
		    Filter Manager 2.0

Filter Manager (fm) is a tool for managing a PC running the Filter
portion of the Drawbridge filtering package. It allows you to load
new tables into the Filter and inspect them.

System Requirements
-------------------

fm has only been compiled under gcc for Solaris 2.3 but should compile
without much problem on any Unix system. fm is endian independent.

How To Install
--------------

You can either build fm with a "make <platform>" in the fm directory or
just copy the Solaris 2.3 executable that is included. The supported
platforms are documented in the makefile. If you just type "make" the
makefile will attempt to build for Solaris (2.X). Note that the code
for fm is ANSI C so you will need an ANSI C compiler to compile it (it
has only been tested under the GNU C Compiler so far). The executable
can be installed anywhere and does not need any support files.

How To Use
----------

o Introduction

fm is an interactive program modeled after lpc. However, it provides
more feedback and help than the typical Unix tool. It takes no command
line switches and is suitable for scripting.

o Commands

Once you have started fm, you can use "help" or "?" to get help. The
following is a list of supported commands:

        set (verbose|target|password) <args>
        load (network|classes|allow|reject) <filename>
        show (host|class|allow|reject|target|verbose|password) [<args>]
        query (host|class|allow|reject|stats) [<args>]
        upload (networks|classes|allow|reject)
        write
        release (classes|allow|reject|network) [<args>]
        reboot
        clear
        reset
        newpwd <password>
        quit

A "#" at the beginning of a line comments the entire line. Also,
"!" can be used as a shell escape. If you type "help <command>", fm will
print help about that particular <command>.

o Caveats

When Filter is first run, it will not have any tables loaded and will
apply default rules for all packet filtering. You must build a
configuration file and use Filter Compiler (see the file COMPILER) to
generate the filtering tables from there.

Filter will also not be using secure management by default. You can use
the "newpwd" command in fm to install a password in Filter to enable
secure management.  (Note that newpwd will perform a "set password
<password>" command implicitly.) In this first case the password will
go across the network unencrypted, though all subsequent "newpwd"
generated passwords will be encrypted with the previous password. If
you are extremely concerned about security, you should put an initial
password in the file PASSWORD on the Filter PC before starting it up.

Pseudo One Time Pad encryption is used for authentication and privacy.
The management packets contain random number "challenges" and the
entire data portion of the packets is encrypted.

o Using Tables

Once you have created filtering tables with the Filter Compiler (fc),
you load them into fm with "load" commands.  You can load multiple
networks into fm but only one each of classes, allow and reject tables.
Each table is loaded in with separate "load" commands.  You can inspect
these loaded tables with the "show" command.

Once you are satisfied with the loaded tables, you can load the
information into Filter using the "upload" command.  Note that "upload
networks" will upload all of the networks at once. Once the uploaded
information has been successfully transferred, it will take immediate
effect.  However, it will not be made permanent until you issue a
"write" command, which will tell Filter to write its currently loaded
tables to disk.

You can inspect what Filter currently has loaded with the "query"
command.  Its usage is analogous to the "show" command but queries
loaded tables in Filter, not fm.

You can also now query statistics in Filter. The statistics in the
upper section pertain directly to Drawbridge while the statistics in
the lower section pertain directly to the cards (NDIS). (Note that 
the Inside/Outside statistics in the Drawbridge section only pertain
to packets that made it past bridging to the filtering portion of
Drawbridge while the statistics in the lower section pertain to all
packets.)

If at some point you wish to delete tables loaded into Filter you can
use the "release" command. This command takes effect immediately and
deletes the tables from disk. Filter will revert to default behavior
for the deleted tables until new ones are loaded.

o Configuration Files

fm reads the file ~/.fmrc on startup and executes all commands found in
that file. The .fmrc file usually contains a "set target" command and a
"set password" command so that you can communicate with the filter on
startup of fm. For example:

set target 123.1.2.3
set password PaSsWoRd

Since the password may be in your .fmrc, fm requires that your .fmrc be
mode 400 to protect it.
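
The following is an added example, not part of the fm distribution:
shell functions that create an .fmrc without leaving it group or world
readable at any point, and that check for mode 400 before fm is started.
The function names and sample values are assumptions; the check mirrors
the mode 400 requirement stated above, not fm's own source.

```shell
#!/bin/sh
# Added example (not fm code); function names and sample values are assumptions.

# write_fmrc FILE TARGET PASSWORD
# Writes the two startup commands shown above and leaves FILE at mode 400.
write_fmrc() {
    file=$1 target=$2 password=$3
    (
        umask 077      # file is owner-only from the moment it is created
        set -C         # noclobber: '>' fails if something already exists at the path
        rm -f "$file"  # an existing mode-400 copy cannot be overwritten in place
        printf 'set target %s\nset password %s\n' "$target" "$password" > "$file"
    ) || return 1
    chmod 400 "$file"  # drop the owner write bit: the mode fm requires
}

# fmrc_mode FILE
# Prints the type and permission string from ls, e.g. "-r--------".
# cut drops the ACL/SELinux marker some systems append as an 11th character.
fmrc_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_fmrc FILE
# Returns 0 only when FILE is a regular file (not a symlink) with mode exactly 400.
check_fmrc() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "$1: missing or not a regular file" >&2
        return 1
    fi
    mode=$(fmrc_mode "$1")
    if [ "$mode" != "-r--------" ]; then
        echo "$1: mode is $mode, expected -r-------- (400)" >&2
        return 1
    fi
    return 0
}

# Typical use (constructed values, taken from the example above):
#   write_fmrc "$HOME/.fmrc" 123.1.2.3 PaSsWoRd
#   check_fmrc "$HOME/.fmrc" && fm
```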

Note that it is assumed that a machine that is running fm in the secure
mode is itself secure. Otherwise the key can be stolen and Filter
accessed without your knowledge. If you happen to lose your password on
the fm host, then you must go to Filter and modify the PASSWORD file.

o Miscellaneous

The "reboot" command can be used to cause Filter to warm boot the PC.
Note that the autoexec.bat file on the PC must be configured to
correctly restart the Filter for this to work effectively.

The "reset" and "clear" commands can be used to reset fm and Filter.
The "reset" command completely resets the internal state of fm and
causes the .fmrc file to be reread. The "clear tables" command only
causes the currently loaded tables in fm to be unloaded. The "clear
statistics" command causes Filter to reset its statistics.
