filter_backends(7) [debian man page]

FILTER BACKENDS(7)        Miscellaneous Information Manual        FILTER BACKENDS(7)

NAME
       filter_backends - output drivers for the filtergen packet filter compiler

INTRODUCTION
       This document describes the status and feature-set of the currently available filtergen backends.

IPTABLES
       Most development is done first against the iptables driver. It supports reject, masquerading, transparent proxying, logging (with text) and sub-groups, all of which should work fine (though the latter has only recently been fixed).

IPCHAINS
       The ipchains driver supports all of the above features, too. Its state model is much weaker though, of course. The forwarding support should work OK, though it is not possible to support "local"-only packets.

IPFILTER
       The ipfilter backend is incomplete. It supports accept, drop, reject and logging, but not masq, transproxy or sub-groups. It should be easy for someone with knowledge of ipfilter to add support for the other features. Options for OpenBSD "pf" features and syntax would be nice, too. It has received no testing; I don't even know if the generated filters are syntactically correct.

CISCO
       The cisco driver is in roughly the same sort of state as the ipfilter one. Additionally, because of the limitations of IOS ACLs, it supports only a limited set of features. It cannot support reject or transparent proxying, and may not be able to support masquerading either. An option for reflexive (stateful) ACLs would be very useful. I understand that Cisco PIX firewalls use a variant of this syntax -- it would be very nice to support them too.

SEE ALSO
       filtergen(8), filter_syntax(5)

January 7, 2004                                                   FILTER BACKENDS(7)


FGADM(8)                      System Manager's Manual                      FGADM(8)

NAME
       fgadm - filtergen command program

SYNOPSIS
       fgadm [ check | reload | save | stop ]

DESCRIPTION
       fgadm is a simple command interface for managing filtergen(8) based packet filters.

USAGE
       fgadm can be used to stop existing filters (thus turning them off), reload new packet filters, save currently running filters for longevity, and to check filter scripts for errors before reloading.

       The following commands are accepted by fgadm:

       check  Check the filter script /etc/filtergen/rules.filter for errors. The generated filter will be printed on standard output, and errors printed to standard error.

       reload Replace the current live packet filter with the one in /etc/filtergen/rules.filter. The script will be tested for errors before reloading.

       save   The current live packet filter will be saved in a distribution-friendly way. On Red Hat systems, this will save the iptables or ipchains firewall that is currently loaded into the kernel to load at boot with the iptables or ipchains initscript.

       stop   This command will flush the current live packet filter out and put it in a default accept mode, thus no firewalling will be in place. This is useful to abort firewalls in an emergency.

EXAMPLES
       One may find the following sequence of commands useful for making firewall changes on live servers:

           # at now + 2 min
           warning: commands will be executed using (in order) a) $SHELL b) login shell c) /bin/sh
           at> fgadm stop
           at> ^D<EOT>
           job 53 at 2004-06-07 17:25
           # fgadm check
           # fgadm reload
           # atq 53
           # atrm 53
           # fgadm save

FILES
       /etc/filtergen/rules.filter
              Packet filter descriptions are read from this file when fgadm is used.

       /etc/filtergen/fgadm.conf
              This file alters the behaviour of filtergen as called from fgadm.

BUGS
       fgadm save does not work on Debian systems with iptables due to a lack of common sense in the iptables package.

SEE ALSO
       filtergen(8), filter_syntax(5), filter_backends(5)

AUTHOR
       fgadm was written by Jamie Wilkinson <jaq@spacepants.org> for the filtergen package, to ease maintenance of filtergen-based firewalls.

June 7, 2004                                                               FGADM(8)
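
The EXAMPLES sequence from fgadm(8) above, wrapped as two shell functions. This is an added example, not part of the filtergen package; the function names and the FGADM, AT and ATRM override variables are assumptions made here, and it goes one step beyond the manual sequence by cancelling the pending "fgadm stop" job when the check fails.

```shell
#!/bin/sh
# Added example, not from the filtergen package.
# FGADM, AT and ATRM are hypothetical override variables (useful for stubbing).
FGADM=${FGADM:-fgadm}
AT=${AT:-at}
ATRM=${ATRM:-atrm}

# Extract the job number from at's "job 53 at <date>" confirmation line.
parse_at_job() {
    sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# guarded_reload [minutes]: schedule "fgadm stop", then check and reload.
# Prints the pending job number on success.
# Returns 1 if scheduling failed, 2 if check failed (job cancelled, live
# filter untouched), 3 if reload failed (job left pending on purpose).
guarded_reload() {
    delay=${1:-2}
    # at prints its confirmation on stderr, so fold it into the pipe.
    job=$(echo "$FGADM stop" | "$AT" now + "$delay" min 2>&1 | parse_at_job)
    if [ -z "$job" ]; then
        echo "could not schedule fallback; not reloading" >&2
        return 1
    fi
    if ! "$FGADM" check >/dev/null; then
        # Nothing was changed, so the pending stop would only put the
        # host into default accept mode for no reason: cancel it.
        "$ATRM" "$job"
        echo "rules.filter failed check; job $job cancelled" >&2
        return 2
    fi
    if ! "$FGADM" reload; then
        echo "reload failed; job $job still pending" >&2
        return 3
    fi
    echo "$job"
}

# confirm_reload JOB: run from a NEW login session, which shows the host is
# still reachable through the new filter, then cancel the stop and save.
confirm_reload() {
    "$ATRM" "$1" && "$FGADM" save
}
```

Source the file as root, run guarded_reload, then open a fresh session to the server and run confirm_reload with the printed job number. If the new filter locks you out, the at job still fires and fgadm stop flushes the filter.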