NUFW(8)                                                                NUFW(8)

NAME

       nufw - NUFW User filtering gateway server

SYNOPSIS

       nufw [ -h ] [ -V ] [ -D ] [ -m ] [ -v[v...] ] [ -s ] [ -S ] [ -N ]
            [ -A debug_area ] [ -k keyfile ] [ -c certfile ] [ -a cafile ]
            [ -r crlfile ] [ -n nuauth_cert_dn ] [ -d address ]
            [ -p (remote) port ] [ -t timeout ] [ -T track_size ]
            [ -q NfQueue_num ] [ -L Nfqueue_length ] [ -C ] [ -M ]

DESCRIPTION

       This manual page documents the nufw command.

       nufw is the minimalist server, designed to run on the gateway(s) of the
       network. nufw is designed to run in conjunction with nuauth, the
       authenticating server. nufw receives network packets from the local
       firewall (on Linux 2.4 and 2.6, this is set up with the help of the
       '-j NFQUEUE' or '-j QUEUE' netfilter target), and synchronizes with a
       nuauth server to check whether each packet is authorized to travel
       through the gateway.

       The design of the NUFW package lets administrators filter network
       traffic per user, not only per IP. This means you can now deal with
       different permissions for user A and user B, even if they work at the
       same moment, on the same multiuser machine. In other words, this
       extends firewalling criteria to the user ID, at the network scale.

       Original packaging, information and help can be found at
       http://www.nufw.org/

OPTIONS

       -h     Issues usage details and exits.

       -V     Issues version and exits.

       -D     Run as a daemon. If started as a daemon, nufw logs messages to
              syslog. If you don't specify this option, messages go to the
              console nufw is running on, both on STDOUT and STDERR. Unless
              you are debugging something, you should run nufw with this
              option.

       -m     Mark packets with the user ID. This requires the wvmark POM
              patch applied to netfilter, and is necessary for per-user QoS
              or routing.

       -v     Increases debug level. Multiple switches are accepted and each
              of them increases the debug level by one. Default debug level
              is 2, max is 10.

       -A debug_areas
              Selects the debug areas. The default debug area is ALL. To
              select a subset, add together the values of the wanted areas
              from the following list:

              · DEBUG_AREA_MAIN (1) main domain

              · DEBUG_AREA_PACKET (2) packet domain

              · DEBUG_AREA_USER (4) user domain

              · DEBUG_AREA_GW (8) Gateway domain, interaction with nufw
                servers.

              · DEBUG_AREA_AUTH (16) Authentication domain

       -k keyfile
              Use specified file as SSL (private) key file.

       -c certfile
              Use specified file as SSL (public) certificate file.

       -a cafile
              Use specified file as SSL certificate authority file.

       -r crlfile
              Use specified file as SSL certificate revocation list file. You
              will need to restart nufw if you modify this file. Since 2.2.19,
              nufw reloads this file dynamically when receiving a HUP signal.

       -n nuauth_dn
              Use specified string as the required DN of nuauth. nufw will
              refuse to connect if the provided string does not match the DN
              of the certificate provided by nuauth. If you do not use this
              option, the DN of the nuauth certificate will be checked against
              the fully qualified domain name of the nuauth server, obtained
              from a reverse DNS lookup on the nuauth IP address.

       -s     Disable strict TLS checking of the certificate provided by
              nuauth.

       -S     Force strict TLS checking of the certificate provided by nuauth.
              This is the default behavior of the daemon since 2.2.18.

       -N     Suppress the error if the server FQDN does not match the
              certificate CN.

       -d address
              Network address of the nuauth server.

       -p port
              Specifies the TCP port to send data to when addressing the
              nuauth server. The nuauth server must be set up to listen on
              that port. Default value: 4128

       -t seconds
              Specifies the timeout after which packets not answered for by
              nuauth are forgotten. Default value: 15 s.

       -T track_size
              Set the maximum number of packets that can wait for a decision
              in nufw. Default value: 1000.

       -q NfQueue number
              If nufw was compiled with NfQueue support, ID of the NfQueue to
              use (default: 0).

       -L NfQueue length
              Specify the length of the nfnetlink queue used by nufw. This is
              the number of packets that the kernel will keep internally
              before dropping newly arriving packets.

       -C     Listen to conntrack events (needed for connection expiration).

       -M     Only report events on marked connections to nuauth (implies -C
              and -m).

              This is the way to do an efficient selection of the events to
              be sent to nuauth, but it REQUIRES a kernel with transmit_mark
              applied (should be ok for 2.6.18+) and the use of CONNMARK to
              propagate the initial mark across all the packets of the
              connection.
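       Putting the options above together, an added example (shell code
       written for this page, not part of the nufw project) that assembles a
       nufw command line with strict TLS checking and a pinned nuauth DN,
       computes the numeric -A mask from area names, and emits the iptables
       NFQUEUE rule whose queue number must match -q. The certificate paths,
       the address 192.0.2.10 and the DN are placeholders.

```shell
# Added example, not code from the nufw project.  Certificate paths, the
# nuauth address and DN are placeholders, overridable from the environment.
: "${NUAUTH_ADDR:=192.0.2.10}"
: "${NUAUTH_DN:=CN=nuauth.example.org}"
: "${KEYFILE:=/etc/nufw/nufw-key.pem}"
: "${CERTFILE:=/etc/nufw/nufw-cert.pem}"
: "${CAFILE:=/etc/nufw/ca.pem}"
: "${CRLFILE:=/etc/nufw/crl.pem}"

# Bit value of one debug area, as listed under -A.
nufw_area_value() {
    case "$1" in
        MAIN)   echo 1 ;;
        PACKET) echo 2 ;;
        USER)   echo 4 ;;
        GW)     echo 8 ;;
        AUTH)   echo 16 ;;
        *)      echo "unknown debug area: $1" >&2; return 1 ;;
    esac
}

# Numeric -A mask for a set of areas: the values are added together,
# so "MAIN GW" gives 9.  Fails on an unknown area name.
nufw_debug_mask() {
    mask=0
    for area in "$@"; do
        v=$(nufw_area_value "$area") || return 1
        mask=$((mask + v))
    done
    echo "$mask"
}

# nufw invocation: daemon mode (-D), strict TLS checking of the nuauth
# certificate (-S), pinned nuauth DN (-n), CRL loaded (-r), conntrack
# events (-C), NFQUEUE number $1; remaining arguments are debug areas.
nufw_cmdline() {
    queue=$1; shift
    mask=$(nufw_debug_mask "$@") || return 1
    printf 'nufw -D -S -C -q %s -A %s -d %s -p 4128 -k %s -c %s -a %s -r %s -n %s\n' \
        "$queue" "$mask" "$NUAUTH_ADDR" "$KEYFILE" "$CERTFILE" \
        "$CAFILE" "$CRLFILE" "$NUAUTH_DN"
}

# Netfilter rule that hands forwarded packets to the queue nufw reads;
# its --queue-num must equal the value passed to -q.
nfqueue_rule() {
    printf 'iptables -A FORWARD -j NFQUEUE --queue-num %s\n' "$1"
}
```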

SIGNALS

       The nufw daemon is designed to deal with several signals: USR1, USR2,
       SYS, WINCH and POLL.

       USR1   Increases verbosity. The daemon then acts as if it had been
              launched with one supplementary '-v'. A line is also added to
              the system log to mention the signal event.

       USR2   Decreases verbosity. The daemon then acts as if it had been
              launched with one less '-v'. A line is also added to the system
              log to mention the signal event.

       SYS    Removes the Conntrack events thread. This gets the daemon to
              work as if the "-C" switch had not been set. This is useful in
              HA configurations, when one firewall becomes passive, for
              instance.

       WINCH  Starts the Conntrack events thread. This gets the daemon to
              work as if the "-C" switch had been set at startup. This is
              useful in HA configurations, when one firewall becomes active,
              for instance.

       POLL   Logs an "audit" line, mentioning how many network datagrams
              were received and sent since daemon startup.

SEE ALSO

       nuauth(8)

AUTHOR

       Nufw was designed and coded by Eric Leblond, aka Regit
       (<eric@regit.org>), and Vincent Deffontaines, aka gryzor
       (<vincent@gryzor.com>). Original idea in 2001, while working on NSM
       Ldap support.

       This manual page was written by Vincent Deffontaines.

       Permission is granted to copy, distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version 2 as
       published by the Free Software Foundation; with no Invariant Sections,
       no Front-Cover Texts and no Back-Cover Texts.



                               25 November 2008                        NUFW(8)