<?xml version='1.0'?> <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> <book><title>NuFW reference manual</title> <bookinfo> <author> <firstname>Eric</firstname> <surname>Leblond</surname> <email>regit@inl.fr</email> </author> <copyright> <year>2005-2007</year> <holder>INL</holder> </copyright> <revhistory> <revision> <revnumber>0.8.1</revnumber> <date>2007/12/20</date> <revdescription> <para>License clarification. In earlier versions the license was not expressed at all, making the document de facto proprietary.</para> </revdescription> </revision> <revision> <revnumber>0.8</revnumber> <date>2007/06/12</date> <revdescription> <para>Change port number following IANA assignment</para> </revdescription> </revision> <revision> <revnumber>0.7</revnumber> <date>2007/05/13</date> <revdescription> <para>Add new option and module from 2.2</para> </revdescription> </revision> <revision> <revnumber>0.6</revnumber> <date>2007/03/05</date> <revdescription> <para>Add new option from 2.2</para> </revdescription> </revision> <revision> <revnumber>0.5</revnumber> <date>2006/06/18</date> <revdescription> <para>Add new option from 2.0</para> </revdescription> </revision> <revision> <revnumber>0.4</revnumber> <date>2006/01/25</date> <revdescription> <para>Add new option from 1.1.3</para> </revdescription> </revision> <revision> <revnumber>0.3</revnumber> <date>2005/05/02</date> <revdescription> <para>Add new option from 1.0.3</para> </revdescription> </revision> <revision> <revnumber>0.2</revnumber> <date>2005/03/17</date> <revdescription> <para>Add nuauth_number_loggers</para> </revdescription> </revision> <revision> <revnumber>0.1</revnumber> <date>2005/03/09</date> <revdescription> <para>Initial release</para> </revdescription> </revision> </revhistory> </bookinfo> <chapter><title>License</title> <para> This document is copyrighted by INL, and distributed under the Creative Commons <command>by-nc-sa</command> 
license. The full text of the license is available at <ulink url="http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode">http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode</ulink>. </para> </chapter> <chapter><title>nufw configuration</title> <para> The nufw server has no configuration file, as it has only a restricted set of options: <screen> nufw [-nCMhVv[v[v[v[v[v[v[v[v[v]]]]]]]]]] [-l local_port] [-L local_addr] [-d remote_addr] [-p remote_port] [-L queue_maxlen] [-t packet_timeout] [-T track_size] [-n DN name]</screen> <itemizedlist> <listitem><para>-h : display this help and exit</para> </listitem> <listitem><para>-v : increase verbosity (maximum 9)</para> </listitem> <listitem><para>-V : display version and exit</para> </listitem> <listitem><para>-D : daemonize</para> </listitem> <listitem><para>-k : use the specified file as key file</para> </listitem> <listitem><para>-c : use the specified file as cert file</para> </listitem> <listitem><para>-a : use the specified file as CA file (a strict check on the server certificate is done if activated)</para> </listitem> <listitem><para>-U : use UDP unencrypted communication with the nuauth server</para> </listitem> <listitem><para>-v : increase debug level (+1 for each 'v') (max useful number : 10)</para> </listitem> <listitem><para>-m : mark packet with userid</para> </listitem> <listitem><para>-L : specify queue maximum length (default: 1024)</para> </listitem> <listitem><para>-d : remote address we send auth requests to (address of the nuauth server) (default : 127.0.0.1)</para> </listitem> <listitem><para>-p : remote port we send auth requests to (TCP port the nuauth server listens on) (default : 4128)</para> </listitem> <listitem><para>-t : timeout to forget about packets when they don't match (default : 15 s)</para> </listitem> <listitem><para>-T : track size (default : 1000)</para> </listitem> <listitem><para>-n : check the nuauth certificate DN against the specified string</para> </listitem> <listitem><para>-C : send 
conntrack destroy events to nuauth</para> </listitem> <listitem><para>-M : only report events on marked connections to nuauth (implies -C and -m)</para></listitem> </itemizedlist> </para> </chapter> <chapter><title>nuauth configuration</title> <section><title>network related parameters</title> <section><title>General options</title> <section><title>nuauth_client_listen_addr</title> <para> The IP address where nuauth listens for client requests. </para> <para>Default: <computeroutput>nuauth_client_listen_addr="0.0.0.0"</computeroutput> </para> </section> <section><title>nuauth_user_packet_port</title> <para> The port where nuauth waits for user authentication packets. </para> <para>Default: <computeroutput>nuauth_user_packet_port=4129</computeroutput> </para> </section> <section><title>nuauth_nufw_listen_addr</title> <para> The IP address where nuauth listens for nufw packets. </para> <para>Default: <computeroutput>nuauth_nufw_listen_addr="127.0.0.1"</computeroutput> </para> </section> <section><title>nuauth_gw_packet_port</title> <para> The port where nuauth waits for nufw gateway requests. </para> <para>Default: <computeroutput>nuauth_gw_packet_port=4128</computeroutput> </para> </section> <section><title>nufw_gw_addr</title> <para> A list of IP addresses authorized to connect to the nuauth server as nufw firewalls. For example: <computeroutput>nufw_gw_addr="192.168.75.1 192.168.75.254"</computeroutput> </para> <para>Default: <computeroutput>nufw_gw_addr="127.0.0.1"</computeroutput> </para> </section> </section> </section> <section><title>TLS options</title> <section><title>nuauth_tls_key</title> <para> This is the complete filename of the server private key used for TLS negotiation with the clients and nufw servers. </para> <para>Default: <computeroutput>nuauth_tls_key="CONFIGDIR/nuauth-key.pem"</computeroutput> </para> </section> <section><title>nuauth_tls_key_passwd</title><para> Put here the password of the private key. 
<remark>This is currently not supported.</remark> </para> <para>Default: <computeroutput>nuauth_tls_key_passwd="passwd"</computeroutput> </para> </section> <section><title>nuauth_tls_cert</title> <para> This variable is the complete path to the server certificate. </para> <para>Default: <computeroutput>nuauth_tls_cert="/etc/nufw/nuauth-cert.pem"</computeroutput> </para> </section> <section><title>nuauth_tls_cacert</title> <para> The complete path to the certificate authority file. </para> <para>Default: <computeroutput>nuauth_tls_cacert="/etc/nufw/NuFW-cacert.pem"</computeroutput> </para> </section> <section><title>nuauth_tls_crl</title> <para> The complete filename of the authority certificate revocation list.</para> <para>The default is none.</para> </section> <section><title>nuauth_tls_request_cert</title><para> If this variable is set to 1, nuauth asks clients to send a certificate. </para> <para> If it is set to 2, then the client has to show a valid certificate. </para> <para>Default: <computeroutput>nuauth_tls_request_cert=0</computeroutput> </para> <section><title>nuauth_tls_auth_by_cert</title><para> If this variable is set to 1, nuauth can authenticate the client based on the name provided in its certificate. The authentication can fail if there is no group corresponding to the given user name. </para> <para>If set to 2, then per-certificate authentication is mandatory.</para> <para>Default: <computeroutput>nuauth_tls_auth_by_cert=0</computeroutput> </para> </section> </section> <section><title>nufw related options</title> <section><title>nufw_has_conntrack</title> <para> Set <option>nufw_has_conntrack</option> to 1 if nufw is able to modify conntrack entries. This requires a kernel release newer than 2.6.14 on the nufw side. </para> </section> <section><title>nufw_has_fixed_timeout</title> <para> Set <option>nufw_has_fixed_timeout</option> to 1 if nufw is able to give a fixed timeout to a conntrack entry. This also requires a kernel release newer than 2.6.14 on the nufw side. 
</para> </section> </section> <section><title>Modules choice</title> <section><title>Syntax description</title> <para> Each option that sets up the use of a hook is a list of modules separated by spaces.</para> <para>For each module, the syntax is <option>name[:type[:config file]]</option>. Depending on the form used: <itemizedlist> <listitem><para><option>name</option>: load module "name", with its configuration included in nuauth.conf</para></listitem> <listitem><para><option>name:type</option>: load module "type" with config file CONFIG_DIR/modules/name.conf</para></listitem> <listitem><para><option>name:type:conf</option>: load module "type" with config file "conf"</para></listitem> </itemizedlist> </para> </section> <section><title>nuauth_user_check_module</title> <para> This variable is used by nuauth to choose the authentication module for users. It has to be chosen among: <itemizedlist> <listitem><para>plaintext : user credentials are stored in a text file</para> </listitem> <listitem><para>system : authentication is done against PAM. This provides a convenient way to use PAM modules.</para> </listitem> </itemizedlist> </para> <para>Default: <computeroutput>nuauth_user_check_module="libdbm"</computeroutput> </para> </section> <section><title>nuauth_user_id_module</title> <para> This variable is used by nuauth to choose the id fetching module for users. It has to be chosen among: <itemizedlist> <listitem><para>plaintext: user ids are stored in a text file</para> </listitem> <listitem><para>system: this provides a convenient way to use PAM features.</para> </listitem> </itemizedlist> </para> <para>Default: <computeroutput>nuauth_user_id_module="system"</computeroutput> </para> </section> <section><title>nuauth_user_groups_module</title> <para> This variable is used by nuauth to choose the module used to fetch user groups. 
It has to be chosen among: <itemizedlist> <listitem><para>plaintext: user groups are stored in a text file</para> </listitem> <listitem><para>system: groups are system groups retrieved via NSS. This provides a convenient way to use NSS features.</para> </listitem> </itemizedlist> </para> <para>Default: <computeroutput>nuauth_user_groups_module="system"</computeroutput> </para> </section> <section><title>nuauth_acl_check_module</title> <para> Choose here the ACL checking module. It has to be chosen among: <itemizedlist> <listitem><para>libldap: ACLs are stored in an LDAP tree with a specific schema. This module enables dynamic ACLs and network administration of them.</para> </listitem> <listitem><para>plaintext: this module stores ACLs in a plain text file. This is easy to manage for a small rule set, but nuauth has to be restarted for modifications to the file to be taken into account.</para> </listitem> </itemizedlist> </para><para>Default: <computeroutput>nuauth_acl_check_module="libplaintext"</computeroutput> </para> </section> <section><title>nuauth_ip_authentication_module</title> <para> A fallback authentication module can be used to employ other authentication methods. Currently, only an ident based module is available. </para><para>Default: <computeroutput>nuauth_ip_authentication_module="libipauthident"</computeroutput> </para> </section> <section><title>nuauth_user_logs_module</title> <para> User activity logging is done via a module. It can be chosen between syslog and SQL modules. Only SQL modules permit evolving to an SSO system. 
Acceptable values for this parameter are: <itemizedlist> <listitem><para>mysql</para> </listitem> <listitem><para>pgsql</para> </listitem> <listitem><para>syslog</para> </listitem> <listitem><para>nuprelude</para> </listitem> </itemizedlist> </para><para>Default: <computeroutput>nuauth_user_logs_module="syslog"</computeroutput> </para> </section> <section><title>nuauth_user_session_logs_module</title> <para> This defines the method used for user connection and disconnection logging. The available modules are: <itemizedlist> <listitem><para>syslog</para></listitem> <listitem><para>script : run a custom script at user connection (CONFDIR/user-up.sh) and disconnection (CONFDIR/user-down.sh)</para></listitem> <listitem><para>mysql</para></listitem> <listitem><para>nuprelude</para></listitem> </itemizedlist> </para> <para>Default: <computeroutput>nuauth_user_session_logs_module="syslog"</computeroutput> </para> </section> <section><title>nuauth_certificate_check_module</title> <para> These modules check the client certificate and issue a verdict on its validity. It is recommended to keep <option>x509_std</option> as the first module, as it performs the checks that are usually wanted. </para> <para>Default: <computeroutput>nuauth_certificate_check_module="x509_std"</computeroutput> </para> </section> <section><title>nuauth_certificate_to_uid_module</title> <para> These modules get the username from the client certificate. Currently, there is only one provided module: <option>x509_std</option>. </para> <para>Default: <computeroutput>nuauth_certificate_to_uid_module="x509_std"</computeroutput></para> </section> <section><title>nuauth_periods_module</title> <para> These modules define a set of periods that can be used in ACLs to check a packet against a given period of time. Currently only <option>xml_defs</option> is available. It stores the period definitions in an XML file. 
</para> <para>Default: <computeroutput>nuauth_periods_module="xml_defs"</computeroutput></para> </section> <section><title>nuauth_user_session_modify_module</title> <para> These modules provide a hook which can be used to modify a user session just after its creation. It is useful when you want to modify a property such as the expiration date of the session. Currently only <option>libsession_expire</option> is available. It modifies the session expiration to force the user to reconnect after a given time. </para> <para>Default: <computeroutput>nuauth_user_session_modify_module="libsession_expire"</computeroutput> </para> </section> <section><title>nuauth_finalize_packet_module</title> <para> These modules provide a hook which can be used to modify a packet before the decision and related information are sent to the nufw server. It is useful when you want to modify the mark to set up QoS. <itemizedlist> <listitem><para><option>mark_group</option>: set the mark depending on user groups.</para></listitem> <listitem><para><option>mark_uid</option>: use the next 16 bits of the mark to store the userid.</para></listitem> <listitem><para><option>mark_field</option>: set the mark depending on application name or OS name.</para></listitem> <listitem><para><option>mark_flag</option>: use the first 16 bits of the mark to store the mark given by the ACL.</para></listitem> </itemizedlist> </para> <para>Default: <computeroutput>nuauth_finalize_packet_module="mark_uid"</computeroutput> </para> </section> <section><title>nuauth_auth_error_log_module</title> <para> These modules provide a way to log user authentication failures. For now, the only available modules are <option>nuprelude</option> and <option>syslog</option>. 
</para> <para>Default: <computeroutput>nuauth_auth_error_log_module=""</computeroutput> </para> </section> </section> <section><title>Underlying options of nuauth</title> <section><title>nuauth_use_command_server</title> <para> If set to 1, nuauth starts a server which waits for connections on a Unix socket. The script in <filename>scripts/nuauth_command/</filename> can be used to interact with some aspects of nuauth. Basically, it provides the ability to list and destroy user sessions or to change the debug level. </para><para>Default: <computeroutput>nuauth_use_command_server=1</computeroutput> </para> </section> <section><title>nuauth_prio_to_nok</title> <para> What to do when several groups a user is a member of disagree about access rights. </para><para>Default: <computeroutput>nuauth_prio_to_nok=1</computeroutput> </para> </section> <section><title>nuauth_push_to_client</title> <para> Clients can work in two modes: <itemizedlist> <listitem><para>POLL : the client checks at each time interval whether it needs to send a packet (traffic economy for WAN)</para> </listitem> <listitem><para>PUSH : nuauth warns clients that they may need to send an authentication packet (better response time on LAN)</para> </listitem> </itemizedlist> </para> <para>Default: <computeroutput>nuauth_push_to_client=1</computeroutput> </para> </section> <section><title>nuauth_connect_policy</title> <para> This is used to choose the user connection policy: <itemizedlist> <listitem><para>0 : no login restriction (default)</para></listitem> <listitem><para>1 : one login per user</para></listitem> <listitem><para>2 : one login per ip and per user</para></listitem> </itemizedlist> </para> </section> <section><title>nuauth_reject_after_timeout</title> <para> Reject via ICMP message (instead of simply dropping) when the packet timeout is reached. 
</para> <para>Default: <computeroutput>nuauth_reject_after_timeout=0</computeroutput> </para> </section> <section><title>nuauth_reject_authenticated_drop</title> <para> Reject via ICMP message (instead of simply dropping) when the user is not authorized by nuauth to send packets. </para> <para>Default: <computeroutput>nuauth_reject_authenticated_drop=0</computeroutput> </para> </section> <section><title>nuauth_hello_authentication</title> <para> This is a fallback hello authentication mode for protocols not supported by NuFW. It brings authentication for all IP based protocols by doing a posteriori IP based authentication. </para> <para>Default: <computeroutput>nuauth_hello_authentication=0</computeroutput></para> <section><title>Warning</title> <para> This authentication is <emphasis>FAR</emphasis> less strict than the original nufw protocol: <itemizedlist> <listitem><para>It authenticates NATed computers (and every computer behind the same firewall)</para></listitem> <listitem><para>It is strictly MONO user</para></listitem> <listitem><para>But it can authenticate all types of IP flows</para></listitem> </itemizedlist> </para> </section> </section> <section><title>nuauth_do_ip_authentication</title> <para> Whether to use the fallback mode when no client is found<footnote><para>When no client is known on the IP from which a packet is coming, the fallback method is used.</para> </footnote>. <remark><varname>nuauth_push_to_client</varname> has to be set to <option>1</option> if you choose to enable it.</remark> </para><para>Default: <computeroutput>nuauth_do_ip_authentication=1</computeroutput> </para> </section> <section><title>nuauth_session_duration</title> <para>If set to a non-null value, this option causes nuauth to close a user session after the specified time. The user client then has to reconnect (transparently or not). 
This permits, for example, disconnecting users whose account has been cancelled.</para> <para>Disconnection occurs when nuauth has to authenticate a packet coming from the source IP of the connection.</para> <para>Default: <computeroutput>nuauth_session_duration=0</computeroutput> </para> </section> </section> <section><title>Tuning options</title> <section><title>nuauth_packet_timeout</title> <para> This is the time in seconds to keep a packet in the nuauth internal connection tracking. </para><para>Default: <computeroutput>nuauth_packet_timeout=15</computeroutput> </para> </section> <section><title>nuauth_proto_wait_delay</title> <para> This sets the timeout for the protocol announce from the client. If some of your clients (post 2.0 version) receive a "bad protocol message", you may want to increase this value. This is a workaround for very laggy networks. </para><para>Default: <computeroutput>nuauth_proto_wait_delay=2</computeroutput> </para> </section> <section><title>nuauth_datas_persistance</title> <para> A cache is implemented for ACL (and/or user) data. It speeds things up by decreasing the number of requests to external systems. This variable sets the persistence of the data in the cache (in seconds). </para><para>Default: <computeroutput>nuauth_datas_persistance=300</computeroutput> </para> </section> <section><title>nuauth_auth_nego_timeout</title> <para> This option sets the delay after which an authentication is considered failed and is forcibly interrupted. </para><para>Default: <computeroutput>nuauth_auth_nego_timeout=30</computeroutput> </para> </section> <section><title>nuauth_number_usercheckers</title> <para> A pool of threads is used to work on client authentication. This variable sets the number of threads used for this task. 
</para><para>Default: <computeroutput>nuauth_number_usercheckers=5</computeroutput> </para> </section> <section><title>nuauth_number_aclcheckers</title> <para> A pool of threads is used to do ACL checking against the external authority and to treat gateway requests. This variable sets the number of threads working on gateway requests. </para><para>Default: <computeroutput>nuauth_number_aclcheckers=5</computeroutput> </para> </section> <section><title>nuauth_number_loggers</title> <para> A pool of threads is used to do logging. You may need to adjust it to the capacity of the database server. </para><para>Default: <computeroutput>nuauth_number_loggers=3</computeroutput> </para> </section> <section><title>nuauth_number_session_loggers</title> <para> A pool of threads is used to do user connection logging. You may need to adjust it to the capacity of the database server. </para><para>Default: <computeroutput>nuauth_number_session_loggers=3</computeroutput> </para> </section> <section><title>nuauth_number_authcheckers</title> <para> A pool of threads is used to do TLS and SASL negotiation with users. This sets the number of threads used for this task. </para><para>Default: <computeroutput>nuauth_number_authcheckers=5</computeroutput> </para> </section> <section><title>nuauth_number_ipauthcheckers</title> <para> This sets the number of threads working on IP authentication. </para><para>Default: <computeroutput>nuauth_number_ipauthcheckers=5</computeroutput> </para> </section> <section><title>nuauth_tls_max_clients</title> <para> This sets the maximum number of simultaneously connected NuFW authentication clients. </para><para>Default: <computeroutput>nuauth_tls_max_clients=256</computeroutput> </para> </section> <section><title>nuauth_tls_max_servers</title> <para> This sets the maximum number of simultaneously connected nufw servers. 
</para><para>Default: <computeroutput>nuauth_tls_max_servers=8</computeroutput> </para> </section> </section> <section><title>Logging options</title> <section><title>nuauth_log_users</title> <para> This variable decides the level of verbosity of user activity logging. The log level is the sum of the following values: <itemizedlist> <listitem><para>0: no log at all</para> </listitem> <listitem><para>1: log new users (in syslog)</para> </listitem> <listitem><para>2: log rejected packets</para> </listitem> <listitem><para>4: log accepted packets</para> </listitem> <listitem><para>8: do complete session tracking <footnote><para>Complete session tracking needs special iptables rules, described in the documentation.</para> </footnote> </para> </listitem></itemizedlist> </para><para>Default: <computeroutput>nuauth_log_users=0</computeroutput> </para> </section> <section><title>nuauth_log_users_sync</title> <para>This controls whether user logging is strictly safe: the access is logged before it is granted.</para> <remark> This is necessary if an SQL backend is used for SSO.</remark> <para>Default: <computeroutput>nuauth_log_users_sync=1</computeroutput></para> </section> <section><title>nuauth_debug_level</title> <para>This sets the debug level of nuauth.</para> <para>Default: <computeroutput>nuauth_debug_level=0</computeroutput></para> </section> </section> <section><title>nuauth_debug_areas</title> <para>This sets the debug areas of nuauth. The value is computed by doing a binary OR (or an addition) of the following values: <itemizedlist> <listitem><para>DEBUG_AREA_MAIN (1) main domain</para></listitem> <listitem><para>DEBUG_AREA_PACKET (2) packet domain</para></listitem> <listitem><para>DEBUG_AREA_USER (4) user domain</para></listitem> <listitem><para>DEBUG_AREA_GW (8) gateway domain, interaction with nufw servers.</para></listitem> <listitem><para>DEBUG_AREA_AUTH (16) authentication domain</para></listitem> </itemizedlist> The default is all areas. 
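The following Python example is added here and is not code from the NuFW project. It reads a constructed nuauth.conf fragment, resolves each hook option with the name[:type[:config file]] rules of the Syntax description section, and decodes nuauth_log_users and nuauth_debug_areas back into the documented bits so that a bit the manual does not define (a mistyped sum) is reported instead of silently ignored; CONFIG_DIR is assumed to be /etc/nufw.

```python
import operator

# Added illustration, not code from the NuFW project. Stand-in for the manual's
# CONFIG_DIR placeholder (an assumption, not a path documented here).
CONFIG_DIR = "/etc/nufw"

# Bit values exactly as listed in the manual for the two bitmask options.
LOG_USERS_BITS = {1: "log new user", 2: "log rejected packets",
                  4: "log accepted packets", 8: "complete session tracking"}
DEBUG_AREA_BITS = {1: "DEBUG_AREA_MAIN", 2: "DEBUG_AREA_PACKET", 4: "DEBUG_AREA_USER",
                   8: "DEBUG_AREA_GW", 16: "DEBUG_AREA_AUTH"}

# Constructed nuauth.conf fragment used as sample input (not a real site configuration).
SAMPLE_CONF = """
# hooks: each value is a space separated list of name[:type[:config file]]
nuauth_user_check_module="plaintext"
nuauth_acl_check_module="ldap:libldap"
nuauth_user_logs_module="mysql:libmysql:/etc/nufw/logging.conf syslog"
nuauth_log_users=6
nuauth_debug_areas=31
"""


def parse_conf(text):
    """Return {key: value} for key=value lines; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def resolve_module(spec):
    """Apply the three forms of the 'Syntax description' section to one module spec."""
    parts = spec.split(":", 2)
    if len(parts) == 1:
        # name: module "name", configured inside nuauth.conf itself
        return {"module": parts[0], "config": "nuauth.conf"}
    name, mtype = parts[0], parts[1]
    if len(parts) == 2:
        # name:type: module "type" reads CONFIG_DIR/modules/name.conf
        return {"module": mtype, "config": "%s/modules/%s.conf" % (CONFIG_DIR, name)}
    # name:type:conf: module "type" reads the explicit file (which may itself contain ':')
    return {"module": mtype, "config": parts[2]}


def resolve_hook(value):
    """A hook option is a space separated list of module specs."""
    return [resolve_module(spec) for spec in value.split()]


def decode_bits(value, table):
    """Name each documented bit set in value. The second element keeps the bits the
    manual does not define, so a mistyped sum (e.g. 35 for the debug areas) shows up."""
    names = [label for bit, label in sorted(table.items()) if operator.and_(value, bit)]
    known = sum(bit for bit in table if operator.and_(value, bit))
    return names, value - known


def summarize(text):
    """Resolve every *_module hook and decode the two bitmask options of a fragment."""
    conf = parse_conf(text)
    out = {"hooks": {}, "log_users": None, "debug_areas": None}
    for key, value in conf.items():
        if key.endswith("_module"):
            out["hooks"][key] = resolve_hook(value)
    if "nuauth_log_users" in conf:
        out["log_users"] = decode_bits(int(conf["nuauth_log_users"]), LOG_USERS_BITS)
    if "nuauth_debug_areas" in conf:
        out["debug_areas"] = decode_bits(int(conf["nuauth_debug_areas"]), DEBUG_AREA_BITS)
    return out


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_CONF))
```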
</para> <para>Default: <computeroutput>nuauth_debug_areas=31</computeroutput></para> </section> <section><title>nuauth_log_users_strict</title> <para>If set to <option>1</option>, this option causes nuauth to update the log entries in the database before inserting a new connection, in order to avoid accidental double connections.</para> <remark>Do not disable it by changing it to <option>0</option> if you want strict security when using SSO modules.</remark> <para>Default: <computeroutput>nuauth_log_users_strict=1</computeroutput> </para> </section> <section><title>nuauth_log_users_without_realm</title> <para>If set to <option>1</option>, this option causes nuauth to remove the realm from the username before logging.</para> <para>Default: <computeroutput>nuauth_log_users_without_realm=1</computeroutput> </para> </section> </section> </chapter> <chapter><title>Modules configuration</title> <section><title>Plaintext</title> <section><title>plaintext_userfile</title> <para>This option is used to select the file used to store the credentials of the users.</para> <para>Default: <computeroutput>plaintext_userfile="/etc/nufw/users.nufw"</computeroutput></para> </section> <section><title>plaintext_aclfile</title> <para>This option is used to select the file used to store the access lists.</para> <para>Default: <computeroutput>plaintext_aclfile="/etc/nufw/acls.nufw"</computeroutput></para> </section> </section> <section><title>system</title> <section><title>system_glibc_cant_guess_maxgroups</title> <para>This option has to be used if you have a buggy version of glibc. The glibc 2.3.2 implementation of getgrouplist is known to be buggy, so you need to set this option manually to the maximum number of groups a user can belong to. 
</para> <para>Default: <computeroutput>system_glibc_cant_guess_maxgroups=0</computeroutput></para> </section> <section><title>system_pam_module_not_threadsafe</title> <para>This option has to be used as PAM is not thread-safe.</para> <para>Default: <computeroutput>system_pam_module_not_threadsafe=1</computeroutput></para> </section> <section><title>system_suppress_prefixed_domain</title> <para> If this option is set to 1 and the username is given as "DOMAIN\user", PAM authentication is called with the username "user".</para> <para>Default: <computeroutput>system_suppress_prefixed_domain=0</computeroutput></para> </section> </section> <section><title>ldap</title> <section><title>ldap_server_addr</title> <para> This sets the address of the LDAP server which contains the ACLs and/or the user credentials. </para> <para>Default: <computeroutput>ldap_server_addr="127.0.0.1"</computeroutput></para> </section> <section><title>ldap_server_port</title> <para>This sets the port of the LDAP server.</para> <para>Default: <computeroutput>ldap_server_port=389</computeroutput> </para> </section> <section><title>ldap_bind_dn</title><para> This sets the bind DN of the LDAP connection. </para><para>Default: <computeroutput>ldap_bind_dn="cn=admin,dc=nufw,dc=org"</computeroutput> </para> </section> <section><title>ldap_bind_password</title> <para>This sets the password used to bind the LDAP connection. </para><para>Default: <computeroutput>ldap_bind_password="mypassword"</computeroutput> </para> </section> <section><title>ldap_filter_type</title> <para>This sets the LDAP request type. <itemizedlist><listitem><para>set to 1: the request on DstPort is done with equality. This is the fastest version. If a range of ports has to be set, a better idea could be to use application filtering.</para> </listitem> <listitem><para>set to 0: the request on DstPort is done with a range. 
The range can be simpler to administer, but performance is lower.</para> </listitem> </itemizedlist> </para><para>Default: <computeroutput>ldap_filter_type=1</computeroutput> </para> </section> <section><title>ldap_request_timeout</title> <para> This sets the timeout of LDAP requests. </para><para>Default: <computeroutput>ldap_request_timeout=4</computeroutput> </para> </section> <section><title>ldap_basedn</title><para> This parameter sets the base DN for search requests. It is the default for ldap_acls_base_dn and ldap_users_base_dn if they are not set. </para><para>Default: <computeroutput>ldap_basedn="dc=nufw,dc=org"</computeroutput> </para> </section> <section><title>ldap_acls_base_dn</title><para> This is the base DN for ACL search requests. </para><para>Default: <computeroutput>ldap_acls_base_dn="dc=acls,dc=nufw,dc=org"</computeroutput> </para> </section> <section><title>ldap_users_base_dn</title><para> This is the base DN for user search requests. </para><para>Default: <computeroutput>ldap_users_base_dn="ou=people,dc=nufw,dc=org"</computeroutput> </para> </section> </section> <section><title>mysql log</title> <section><title>mysql_server_addr</title> <para> This parameter sets the MySQL server address. </para><para>Default: <computeroutput>mysql_server_addr="127.0.0.1"</computeroutput> </para> </section> <section><title>mysql_server_port</title><para> This sets the MySQL server port. </para><para>Default: <computeroutput>mysql_server_port=3306</computeroutput> </para> </section> <section><title>mysql_user</title> <para> This parameter sets the name of the user used to log on to the MySQL server. </para><para>Default: <computeroutput>mysql_user="myuser"</computeroutput> </para> </section> <section><title>mysql_passwd</title><para> This sets the MySQL password associated with the username. </para><para>Default: <computeroutput>mysql_passwd="secret"</computeroutput> </para> </section> <section><title>mysql_db_name</title><para> This is the name of the MySQL database to connect to. 
</para><para>Default: <computeroutput>mysql_db_name="nufw"</computeroutput> </para> </section> <section><title>mysql_table_name</title><para> This sets the name of the table to connect to. It must belong to the chosen database. The specified user must have rights on this table. </para><para>Default: <computeroutput>mysql_table_name="ulog"</computeroutput> </para> </section> <section><title>mysql_users_table_name</title><para> This sets the name of the table to log user sessions into. It must belong to the chosen database. The specified user must have rights on this table. </para><para>Default: <computeroutput>mysql_users_table_name="users"</computeroutput> </para> </section> <section><title>mysql_use_ipv4_schema</title> <para> Set to 0 if your MySQL database uses the IPv6 schema provided with NuFW 2.2. </para> <para>Default: <computeroutput>mysql_use_ipv4_schema=1</computeroutput> </para> </section> <section><title>mysql_request_timeout</title><para> This sets the time in seconds after which the connection to the database is considered lost if we have no answer. </para><para>Default: <computeroutput>mysql_request_timeout=5</computeroutput> </para> </section> <section><title>mysql_use_ssl</title><para> Set <varname>mysql_use_ssl</varname> to <option>1</option> to use SSL; otherwise the other SSL options are ignored. </para><para>Default: <computeroutput>mysql_use_ssl=0</computeroutput> </para> </section> <section><title>mysql_ssl_keyfile</title><para> Set <varname>mysql_ssl_keyfile</varname> to the full path of the file containing your PRIVATE key. 
<remark>This must be set if you want to use SSL, as the default value is NULL.</remark> </para><para>Default: <computeroutput>mysql_ssl_keyfile="/etc/nufw/ssl/mysql.key"</computeroutput> </para> </section> <section><title>mysql_ssl_certfile</title> <para> Set <varname>mysql_ssl_certfile</varname> to the full path of the file containing your PUBLIC certificate. <remark>This must be set if you want to use SSL, as the default value is NULL.</remark> </para><para>Default: <computeroutput>mysql_ssl_certfile="/etc/nufw/ssl/mysql.cert"</computeroutput> </para> </section> <section><title>mysql_ssl_ca</title> <para> Set <varname>mysql_ssl_ca</varname> to the full path of the file containing your CA (Certificate Authority) file. <remark>Unset this field if you don't want to use a CA.</remark> </para><para>Default: <computeroutput>mysql_ssl_ca="/etc/nufw/ssl/mysql.ca"</computeroutput> </para> </section> <section><title>mysql_ssl_capath</title><para> Set <varname>mysql_ssl_capath</varname> to the full path of a DIRECTORY containing your CA (Certificate Authority) files, in PEM format. <remark>Unset this field if you don't want to use CAs.</remark> </para><para>Default: <computeroutput>mysql_ssl_capath="/etc/nufw/ssl/mysql.cas/"</computeroutput> </para> </section> <section><title>mysql_ssl_cipher</title><para> Set <varname>mysql_ssl_cipher</varname> to the list of ciphers you wish to use for MySQL connections. A complete cipher list for your system is available by issuing "openssl ciphers". The default value here is "ALL:!ADH:+RC4:@STRENGTH", which is the OpenSSL default and means "use any cipher, but give RC4 the lowest priority". For more information see: http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp </para><para>Default: <computeroutput>mysql_ssl_cipher="ALL:!ADH:+RC4:@STRENGTH"</computeroutput> </para> </section> </section> <section><title>pgsql log</title> <section><title>pgsql_server_addr</title> <para> This parameter sets the PostgreSQL server address. 
</para><para>Default: <computeroutput>pgsql_server_addr="127.0.0.1"</computeroutput> </para> </section> <section><title>pgsql_server_port</title><para> This sets the port used to connect to the PostgreSQL server. </para><para>Default: <computeroutput>pgsql_server_port=5432</computeroutput> </para> </section> <section><title>pgsql_user</title> <para> This parameter sets the login of the PostgreSQL user. </para><para>Default: <computeroutput>pgsql_user="myuser"</computeroutput> </para> </section> <section><title>pgsql_passwd</title> <para> This sets the password of that PostgreSQL user. It is stored in clear in the configuration file, so the file must not be readable by other users. </para><para>Default: <computeroutput>pgsql_passwd="secret"</computeroutput> </para> </section> <section><title>pgsql_ssl</title> <para> This sets whether to use SSL or not. (This parameter is ignored for now, so SSL cannot be enforced for the PostgreSQL connection through this option.) </para><para>Default: <computeroutput>pgsql_ssl="prefer"</computeroutput> </para> </section> <section><title>pgsql_db_name</title> <para> This is the name of the PostgreSQL database to connect to. </para><para>Default: <computeroutput>pgsql_db_name="nufw"</computeroutput> </para> </section> <section><title>pgsql_table_name</title> <para> This sets the name of the table to log into. It must belong to the chosen database, and the specified user must have rights on it. </para><para>Default: <computeroutput>pgsql_table_name="ulog"</computeroutput> </para> </section> <section><title>pgsql_users_table_name</title><para> This sets the name of the table user sessions are logged into. It must belong to the chosen database, and the specified user must have rights on it. </para><para>Default: <computeroutput>pgsql_users_table_name="users"</computeroutput> </para> </section> <section><title>pgsql_request_timeout</title><para> This is the time in seconds after which the connection to the database is assumed to be lost if no answer has been received. 
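</para>
<para> The following Python script is an added illustration for the MySQL and PostgreSQL logging options above; it is not part of NuFW. It parses a nuauth.conf fragment (the key=value syntax with optional double quotes and "#" comments is assumed from the defaults shown in this manual) and applies the rules stated above: it warns when <varname>mysql_use_ssl</varname> is off for a remote server, when SSL is on but a key, certificate or CA is missing, when the cipher list still permits RC4, and when a remote PostgreSQL server is used although <varname>pgsql_ssl</varname> is ignored. The sample fragment is constructed for the example. </para>
<para><![CDATA[
```python
"""Check the database-logging TLS settings of a nuauth.conf fragment.

Added illustration, not nuauth code.  Assumed: the key=value syntax with
optional double quotes and '#' comments (inferred from the defaults shown
in this manual); the option names are the documented ones.
"""

# Constructed sample: remote MySQL logger with TLS on but no CA configured,
# and a remote PostgreSQL logger.  Not taken from any real deployment.
SAMPLE_CONF = """
# nuauth.conf excerpt (constructed for this example)
mysql_server_addr="10.0.0.5"
mysql_user="nufw"
mysql_passwd="secret"
mysql_use_ssl=1
mysql_ssl_keyfile="/etc/nufw/ssl/mysql.key"
mysql_ssl_certfile="/etc/nufw/ssl/mysql.cert"
mysql_ssl_cipher="ALL:!ADH:+RC4:@STRENGTH"
pgsql_server_addr="10.0.0.6"
pgsql_passwd="secret"
pgsql_ssl="prefer"
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_conf(text):
    """Return {option: value}; quotes stripped, comments and blanks ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def check_db_tls(conf):
    """Return findings about cleartext or unauthenticated database links."""
    findings = []

    # MySQL logger: mysql_use_ssl=0 makes every other mysql_ssl_* option moot.
    addr = conf.get("mysql_server_addr", "127.0.0.1")
    if conf.get("mysql_use_ssl", "0") != "1":
        if addr not in LOOPBACK:
            findings.append("mysql: mysql_use_ssl=0, password and log rows "
                            "cross the network to %s in clear" % addr)
    else:
        for opt in ("mysql_ssl_keyfile", "mysql_ssl_certfile"):
            if not conf.get(opt):
                findings.append("mysql: %s unset, SSL cannot be set up" % opt)
        if not conf.get("mysql_ssl_ca") and not conf.get("mysql_ssl_capath"):
            findings.append("mysql: no mysql_ssl_ca/mysql_ssl_capath, server "
                            "certificate is not verified")
        tokens = conf.get("mysql_ssl_cipher", "").split(":")
        if "!RC4" not in tokens:
            findings.append("mysql: cipher list still permits RC4")

    # PostgreSQL logger: pgsql_ssl is documented as ignored in this version.
    paddr = conf.get("pgsql_server_addr", "127.0.0.1")
    if paddr not in LOOPBACK:
        findings.append("pgsql: pgsql_ssl is ignored, SSL cannot be enforced "
                        "for the connection to %s" % paddr)
    return findings


if __name__ == "__main__":
    for finding in check_db_tls(parse_conf(SAMPLE_CONF)):
        print("WARN", finding)
```
]]></para>
<para> Run against the constructed fragment the script reports three findings: the missing CA, the RC4-permitting cipher list, and the remote PostgreSQL server. Setting <varname>mysql_ssl_ca</varname>, using a cipher list that excludes RC4 and keeping the PostgreSQL server on the loopback interface clears them all. </para>
<para>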
</para><para>Default: <computeroutput>pgsql_request_timeout=5</computeroutput> </para> </section> </section> <section><title>xml_defs</title> <section><title>xml_defs_periodfile</title><para> This sets the full path of the file containing the period definitions. </para> <para>Default: <computeroutput>xml_defs_periodfile="CONFIG_DIR/periods.xml"</computeroutput> </para> </section> </section> <section><title>nuprelude</title> <para> No option. </para> </section> <section><title>x509_std</title> <section><title>nuauth_tls_trusted_issuer_dn</title><para> The issuer DN of a presented certificate is compared against this string. If it matches, the certificate is trusted. Note that the check is on the issuer only: every certificate issued by that CA is accepted, so the string must name a CA that only issues certificates to parties you trust. </para> <para>No default</para> </section> </section> <section><title>session_expire</title><para> The session expiration duration is set with the global variable <option>nuauth_session_duration</option>. </para> </section> <section><title>mark group</title> <section><title>mark_group_file</title><para> File to read the group-to-mark configuration from. </para> <para>Default: <computeroutput>mark_group_file=CONFFILE/mark_group.conf</computeroutput></para> </section> <section><title>nuauth_group_shift</title> <para> Bit position of the group mark within the packet mark. </para> <para>No default</para> </section> <section><title>nuauth_group_nbits</title> <para> Number of bits used to store the group mark. </para> <para>No default</para> </section> <section><title>nuauth_group_default_mark</title> <para> Default mark if no group matches. </para> <para>No default</para> </section> </section> <section><title>mark field</title> <section><title>mark_field_file</title><para> File to read the field-to-mark configuration from. </para> <para>Default: <computeroutput>mark_field_file=CONFFILE/mark_field.conf</computeroutput></para> </section> <section><title>nuauth_field_shift</title> <para> Bit position of the field mark within the packet mark. 
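</para>
<para> The mark group, mark field and mark flag modules all write a small integer into a window of the 32-bit packet mark given by a shift and a bit count. The following Python is an added illustration of that arithmetic, not nuauth code. It assumes a module replaces the bits of its window (this manual does not say whether nuauth ORs or overwrites them) and shows how a value wider than the configured number of bits is truncated, how the mark flag module copies bits from the flag into the mark, and a check that the windows of the three modules do not overlap, since an overlap makes the module applied last clobber the others. The bit layout in the demo is chosen for the example. </para>
<para><![CDATA[
```python
"""Bit-window arithmetic behind the mark_group / mark_field / mark_flag
modules.  Added illustration, not nuauth code.

Assumptions: the packet mark is 32 bits; a module writes its value into
the window [shift, shift + nbits) of the mark, replacing what was there
(the exact update rule used by nuauth is not stated in this manual).
"""
MARK_BITS = 32


def window_mask(shift, nbits):
    """Mask selecting nbits bits starting at bit `shift` of a 32-bit mark."""
    if shift < 0 or nbits <= 0 or shift + nbits > MARK_BITS:
        raise ValueError("window %d..%d does not fit a %d-bit mark"
                         % (shift, shift + nbits - 1, MARK_BITS))
    return ((1 << nbits) - 1) << shift


def set_window(mark, value, shift, nbits):
    """Store `value` in the window.  Bits beyond nbits are silently dropped,
    which is the truncation a too-small *_nbits setting causes."""
    mask = window_mask(shift, nbits)
    return (mark & ~mask & 0xFFFFFFFF) | ((value << shift) & mask)


def get_window(mark, shift, nbits):
    """Read the value stored in the window."""
    return (mark & window_mask(shift, nbits)) >> shift


def copy_flag(mark, flag, nbits, mark_shift, flag_shift):
    """mark_flag: take nbits bits of `flag` at flag_shift and overwrite the
    mark at mark_shift (nuauth_flag_nbits, *_mark_shift, *_flag_shift)."""
    bits = get_window(flag, flag_shift, nbits)
    return set_window(mark, bits, mark_shift, nbits)


def overlaps(windows):
    """Return the pairs of names whose bit windows collide."""
    hits = []
    names = list(windows)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if window_mask(*windows[a]) & window_mask(*windows[b]):
                hits.append((a, b))
    return hits


def demo():
    # Layout chosen for the demo: group mark in bits 0..7, field mark in
    # bits 8..15, 16 flag bits copied into bits 16..31.
    layout = {"group": (0, 8), "field": (8, 8), "flag": (16, 16)}
    assert overlaps(layout) == []
    mark = 0
    mark = set_window(mark, 0x2A, 0, 8)        # group mark 42
    mark = set_window(mark, 0x300, 8, 8)       # needs 10 bits: truncated to 0
    mark = copy_flag(mark, 0xDEAD0000, 16, 16, 16)
    return mark


if __name__ == "__main__":
    print("packet mark: 0x%08X" % demo())
    print("overlap check:", overlaps({"group": (0, 8), "field": (4, 8)}))
```
]]></para>
<para> The truncated field value in the demo is the failure mode to watch for: a mark that does not fit in its window is not rejected, it is silently cut down, so the iptables rules keyed on that mark match the wrong traffic. Keep each module's window wide enough for the largest mark in its configuration file and check the three windows against each other when changing any shift. </para>
<para>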
</para> <para>Default: <computeroutput>mark_field_shift=0</computeroutput></para> </section> <section><title>nuauth_field_nbits</title> <para> Number of bits used to store the field mark. </para> <para>Default: <computeroutput>mark_field_mark=32</computeroutput></para> </section> <section><title>nuauth_field_default_mark</title> <para> Default mark if no field value matches. </para> <para>No default</para> </section> <section><title>mark_field_type</title> <para> Type of match: <itemizedlist> <listitem><para>0: match on the application name</para></listitem> <listitem><para>1: match on the OS name</para></listitem> </itemizedlist> </para> </section> </section> <section><title>mark flag</title> <section><title>nuauth_flag_nbits</title> <para> Number of bits of the mark to overwrite. </para> <para>Default: <computeroutput>mark_flag_nbits=16</computeroutput></para> </section> <section><title>nuauth_flag_mark_shift</title> <para> Bit position, within the packet mark, of the overwritten part. </para> <para>Default: <computeroutput>mark_flag_mark_shift=16</computeroutput></para> </section> <section><title>nuauth_flag_flag_shift</title> <para> Bit position, within the flag, of the bits used to overwrite the mark. </para> <para>Default: <computeroutput>mark_flag_flag_shift=16</computeroutput></para> </section> </section> </chapter> </book>