nufw-2.2.11-2mdv2008.1.x86_64.rpm

<?xml version='1.0'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
               "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<book><title>NuFW reference manual</title>
  <bookinfo>
    <author>
      <firstname>Eric</firstname>
      <surname>Leblond</surname>
      <email>regit@inl.fr</email>
    </author>
    <copyright>
      <year>2005-2007</year>
      <holder>INL</holder>
    </copyright>
    <revhistory>
 <revision>
	<revnumber>0.8.1</revnumber>
	<date>2007/12/20</date>
	<revdescription>
	  <para>License clarification. On earlier versions license was not expressed at all, making the document de facto proprietary.</para>
	</revdescription>
      </revision>
 <revision>
	<revnumber>0.8</revnumber>
	<date>2007/06/12</date>
	<revdescription>
	  <para>Change port number following IANA assignment</para>
	</revdescription>
      </revision>


 <revision>
	<revnumber>0.7</revnumber>
	<date>2007/05/13</date>
	<revdescription>
	  <para>Add new option and module from 2.2</para>
	</revdescription>
      </revision>


 <revision>
	<revnumber>0.6</revnumber>
	<date>2007/03/05</date>
	<revdescription>
	  <para>Add new option from 2.2</para>
	</revdescription>
      </revision>


 <revision>
	<revnumber>0.5</revnumber>
	<date>2006/06/18</date>
	<revdescription>
	  <para>Add new option from 2.0</para>
	</revdescription>
      </revision>

 <revision>
	<revnumber>0.4</revnumber>
	<date>2006/01/25</date>
	<revdescription>
	  <para>Add new option from 1.1.3</para>
	</revdescription>
      </revision>

 <revision>
	<revnumber>0.3</revnumber>
	<date>2005/05/02</date>
	<revdescription>
	  <para>Add new option from 1.0.3</para>
	</revdescription>
      </revision>
      <revision>
	<revnumber>0.2</revnumber>
	<date>2005/03/17</date>
	<revdescription>
	  <para>Add nuauth_number_loggers</para>
	</revdescription>
      </revision>
      <revision>
	<revnumber>0.1</revnumber>
	<date>2005/03/09</date>
	<revdescription>
	  <para>Initial release</para>
	</revdescription>
      </revision>
    </revhistory>
  </bookinfo>
  <chapter><title>License</title>
  <para>
  This document is copyrighted by INL, and distributed under the Creative Commons <command>by-nc-sa</command> license. The full text of the license is available at  <ulink url="http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode">http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode</ulink>.
  </para>
  </chapter>
  <chapter><title>nufw configuration</title>
    <para>
The nufw server has no configuration file, as it has only a restricted set of options:
<screen>
nufw [-nCMhVv[v[v[v[v[v[v[v[v[v]]]]]]]]]] [-l local_port] [-L local_addr] [-d remote_addr] [-p remote_port] [-L queue_maxlen] [-t packet_timeout] [-T track_size] [-n DN name]</screen>
<itemizedlist>
<listitem><para>-h : display this help and exit</para>	</listitem>
 <listitem><para>-v : increase verbosity (maximum 9)</para>
	</listitem>
 <listitem><para>-V : display version and exit</para>
	</listitem>
  <listitem><para>-D : daemonize</para>
	</listitem>
  <listitem><para>-k : Use specified file as key file</para>
	</listitem>
  <listitem><para>-c : Use specified file as cert file</para>
	</listitem>
  <listitem><para>-a : Use specified file as ca file (strict check on server certificate is done if activated)</para>
	</listitem>

  <listitem><para>-U : use UDP unencrypted communication with nuauth server</para>
	</listitem>
  <listitem><para>-v : increase debug level (+1 for each 'v') (max useful number : 10)</para>
	</listitem>
  <listitem><para>-m : mark packet with userid</para>
	</listitem>
    <listitem><para>-L : specify queue maximum length (default: 1024)</para>
	</listitem>
   <listitem><para>-d : remote address we send auth requests to (address of the nuauth server) (default : 127.0.0.1)</para>
	</listitem>
   <listitem><para>-p : remote port we send auth requests to (TCP port nuauth server listens on) (default : 4128)</para>
	</listitem>
   <listitem><para>-t : timeout to forget about packets when they don't match (default : 15 s)</para>
	</listitem>
   <listitem><para>-T : track size (default : 1000)</para>
	</listitem>
   <listitem><para>-n : Check nuauth certificate DN against the specified string</para>
	</listitem>
  <listitem><para>-C : send conntrack destroy event to nuauth</para>
	</listitem>
   <listitem><para>-M : only report event on marked connections to nuauth (implies -C and -m)</para></listitem>
      </itemizedlist>


</para>
  </chapter>
  <chapter><title>nuauth configuration</title>
    <section><title>network related parameters</title>
      <section><title>General options</title>
	<section><title>nuauth_client_listen_addr</title>
	  <para>
The IP address on which nuauth listens for client requests.
</para>
  <para>Default: <computeroutput>nuauth_client_listen_addr="0.0.0.0"</computeroutput>
</para>
	</section>
	<section><title>nuauth_user_packet_port</title>
	  <para>
The port on which nuauth waits for user authentication packets.
</para>
<para>Default: <computeroutput>nuauth_user_packet_port=4129</computeroutput>
</para>
	</section>
	<section><title>nuauth_nufw_listen_addr</title>
	  <para>
The IP address on which nuauth listens for nufw packets.
</para>
<para>Default: <computeroutput>nuauth_nufw_listen_addr="127.0.0.1"</computeroutput>
</para>
	</section>
	<section><title>nuauth_gw_packet_port</title>
	  <para>
The port where nuauth waits for nufw gateway requests.
</para>
<para>Default: <computeroutput>nuauth_gw_packet_port=4128</computeroutput>
</para>
	</section>

	<section><title>nufw_gw_addr</title>
<para>
A list of IP addresses authorized to connect to the nuauth server as nufw
firewalls. For example:
<computeroutput>nufw_gw_addr="192.168.75.1 192.168.75.254"</computeroutput>
</para>
<para>Default: <computeroutput>nufw_gw_addr="127.0.0.1"</computeroutput>
</para>
	</section>

      </section>
      </section>
      <section><title>TLS options</title>
	<section><title>nuauth_tls_key</title>
	  <para>
 This is the complete filename of the server private key used for TLS negotiation
with the clients and nufw servers.
</para>
<para>Default: <computeroutput>nuauth_tls_key="CONFIGDIR/nuauth-key.pem"</computeroutput>
</para>
	</section>
	<section><title>nuauth_tls_key_passwd</title><para>
 The password for the private key. <remark>This is currently not supported.</remark>
</para>
<para>Default: <computeroutput>nuauth_tls_key_passwd="passwd"</computeroutput>
</para>
	</section>
	<section><title>nuauth_tls_cert</title>
	  <para>
 This variable is the complete path to the server certificate.
</para>
<para>Default: <computeroutput>nuauth_tls_cert="/etc/nufw/nuauth-cert.pem"</computeroutput>
</para>
	</section>
	<section><title>nuauth_tls_cacert</title>
	  <para>
 The complete path to the certificate authority file.
</para>
<para>Default: <computeroutput>nuauth_tls_cacert="/etc/nufw/NuFW-cacert.pem"</computeroutput>
</para>
	</section>
	<section><title>nuauth_tls_crl</title>
	  <para>
The complete filename of the certificate authority
 revocation list.</para>
 <para>The default is none.</para>
	</section>
	<section><title>nuauth_tls_request_cert</title><para>
If set to 1, this variable asks clients to send a certificate.
</para>
<para>
If it is set to 2, then the client has to show a valid certificate.
</para>
<para>Default: <computeroutput>nuauth_tls_request_cert=0</computeroutput>
</para>
	</section>
	<section><title>nuauth_tls_auth_by_cert</title><para>
If set to 1, this variable adds the capability to authenticate the client
based on the name provided in its certificate. Authentication can fail if
there is no group corresponding to the given user name.
</para>
<para>If set to 2, then per-certificate authentication is mandatory.</para>
<para>Default: <computeroutput>nuauth_tls_auth_by_cert=0</computeroutput>
</para>
	</section>
<section><title>nufw related option</title>
      <section><title>nufw_has_conntrack</title>
      <para>
      Set <option>nufw_has_conntrack</option> to 1 if nufw is able to modify conntrack entries.
      This requires a kernel release newer than 2.6.14 on the nufw side.
      </para>
      </section>
      <section><title>nufw_has_fixed_timeout</title>
      <para>
      Set <option>nufw_has_fixed_timeout</option> to 1 if nufw is able to give a fixed timeout to a conntrack entry.
      This requires a kernel release newer than 2.6.14 on the nufw side.
      </para>
      </section>
</section>

    <section><title>Modules choice</title>
    <section><title>Syntax description</title>
    <para>
Each option that sets up the use of a hook is
a list of modules separated by spaces.</para>
<para>For each module, the syntax is
<option>name[:type[:config file]]</option>, interpreted as follows:
<itemizedlist>
<listitem><para><option>name</option>: load module "name" with config file included in nuauth.conf</para></listitem>
<listitem><para><option>name:type</option>: load module "type" with config file CONFIG_DIR/modules/name.conf</para></listitem>
<listitem><para><option>name:type:conf</option>: load module "type" with config file "conf"</para></listitem>
</itemizedlist>
    </para>
    </section>
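As an added example (not NuFW's own code), the following Python resolves the name[:type[:config file]] specs of a hook option into the module type that gets loaded and the configuration file it will read. CONFIG_DIR is assumed to be /etc/nufw, matching the manual's other defaults, and the sample option value is constructed.

```python
"""Resolve nuauth module-hook values written as name[:type[:config file]]."""
from __future__ import annotations

import os

# Assumption: the manual names CONFIG_DIR only symbolically; /etc/nufw is
# where its other defaults live, so it is used here as the stand-in.
CONFIG_DIR = "/etc/nufw"
MAIN_CONF = os.path.join(CONFIG_DIR, "nuauth.conf")


def resolve_module_spec(spec: str) -> tuple[str, str, str]:
    """Map one module spec to (instance name, module type to load, config file).

    name            -> load module "name", config read from nuauth.conf itself
    name:type       -> load module "type", config CONFIG_DIR/modules/name.conf
    name:type:conf  -> load module "type", config file "conf"
    """
    # Split at most twice: a config path may itself contain ':'.
    parts = spec.split(":", 2)
    name = parts[0]
    if not name:
        raise ValueError(f"empty module name in {spec!r}")
    if len(parts) == 1:
        return name, name, MAIN_CONF
    mtype = parts[1]
    if not mtype:
        raise ValueError(f"empty module type in {spec!r}")
    if len(parts) == 2:
        return name, mtype, os.path.join(CONFIG_DIR, "modules", f"{name}.conf")
    conf = parts[2]
    if not conf:
        raise ValueError(f"empty config file in {spec!r}")
    return name, mtype, conf


def resolve_hook(option_value: str) -> list[tuple[str, str, str]]:
    """Resolve a whole hook option: a space-separated list of module specs.

    Accepts the raw right-hand side of a nuauth.conf line, quotes included.
    Order is preserved, because the manual wants x509_std to be the first
    module of nuauth_certificate_check_module.
    """
    value = option_value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return [resolve_module_spec(spec) for spec in value.split()]


def instances_of(resolved, module_type: str) -> list[str]:
    """Instance names that load a given module type (the same type may be loaded twice)."""
    return [name for name, mtype, _ in resolved if mtype == module_type]


if __name__ == "__main__":
    # Constructed sample value, not a default from the manual: a syslog logger
    # plus two separately configured mysql logger instances.
    sample = 'nuauth_user_logs_module="syslog logdb:mysql acllog:mysql:/srv/nufw/acllog.conf"'
    _, _, rhs = sample.partition("=")
    for name, mtype, conf in resolve_hook(rhs):
        print(f"{name:8} -> module {mtype:10} config {conf}")
```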
      <section><title>nuauth_user_check_module</title>
	<para>
This variable is used by nuauth to choose the authentication module for users. It has to be chosen from:
<itemizedlist>
<listitem><para>plaintext  : user credentials are stored in a text file</para>
	    </listitem>
<listitem><para>system : authentication is done against PAM. This provides
 a convenient way to use pam-modules.</para>
	    </listitem>
	  </itemizedlist>
</para>
<para>Default: <computeroutput>nuauth_user_check_module="libdbm"</computeroutput>
</para>
      </section>
      <section><title>nuauth_user_id_module</title>
	<para>
This variable is used by nuauth to choose the id fetching module for users. It has to be chosen from:
<itemizedlist>
<listitem><para>plaintext: user ids are  stored in a text file</para>
	    </listitem>
<listitem><para>system: This provides
 a convenient way to use PAM features.</para>
	    </listitem>
	  </itemizedlist>
</para>
<para>Default: <computeroutput>nuauth_user_id_module="system"</computeroutput>
</para>
      </section>
     <section><title>nuauth_user_groups_module</title>
	<para>
This variable is used by nuauth to choose the module used to fetch user groups. It has to be chosen from:
<itemizedlist>
<listitem><para>plaintext: user groups are stored in a text file</para>
	    </listitem>
<listitem><para>system: groups are system groups retrieved via NSS. This provides
 a convenient way to use nss features.</para>
	    </listitem>
	  </itemizedlist>
</para>
<para>Default: <computeroutput>nuauth_user_groups_module="system"</computeroutput>
</para>
      </section>
      <section><title>nuauth_acl_check_module</title>
	<para>
Choose here the acl checking module. It has
 to be chosen from:
<itemizedlist>
<listitem><para>libldap: Acls are stored in an LDAP tree with a specific schema. This module enables
dynamic acls and network administration of them.</para>
	    </listitem>
<listitem><para>plaintext: This module stores acls in a plain text file. This is easy to manage for small rule sets,
 but nuauth has to be restarted for
modifications to the file to be taken into account.</para>
	    </listitem>
	  </itemizedlist>

</para><para>Default: <computeroutput>nuauth_acl_check_module="libplaintext"</computeroutput>
</para>
      </section>
<section><title>nuauth_ip_authentication_module</title>
	<para>
A fallback authentication module can be used to employ other authentication methods.
Currently, only an ident based module is available.
</para><para>Default: <computeroutput>nuauth_ip_authentication_module="libipauthident"</computeroutput>
</para>
      </section>
      <section><title>nuauth_user_logs_module</title>
	<para>
 User activity logging is done via a module, chosen between syslog and SQL modules.
Only SQL modules allow evolving to an SSO system. Acceptable values for this parameter are:
<itemizedlist>
<listitem><para>mysql</para>
	    </listitem>
<listitem><para>pgsql</para>
	    </listitem>
<listitem><para>syslog</para>
	    </listitem>

<listitem><para>nuprelude</para>
	    </listitem>
	  </itemizedlist>
</para><para>Default: <computeroutput>nuauth_user_logs_module="syslog"</computeroutput>
</para>
      </section>
<section><title>nuauth_user_session_logs_module</title>
<para>
This defines the method to use for user connection and disconnection logging.
The available modules are:
<itemizedlist>
<listitem><para>syslog</para></listitem>
<listitem><para>script : run a custom script at user connection  (CONFDIR/user-up.sh) and disconnection (CONFDIR/user-down.sh)</para></listitem>
<listitem><para>mysql</para></listitem>
<listitem><para>nuprelude</para></listitem>
</itemizedlist>
</para>
<para>Default: <computeroutput>nuauth_user_session_logs_module="syslog"</computeroutput>
</para>
    </section>
    <section><title>nuauth_certificate_check_module</title>
<para>
 These modules check the client certificate and issue a verdict on its validity.
It is recommended to keep <option>x509_std</option> as the first module, as it
performs the checks that are usually wanted.
</para>
<para>Default: <computeroutput>nuauth_certificate_check_module="x509_std"</computeroutput>
</para>
    </section>
        <section><title>nuauth_certificate_to_uid_module</title>
<para>
 These modules get the username from the client certificate.
 Currently, only one module is provided: <option>x509_std</option>.
</para>
<para>Default: <computeroutput>nuauth_certificate_to_uid_module="x509_std"</computeroutput></para>
    </section>

        <section><title>nuauth_periods_module</title>
<para>
These modules define a set of periods that can be used in acls to check a packet against a given period
of time. Currently only <option>xml_defs</option> is available. It stores period definitions in an XML file.
</para>

<para>Default: <computeroutput>nuauth_periods_module="xml_defs"</computeroutput></para>
        </section>
 <section><title>nuauth_user_session_modify_module</title>
<para>
 These modules provide a hook
 which can be used to modify a user session just after its creation.
 It is useful when you want to modify a property such as the expiration date of the session.
Currently only <option>libsession_expire</option> is available. It modifies the session expiration to force the user to reconnect after
a given time.
</para>
<para>Default: <computeroutput>nuauth_user_session_modify_module="libsession_expire"</computeroutput>
</para>
    </section>

    <section><title>nuauth_finalize_packet_module</title>
<para>
 These modules provide a hook
 which can be used to modify a packet before the decision and related
 information are sent to the nufw server.
 It is useful when you want to modify the mark to set up QoS.
<itemizedlist>
<listitem><para><option>mark_group</option>: set the mark depending on user groups.</para></listitem>
<listitem><para><option>mark_uid</option>: use the next 16 bits of the mark to put the userid.</para></listitem>
<listitem><para><option>mark_field</option>: set the mark depending on application name or OS name.</para></listitem>
<listitem><para><option>mark_flag</option>: use the first 16 bits of the mark to put the mark given by the acl.</para></listitem>
</itemizedlist>

</para>
<para>Default: <computeroutput>nuauth_finalize_packet_module="mark_uid"</computeroutput>
</para>
    </section>
    <section><title>nuauth_auth_error_log_module</title>
<para>
 These modules provide a way to log
 user authentication failures. For now, the only available modules
 are <option>nuprelude</option> and <option>syslog</option>.
</para>
<para>Default: <computeroutput>nuauth_auth_error_log_module=""</computeroutput>
</para>
    </section>


    </section>
    <section><title>Underlying options of nuauth</title>
<section><title>nuauth_use_command_server</title>
<para>
If set to 1, nuauth starts a server which waits for connections on a Unix socket. The script in <filename>scripts/nuauth_command/</filename> can be used
to interact with some aspects of nuauth. Basically, it provides the ability to list and destroy user sessions or to change the debug level.
</para><para>Default: <computeroutput>nuauth_use_command_server=1</computeroutput>
</para>
      </section>

<section><title>nuauth_prio_to_nok</title>
<para>
What to do when several groups a user is a member of disagree about access rights.
</para><para>Default: <computeroutput>nuauth_prio_to_nok=1</computeroutput>
</para>
      </section>
<section><title>nuauth_push_to_client</title>
<para>
 Clients can work in two modes:
<itemizedlist>
<listitem><para>POLL: the client checks at each time interval whether it needs to send a packet (traffic economy for WAN)</para>
	    </listitem>
<listitem><para>PUSH: nuauth warns clients that they may need to send an authentication packet (better response time on LAN)</para>
	    </listitem>
	  </itemizedlist>
</para>
<para>Default: <computeroutput>nuauth_push_to_client=1</computeroutput>
</para>
      </section>
<section><title>nuauth_connect_policy</title>
<para>
This is used to choose the user connection policy:
<itemizedlist>
<listitem><para>0 : no login restriction (default)</para></listitem>
<listitem><para>1 : one login per user</para></listitem>
<listitem><para>2 : one login per ip and per user</para></listitem>
</itemizedlist>
</para>
</section>

<section><title>nuauth_reject_after_timeout</title>
<para>
 Reject via ICMP message (instead of simply dropping) when the packet timeout is reached.
</para>
<para>Default: <computeroutput>nuauth_reject_after_timeout=0</computeroutput>
</para>
</section>
<section><title>nuauth_reject_authenticated_drop</title>
<para>
 Reject via ICMP message (instead of simply dropping) when the
 user is not authorized by nuauth to send packets.
</para>
<para>Default: <computeroutput>nuauth_reject_authenticated_drop=0</computeroutput>
</para>
</section>


<section><title>nuauth_hello_authentication</title>
<para>
This is a fallback hello authentication mode for protocols not supported by NuFW.
It brings authentication for all IP-based protocols
 by doing a posteriori IP-based authentication.
 </para>
<para>Default: <computeroutput>nuauth_hello_authentication=0</computeroutput></para>
 <section><title>Warning</title>
 <para>
This authentication is <emphasis>FAR</emphasis> less strict than the original nufw protocol:
<itemizedlist>
<listitem><para>It authenticates NATed computers (and every computer behind the same firewall)</para></listitem>
<listitem><para>It is strictly mono-user</para></listitem>
<listitem><para>But, it can authenticate all types of IP flows</para></listitem>
</itemizedlist>
</para>
</section>
</section>


<section><title>nuauth_do_ip_authentication</title>
<para>
 Whether to use the fallback mode when no client is found<footnote><para>When no client is known on the IP from which a packet is coming,
the fallback method is used.</para>
	  </footnote>.
 <remark><varname>nuauth_push_to_client</varname> has to be set to <option>1</option> if you choose to enable it.</remark>
</para><para>Default: <computeroutput>nuauth_do_ip_authentication=1</computeroutput>
</para>
      </section>
<section><title>nuauth_session_duration</title>
<para>If set to a non-null value, this option causes nuauth to close a user session
after the specified time. The user client then has to reconnect (transparently or not).
This permits, for example, disconnecting users whose account has been cancelled.</para>
<para>Disconnection occurs when nuauth has to authenticate a packet coming from the source IP
of the connection.</para>

<para>Default: <computeroutput>nuauth_session_duration=0</computeroutput>
</para>
	</section>




    </section>
    <section><title>Tuning options</title>
<section><title>nuauth_packet_timeout</title>
      <para>
 This is the time in seconds to keep packets in the nuauth internal connection tracking.
</para><para>Default: <computeroutput>nuauth_packet_timeout=15</computeroutput>
</para>
      </section>
<section><title>nuauth_proto_wait_delay</title>
      <para>
This sets the timeout for the protocol announcement from the client.
If some of your clients (post 2.0 version) receive a "bad protocol message", you may
want to increase this value. This is a workaround for very laggy networks.
</para><para>Default: <computeroutput>nuauth_proto_wait_delay=2</computeroutput>
</para>
      </section>
<section><title>nuauth_datas_persistance</title>
<para>
 A cache is implemented for acl (and/or user) data.
It speeds things up by decreasing the number of requests to external
systems. This variable sets the data persistence in the cache (in seconds).
</para><para>Default: <computeroutput>nuauth_datas_persistance=300</computeroutput>
</para>
      </section>
<section><title>nuauth_auth_nego_timeout</title>
<para>
This option sets the delay after which an authentication attempt is considered failed and is forcibly interrupted.
</para><para>Default: <computeroutput>nuauth_auth_nego_timeout=30</computeroutput>
</para>
      </section>

<section><title>nuauth_number_usercheckers</title>
<para>
A pool of threads is used to work on client authentication.
This variable sets the number of threads used for this task.
</para><para>Default: <computeroutput>nuauth_number_usercheckers=5</computeroutput>
</para>
	</section>
<section><title>nuauth_number_aclcheckers</title>
<para>
A pool of threads is used to do acl checking against the external authority
and to handle gateway requests.
 This variable sets the number of threads working on gateway requests.
</para><para>Default: <computeroutput>nuauth_number_aclcheckers=5</computeroutput>
</para>
	  </section>
<section><title>nuauth_number_loggers</title>
<para>
A pool of threads is used to do logging. You may need to adjust
it to the capability of the database server.
 </para><para>Default: <computeroutput>nuauth_number_loggers=3</computeroutput>
</para>
	  </section>
<section><title>nuauth_number_session_loggers</title>
<para>
A pool of threads is used to do user connection logging. You may need to adjust
it to the capability of the database server.
 </para><para>Default: <computeroutput>nuauth_number_session_loggers=3</computeroutput>
</para>
	  </section>

<section><title>nuauth_number_authcheckers</title>
<para>
A pool of threads is used to do TLS and SASL negotiation with users.
 This sets the number of threads used for this task.
</para><para>Default: <computeroutput>nuauth_number_authcheckers=5</computeroutput>
</para>
	    </section>
<section><title>nuauth_number_ipauthcheckers</title>
<para>
 This sets the number of threads working on ip authentication.
</para><para>Default: <computeroutput>nuauth_number_ipauthcheckers=5</computeroutput>
</para>
	      </section>
<section><title>nuauth_tls_max_clients</title>
<para>
 This sets the maximum number of simultaneously connected
 nufw authentication clients.
</para><para>Default: <computeroutput>nuauth_tls_max_clients=256</computeroutput>
</para>
		</section>
<section><title>nuauth_tls_max_servers</title>
<para>
 This sets the maximum number of simultaneously connected
 nufw servers.
</para><para>Default: <computeroutput>nuauth_tls_max_servers=8</computeroutput>
</para>
		  </section>
    </section>
    <section><title>Logging options</title>

<section><title>nuauth_log_users</title>
      <para>
This variable decides the verbosity level of user activity logging.
 The log level is the sum of the values:
<itemizedlist>
<listitem><para>0: no log at all</para>
	    </listitem>
<listitem><para>1: log new user (in syslog)</para>
	    </listitem>
<listitem><para>2: log rejected packets</para>
	    </listitem>
<listitem><para>4: log accepted packets</para>
	    </listitem>
<listitem><para>8: do complete session tracking
 <footnote><para>complete session tracking needs special iptables
 rules, described in the documentation</para>
		</footnote>
</para>
	    </listitem></itemizedlist>

</para><para>Default: <computeroutput>nuauth_log_users=0</computeroutput>
</para>
      </section>

	<section><title>nuauth_log_users_sync</title>
	  <para>This controls whether user logging is absolutely safe: the access is
 logged before it is granted.</para>
	<remark>This is necessary if an SQL backend is used for SSO.</remark>
<para>Default: <computeroutput>nuauth_log_users_sync=1</computeroutput></para>
      </section>
	<section><title>nuauth_debug_level</title>
	  <para>This sets the debug level of nuauth.</para>
<para>Default: <computeroutput>nuauth_debug_level=0</computeroutput></para>
      </section>

      </section>
	<section><title>nuauth_debug_areas</title>
	  <para>This sets the debug areas of nuauth. The value is computed by combining (adding) the following values:
	 <itemizedlist>
	 <listitem><para>DEBUG_AREA_MAIN (1) main domain</para></listitem>
	 <listitem><para>DEBUG_AREA_PACKET (2) packet domain</para></listitem>
	 <listitem><para>DEBUG_AREA_USER (4) user domain</para></listitem>
	 <listitem><para>DEBUG_AREA_GW (8) Gateway domain, interaction with nufw servers.</para></listitem>
	 <listitem><para>DEBUG_AREA_AUTH (16) Authentication domain</para></listitem>
	 </itemizedlist>
	 The default is all areas.
	  </para>
<para>Default: <computeroutput>nuauth_debug_areas=31</computeroutput></para>
      </section>
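Added example, not from the NuFW project: a Python checker that parses a nuauth.conf fragment, decodes the nuauth_log_users and nuauth_debug_areas bitmasks above into their documented flags (reporting bits that no flag defines), and verifies the dependency stated under nuauth_do_ip_authentication, which requires nuauth_push_to_client=1. The sample configuration is constructed, not a shipped file.

```python
"""Decode the bitmask options of nuauth.conf and check documented dependencies."""
from __future__ import annotations

# Values from the manual: nuauth_log_users is the sum of these flags.
LOG_USERS_FLAGS = {
    1: "log new user",
    2: "log rejected packets",
    4: "log accepted packets",
    8: "complete session tracking",
}

# Values from the manual: nuauth_debug_areas is a combination of these areas.
DEBUG_AREAS = {
    1: "DEBUG_AREA_MAIN",
    2: "DEBUG_AREA_PACKET",
    4: "DEBUG_AREA_USER",
    8: "DEBUG_AREA_GW",
    16: "DEBUG_AREA_AUTH",
}


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; '#' comments and surrounding quotes are dropped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def decode_flags(value: int, table: dict[int, str]) -> tuple[list[str], int]:
    """Return the names of the set bits and the leftover bits no flag defines."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    return names, value & ~known


def check_conf(conf: dict[str, str]) -> list[str]:
    """Findings a reviewer would raise; each is backed by a statement in the manual."""
    findings: list[str] = []

    log_users = int(conf.get("nuauth_log_users", "0"))
    _, unknown = decode_flags(log_users, LOG_USERS_FLAGS)
    if unknown:
        findings.append(f"nuauth_log_users={log_users}: undefined bits {unknown}")
    if log_users & 8:
        findings.append("nuauth_log_users bit 8: session tracking needs the "
                        "special iptables rules described in the documentation")

    areas = int(conf.get("nuauth_debug_areas", "31"))
    _, unknown = decode_flags(areas, DEBUG_AREAS)
    if unknown:
        findings.append(f"nuauth_debug_areas={areas}: undefined bits {unknown}")

    # Manual: nuauth_push_to_client has to be 1 if ip authentication is enabled.
    if (conf.get("nuauth_do_ip_authentication", "1") == "1"
            and conf.get("nuauth_push_to_client", "1") != "1"):
        findings.append("nuauth_do_ip_authentication=1 requires nuauth_push_to_client=1")

    # Manual: hello authentication is far less strict than the nufw protocol.
    if conf.get("nuauth_hello_authentication", "0") == "1":
        findings.append("nuauth_hello_authentication=1: authenticates whole NATed "
                        "networks and is strictly mono-user")
    return findings


# Constructed sample configuration (not a shipped nuauth.conf).
SAMPLE_CONF = """
# logging
nuauth_log_users=15          # 1+2+4+8
nuauth_debug_areas=35        # 32 is not a defined area
nuauth_push_to_client=0
nuauth_do_ip_authentication=1
nuauth_hello_authentication=0
"""

if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    print("log_users:", decode_flags(int(parsed["nuauth_log_users"]), LOG_USERS_FLAGS))
    for finding in check_conf(parsed):
        print("-", finding)
```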


	<section><title>nuauth_log_users_strict</title>
<para>If set to <option>1</option>, this option causes nuauth to update the log entries
in the database, to avoid accidental double connections, before inserting a new connection.</para>

<remark>Do not disable it by changing it to <option>0</option> if you want strict security
 when using SSO modules.</remark>

<para>Default: <computeroutput>nuauth_log_users_strict=1</computeroutput>
</para>
	</section>
<section><title>nuauth_log_users_without_realm</title>
<para>If set to <option>1</option>, this option causes nuauth to remove the realm from the
username before logging.</para>

<para>Default: <computeroutput>nuauth_log_users_without_realm=1</computeroutput>
</para>
	</section>
      </section>
  </chapter>
  <chapter><title>Modules configuration</title>
    <section><title>Plaintext</title>
      <section><title>plaintext_userfile</title>
      <para>This option is used to select the file used to store the credentials of the users.</para>
<para>Default: <computeroutput>plaintext_userfile="/etc/nufw/users.nufw"</computeroutput></para>
      </section>
      <section><title>plaintext_aclfile</title>
      <para>This option is used to select the file used to store the access lists.</para>
<para>Default: <computeroutput>plaintext_aclfile="/etc/nufw/acls.nufw"</computeroutput></para>
      </section>
    </section>
   <section><title>system</title>
     <section><title>system_glibc_cant_guess_maxgroups</title>
<para>This option has to be used if you have a buggy version of glibc.
It is known that glibc 2.3.2 implementation of getgrouplist is buggy and
thus you need to manually set the option to the maximum number of groups
a user can belong to.
</para>
<para>Default: <computeroutput>system_glibc_cant_guess_maxgroups=0</computeroutput></para>
      </section>
  <section><title>system_pam_module_not_threadsafe</title>
<para>This option has to be set as PAM is not thread-safe.</para>
<para>Default: <computeroutput>system_pam_module_not_threadsafe=1</computeroutput></para>
      </section>
  <section><title>system_suppress_prefixed_domain</title>
<para>When the username is given as "DOMAIN\user" and this option is set to 1, PAM
 authentication is called with the username "user".</para>
<para>Default: <computeroutput>system_suppress_prefixed_domain=0</computeroutput></para>
      </section>
    </section>

    <section><title>ldap</title>
      <section><title>ldap_server_addr</title>
      <para>
This sets the address of the ldap server which contains the acls and/or the user credentials.
</para>
<para>Default: <computeroutput>ldap_server_addr="127.0.0.1"</computeroutput></para>
      </section>

      <section><title>ldap_server_port</title>
	<para>This sets the port of the ldap server.</para>
<para>Default: <computeroutput>ldap_server_port=389</computeroutput>
</para>      </section>
      <section><title>ldap_bind_dn</title><para>
 This sets the bind dn of the ldap connection.
</para><para>Default: <computeroutput>ldap_bind_dn="cn=admin,dc=nufw,dc=org"</computeroutput>
</para>
      </section>
      <section><title>ldap_bind_password</title>
	<para>This sets the password used to bind the ldap connection.
</para><para>Default: <computeroutput>ldap_bind_password="mypassword"</computeroutput>
</para>
      </section>
      <section><title>ldap_filter_type</title>
	<para>This sets the ldap request type.
<itemizedlist><listitem><para>set to 1: request on DstPort is done with equality. This is
the fastest version. In case a range of ports has to be set, a better idea could be
to use application filtering.</para>
	    </listitem>
<listitem><para>set to 0: request on DstPort is done with range.
 Ranges can be simpler to administer, but performance is lower.</para>
	    </listitem>
	  </itemizedlist>
</para><para>Default: <computeroutput>ldap_filter_type=1</computeroutput>
</para>
      </section>
      <section><title>ldap_request_timeout</title>
	<para>
 This sets the timeout of ldap requests.
</para><para>Default: <computeroutput>ldap_request_timeout=4</computeroutput>
</para>
      </section>
      <section><title>ldap_basedn</title><para>
This parameter sets the base dn for search requests. It is the
 default for ldap_acls_base_dn and ldap_users_base_dn if they are not set.
</para><para>Default: <computeroutput>ldap_basedn="dc=nufw,dc=org"</computeroutput>
</para>
      </section>
      <section><title>ldap_acls_base_dn</title><para>
This is the base dn for acl search requests.
</para><para>Default: <computeroutput>ldap_acls_base_dn="dc=acls,dc=nufw,dc=org"</computeroutput>
</para>
      </section>
      <section><title>ldap_users_base_dn</title><para>
 This is the base dn for user search requests.
</para><para>Default: <computeroutput>ldap_users_base_dn="ou=people,dc=nufw,dc=org"</computeroutput>
</para>
      </section>

    </section>

    <section><title>mysql log</title>
      <section><title>mysql_server_addr</title>
	<para>
This parameter sets the MySQL server address.
</para><para>Default: <computeroutput>mysql_server_addr="127.0.0.1"</computeroutput>
</para>
      </section>
      <section><title>mysql_server_port</title><para>
This sets the MySQL server port.
</para><para>Default: <computeroutput>mysql_server_port=3306</computeroutput>
</para>
      </section>
      <section><title>mysql_user</title>
	<para>
This parameter sets the name of the user used to log on to the MySQL server.
</para><para>Default: <computeroutput>mysql_user="myuser"</computeroutput>
</para>
      </section>
      <section><title>mysql_passwd</title><para>
This sets the MySQL password associated with the username.
</para><para>Default: <computeroutput>mysql_passwd="secret"</computeroutput>
</para>
      </section>
      <section><title>mysql_db_name</title><para>
This is the name of MySQL database to connect to.
</para><para>Default: <computeroutput>mysql_db_name="nufw"</computeroutput>
</para>
      </section>
      <section><title>mysql_table_name</title><para>
This sets the name of the table to connect to. It must belong to the chosen database.
The specified user must have rights on this table.
</para><para>Default: <computeroutput>mysql_table_name="ulog"</computeroutput>
</para>
      </section>
  <section><title>mysql_users_table_name</title><para>
This sets the name of the table to log user sessions into. It must belong to the chosen database.
The specified user must have rights on this table.
</para><para>Default: <computeroutput>mysql_users_table_name="users"</computeroutput>
</para>
      </section>
<section><title>mysql_use_ipv4_schema</title>
<para>
Set to 0 if your MySQL database
uses the IPv6 schema provided with NuFW 2.2.
</para>
<para>Default: <computeroutput>mysql_use_ipv4_schema=1</computeroutput>
</para>
</section>
      <section><title>mysql_request_timeout</title><para>
This sets the time in seconds after which the connection to the database is
considered lost if no answer has been received.
</para><para>Default: <computeroutput>mysql_request_timeout=5</computeroutput>
</para>
      </section>
      <section><title>mysql_use_ssl</title><para>
Set <varname>mysql_use_ssl</varname> to <option>1</option> to use SSL; otherwise the other SSL options are ignored.
</para><para>Default: <computeroutput>mysql_use_ssl=0</computeroutput>
</para>
      </section>
      <section><title>mysql_ssl_keyfile</title><para>
Set <varname>mysql_ssl_keyfile</varname> to the full path of the file containing your PRIVATE key.
<remark>This must be set if you want to use SSL, as the default value is NULL.</remark>
</para><para>Default: <computeroutput>mysql_ssl_keyfile="/etc/nufw/ssl/mysql.key"</computeroutput>
</para>
      </section>
      <section><title>mysql_ssl_certfile</title>
	<para>
Set <varname>mysql_ssl_certfile</varname> to the full path of the file containing your PUBLIC certificate.
<remark>This must be set if you want to use SSL, as the default value is NULL.</remark>
</para><para>Default: <computeroutput>mysql_ssl_certfile="/etc/nufw/ssl/mysql.cert"</computeroutput>
</para>
      </section>
      <section><title>mysql_ssl_ca</title>
	<para>
Set <varname>mysql_ssl_ca</varname> to the full path of the file containing your CA (Certificate Authority) file.
<remark>Unset this field if you don't want to use a CA.</remark>
</para><para>Default: <computeroutput>mysql_ssl_ca="/etc/nufw/ssl/mysql.ca"</computeroutput>
</para>
      </section>
      <section><title>mysql_ssl_capath</title><para>
Set <varname>mysql_ssl_capath</varname> to the full path of a DIRECTORY containing your CA
(Certificate Authority) files, in PEM format.
<remark>Unset this field if you don't want to use CAs.</remark>
</para><para>Default: <computeroutput>mysql_ssl_capath="/etc/nufw/ssl/mysql.cas/"</computeroutput>
</para>
      </section>
      <section><title>mysql_ssl_cipher</title><para>
Set <varname>mysql_ssl_cipher</varname> to the list of ciphers you wish to use for MySQL
connections. The complete cipher list available on your system is printed by running
"openssl ciphers".
The default value here is "ALL:!ADH:+RC4:@STRENGTH", which is the OpenSSL default
and means "use any cipher, but give RC4 the lowest priority".
For more information see: http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp
</para><para>Default: <computeroutput>mysql_ssl_cipher="ALL:!ADH:+RC4:@STRENGTH"</computeroutput>
</para>
      </section>
    </section>
    <section><title>pgsql log</title>
      <section><title>pgsql_server_addr</title>
	<para>
This parameter sets the PostgreSQL server address.
</para><para>Default: <computeroutput>pgsql_server_addr="127.0.0.1"</computeroutput>
</para>
      </section>
      <section><title>pgsql_server_port</title><para>
This sets the port used to connect to the PostgreSQL server.
</para><para>Default: <computeroutput>pgsql_server_port=5432</computeroutput>
</para>
      </section>
      <section><title>pgsql_user</title>
	<para>
This parameter sets the login name of the PostgreSQL user.
</para><para>Default: <computeroutput>pgsql_user="myuser"</computeroutput>
</para>
      </section>
      <section><title>pgsql_passwd</title>
	<para>
This sets the PostgreSQL password associated with that database user name.
</para><para>Default: <computeroutput>pgsql_passwd="secret"</computeroutput>
</para>
      </section>
      <section><title>pgsql_ssl</title>
	<para>
This sets whether to use SSL or not (this parameter is currently ignored).
</para><para>Default: <computeroutput>pgsql_ssl="prefer"</computeroutput>
</para>
      </section>
      <section><title>pgsql_db_name</title>
	<para>
This is the name of the PostgreSQL database to connect to.
</para><para>Default: <computeroutput>pgsql_db_name="nufw"</computeroutput>
</para>
      </section>
      <section><title>pgsql_table_name</title>
	<para>
This sets the name of the table to log to. It must belong to the chosen database.
The specified user must have rights on this table.
</para><para>Default: <computeroutput>pgsql_table_name="ulog"</computeroutput>
</para>
      </section>

  <section><title>pgsql_users_table_name</title><para>
This sets the name of the table to log user sessions into. It must belong to the chosen database.
The specified user must have rights on this table.
</para><para>Default: <computeroutput>pgsql_users_table_name="users"</computeroutput>
</para>
      </section>


      <section><title>pgsql_request_timeout</title><para>
This is the time in seconds after which the connection to the database is
assumed to be lost if no answer has been received.
</para><para>Default: <computeroutput>pgsql_request_timeout=5</computeroutput>
</para>
      </section>
    </section>
    <section><title>xml_defs</title>
  <section><title>xml_defs_periodfile</title><para>
This sets the full path of the file containing the period definitions.
</para>
<para>Default: <computeroutput>xml_defs_periodfile="CONFIG_DIR/periods.xml"</computeroutput>
</para>
      </section>
    </section>
    <section><title>nuprelude</title>
    <para>
No option.
    </para>
    </section>
    <section><title>x509_std</title>
 <section><title>nuauth_tls_trusted_issuer_dn</title><para>
This option is used to match the issuer of a certificate against this string.
If there is a match, the given certificate is trusted.
    </para>
    <para>No default</para>
    </section>
    </section>
    <section><title>session_expire</title><para>
    The session expiration duration has to be set by using the global variable <option>nuauth_session_duration</option>.
</para>
    </section>
    <section><title>mark group</title>
     <section><title>mark_group_file</title><para>
     File to read configuration from.
    </para>
    <para>Default: <computeroutput>mark_group_file=CONFFILE/mark_group.conf</computeroutput></para>
    </section>

 <section><title>nuauth_group_shift</title>
 <para>
Position of the mark (in bits) in the packet mark.
    </para>
    <para>No default</para>
    </section>
 <section><title>nuauth_group_nbits</title>
 <para>
 Number of bits to store the mark.
    </para>
    <para>No default</para>
    </section>
 <section><title>nuauth_group_default_mark</title>
 <para>
 Default mark if no group matches.
    </para>
    <para>No default</para>
    </section>

    </section>
  <section><title>mark field</title>
     <section><title>mark_field_file</title><para>
     File to read configuration from.
    </para>
    <para>Default: <computeroutput>mark_field_file=CONFFILE/mark_field.conf</computeroutput></para>
    </section>

 <section><title>nuauth_field_shift</title>
 <para>
Position of the mark (in bits) in the packet mark.
    </para>
    <para>Default: <computeroutput>mark_field_shift=0</computeroutput></para>
    </section>
 <section><title>nuauth_field_nbits</title>
 <para>
 Number of bits to store the mark.
    </para>
    <para>Default: <computeroutput>mark_field_mark=32</computeroutput></para>
    </section>
 <section><title>nuauth_field_default_mark</title>
 <para>
 Default mark if no group matches.
    </para>
    <para>No default</para>
    </section>
<section><title>mark_field_type</title>
<para>
Type of match.
<itemizedlist>
<listitem><para>match on appname: 0</para></listitem>
<listitem><para>match on osname: 1</para></listitem>
</itemizedlist>
</para>
    </section>
    </section>
  <section><title>mark flag</title>
 <section><title>nuauth_flag_nbits</title>
 <para>
 Number of bits to overwrite in the mark.
    </para>
    <para>Default: <computeroutput>mark_flag_nbits=16</computeroutput></para>
    </section>

 <section><title>nuauth_flag_mark_shift</title>
 <para>
Position of the overwritten part of the mark (in bits).
    </para>
    <para>Default: <computeroutput>mark_flag_mark_shift=16</computeroutput></para>
    </section>
 <section><title>nuauth_flag_flag_shift</title>
 <para>
Position (in bits) in the flag of the bits used to overwrite the mark.
    </para>
    <para>Default: <computeroutput>mark_flag_flag_shift=16</computeroutput></para>
    </section>
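 <section><title>Worked example: placing a value in the packet mark</title>
 <para>
The shift and nbits parameters of the mark group, mark field and mark flag modules all describe the same
operation: a bit field at a given position inside the 32-bit packet mark is overwritten with a value while the
remaining bits of the mark are preserved. The C program below is added to this manual as an illustration; it is
not taken from the NuFW sources. It carries that operation through with the mark flag defaults documented above
(16 bits copied from bit 16 of the flag to bit 16 of the mark) and with a small group lookup that falls back to the
default mark when none of the user's groups is listed. The function names (set_mark_field, get_mark_field,
apply_flag_mark, group_mark_or_default), the shift and nbits values used for the group example, the group table and
the sample mark and flag values are assumptions made for this example, as is the first-match order of the group
lookup, which this manual does not specify.
 </para>
 <programlisting><![CDATA[
```c
/* Added example (not NuFW code): how a shift/nbits pair places a value in the
 * 32-bit packet mark, as described for the mark group, mark field and mark flag
 * modules. Function names and all sample data are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mask with the 'nbits' low bits set; nbits may be 0..32. */
static uint32_t low_mask(unsigned nbits)
{
    return nbits >= 32 ? 0xFFFFFFFFu : ((1u << nbits) - 1u);
}

/* Overwrite the 'nbits'-wide field of 'mark' that starts at bit 'shift' with
 * 'value'; every other bit of the mark is preserved. A value wider than the
 * field is truncated and a field running past bit 31 is clipped. This is the
 * operation behind nuauth_group_shift/nuauth_group_nbits and
 * nuauth_field_shift/nuauth_field_nbits. */
uint32_t set_mark_field(uint32_t mark, unsigned shift, unsigned nbits, uint32_t value)
{
    if (shift >= 32 || nbits == 0)
        return mark;                      /* nothing to write */
    if (nbits > 32 - shift)
        nbits = 32 - shift;               /* clip the field to the mark width */
    uint32_t mask = low_mask(nbits) << shift;
    return (mark & ~mask) | ((value << shift) & mask);
}

/* Read a field back (the inverse of set_mark_field). */
uint32_t get_mark_field(uint32_t mark, unsigned shift, unsigned nbits)
{
    if (shift >= 32 || nbits == 0)
        return 0;
    if (nbits > 32 - shift)
        nbits = 32 - shift;
    return (mark >> shift) & low_mask(nbits);
}

/* Mark flag: copy 'nbits' bits of 'flag', taken at position 'flag_shift', into
 * 'mark' at position 'mark_shift' (nuauth_flag_nbits, nuauth_flag_mark_shift,
 * nuauth_flag_flag_shift). */
uint32_t apply_flag_mark(uint32_t mark, uint32_t flag, unsigned nbits,
                         unsigned mark_shift, unsigned flag_shift)
{
    uint32_t bits = get_mark_field(flag, flag_shift, nbits);
    return set_mark_field(mark, mark_shift, nbits, bits);
}

/* One entry of a constructed group-to-mark table, standing in for the content
 * of mark_group_file. */
struct group_mark {
    uint32_t gid;
    uint32_t mark;
};

/* Mark of the first table entry whose gid is one of the user's groups, or
 * 'default_mark' when no group matches (nuauth_group_default_mark).
 * First-match order is an assumption of this example. */
uint32_t group_mark_or_default(const struct group_mark *table, size_t ntable,
                               const uint32_t *user_gids, size_t ngids,
                               uint32_t default_mark)
{
    for (size_t i = 0; i < ntable; i++)
        for (size_t j = 0; j < ngids; j++)
            if (table[i].gid == user_gids[j])
                return table[i].mark;
    return default_mark;
}

int main(void)
{
    /* Constructed sample table: gid 100 -> mark 1, gid 200 -> mark 2. */
    const struct group_mark table[] = { { 100, 1 }, { 200, 2 } };
    const uint32_t gids_admin[] = { 500, 200 };   /* second gid is listed */
    const uint32_t gids_guest[] = { 1000 };       /* no gid is listed */

    /* Group mark with shift 8 and nbits 8 (assumed values): the group mark
     * occupies bits 8..15 and bit 0 of the existing mark is left alone. */
    uint32_t m = group_mark_or_default(table, 2, gids_admin, 2, 0xF);
    printf("group mark %u -> packet mark 0x%08x\n", m, set_mark_field(0x00000001u, 8, 8, m));

    m = group_mark_or_default(table, 2, gids_guest, 1, 0xF);
    printf("no group matched, default %u -> packet mark 0x%08x\n", m, set_mark_field(0, 8, 8, m));

    /* Mark flag with the documented defaults (nbits 16, mark_shift 16,
     * flag_shift 16): the upper half of the flag replaces the upper half of
     * the mark. The flag and mark values are constructed. */
    printf("flag 0xabcd1234 over mark 0x0000ffff -> 0x%08x\n",
           apply_flag_mark(0x0000FFFFu, 0xABCD1234u, 16, 16, 16));
    return 0;
}
```
]]></programlisting>
 <para>
With the values above the admin user gets packet mark 0x00000201 (group mark 2 in bits 8..15, the pre-existing
bit 0 untouched), the guest user gets 0x00000F00 from the default mark, and the mark flag defaults turn
0x0000FFFF into 0xABCDFFFF. Choosing the shift and nbits values so that the fields of the modules you enable do
not overlap is what keeps one module from silently overwriting the bits another module set.
 </para>
 </section>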
    </section>

  </chapter>
</book>