Q: What is FIAIF?
A: In short, FIAIF is a set of scripts that, based on the
configuration files, call iptables to set up a firewall on the
machine. You should read the introduction to learn more.

Q: What is FIAIF an abbreviation for?
A: FIAIF Is An Intelligent Firewall.

Q: What is the address of the official web page for FIAIF?
A: The address is: http://www.faif.net.

Q: Is there a mailing list for FIAIF?
A: Yes, look under "Mailing list" on the FIAIF web page.

Q: How much does FIAIF cost to use in a production environment?
A: FIAIF is written under the GPL license, so it costs you nothing.

Q: Will you setup FIAIF for me?
A: No, but I will be happy to help you in the process.
If you need support or advice on a professional level, 
you could hire me as a consultant.

Q: Do I need extensive iptables knowledge?
A: No, but you need to know basic firewalling and networking
theory in order to get the most out of FIAIF.

Q: I have multiple network interfaces, can FIAIF handle this?
A: This is what FIAIF was written to do. So the answer is certainly
yes.

Q: Can I forward requests to a machine behind the firewall
when using SNAT/MASQUERADING?
A: Insert a REDIRECT rule in the zone the packet hits first.
Then allow the packet to be forwarded by adding a FORWARD line in the
zone for which the packet is destined.

Q: How do I set up a transparent proxy (using squid), and redirect all
outgoing http requests to it?
A: In the zone from which the http requests originate, put in the
line: 'REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"'
(replacing 127.0.0.1 with the ip address of the server running the
squid proxy, if it is not the same as the firewall). Then make sure you
have the following settings in squid.conf:
    'httpd_accel_host virtual', 'httpd_accel_port 80',
    'httpd_accel_with_proxy on' and 'httpd_accel_uses_host_header
    on'.
Please also make sure that squid listens on a real ip and not
127.0.0.1, as this will not work.
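As an added illustration (not part of this FAQ or of the FIAIF scripts), a small Python parser for the REDIRECT value format shown in the answer above. It validates every field before anything reaches the firewall and flags the loopback caveat from the answer; the iptables rendering in to_iptables and the interface name are assumptions about how such a line maps onto iptables, not FIAIF's own output.

```python
import ipaddress
import re

# Shape of the value as the FAQ gives it:
#   "<proto> <port> <src-net>=><dst-net> <target-ip> <target-port>"
# e.g. REDIRECT_PROXY="tcp 80 0.0.0.0/0=>0.0.0.0/0 127.0.0.1 3128"
_REDIRECT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<port>\d+)\s+"
    r"(?P<src>\S+)=>(?P<dst>\S+)\s+"
    r"(?P<target_ip>\S+)\s+(?P<target_port>\d+)$"
)


def parse_redirect(value):
    """Parse one REDIRECT value into a dict, rejecting anything malformed."""
    m = _REDIRECT_RE.match(value.strip())
    if not m:
        raise ValueError("malformed REDIRECT value: %r" % value)
    port, target_port = int(m.group("port")), int(m.group("target_port"))
    for p in (port, target_port):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    # ip_network/ip_address raise ValueError on garbage, so a bad CIDR
    # never turns into a half-built rule on the firewall.
    src = ipaddress.ip_network(m.group("src"), strict=False)
    dst = ipaddress.ip_network(m.group("dst"), strict=False)
    target = ipaddress.ip_address(m.group("target_ip"))
    return {"proto": m.group("proto"), "port": port, "src": str(src),
            "dst": str(dst), "target_ip": str(target),
            "target_port": target_port}


def target_is_loopback(rule):
    """True when the proxy address is 127.x: the FAQ says squid must listen
    on a real address instead, so check this before loading the rule."""
    return ipaddress.ip_address(rule["target_ip"]).is_loopback


def to_iptables(rule, iface):
    """Render the nat/PREROUTING DNAT rule this line corresponds to.
    Assumption: this is one plausible mapping onto iptables; the real
    FIAIF scripts may emit something different."""
    return ("iptables -t nat -A PREROUTING -i %s -p %s -s %s -d %s "
            "--dport %d -j DNAT --to-destination %s:%d"
            % (iface, rule["proto"], rule["src"], rule["dst"], rule["port"],
               rule["target_ip"], rule["target_port"]))
```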

Q: Can I forward requests to the firewall itself to another machine in
the same zone as the request was made from?
A: Yes, this functionality has been implemented in FIAIF version 1.4.3-0pre2.

Q: Can I make a REDIRECT_RULE to redirect to localhost?
A: Yes, this functionality has been implemented in FIAIF version 1.4.3-0pre2.

Q: Does FIAIF handle VPN setups?
A: Yes, but it is limited by how much iptables can handle.
To get IPsec up and running you must make sure you are
forwarding (both ways) protocol 50 (ESP), protocol 51
(AH) and UDP sport 500 / dport 500 (IKE). Also, IPsec only works with
NAT in tunnel mode. Transport mode does not work with NAT'ing
firewalls.

Q: I'm having problems with ftp to external sites. Please help.
A: You need to insert the ip_conntrack_ftp and ip_nat_ftp modules into the
kernel. The easiest way to do this is to specify
'MODULES="ip_conntrack_ftp ip_nat_ftp"' in /etc/fiaif/fiaif.conf.

Q: Why is the system log spammed with ACK,FIN and similar entries?
A: Due to a "feature" in the Linux firewalling code, connections are
closed as soon as one end sends a FIN packet. The RFC states that
you may or may not respond to this packet. Therefore, when the answer
"ACK,FIN" arrives, it is no longer related to any established
connection. You can safely disregard these entries.

Q: How do I avoid dropped packets being logged to every console?
A: To avoid this, try issuing the command 'dmesg -n 1'. For more
information see dmesg(8).

Q: I have two Internet connections. Can I use FIAIF to handle this?
A: Yes and no. FIAIF handles only the firewall rules and traffic
shaping, not routing decisions. First use 'ip' from the iproute2 package
to set up the routing. Once the routing is set up correctly,
configure FIAIF to control access to the system and networks.

Q: If FIAIF does not handle routing, where should I go to
find more information on this?
A: Try the "Linux 2.4 Advanced Routing HOWTO" 
(http://www.linuxguruz.org/iptables/howto/2.4routing.html), and
"Linux Advanced Routing & Traffic Control" (http://lartc.org/).

Q: Will FIAIF ever be able to handle routing setup?
A: Maybe. It depends on how much time I get, and whether I have something
to test it on. If someone would be willing to donate a second
internet connection, then I would be happy to try.

Q: Something does not work, what do I do?
A: Check that your system works without FIAIF. Lots of problems are
generally caused by routing setup faults. FIAIF will not configure
anything other than iptables and traffic-shaping.

Q: Something still does not work, what do I do?
A: First recheck your configuration files, then post a mail to the
list. Before posting, read the "Mailing List" section on the FIAIF webpage.

Q: Will functionality 'foo' ever be implemented?
A: Maybe. If it can be done in a generic manner, and
there is a reason for the functionality, then the answer is usually
yes. Remember that FIAIF can be extended with custom scripts very
easily by using the PRE and POST scripts.

Q: What major companies are using FIAIF?
A: That I will not tell you. The reason is that if a hacker knows the
make of a firewall, it can help him to break it in case of
undiscovered/unresolved bugs.

Q: Will this FAQ be extended to include more entries?
A: Depends on you. If you have questions you would like to have
answered here, please send them to me and they will be added (if appropriate).
