



                            SafeFire Firewall

                               Version 1.2

              Copyright (C) 1999-2004 Link Guard Solutions Ltd.

                 ADMINISTRATION UTILITY GUIDE AND REFERENCE



Contents

    1. Introduction
    2. General Considerations
    3. Commands



1. Introduction

    SafeFire Administration Utility (SFADM) is a command line tool for
    viewing and updating the statistics and configuration of SafeFire
    Firewall.

    The idea behind this tool is quite simple: using the TCP/IP protocol,
    SFADM connects to the specified server and sends the command provided
    on the command line. The response is printed on the standard output
    in a human readable form. Despite its simplicity, this tool opens up
    the full power of the SafeFire Firewall Remote Control facility.



2. General Considerations

    The explanation provided below uses the term 'server' for the
    running copy of the SafeFire Firewall.

    SFADM provides two main work modes.

    The first work mode is a connection to a local server. A local server
    is one running on the same PC where SFADM is running.

    The second work mode is remote mode. Remote mode allows you to control
    a server running on another PC.


3. Commands

    SFADM supports the following commands on the command line:

        config
        shutdown
        log level
        stat conn
        stat traf
        stat filter
        stat mfilter
        stat alias
        stat shaper
        rule transaction open
        rule transaction close
        rule list
        rule dump
        rule add
        rule del
        mrule transaction open
        mrule transaction close
        mrule list
        mrule dump
        mrule add
        mrule del
        map list
        map dump
        map add
        map del
        pipe list
        pipe dump
        pipe add
        pipe replace
        pipe del
        plugin list
        plugin dump
        plugin add
        plugin del
        alias on/off
        alias [no]priv
        alias [no]forward
        alias [no]defrag
        alias [no]incoming
        assembly status
        assembly on/off
        assembly timeout <timeout>

    Each command is described below:

    - config

        This command shows the current general configuration of SafeFire
        Firewall.

    - shutdown

        This command shuts down the SafeFire Firewall.

    - log level <level>

        This command sets the log level of SafeFire Firewall to <level> (0..7).

    - stat conn

        This command shows the currently active connections through SafeFire
        Firewall.

    - stat traf

        This command shows the total amount of Kbytes and the number of packets
        processed by SafeFire Firewall.

        NOTE: This kind of statistic is provided by the NAT facility and is
              therefore not available when NAT is disabled (see INSTALL.TXT
              for more details).

    - stat filter

        This command shows full information about packet filter rules, how
        many times they matched and the amount of traffic processed by each
        rule.

        NOTE: This statistic is not available if the packet filter feature is
              disabled (see FILTER.TXT for details).

    - stat mfilter

        This command shows full information about MAC packet filter rules, how
        many times they matched and the amount of traffic processed by each
        rule.

        NOTE: This statistic is not available if the MAC packet filter feature
              is disabled (see MFILTER.TXT for details).

    - stat alias

        This command shows the number of links established through NAT.

    - stat shaper

        This command shows statistical information about shaper usage: how many
        packets are routed through the shaper pipes, how many packets were lost,
        and the current speed of each shaper pipe.

    - rule transaction open

        Opens a transaction for packet filter rule changes. All changes
        made by 'rule add' or 'rule del' commands after opening a transaction
        will be committed at once on the 'rule transaction close' command.

    - rule transaction close

        Closes a transaction for packet filter rule changes by committing
        all changes made by 'rule add' or 'rule del' commands after the
        'rule transaction open' command.

    - rule list

        This command lists all defined rules, including a special rule
        added by the packet filter to meet the default policy setting. See
        FILTER.TXT for more details.

    - rule dump

        This command is almost an exact copy of the 'rule list' command but
        shows rules in the format suitable for use in SFIRE.CFG or
        other SafeFire configuration files (see INSTALL.TXT for details of
        SafeFire configuration files).

    - rule add <rule>

        This command adds the rule that follows the command itself to the
        SafeFire packet filter. The complete description of the rule syntax
        can be found in FILTER.TXT, section '4. Rule description syntax'.

    - rule del <number>

        This command deletes the particular rule identified by its rule
        number. The rule number can be determined with the 'rule list', 'rule
        dump' or 'stat filter' commands.

    - mrule transaction open

        Opens a transaction for MAC packet filter rule changes. All changes
        made by 'mrule add' or 'mrule del' commands after opening a transaction
        will be committed at once on the 'mrule transaction close' command.

    - mrule transaction close

        Closes a transaction for MAC packet filter rule changes by committing
        all changes made by 'mrule add' or 'mrule del' commands after the
        'mrule transaction open' command.

    - mrule list

        This command lists all defined rules, including a special rule
        added by the MAC packet filter to meet the default policy setting. See
        MFILTER.TXT for more details.

    - mrule dump

        This command is almost an exact copy of the 'mrule list' command but
        shows rules in the format suitable for use in SFIRE.CFG or
        other SafeFire configuration files (see INSTALL.TXT for details of
        SafeFire configuration files).

    - mrule add <rule>

        This command adds the rule that follows the command itself to the
        SafeFire MAC packet filter. The complete description of the rule syntax
        can be found in MFILTER.TXT, section '4. Rule description syntax'.

    - mrule del <number>

        This command deletes the particular rule from the MAC packet filter
        identified by its rule number. The rule number can be determined with
        the 'mrule list', 'mrule dump' or 'stat mfilter' commands.

    - map list

        This command lists all defined port mappings. See MAPPER.TXT for more
        details.

    - map dump

        This command is almost an exact copy of the 'map list' command but
        shows port mappings in the format suitable for use in SFIRE.CFG or
        other SafeFire configuration files (see INSTALL.TXT for details of
        SafeFire configuration files).

    - map add <mapper>

        This command adds the port mapping that follows the command itself to
        the SafeFire Firewall. The complete description of the port mapping
        syntax can be found in MAPPER.TXT, section '4. Port mapping description
        syntax'.

    - map del <number>

        This command deletes the particular port mapping from SafeFire Firewall
        identified by its port mapping number. The port mapping number can be
        determined with the 'map list' or 'map dump' commands.

    - pipe list

        This command lists all defined shaper pipes.

    - pipe dump

        This command is almost an exact copy of the 'pipe list' command but
        shows pipes in the format suitable for use in SFIRE.CFG or
        other SafeFire configuration files (see INSTALL.TXT for details of
        SafeFire configuration files).

    - pipe add <pipe>

        This command adds the shaper pipe that follows the command itself to
        the SafeFire shaper. The complete description of the pipe syntax can
        be found in SHAPER.TXT, section '4. Pipe description syntax'.

    - pipe replace <pipe>

        This command replaces the shaper pipe that follows the command itself
        in the SafeFire shaper. The complete description of the pipe syntax can
        be found in SHAPER.TXT, section '4. Pipe description syntax'.

    - pipe del <number>

        This command deletes the particular pipe from the traffic shaper
        identified by its pipe number. The pipe number can be determined with
        the 'pipe list', 'pipe dump' or 'stat shaper' commands. A pipe used in
        packet filter or MAC packet filter rules cannot be deleted.

    - plugin list

        This command lists all defined external plugins.

    - plugin dump

        This command is almost an exact copy of the 'plugin list' command but
        shows plugins in the format suitable for use in SFIRE.CFG or
        other SafeFire configuration files (see INSTALL.TXT for details of
        SafeFire configuration files). This will not include plugin variables.

    - plugin add <plugin>

        This command adds the external plugin that follows the command itself
        to SafeFire. The complete description of the plugin syntax can be
        found in PLUGINS.TXT, section '3. External plugins configuration'.

    - plugin del <number>

        This command deletes the particular plugin from SafeFire identified
        by its plugin number. The plugin number can be determined with the
        'plugin list' or 'plugin dump' commands. A plugin used in packet filter
        or MAC packet filter rules cannot be deleted.

    - alias on/off

        This command enables (alias on) or disables (alias off) the NAT module
        of SafeFire Firewall.

    - alias [no]priv

        This command restricts (alias priv) the set of internal IP addresses
        that will be translated to the three private ranges (see RFC 1918):
                            10.0.0.0     ->   10.255.255.255
                            172.16.0.0   ->   172.31.255.255
                            192.168.0.0  ->   192.168.255.255
        or cancels this restriction (alias nopriv).
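
        The following is an added example, not part of this guide or of
        SafeFire itself: it models which internal source addresses fall inside
        the three ranges above (and so are still translated under 'alias
        priv'), using a constructed host list that includes look-alike
        addresses just outside the ranges.

```python
import ipaddress

# The three RFC 1918 ranges listed in the 'alias priv' description,
# written in the same first-address -> last-address form as the guide.
PRIVATE_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]


def range_to_networks(first, last):
    """Turn a first/last address pair into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


PRIVATE_NETWORKS = [net for first, last in PRIVATE_RANGES
                    for net in range_to_networks(first, last)]


def is_rfc1918(addr):
    """True if addr falls inside one of the three private ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


def translated_sources(sources, priv):
    """Return the subset of internal source addresses NAT would translate.

    priv=True models 'alias priv' (only RFC 1918 sources are translated);
    priv=False models 'alias nopriv' (every internal source is translated).
    This is a model of the documented behaviour, not SafeFire's own code.
    """
    if not priv:
        return list(sources)
    return [s for s in sources if is_rfc1918(s)]


# Constructed sample of internal hosts, including two look-alikes that sit
# just outside the private ranges (172.32.0.1 and 192.169.0.1).
SAMPLE_HOSTS = ["10.1.2.3", "172.16.0.9", "172.32.0.1",
                "192.168.5.5", "192.169.0.1", "203.0.113.7"]

if __name__ == "__main__":
    print("alias priv   :", translated_sources(SAMPLE_HOSTS, priv=True))
    print("alias nopriv :", translated_sources(SAMPLE_HOSTS, priv=False))
```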

    - alias [no]forward

        This command enables (alias forward) or disables (alias noforward)
        forwarding of packets ignored by NAT.

    - alias [no]defrag

        This command enables (alias defrag) or disables (alias nodefrag)
        assembling of packets before translation.

    - alias [no]incoming

        This command enables (alias incoming) or disables (alias noincoming)
        incoming connections (e.g. to ftp, telnet or web servers) through the
        aliasing mechanism.

    - assembly status

        Shows whether fragmented packet assembly is on or off and the
        assembly timeout (in seconds).

    - assembly on/off

        Switches fragmented packet assembly on or off.

    - assembly timeout <timeout>

        Sets the packet assembly timeout (in seconds).

