT:"
snat
.IP "\s-1DNAT:\s0" 4
.IX Item "DNAT:"
dnat
.IP "goto:" 4
.IX Item "goto:"
to, jump
.IP "icmptype" 4
.IX Item "icmptype"
icmp-type
.IP "reverse:" 4
.IX Item "reverse:"
bidirectional, swap
.IP "tcp\-option:" 4
.IX Item "tcp-option:"
tcpoption
.IP "mac:" 4
.IX Item "mac:"
mac\-source, macsource
.IP "iplimitabove:" 4
.IX Item "iplimitabove:"
ip-limit-above
.IP "iplimitmask" 4
.IX Item "iplimitmask"
ip-limit-mask
.IP "burst:" 4
.IX Item "burst:"
limit\-burst, limitburst
.IP "uid\-owner:" 4
.IX Item "uid-owner:"
uidowner, uid
.IP "gid\-owner:" 4
.IX Item "gid-owner:"
gidowner, gid
.IP "pid\-owner:" 4
.IX Item "pid-owner:"
pidowner, pid
.IP "sid\-owner:" 4
.IX Item "sid-owner:"
sidowner, sid
.IP "psdweightthreshold:" 4
.IX Item "psdweightthreshold:"
psd-weight-threshold
.IP "psddelaythreshold:" 4
.IX Item "psddelaythreshold:"
psd-delay-threshold
.IP "psdloportsweight:" 4
.IX Item "psdloportsweight:"
psd-lo-ports-weight
.IP "psdhiportsweight:" 4
.IX Item "psdhiportsweight:"
psd-hi-ports-weight
.IP "log\-level:" 4
.IX Item "log-level:"
loglev
.IP "log\-prefix:" 4
.IX Item "log-prefix:"
logprefix
.IP "log\-tcp\-sequence:" 4
.IX Item "log-tcp-sequence:"
logseq
.IP "log\-tcp\-options:" 4
.IX Item "log-tcp-options:"
logtcpopt
.IP "log\-ip\-options:" 4
.IX Item "log-ip-options:"
logipopt
.IP "reject\-with:" 4
.IX Item "reject-with:"
rejectwith
.IP "setmark" 4
.IX Item "setmark"
set-mark
.IP "tos/settos\-values:" 4
.IX Item "tos/settos-values:"
The following Type Of Services values may be given:
.Sp
.Vb 1
\&    mincost min-cost 2 02 0x02
.Ve
.Sp
.Vb 1
\&    reliability reliable 4 04 0x04
.Ve
.Sp
.Vb 1
\&    max-throughput maxthroughput 8 08 0x08
.Ve
.Sp
.Vb 1
\&    lowdelay interactive min-delay 10 0x10
.Ve
.Sp
.Vb 1
\&    clear 0 00 0x00
.Ve
.IP "setftos" 4
.IX Item "setftos"
set-ftos
.SH "OPTIONS"
.IX Header "OPTIONS"
Options can be specified with the \*(L"option\*(R" keyword, which
can be defined anywhere within the document. Although
that may be fine, you almost allways want to define
them at the beginning of your document, because the
behaviour changes at the moment they are specified.
.PP
All options can also be specified on the command line, which
has a few more available. The equivalent for the commandline
options that are also available in the firewall file is mentioned
in the firewall file options section.
.Sh "Command line options"
.IX Subsection "Command line options"
.IP "\fB\-\-noexec\fR" 12
.IX Item "--noexec"
Do not execute the \fIipchains\fR\|(8) or \fIiptables\fR\|(8) commands, but
skip instead. This way you can parse your data, use \fB\-\-lines\fR
to view the output.
.IP "\fB\-\-lines\fR" 12
.IX Item "--lines"
Show the firewall lines that were generated from the rules. They
will be shown just before they are executed, so if you get error
messages from \fIipchains\fR\|(8) etc., you can see which rule caused
the error.
.IP "\fB\-\-verbose\fR" 12
.IX Item "--verbose"
Shows some more details of the stages of execution of the program.
.IP "\fB\-\-debug\fR" 12
.IX Item "--debug"
Shows even more details of what ferm is doing while parsing
the rules. The debug info is put between the output for
clearity and commented.
.IP "\fB\-\-help\fR" 12
.IX Item "--help"
Show a brief list of available commandline options.
.IP "\fB\-\-version\fR" 12
.IX Item "--version"
Shows the version number of the program.
.IP "\fB\-\-use [ipchains|iptables|ipfwadm]\fR" 12
.IX Item "--use [ipchains|iptables|ipfwadm]"
Use this kernel program to implement the rules into the kernel.
Also available as firewall file option \*(L"option [...]\*(R". This option
must be set, either on the commandline or in a ferm config file.
.IP "\fB\-\-location [/path/to/filename]\fR" 12
.IX Item "--location [/path/to/filename]"
Explicitly define the exact name and location of the
kernel backend program, for the paranoid people out there.
.IP "\fB\-\-automod\fR" 12
.IX Item "--automod"
Automatically insert the correct module parameter when using iptables,
making the \fBmodule\fR parameter unnecessary
.Sh "Firewall file options"
.IX Subsection "Firewall file options"
.IP "\fBoption clearall\fR" 8
.IX Item "option clearall"
Clears the entire firewall, deletes all user chains and flushes
the built in chains. Does not alter policies.
