IPFIREwall


IPFIRE MAIN MENU.

IPFIREwall at startup prints some information on the console, as you can see in the following figure:

Startup information

As the figure shows, the program first loads the firewall modules into the kernel, then prints its name, version and codename (a symbolic name that identifies a particular release).

Main menu

Pressing the key for an option either displays the requested information or performs the corresponding action. To the right of the main menu the interface shows how many permission rules are currently loaded in the firewall (the user's own rules), how many denial rules, and how many translation rules (only the superuser is allowed to change the translation ruleset). It also shows whether NAT and MASQUERADING are enabled and whether stateful connection tracking is enabled.

The colour schema and its general meaning.

In the interface, red is associated with denial rules or with an error condition, green indicates a match with a permission rule or an operation completed successfully, violet is used for informational or warning messages, and yellow for translation-related operations or rules.

Options.

P
Prints the user rules, that is, the rules loaded from the configuration files specific to the user running the IPFIREwall interface.

F3 [or 3]
Prints all the rules loaded into the firewall: the user rules plus the administrator rules set up at IPFIREwall initialisation, typically at system startup.

I/CANC (Delete)
Pressing I opens a submenu that asks for the parameters of a new rule to be added to the firewall. This procedure is expected to be replaced eventually by a graphical user interface, to be written by Mauro Francesconi.
Pressing CANC (the Delete key) prompts for the position of the rule to be deleted from the list.
In either case the user first selects the list the rule belongs to: permission or denial (or, in administrative mode, translation).
To be sure which rule is being removed, first print the whole ruleset with P and check the rule's position in the list. Every add or remove operation requires an explicit final confirmation. A rule can be added at the tail of the list or at a specific position. Remember that options which take a single key act immediately, without Enter, while options or input values that require longer typing must be confirmed with Enter. When inserting a new rule, the direction is always mandatory, while the other fields can be left empty. At the end of the rule setup the user is asked for a short name for the new entry; this label acts as a mnemonic for the rule.

F5 [or 5]
Prints the state tables in kernel space. Connections classified in a particular state are shown together with the kernel counter associated with them and their remaining time to live.

F4 [or 4]
Prints the SOURCE NAT connections active in kernel space. The fields have the same meaning as in the state tables above.

F6 [or 6]
Prints the DESTINATION NAT connections active in kernel space. The fields have the same meaning as in the state tables and the source NAT tables above.

V/S
Toggles between Verbose and Silent mode. Verbose mode is expensive, especially on raw consoles (not X terminals), so switching printing off may improve speed. A key factor for efficiency is setting the kernel/user logging level to 1; see Logging levels and implications for details.
In the latest versions of IPFIREwall, V/S also disables the communication between kernel and user space, which improves efficiency further.

F7 [or 7]
Prints kernel statistics. These are the counters received from kernel space, maintained and updated by the kernel itself, so they are up to date and accurate. See the notes at the end of the page.

L
Prints statistics from the userspace point of view. They may not be up to date and can be inexact. See the notes at the end of the page.

C
Prints the configuration options loaded into the firewall.
These include the names of the files storing the rulesets, the services currently available or disabled (such as port-name resolution or the mailer options), the NAT/MASQUERADE options (enabled/disabled), and the number and size of the tables in kernel space.
Note that, because of the state machine implementation, the time to live of each kernel table entry is fixed and depends on the state of the entry itself. The timeout values are taken from the netfilter code and cannot be changed by the user for now. See the README that comes with the IPFIREwall distribution for details about the connection states and their associated timers.

F11 [or F (uppercase)]
Flushes all rules loaded into the kernel firewall. An ordinary user flushes only his own rules; the administrator flushes the whole ruleset.

CONTROL AND R
Reloads the rules into the firewall after re-reading them from the files.

CONTROL AND S
Saves the rules to the files.

CONTROL AND W
Calls the name refresher, which resolves the Internet names into their addresses and updates the denial rules that block web sites by name. This option only works if IPFIREwall was started with the -dns N option, where N is the number of seconds between two subsequent refreshes.

CONTROL AND B
Opens a simple submenu from which the user can print the list of Internet addresses (site names) to be blocked by the firewall, or add entries to it and remove them.
Like CONTROL-W, this option only works if IPFIREwall was started with the -dns N option, where N is the number of seconds between two subsequent refreshes.
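The CONTROL-W and CONTROL-B entries above describe blocking sites by name, which only works if the names are re-resolved periodically, because a site's addresses change over time. The following is an added example written for this page, not IPFIREwall's own code: it keeps a list of blocked names, re-resolves them, and reports which addresses must be added to or removed from the denial rules. The resolver is injected so it runs offline against a constructed table (the `.invalid` names and 192.0.2.x / 198.51.100.x addresses are made up), and the `(address, label)` rule representation is an assumption; IPFIREwall's real rule format and its `-dns` implementation are not documented on this page.

```python
"""Name-based block list with periodic refresh (added example, not IPFIREwall code).

Mirrors what the page describes for CONTROL-W / CONTROL-B: a list of
Internet names to block is kept, each name is resolved to its addresses,
and the denial rules are regenerated from the result every N seconds (the
-dns N option). The resolver is injected so the example runs offline
against a constructed table; the rule representation is an assumption.
"""
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Set, Tuple

Addr = ipaddress.IPv4Address
Resolver = Callable[[str], List[str]]

# Constructed sample data (not real DNS answers): two refresh rounds for the
# same names. In the second round ads.example.invalid has moved to a new
# address and tracker.example.invalid fails to resolve at all.
ROUND_1 = {"ads.example.invalid": ["192.0.2.10", "192.0.2.11"],
           "tracker.example.invalid": ["198.51.100.5"]}
ROUND_2 = {"ads.example.invalid": ["192.0.2.12"]}


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver backed by a dict; returns [] for unknown names."""
    return lambda name: list(table.get(name, []))


def system_resolver(name: str) -> List[str]:
    """Real resolver (not used by the offline demo): all IPv4 addresses of name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


class NameBlockList:
    """Blocked names, their last-known addresses, and the derived denial rules."""

    def __init__(self, resolver: Resolver) -> None:
        self.resolver = resolver
        self.addrs: Dict[str, Set[Addr]] = {}

    def add(self, name: str) -> None:
        self.addrs.setdefault(name.strip().lower(), set())

    def remove(self, name: str) -> bool:
        return self.addrs.pop(name.strip().lower(), None) is not None

    def names(self) -> List[str]:
        return sorted(self.addrs)

    def refresh(self) -> Dict[str, Set[Addr]]:
        """Re-resolve every name; return the addresses added and removed.

        A name that fails to resolve keeps its last-known addresses: a DNS
        outage must not silently unblock a site (fail closed).
        """
        added: Set[Addr] = set()
        removed: Set[Addr] = set()
        for name, old in self.addrs.items():
            new = {ipaddress.IPv4Address(a) for a in self.resolver(name)}
            if not new:
                continue
            added |= new - old
            removed |= old - new
            self.addrs[name] = new
        # An address still used by another blocked name stays blocked.
        removed -= self.blocked_addresses()
        return {"added": added, "removed": removed}

    def blocked_addresses(self) -> Set[Addr]:
        return set().union(*self.addrs.values())

    def denial_rules(self) -> List[Tuple[str, str]]:
        """(address, label) pairs; the label is the mnemonic name the page mentions."""
        return sorted((str(a), name) for name, s in self.addrs.items() for a in s)


def refresh_loop(blocklist: NameBlockList, interval: int, rounds: int) -> None:
    """What '-dns N' implies: refresh every N seconds (bounded here for the demo)."""
    for _ in range(rounds):
        diff = blocklist.refresh()
        print("added", sorted(map(str, diff["added"])),
              "removed", sorted(map(str, diff["removed"])))
        time.sleep(interval)
```

Two points the example makes that the menu description does not: a refresh must remove the rules for addresses a name no longer has, or the denial list grows with stale entries and eventually blocks unrelated hosts that inherit those addresses; and a failed lookup should keep the previous addresses rather than drop them, otherwise a transient DNS failure (or a deliberately unreachable resolver) turns into an unblock. Name-based blocking remains weak against sites served from many rotating addresses, so it complements address rules rather than replacing them.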

ESC or Q
Quits the userspace interface to the IPFIREwall kernel module.

B
Turns off the resolution of port numbers into the names of the corresponding services.

U
Turns on the resolution of port numbers into the names of the corresponding services.

F1
Prints a HELP message.

?
Prints information about the author, the version, and so on.


Note that the commands are case insensitive: P and p have the same effect. As a rule of thumb, the function keys are associated with requests to kernel space, and the Control keys with options that are seldom used.
The statistics keys produce information about filtering and packet processing. The userspace statistics (L) refer to the current session only, not to all kernel processing since the IPFIREwall module was loaded.
Packets reported as lost were lost during the kernel-to-user communication, typically because of heavy network traffic or low resources on the local machine. Such packets are not lost in kernel space; only their copy to the userspace interface is. The loss can happen because the implementation of the communication between user and kernel space has no queue.
Finally, if you drive the ipfire-wall interface from another host running Microsoft Windows through the PuTTY secure shell client, the function keys may not work as expected. In that case press the corresponding numeric keys instead (3 for F3, 5 for F5, 6 for F6, 7 for F7, and so on), and uppercase F for F11 (flush ruleset).
