NAME
nufw - NUFW user filtering gateway server
SYNOPSIS
nufw [ -h ] [ -V ] [ -D ] [ -m ] [ -v[v...] ] [ -s ] [ -S ] [ -N ] [ -A debug_area ] [ -k keyfile ] [ -c certfile ] [ -a cafile ] [ -r crlfile ] [ -n nuauth_cert_dn ] [ -d address ] [ -p (remote) port ] [ -t timeout ] [ -T track_size ] [ -q NfQueue_num ] [ -L Nfqueue_length ] [ -C ] [ -M ]
DESCRIPTION
This manual page documents the nufw command.

nufw is the minimalist server, designed to run on the gateway(s) of the network. nufw is designed to run in conjunction with nuauth, the authenticating server. nufw receives network packets from the local firewall (on Linux 2.4 and 2.6, this is set up with the help of the '-j NFQUEUE' or '-j QUEUE' netfilter target) and synchronizes with a nuauth server to check that each packet is authorized to travel through the gateway.

The design of the NUFW package lets the administrator filter network traffic per user, not only per IP. This means you can now deal with different permissions for user A and user B, even if they work at the same moment on the same multiuser machine. In other words, this extends firewalling criteria to the user ID, at the network scale.

Original packaging, information and help can be found at http://www.nufw.org/
OPTIONS
-h
    Issues usage details and exits.

-V
    Issues the version and exits.

-D
    Run as a daemon. If started as a daemon, nufw logs messages to syslog. If you don't specify this option, messages go to the console nufw is running on, both on STDOUT and STDERR. Unless you are debugging something, you should run nufw with this option.

-m
    Mark packets with the user ID. This requires the wvmark POM patch applied to netfilter, and is necessary for per-user QoS or routing.

-v
    Increases the debug level. Multiple switches are accepted and each of them increases the debug level by one. The default debug level is 2, the maximum is 10.

-A debug_area
    Chooses the debug area. The default debug area is ALL. To select a subset, add the values from the following list:

    • DEBUG_AREA_MAIN (1) main domain
    • DEBUG_AREA_PACKET (2) packet domain
    • DEBUG_AREA_USER (4) user domain
    • DEBUG_AREA_GW (8) gateway domain, interaction with nufw servers
    • DEBUG_AREA_AUTH (16) authentication domain

-k keyfile
    Use the specified file as the SSL (private) key file.

-c certfile
    Use the specified file as the SSL (public) certificate file.

-a cafile
    Use the specified file as the SSL certificate authority file.

-r crlfile
    Use the specified file as the SSL certificate revocation list file. Before 2.2.19, nufw had to be restarted to pick up changes to this file; since 2.2.19, nufw reloads it dynamically when it receives a HUP signal.

-n nuauth_cert_dn
    Use the specified string as the required DN of nuauth. nufw will refuse to connect if the provided string does not match the DN of the certificate presented by nuauth. If you do not use this option, the DN of the nuauth certificate is checked against the fully qualified domain name of the nuauth server, obtained from a reverse DNS lookup on the nuauth IP address.

-s
    Disable strict TLS checking of the certificate presented by nuauth.

-S
    Force strict TLS checking of the certificate presented by nuauth. This is the default behavior of the daemon since 2.2.18.

-N
    Suppress the error raised when the server FQDN does not match the certificate CN.

-d address
    Network address of the nuauth server.

-p port
    Specifies the TCP port to send data to when addressing the nuauth server. The nuauth server must be set up to listen on that port. Default value: 4128.

-t seconds
    Specifies the timeout after which packets not answered by nuauth are forgotten. Default value: 15 s.

-T track_size
    Sets the maximum number of packets that can wait for a decision in nufw. Default value: 1000.

-q NfQueue number
    If nufw was compiled with NfQueue support, the id of the NfQueue to use (default: 0).

-L NfQueue length
    Specifies the length of the nfnetlink queue used by nufw. This is the number of packets that the kernel will keep internally before dropping newly arriving packets.

-C
    Listen to conntrack events (needed for connection expiration).

-M
    Only report events on marked connections to nuauth (implies -C and -m).

    This is the way to do an efficient selection of the events to be sent to nuauth, but it REQUIRES a kernel with transmit_mark applied (should be OK for 2.6.18+) and the use of CONNMARK to propagate the initial mark across all the packets of the connection.
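The following shell script is an added example; it is not part of the nufw project or of this manual page. It composes a nufw command line that keeps strict TLS checking of nuauth (-S together with -n and -a, with -s and -N deliberately left out), derives the -A bitmask from the area values listed above, and prints the netfilter rule that steers forwarded packets to the queue number given with -q. The nuauth address, the expected certificate DN, the file paths under /etc/nufw and the queue number are placeholders; the iptables NFQUEUE syntax is the standard one.

```shell
#!/bin/sh
# Added example, not part of nufw: compose a nufw(8) invocation with strict
# TLS checking of nuauth and the matching NFQUEUE rule. Every value below is
# a placeholder chosen for illustration.

NUAUTH_ADDR="192.0.2.10"            # placeholder: address of the nuauth server (-d)
NUAUTH_DN="CN=nuauth.example.org"   # placeholder: DN expected in nuauth's certificate (-n)
QUEUE_NUM=0                         # NFQUEUE id, must match both -q and --queue-num
TLS_DIR="/etc/nufw"                 # placeholder directory for key, cert, CA and CRL

# Build the bitmask handed to -A from debug area names. The values are the
# ones documented for -A: MAIN=1, PACKET=2, USER=4, GW=8, AUTH=16.
nufw_debug_mask() {
    mask=0
    for area in "$@"; do
        case "$area" in
            MAIN)   v=1 ;;
            PACKET) v=2 ;;
            USER)   v=4 ;;
            GW)     v=8 ;;
            AUTH)   v=16 ;;
            *) echo "unknown debug area: $area" >&2; return 1 ;;
        esac
        mask=$((mask | v))
    done
    echo "$mask"
}

# Print the nufw command line. -S keeps strict checking of nuauth's
# certificate, -a names the CA that must have issued it, -n pins the DN nufw
# expects, and -r lets nufw honour a revocation list. -s (no strict checking)
# and -N (ignore an FQDN/CN mismatch) are deliberately absent.
nufw_cmdline() {
    printf '%s' "nufw -D -S -C" \
        " -d $NUAUTH_ADDR -p 4128" \
        " -n '$NUAUTH_DN'" \
        " -k $TLS_DIR/nufw-key.pem -c $TLS_DIR/nufw-cert.pem" \
        " -a $TLS_DIR/nuauth-ca.pem -r $TLS_DIR/nuauth-crl.pem" \
        " -q $QUEUE_NUM -L 1024 -T 1000 -t 15" \
        " -A $(nufw_debug_mask MAIN AUTH)"
    echo
}

# Netfilter rule that hands forwarded packets to the queue nufw reads.
# Standard iptables NFQUEUE syntax; apply it on the gateway as root.
nfqueue_rule() {
    echo "iptables -A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM"
}

# Running the script prints both lines; nothing is applied to the system.
nfqueue_rule
nufw_cmdline
```

Because nufw reads exactly one queue (-q), the --queue-num of the NFQUEUE rule and the -q argument are taken from the same variable, so the two cannot drift apart; the -L, -T and -t values repeat the defaults and limits documented above and can be tuned to the gateway's traffic.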
SIGNALS
The nufw daemon is designed to deal with several signals: USR1, USR2, SYS, WINCH and POLL.

USR1
    Increases verbosity. The daemon then acts as if it had been launched with one supplementary '-v'. A line is also added to the system log to mention the signal event.

USR2
    Decreases verbosity. The daemon then acts as if it had been launched with one less '-v'. A line is also added to the system log to mention the signal event.

SYS
    Removes the conntrack events thread. This gets the daemon to work as if the "-C" switch had not been set. This is useful in HA configurations, when one firewall becomes passive, for instance.

WINCH
    Starts the conntrack events thread. This gets the daemon to work as if the "-C" switch had been set at startup. This is useful in HA configurations, when one firewall becomes active, for instance.

POLL
    Logs an "audit" line, mentioning how many network datagrams were received and sent since daemon startup.
SEE ALSO
nuauth(8)

AUTHOR
Nufw was designed and coded by Eric Leblond, aka Regit (<eric@regit.org>), and Vincent Deffontaines, aka gryzor (<vincent@gryzor.com>). Original idea in 2001, while working on NSM Ldap support.

This manual page was written by Vincent Deffontaines.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 2 as published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts and no Back-Cover Texts.