.IP "\fBoption flushall\fR" 8
.IX Item "option flushall"
Flushes all chains but does not delete them.
.IP "\fBoption flushchains\fR" 8
.IX Item "option flushchains"
Flushes any chain which is defined in the setup, even
built-in chains are flushed when referred.
.IP "\fBoption createchains\fR" 8
.IX Item "option createchains"
Creates any chain which is referred to, even when no rule is
specified for the chain, but is only referred by with a 
\&\*(L"goto\*(R" keyword.
.IP "\fBoption automod\fR" 8
.IX Item "option automod"
Automatically insert the correct module parameter when using iptables,
making the \fBmodule\fR parameter unnecessary
.IP "\fBoption [iptables|ipchains|ipfwadm]\fR" 8
.IX Item "option [iptables|ipchains|ipfwadm]"
Define which kernel program you have to use to install rules.
This one is required, since on some systems, they can both
be present, or you want to use a wrapper for an older version.
Currently defaults to ipchains.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIipchains\fR\|(8), \fIipfwadm\fR\|(8), \fIiptables\fR\|(8)
.SH "NOTES"
.IX Header "NOTES"
A good firewall is not the only step in security, even the
firewall may be insecure, or someone breaks into your house
and steals the hard disk out of your \s-1PC\s0. Do not rely on this
firewall tool for the use of mission critical or confidential
data. It is not fit for such a purpose!
.PP
Instead, use this tool to expand your current use of \fIipchains\fR\|(8)
and routing, create a flexible firewall and look out for
anything suspicious. Be carefull with open ports and servers,
always get the latest, patched versions. Read more about
firewalls before experimenting, you are warned! You might
also read the \s-1COPYING\s0 file provided with the package or
visit www.gnu.org to find more about the license.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The package comes with a directory full of goodies (examples)
that you can try, adjust for your system or just read if
you want to understand the syntax and it's possibilities.
Look in the \*(L"examples\*(R" directory.
.SH "REQUIREMENTS"
.IX Header "REQUIREMENTS"
.Sh "Operating system"
.IX Subsection "Operating system"
The Operating system currently supported is only linux, although
it may be possible to port this program to support FreeBSD or
\&\s-1SOLARIS\s0 firewall systems, provided they supply a similar
firewalling scheme. (Does anybody known about that?)
.Sh "Software/packages"
.IX Subsection "Software/packages"
Required are 2 packages: Perl5, under which this \fBferm\fR
runs, and one of the kernel firewall programs, suited for
your system and kernel version.
.Sh "Kernel"
.IX Subsection "Kernel"
The respective required kernel versions for each of the kernel
firewall programs (\fIipchains\fR\|(8), \fIipfwadm\fR\|(8) or \fIiptables\fR\|(8)) is also
needed. This means you have to have a kernel which can use the
firewalling thing, something you might have to compile a kernel
for, or set some switches in /proc. Look at the man pages of
those kernel programs for more information.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
\&\fBferm\fR allows almost anything the used firewall program
allows, so go ahead and specify complex port ranges, icmp
by number or worse. Just be warned.
.PP
Although quite sophisticated, the kernel interface programs
\&\fIipchains\fR\|(8) and \fIiptables\fR\|(8) are very limited in some respects.
\&\fBferm\fR is only an interface to improve the handling of
these programs, and is therefore limited by the possibilities
of these programs.
.PP
\&\fIIpfwadm\fR\|(8) is extremely limited in rule\-building, upgrade or
succomb in it. Nothing \fBferm\fR can do about it.
.SH "BUGS"
.IX Header "BUGS"
The \fIipfwadm\fR\|(8) interface is really limited due to being unable to
test it and having no experience with it at all. I'll be
concentration on \fIiptables\fR\|(8), which supports much more options
and will be quite more flexible.
.PP
Several nasty cleanups are not done well, which may result
in surviving data. Tried to remove all of them but suspect
more of them to occur.
.PP
The \-\-log\-prefix construct does not allow certain characters to
be put between "". Make sure you don't use the bracket {} and []
characters, the ! and , are also not correctly parsed.
.SH "TODO"
.IX Header "TODO"
* Improve \fIipfwadm\fR\|(8) handling or removing it altogether
.PP
* Add more examples, with modularized snipplets (include option)
.PP
* Make rpm's for \s-1RH\s0 and SuSE, or better: get you to do that!
.PP
* Review the second half of the manual page
.PP
* Make ferm bug you more about errors, i.e. increase validity
  checking to high levels
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (C) 2001\-2003, Auke Kok <auke.kok@planet.nl>
.SH "LICENSE"
.IX Header "LICENSE"
\&\fBferm\fR is released under the Gnu Public License, see the
\&\s-1COPYING\s0 file that came with the package or visit www.gnu.org.
.PP
This is free software; see the source for copying conditions.
There is \s-1NO\s0 warranty; not even for \s-1MERCHANTABILITY\s0 or \s-1FITNESS\s0
\&\s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0.
.SH "AUTHOR"
.IX Header "AUTHOR"
Auke Kok (auke.kok@planet.nl)