NAME
       rcf - the most complete and secure ipchains Firewall for Linux.

SYNOPSIS
       rcf [--help]

       rcf [--config config-file] [--modules modules-dir] [--update-config]

       rcf [--config config-file] [--modules modules-dir] [--groups groups-dir]
           [--show-config] [--test] [--debug yes|no] [--nosecurity-file-check]
           [--[private|public|dmz|mz]-interfaces-security [open|relaxed|strict|paranoid]]
           [--[dmz|mz]-clusters-security [relaxed|strict|paranoid]]
           [--[public|private|dmz|mz]-interfaces interfaces...]
           [--action-interface-service-type option-value...]
           [--accept-all]

DESCRIPTION
       rcf (aka rc.firewall) is an ipchains-based firewall with support for
       over 50 network services (including vtun, dhcp, nfs, smb, napster,
       proxies, online games, etc.), masquerading, port forwarding, and ip
       accounting. All services are self-contained modules which can be
       prioritized easily in the ipchains stack. Protections include
       spoofing, stuffed routing/masquerading, DoS, smurf attacks, outgoing
       port scans, and many more. rcf also supports multiple public, private
       (masqu'ed), dmz, and mz (non-masq'ed) networks and interfaces. Access
       rules are defined per interface and dmz/mz server groups.

       If you use rcf in a commercial setting, please refer to .

OPTIONS
       --help
              This summary of options.

       --config config-file
              Specify an alternate path for the config-file instead of
              /etc/firewall.conf.

       --modules modules-dir
              Specify an alternate base path for the firewall modules instead
              of /etc/firewall/modules.

       --groups groups-dir
              Specify an alternate path for the firewall groups directory
              instead of the default /etc/firewall/groups.

       --update-config
              Update the config-file with all interface-based options. This
              is essential when changing private/public interfaces,
              adding/removing modules, or upgrading to a new version of rcf.

       --test
              Show the commands which would be executed by rcf. The
              ipchains(8) rules are not changed.

       --debug yes|no
              Turn ON or OFF debugging mode, overriding the configured value.
              Debug mode will log as many input/output/masquerade deny/accept
              packets as possible to the kernel.info syslogd(8) category.

       --nosecurity-file-check
              When verifying the system security, don't check file
              permissions and owners.

       --[public|private|dmz|mz]-interfaces interfaces...
              Add network interface(s) to the configured set. The config-file
              options for this interface are not created automatically. If
              you want to implement rules for this interface, you'll have to
              use additional command line options.

       --[public|private|dmz|mz]-interfaces-security [relaxed|strict|paranoid]
              relaxed mode allows outgoing TCP connections and
              incoming/outgoing UDP traffic on high ports. This mode will
              allow port-scanning of remote hosts from your firewall. Access
              must be granted for each local service offered (web and ftp
              servers, etc.).

              strict mode allows outgoing TCP connections except to known
              hacker-friendly service ports (sunrpc, rlogin, telnet, etc.).
              All UDP traffic is denied. Access must be given for each UDP
              based service and local TCP services offered to remote users
              (web and ftp servers, etc.).

              paranoid mode denies all incoming/outgoing TCP and UDP traffic.
              Each service (local and remote) must be granted access. Make
              sure you execute rcf with the --update-config parameter after
              switching to paranoid mode. This will add several options to
              the configuration file. You should review these before running
              rcf again.

       --accept-all
              Set the default ipchains(8) policy to accept, flush all firewall
              rules, and remove all chains. This effectively disables the
              firewall.

       --action-interface-service-type option-value...
              Add temporary entries to a config-file option. Useful when you
              want to open-up a service on-the-fly. These settings will be
              lost the next time the firewall is executed. Command line
              options with yes/no values will override the config-file
              options instead of adding to them.
              Examples:

                  --enable-eth0-dhcp-clients yes
                  --deny-eth1-blacklist-hosts 207.253.78.0/24
                  --accept-eth1-telnet-clients first.host.com second.host.com
                  --accept-eth1:1-tcp-rhostlports 1.2.3.0/24 6112:6119, myfriend.com 81 8080

FILES
       /etc/firewall.conf
              Default location of the rcf config-file. See firewall.conf(5)
              for further details.

       /etc/firewall/
              Default location of the rcf(8) groups, modules, and sbin
              directories.

ENVIRONMENT
       PATH   For security reasons, your PATH environment variable should not
              contain any relative directories. This means all directories
              must start with a slash.

FAQ
       The rcf Frequently Asked Questions (FAQ) are available at:

BUGS
       If you experience any problems using rcf, please subscribe to our
       mailing list . If you'd like to contribute to the evolution of rcf,
       you can also join the development list at .

UPDATES
       Releases of rcf are announced on Freshmeat . Development and production
       releases are also announced on our mailing list . The latest versions
       are always available from:

AUTHOR
       Jean-Sebastien Morisset

SEE ALSO
       firewall.conf(5) rcf-groups(5) rcf-modules(5)
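The relaxed, strict and paranoid levels of the --interfaces-security option differ only in what they let through when no service has been explicitly granted. The shell function below is an added illustration of that difference and is not part of rcf's own code or rule set. It assumes that "high ports" means 1024 and above, uses the standard port numbers for the named hacker-friendly services (sunrpc 111, rlogin 513, telnet 23), and treats the port argument as the remote service port for outgoing traffic and the local service port for incoming traffic; the function name and the single-port simplification are assumptions for the example.

```shell
#!/bin/sh
# Added example (not rcf code): model how each --interfaces-security level
# treats one packet when the service has not been granted in the config-file.
# Assumptions not stated in the man page: "high ports" are 1024 and above;
# the "hacker-friendly" ports named there map to sunrpc 111, rlogin 513,
# telnet 23.

# rcf_mode_decision MODE DIRECTION PROTO PORT GRANTED
#   MODE      relaxed | strict | paranoid
#   DIRECTION in | out
#   PROTO     tcp | udp
#   PORT      remote service port for "out", local service port for "in"
#   GRANTED   yes if the service was granted explicitly (e.g. --accept-...)
# Prints "accept" or "deny".
rcf_mode_decision() {
    mode=$1; dir=$2; proto=$3; port=$4; granted=$5

    # An explicit grant is honoured in every mode; it is the only way
    # anything passes in paranoid mode.
    [ "$granted" = yes ] && { echo accept; return 0; }

    case $mode in
        relaxed)
            # Outgoing TCP is open; UDP is open both ways on high ports.
            if [ "$proto" = tcp ] && [ "$dir" = out ]; then
                echo accept
            elif [ "$proto" = udp ] && [ "$port" -ge 1024 ]; then
                echo accept
            else
                echo deny
            fi
            ;;
        strict)
            # Outgoing TCP is open except to the listed ports; all UDP denied.
            if [ "$proto" = tcp ] && [ "$dir" = out ]; then
                case $port in
                    111|513|23) echo deny ;;   # sunrpc, rlogin, telnet
                    *)          echo accept ;;
                esac
            else
                echo deny
            fi
            ;;
        paranoid)
            # Everything is denied unless granted.
            echo deny
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# Print a comparison table over a few constructed cases (no grants).
rcf_mode_table() {
    printf '%-9s %-4s %-5s %-6s %s\n' MODE DIR PROTO PORT DECISION
    for m in relaxed strict paranoid; do
        printf '%-9s %-4s %-5s %-6s %s\n' "$m" out tcp 23    "$(rcf_mode_decision "$m" out tcp 23 no)"
        printf '%-9s %-4s %-5s %-6s %s\n' "$m" out tcp 443   "$(rcf_mode_decision "$m" out tcp 443 no)"
        printf '%-9s %-4s %-5s %-6s %s\n' "$m" out udp 53    "$(rcf_mode_decision "$m" out udp 53 no)"
        printf '%-9s %-4s %-5s %-6s %s\n' "$m" in  udp 33434 "$(rcf_mode_decision "$m" in udp 33434 no)"
        printf '%-9s %-4s %-5s %-6s %s\n' "$m" in  tcp 80    "$(rcf_mode_decision "$m" in tcp 80 no)"
    done
}

rcf_mode_table
```

The table makes the man page's warning concrete: relaxed accepts outgoing TCP to any port, which is what lets the firewall host itself be used for port-scanning, while strict still accepts outgoing TCP to 443 but denies 23, and paranoid denies every row until the matching --accept-... grant is added.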
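The PATH rule in the ENVIRONMENT section can be verified before rcf is started. The POSIX sh function below is an added example and not part of rcf; the function name is made up for the illustration. It treats an empty entry (a leading or trailing ":" or a "::" in the middle) as relative too, because the shell searches the current directory for such an entry.

```shell
#!/bin/sh
# Added example (not rcf code): verify that every entry of a PATH-style
# value is an absolute directory, as the ENVIRONMENT section requires.

# rcf_check_path_value PATHVALUE
# Prints each offending entry on stdout. Returns 0 if every entry starts
# with "/", 1 otherwise.
rcf_check_path_value() {
    value=$1
    bad=0
    # A trailing ":" lets the loop treat the last field like the others.
    rest="$value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                                   # absolute: fine
            "") echo "relative entry: (empty field, means current directory)"
                bad=1 ;;
            *)  echo "relative entry: $entry"
                bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample values showing the check in action.
rcf_check_path_value '/usr/sbin:/usr/bin:/bin' && echo "sample 1 ok"
rcf_check_path_value '/usr/bin:.:/bin' || echo "sample 2 rejected"
rcf_check_path_value '/usr/bin::/bin' || echo "sample 3 rejected"

# Check the running shell's own PATH the way rcf expects it to be set.
if rcf_check_path_value "$PATH"; then
    echo "PATH ok"
else
    echo "PATH contains relative directories; fix it before running rcf" >&2
fi
```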