<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
<!-- Process this file with docbook-to-man to generate an nroff manual
page: `docbook-to-man manpage.sgml > manpage.1'. You may view
the manual page with: `docbook-to-man manpage.sgml | nroff -man |
less'. A typical entry in a Makefile or Makefile.am is:
manpage.1: manpage.sgml
docbook-to-man $< > $@
The docbook-to-man binary is found in the docbook-to-man package.
Please remember that if you create the nroff version in one of the
debian/rules file targets (such as build), you will need to include
docbook-to-man in your Build-Depends control field.
-->
<!-- Fill in your name for FIRSTNAME and SURNAME. -->
<!ENTITY dhfirstname "<firstname>Vincent</firstname>">
<!ENTITY dhsurname "<surname>Deffontaines</surname>">
<!-- Please adjust the date whenever revising the manpage. -->
<!ENTITY dhdate "<date>october 2, 2003</date>">
<!-- SECTION should be 1-8, maybe w/ subsection other parameters are
allowed: see man(7), man(1). -->
<!ENTITY dhsection "<manvolnum>8</manvolnum>">
<!ENTITY dhemail "<email>vincent@gryzor.com</email>">
<!ENTITY dhemail2 "<email>eric@regit.org</email>">
<!ENTITY dhusername "Vincent Deffontaines">
<!ENTITY dhucpackage "<refentrytitle>nufw</refentrytitle>">
<!ENTITY dhpackage "nufw">
<!ENTITY gnu "<acronym>GNU</acronym>">
<!ENTITY gpl "&gnu; <acronym>GPL</acronym>">
]>
<refentry>
<refentryinfo>
<address>
&dhemail;
</address>
<author>
&dhfirstname;
&dhsurname;
</author>
<copyright>
<year>2003-2006</year>
<holder>&dhusername;</holder>
</copyright>
&dhdate;
</refentryinfo>
<refmeta>
&dhucpackage;
&dhsection;
</refmeta>
<refnamediv>
<refname>&dhpackage;</refname>
<refpurpose>NUFW User filtering gateway server</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>&dhpackage;</command>
<arg><option>-h</option></arg>
<arg><option>-V</option></arg>
<arg><option>-D</option></arg>
<arg><option>-m</option></arg>
<arg><option>-U</option></arg>
<arg><option>-v[v...]</option></arg>
<arg><option>-A <replaceable>debug_area</replaceable></option></arg>
<arg><option>-k <replaceable>keyfile</replaceable></option></arg>
<arg><option>-c <replaceable>certfile</replaceable></option></arg>
<arg><option>-a <replaceable>cafile</replaceable></option></arg>
<!-- <arg><option>-l <replaceable>(local) port</replaceable></option></arg>-->
<!-- <arg><option>-L <replaceable>(local) address</replaceable></option></arg>-->
<arg><option>-d <replaceable>address</replaceable></option></arg>
<arg><option>-p <replaceable>(remote) port</replaceable></option></arg>
<arg><option>-t <replaceable>timeout</replaceable></option></arg>
<arg><option>-T <replaceable>track_size</replaceable></option></arg>
<arg><option>-I <replaceable>ServerID</replaceable></option></arg>
<arg><option>-q <replaceable>NfQueue_num</replaceable></option></arg>
<arg><option>-C</option></arg>
<arg><option>-M</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This manual page documents the
<command>&dhpackage;</command> command.</para>
<para>nufw is the minimalist server, designed to run on the gateway(s) of
the network. nufw is designed to run in conjunction with nuauth, the
authenticating server. nufw receives network packets from the local
firewall (on Linux 2.4 and 2.6, this is set up with the help of '-j NFQUEUE' or '-j QUEUE'
netfilter target), and synchronizes with a nuauth server to check packet is
authorized to travel through the gateway.</para>
<para>The design of the NUFW package lets administrator filter network
traffic per user, not only per IP. This means you can now deal with different
permissions for user A and user B, even if they work at the same moment,
on the same multiuser machine. In other words, this extends firewalling criteria to
userID, at the network scale.</para>
<para>Original packaging and informations and help can be found from http://www.nufw.org/</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term><option>-h</option>
</term>
<listitem>
<para>Issues usage details and exits.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-V</option>
</term>
<listitem>
<para>Issues version and exits.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-D</option>
</term>
<listitem>
<para>Run as a daemon.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-U</option>
</term>
<listitem>
<para>Use UDP, unencrypted protocol for communication with the nuauth
server. This is NOT recommended.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-m</option>
</term>
<listitem>
<para>Mark packets with UserID. This requires the wvmark POM patch
applied to netfilter, and is necessary for per user QoS or routing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v</option>
</term>
<listitem>
<para>Increases debug level. Multiple switches are accepted and each
of them increases the debug level by one. Default debug level is 2, max is 10.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-A <replaceable>debug_areas</replaceable></option>
