NAME
uif - Tool for generating optimized packetfilter rules
SYNOPSIS
uif [-dptW] [-b base] [-c config_file] [-C config_file] [-D bind_dn]
[-r ruleset] [-R ruleset] [-s server] [-T time] [-w password]
DESCRIPTION
This manual page documents the uif command. It is used to generate
optimized iptables(8) packetfilter rules, using a simple description file
specified by the user. Generated rules are provided in iptables-save(8)
style. uif can be used to read or write rulesets from or to LDAP servers
in your network, which provides a global storing mechanism. (LDAP support
is currently broken, note that you need to include the uif.schema to your
slapd configuration in order to use it.)
uif.conf(5) provides an easy way to specify rules, without exact
knowledge of the iptables syntax. It provides groups and aliases to make
your packetfilter human readable.
Keep in mind that uif is intended to assist you when designing firewalls,
but will not tell you what to filter.
Options
The options are as follows:
-b base
Specify the base to act on when using LDAP based firewall
configuration. uif will look in the subtree ou=filter,
ou=sysconfig, base for your rulesets.
-c config_file
This option specifies the configuration file to be read by uif.
See uif.conf(5) for detailed informations on the fileformat. It
defaults to /etc/uif/uif.conf.
-C config_file
When reading configuration data from other sources than specified
with -c you may want to convert this information into a textual
configuration file. This options writes the parsed config back to
the file specified by config_file.
-d Clears all firewall rules immediatly.
-D bind_dn
If a special account is needed to bind to the LDAP database, the
account dn can be specified at this point. Note: you should use
this when writing an existing configuration to the LDAP. Reading
the configuration may be done with an anonymous bind.
-p Prints rules specified in the configuration to stdout. This
option is mainly used for debugging the rule simplifier.
-r ruleset
Specifies the name of the ruleset to load from the LDAP database.
Remember to use the -b option to set the base. Rulesets are
stored using the following dn: cn=name, ou=rulesets, ou=filter,
ou=sysconfig, base, where name will be replaced by the ruleset
specified.
-R ruleset
Specifies the name of the ruleset to write to the LDAP database.
This option can be used to convert i.e. a textual configuration
to a LDAP based ruleset. Like using -r you’ve to specify the
LDAP base to use. Target is cn=name, ou=rulesets, ou=filter,
ou=sysconfig, base, where name will be replaced by the ruleset
specified.
-s server
This option specified the LDAP server to be used.
-t This option is used to validate the packetfilter configuration
without applying any rules. Mainly used for debugging.
-T time
When changing your packetfiltering rules remotely, it is usefull
to have a test option. Specify this one to apply your rules for a
period of time (in seconds). After that the original rules will
be restored.
-w password
When connecting to the LDAP server, you may need to authenticate
via passwords. If you really need to specify a password, use this
option, otherwise use -W and enter it interactivly.
-W Activate interactive password query for LDAP authentication.
uif is meant to leave the packetfilter rules in a defined state, so if
something went wrong during the initialisation, or uif is aborted by the
user, the rules that were active before starting will be restored.
Normally you will not need to call this binary directly. Use the init
script instead, since it does the most common steps for you.
FILES
Configuration files are located in /etc/uif.
SEE ALSO
uif.conf(5) iptables(8)
AUTHOR
This manual page was written by Cajus Pollmeier <pollmeier@gonicus.de>
and Jörg Platte <joerg.platte@gmx.de>, for the Debian GNU/Linux system
(but may be used by others).