NAME

       nufw - NUFW User filtering gateway server

SYNOPSIS

       nufw [ -h ] [ -V ] [ -D ] [ -m ] [ -v[v...] ] [ -s ] [ -S ] [ -N ] [ -A
       debug_area ] [ -k keyfile ] [ -c certfile ] [ -a cafile ] [ -r  crlfile
       ]  [  -n  nuauth_cert_dn  ]  [  -d  address ] [ -p (remote) port ] [ -t
       timeout ] [ -T track_size ] [ -q NfQueue_num ] [ -L Nfqueue_length ]  [
       -C ] [ -M ]

DESCRIPTION

       This manual page documents the nufw command.

       nufw is a minimalist server designed to run on the gateway(s)  of  the
       network,  in conjunction with nuauth, the authenticating server.  nufw
       receives network packets from the local firewall (on Linux 2.4 and 2.6
       this  is  set  up  with  the  ’-j NFQUEUE’ or ’-j QUEUE’ netfilter
       target) and asks the nuauth server whether each packet  is  authorized
       to travel through the gateway.

       The design of the NUFW package lets the  administrator  filter  network
       traffic  per  user,  not only per IP address. This means you can apply
       different permissions to user A and user B even if they  work  at  the
       same  moment  on  the same multiuser machine. In other words, it extends
       the firewalling criteria to the user ID, at the network scale.

       Original packaging, information and help can be found at
       http://www.nufw.org/

OPTIONS

       -h     Issues usage details and exits.

       -V     Issues version and exits.

       -D     Run as a daemon. When started as a daemon,  nufw  logs  messages
              to  syslog.  If  you do not specify this option, messages go to
              the console nufw is running on, on both STDOUT and STDERR.  Un-
              less  you  are  debugging  something, you should run nufw with
              this option.

       -m     Mark packets with UserID. This requires  the  wvmark  POM  patch
              applied  to  netfilter,  and  is  necessary  for per user QoS or
              routing.

       -v     Increases debug level. Multiple switches are accepted  and  each
              of them increases the debug level by one. Default debug level is
              2, max is 10.

       -A debug_areas
              Selects the debug areas. The default is all areas. To select  a
              subset,  add  up  the values of the wanted areas from the follow-
              ing list (the areas are bit flags, so 3 selects  MAIN  and  PACK-
              ET):

              · DEBUG_AREA_MAIN (1) main domain

              · DEBUG_AREA_PACKET (2) packet domain

              · DEBUG_AREA_USER (4) user domain

              · DEBUG_AREA_GW   (8)  Gateway  domain,  interaction  with  nufw
                servers.

              · DEBUG_AREA_AUTH (16) Authentication domain

       -k keyfile
              Use specified file as SSL (private) key file.

       -c certfile
              Use specified file as SSL (public) certificate file.

       -a cafile
              Use specified file as SSL certificate authority file.

       -r crlfile
              Use specified file as SSL certificate revocation list file. Be-
              fore  2.2.19  you  need  to  restart nufw after modifying this
              file; since 2.2.19, nufw reloads it when it receives a HUP sig-
              nal.

       -n nuauth_dn
              Use the specified string as the required DN of nuauth. nufw re-
              fuses  to  connect if the provided string does not match the DN
              of the certificate presented by nuauth. If you do not use  this
              option, the DN of the nuauth certificate is checked against the
              fully qualified domain name of the nuauth server,  obtained  by
              a  reverse  DNS  lookup  on  the  nuauth IP address. Pinning the
              DN with this option is preferable: the reverse lookup result is
              controlled  by  whoever  administers  the  PTR  zone  for  that
              address, not by you.

       -s     Disable strict TLS  checking  of  the  certificate  provided  by
              nuauth.

       -S     Force strict TLS checking of the certificate provided by nuauth.
              This is the default behavior of the daemon since 2.2.18.

       -N     Suppress the error raised when the nuauth server's FQDN does not
              match the certificate CN.

       -d address
              Network address of the nuauth server.

       -p port
              Specifies the TCP port to connect to on the nuauth server.  The
              nuauth  server  must  be  set  up  to listen on that port. De-
              fault value: 4128

       -t seconds
              Specifies the timeout after which packets not answered by nuauth
              are forgotten. Default value: 15 s.

       -T track_size
              Sets the maximum number of packets that can wait for a decision
              in nufw. Default value: 1000.

       -q NfQueue number
              If nufw was compiled with NfQueue support, the id of the  NfQueue
              to  use  (default: 0). It must match the --queue-num given to the
              NFQUEUE netfilter target.

       -L NfQueue length
              Specifies the length of the nfnetlink queue used by nufw, that is
              the number of packets the kernel keeps queued  before  dropping
              newly arriving ones.

       -C     Listen to conntrack events (needed for connection expiration).

       -M     Only report events on marked connections to nuauth (implies  -C
              and -m).

              This  is  the efficient way to select the events sent to nuauth,
              but it REQUIRES a kernel with the transmit_mark  patch  applied
              (should  be  fine  on  2.6.18+)  and  the  use  of  CONNMARK to
              propagate the initial mark to all the packets of the connection.
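       The following script is an added example, not code from the nufw project
       or its authors: it wires together the NFQUEUE hand-off described in the
       DESCRIPTION, the CONNMARK propagation that -M requires, and a strict-TLS
       nufw invocation using the options above. The queue number is shared be-
       tween the NFQUEUE target and -q, and the -A value is built from the area
       bit flags. The nuauth address 192.0.2.10, the DN CN=nuauth.example.net,
       the file names under /etc/nufw and the MODE/NUAUTH_*/QUEUE_* variables
       are assumptions for the example; nufw is assumed to be built with NfQueue
       and conntrack support and iptables to provide the NFQUEUE and CONNMARK
       targets. The script prints the commands unless explicitly told to apply
       them.

```shell
#!/bin/sh
# Added example, not code from the nufw project: bring up a nufw gateway on
# NFQUEUE with strict TLS towards nuauth and -M/CONNMARK event reporting.
# Assumed: nufw built with NfQueue and conntrack support, iptables with the
# NFQUEUE and CONNMARK targets, key/certificate files under /etc/nufw, and
# nuauth reachable at 192.0.2.10 (documentation address, stands in for yours).
set -eu

MODE="${MODE:-dry-run}"                          # dry-run prints, apply executes
NUAUTH_ADDR="${NUAUTH_ADDR:-192.0.2.10}"
NUAUTH_PORT="${NUAUTH_PORT:-4128}"               # nufw's default for -p
NUAUTH_DN="${NUAUTH_DN:-CN=nuauth.example.net}"  # hypothetical; must equal the DN in nuauth's certificate
QUEUE_NUM="${QUEUE_NUM:-0}"                      # must agree between -j NFQUEUE and nufw -q
QUEUE_LEN="${QUEUE_LEN:-2048}"                   # kernel-side queue length (-L)
CERTDIR="${CERTDIR:-/etc/nufw}"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$MODE" = dry-run ]; then
        printf '+'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Debug areas (-A) are bit flags: OR the selected areas together.
nufw_debug_mask() {
    mask=0
    for area in "$@"; do
        case "$area" in
            MAIN)   mask=$((mask | 1)) ;;
            PACKET) mask=$((mask | 2)) ;;
            USER)   mask=$((mask | 4)) ;;
            GW)     mask=$((mask | 8)) ;;
            AUTH)   mask=$((mask | 16)) ;;
            *) echo "unknown debug area: $area" >&2; return 1 ;;
        esac
    done
    echo "$mask"
}

# Netfilter side. New forwarded connections go to nufw's queue; the mark
# nufw puts on the first packet (-m, implied by -M) is saved into the
# conntrack entry in POSTROUTING and restored onto every later packet of
# the connection in PREROUTING, which is the CONNMARK propagation -M needs.
setup_netfilter() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate NEW -j NFQUEUE --queue-num "$QUEUE_NUM"
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

# nufw side. -S makes strict certificate checking explicit (the default
# since 2.2.18) and -n pins the expected DN instead of trusting a reverse
# DNS lookup of the nuauth address; -M implies -C and -m.
start_nufw() {
    run nufw -D -M -S \
        -d "$NUAUTH_ADDR" -p "$NUAUTH_PORT" -n "$NUAUTH_DN" \
        -k "$CERTDIR/nufw-key.pem" -c "$CERTDIR/nufw-cert.pem" \
        -a "$CERTDIR/ca.pem" -r "$CERTDIR/ca.crl" \
        -q "$QUEUE_NUM" -L "$QUEUE_LEN" -t 15 -T 1000 \
        -A "$(nufw_debug_mask MAIN AUTH)"
}

case "${1:-}" in
    apply)   MODE=apply;   setup_netfilter; start_nufw ;;
    dry-run) MODE=dry-run; setup_netfilter; start_nufw ;;
esac
```

       Run it as "sh nufw-gateway.sh dry-run" to review the rules and the nufw
       command line, then as root with "apply". The ESTABLISHED,RELATED accept
       rule sits before the NFQUEUE rule so that only the first packet of each
       connection is queued to nufw; later packets carry the restored mark and
       are reported through conntrack events when -M is used.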

SIGNALS

       The nufw daemon handles several signals: USR1, USR2, SYS,  WINCH  and
       POLL.

       USR1   Increases  verbosity.  The  daemon  then  acts as if it had been
              launched with one supplementary ’-v’. A line is also  added  to
              the system log to mention the signal event.

       USR2   Decreases  verbosity.  The  daemon  then  acts as if it had been
              launched with one less ’-v’. A line is also added to the  system
              log to mention the signal event.

       SYS    Removes  the  Conntrack  events  thread. This gets the daemon to
              work as if the "-C" switch had not been set. This is  useful  on
              HA configurations, when one firewall gets passive, for instance.

       WINCH  Starts the Conntrack events thread. This gets the daemon to work
              as if the "-C" switch had been set at startup. This is useful on
              HA configurations, when one firewall gets active, for  instance.

       POLL   Logs  an  "audit"  line,  mentioning  how many network datagrams
              were received and sent since daemon startup.
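       The following is an added example, not part of the nufw project: a noti-
       fy hook for the HA use described under SYS and WINCH, which a cluster
       manager calls with the node's new state. It sends WINCH when the node
       becomes active and SYS when it becomes passive, and also exposes the
       POLL, USR1 and USR2 actions for operators. The pidfile path
       /var/run/nufw.pid, the MASTER/BACKUP state names and the MODE and
       NUFW_PIDFILE variables are assumptions for the example. On Linux SIGPOLL
       is the same signal as SIGIO, and the name IO is the one kill(1) in the
       common shells accepts, so that spelling is used for the audit action.

```shell
#!/bin/sh
# Added example, not code from the nufw project: cluster notify hook that
# drives the SYS/WINCH failover signals and the POLL/USR1/USR2 operator
# signals. Assumed: nufw runs with -D and its pid is in /var/run/nufw.pid
# (hypothetical path), and the cluster manager calls this script with the
# node's new state (MASTER or BACKUP) as its first argument.
set -eu

NUFW_PIDFILE="${NUFW_PIDFILE:-/var/run/nufw.pid}"
MODE="${MODE:-apply}"          # dry-run prints the kill command instead

# Map an action to the signal the SIGNALS section documents for it.
# SIGPOLL and SIGIO are the same signal on Linux; IO is the name kill(1)
# reliably accepts.
nufw_signal_for() {
    case "$1" in
        MASTER)  echo WINCH ;;  # node became active: start conntrack thread
        BACKUP)  echo SYS ;;    # node became passive: stop conntrack thread
        audit)   echo IO ;;     # POLL: log the datagram counters
        louder)  echo USR1 ;;   # one more -v
        quieter) echo USR2 ;;   # one less -v
        *) echo "nufw-notify: unknown action '$1'" >&2; return 1 ;;
    esac
}

# Read and validate the pid of the running daemon. A stale or garbage
# pidfile is refused rather than signalling an unrelated process.
nufw_pid() {
    pid=$(cat "$NUFW_PIDFILE" 2>/dev/null) || {
        echo "nufw-notify: cannot read $NUFW_PIDFILE" >&2; return 1; }
    case "$pid" in
        ''|*[!0-9]*) echo "nufw-notify: bad pid '$pid' in $NUFW_PIDFILE" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || {
        echo "nufw-notify: pid $pid from $NUFW_PIDFILE is not running" >&2; return 1; }
    echo "$pid"
}

# Deliver the signal for an action; prints "kill -s SIG PID" in dry-run mode.
nufw_notify() {
    sig=$(nufw_signal_for "$1") || return 1
    pid=$(nufw_pid) || return 1
    if [ "$MODE" = dry-run ]; then
        echo "kill -s $sig $pid"
    else
        kill -s "$sig" "$pid"
    fi
}

case "${1:-}" in
    MASTER|BACKUP|audit|louder|quieter) nufw_notify "$1" ;;
esac
```

       Wire "nufw-notify.sh MASTER" and "nufw-notify.sh BACKUP" into the
       cluster manager's state-change hooks; "nufw-notify.sh audit" from cron
       gives periodic datagram counters in the system log.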

SEE ALSO

       nuauth(8)

AUTHOR

       Nufw  was   designed   and   coded   by   Eric   Leblond,   aka   Regit
       (<eric@regit.org>)    ,    and   Vincent   Deffontaines,   aka   gryzor
       (<vincent@gryzor.com>). Original idea in 2001,  while  working  on  NSM
       Ldap support.

       This manual page was written by Vincent Deffontaines

       Permission  is  granted to copy, distribute and/or modify this document
       under the terms of the GNU Free Documentation  License,  Version  2  as
       published  by the Free Software Foundation; with no Invariant Sections,
       no Front-Cover Texts and no Back-Cover Texts.

                               25 November 2008