</term>
<listitem>
<para>Chooses debug_area. Default debug area is ALL. To select a subset add value from the following list:
<itemizedlist>
<listitem><para>DEBUG_AREA_MAIN (1) main domain</para></listitem>
<listitem><para>DEBUG_AREA_PACKET (2) packet domain</para></listitem>
<listitem><para>DEBUG_AREA_USER (4) user domain</para></listitem>
<listitem><para>DEBUG_AREA_GW (8) Gateway domain, interaction with nufw servers.</para></listitem>
<listitem><para>DEBUG_AREA_AUTH (16) Authentication domain</para></listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-k <replaceable>keyfile</replaceable></option>
</term>
<listitem>
<para>Use specified file as SSL (private) key file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-c <replaceable>certfile</replaceable></option>
</term>
<listitem>
<para>Use specified file as SSL (public) certificate file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-a <replaceable>cafile</replaceable></option>
</term>
<listitem>
<para>Use specified file as SSL certificate authority file. This
parameter is optional.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-d <replaceable>address</replaceable></option>
</term>
<listitem>
<para>Network address of the nuauth server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p <replaceable>port</replaceable></option>
</term>
<listitem>
<para>Specifies TCP port to send data to when addressing the nuauth
server. Nuauth server must be setup to
listen on that port. Default value : 4128</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-t <replaceable>seconds</replaceable></option>
</term>
<listitem>
<para>Specifies timeout to forget packets not answered for by nuauth.
Default value : 15 s.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-T <replaceable>track_size</replaceable></option>
</term>
<listitem>
<para>Set maximum number of packets that can wait a decision in nufw. Default value : 1000.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-q <replaceable>NfQueue number</replaceable></option>
</term>
<listitem>
<para>If Nufw was compiled with NfQueue support, Id of the NfQueue to
use (default : 0).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-C</option>
</term>
<listitem>
<para>listen to conntrack events (needed for connection expiration).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-M</option>
</term>
<listitem>
<para>only report event on marked connections to nuauth (implies -C and -m)</para>
<para>
This is the way to do an efficient selection of events to be sent to nuauth but this REQUIRES a kernel with transmit_mark applied (should be ok for 2.6.18+) and the use of CONNMARK to propagate the initial mark across all the packets of the connection.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SIGNALS</title>
<para>
The <command>&dhpackage;</command> daemon is designed to deal with several
signals : USR1, USR2, SYS, WINCH and POLL.
<variablelist>
<varlistentry>
<term><option>USR1</option>
</term>
<listitem>
<para>Increases verbosity. The daemon then acts as if it had been
launched with one supplementary '-v'.A line is also added to the system
log to mention the signal event.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>USR2</option>
</term>
<listitem>
<para>Decreases verbosity. The daemon then acts as if it had been
launched with one less '-v'. A line is also added to the system
log to mention the signal event.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>SYS</option>
</term>
<listitem>
<para>Removes the Conntrack events thread. This gets the daemon to
work as if the "-C" switch had not been set. This is useful on HA
configurations, when one firewall gets passive, for instance.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>WINCH</option>
</term>
<listitem>
<para>Starts the Conntrack events thread. This gets the daemon to
work as if the "-C" switch had been set at startup. This is useful on HA
configurations, when one firewall gets active, for instance.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>POLL</option>
</term>
<listitem>
<para>Logs an "audit" line, mentionning how many network datagrams
were received and sent since daemon startup.</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>nuauth(8)</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>Nufw was designed and coded by Eric Leblond, aka Regit (&dhemail2;) , and Vincent
Deffontaines, aka gryzor (&dhemail;). Original idea in 2001, while working on NSM Ldap
support.</para>
<para>This manual page was written by &dhusername;</para>
<para>Permission is
granted to copy, distribute and/or modify this document under
the terms of the &gnu; Free Documentation
License, Version 2 as published by the Free
Software Foundation; with no Invariant Sections, no Front-Cover
Texts and no Back-Cover Texts.</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
