Provided by: nufw_2.4.3-2.1build1_i386

NAME

       nufw - NUFW User filtering gateway server

SYNOPSIS

       nufw [ -h ] [ -V ] [ -D ] [ -m ] [ -v[v...] ] [ -s ] [ -S ] [ -N ] [ -A
       debug_area ] [ -k keyfile ] [ -c certfile ] [ -a cafile ] [ -r  crlfile
       ]  [  -n  nuauth_cert_dn  ]  [  -d  address ] [ -p (remote) port ] [ -t
       timeout ] [ -T track_size ] [ -q NfQueue_num ] [ -L Nfqueue_length ]  [
       -C ] [ -M ]

DESCRIPTION

       This manual page documents the nufw command.

       nufw is the minimalist server, designed to run on the gateway(s) of the
       network. nufw is designed to run in conjunction with nuauth, the
       authenticating server. nufw receives network packets from the local
       firewall (on Linux 2.4 and 2.6, this is set up with the help of the
       '-j NFQUEUE' or '-j QUEUE' netfilter target), and synchronizes with a
       nuauth server to check whether each packet is authorized to travel
       through the gateway.

       The design of the NUFW package lets the administrator filter network
       traffic per user, not only per IP address. This means you can now
       apply different permissions to user A and user B, even if they work
       at the same moment on the same multiuser machine. In other words,
       this extends firewalling criteria to the user ID, at the network
       scale.

       Original packaging, information and help can be found at
       http://www.nufw.org/

OPTIONS

       -h     Issues usage details and exits.

       -V     Issues version and exits.

       -D     Run as a daemon. If started as a daemon, nufw  logs  message  to
              syslog.  If  you  don't  specify this option, messages go to the
              console nufw is running on, both on STDOUT  and  STDERR.  Unless
              you  are  debugging  something,  you  should  run nufw with this
              option.

       -m     Mark packets with UserID. This requires  the  wvmark  POM  patch
              applied  to  netfilter,  and  is  necessary  for per user QoS or
              routing.

       -v     Increases debug level. Multiple switches are accepted  and  each
              of them increases the debug level by one. Default debug level is
              2, max is 10.

       -A debug_area
              Chooses the debug areas. The default debug area is ALL. To
              select a subset, add together the values from the following
              list:

              o DEBUG_AREA_MAIN (1) main domain

              o DEBUG_AREA_PACKET (2) packet domain

              o DEBUG_AREA_USER (4) user domain

              o DEBUG_AREA_GW   (8)  Gateway  domain,  interaction  with  nufw
                servers.

              o DEBUG_AREA_AUTH (16) Authentication domain

       -k keyfile
              Use specified file as SSL (private) key file.

       -c certfile
              Use specified file as SSL (public) certificate file.

       -a cafile
              Use specified file as SSL certificate authority file.

       -r crlfile
              Use specified file as SSL certificate revocation list file.
              Before 2.2.19 you had to restart nufw after modifying this
              file; since 2.2.19, nufw reloads this file dynamically when
              receiving a HUP signal.

       -n nuauth_cert_dn
              Use specified string as the required DN of nuauth. nufw will
              refuse to connect if the provided string does not match the DN
              of the certificate presented by nuauth. If you do not use this
              option, the DN of the nuauth certificate is checked against
              the fully qualified domain name of the nuauth server, obtained
              from a reverse DNS lookup on the nuauth IP address.

       -s     Disable  strict  TLS  checking  of  the  certificate provided by
              nuauth.

       -S     Force strict TLS checking of the certificate provided by nuauth.
              This is the default behavior of the daemon since 2.2.18.

       -N     Suppress error if server FQDN does not match certificate CN.

       -d address
              Network address of the nuauth server.

       -p port
              Specifies the TCP port to send data to when addressing the
              nuauth server. The nuauth server must be set up to listen on
              that port. Default value: 4128

       -t seconds
              Specifies the timeout after which packets not answered by
              nuauth are forgotten. Default value: 15 s.

       -T track_size
              Sets the maximum number of packets that can wait for a
              decision in nufw. Default value: 1000.

       -q NfQueue_num
              If nufw was compiled with NfQueue support, the id of the
              NfQueue to use (default: 0).

       -L Nfqueue_length
              Specifies the length of the nfnetlink queue used by nufw. This
              is the number of packets that the kernel will keep internally
              before dropping newly arriving packets.

       -C     Listen to conntrack events (needed for connection expiration).

       -M     Only report events on marked connections to nuauth (implies -C
              and -m).

              This  is  the  way  to do an efficient selection of events to be
              sent to nuauth but this REQUIRES  a  kernel  with  transmit_mark
              applied  (should  be  ok for 2.6.18+) and the use of CONNMARK to
              propagate the  initial  mark  across  all  the  packets  of  the
              connection.

SIGNALS

       The nufw daemon is designed to deal with several signals: USR1, USR2,
       SYS, WINCH and POLL.

       USR1   Increases verbosity. The daemon then acts as if it had been
              launched with one supplementary '-v'. A line is also added to
              the system log to mention the signal event.

       USR2   Decreases verbosity. The daemon then acts  as  if  it  had  been
              launched  with one less '-v'. A line is also added to the system
              log to mention the signal event.

       SYS    Removes the Conntrack events thread. This  gets  the  daemon  to
              work  as  if the "-C" switch had not been set. This is useful on
              HA configurations, when one firewall gets passive, for instance.

       WINCH  Starts the Conntrack events thread. This gets the daemon to work
              as if the "-C" switch had been set at startup. This is useful on
              HA configurations, when one firewall gets active, for instance.

       POLL   Logs an "audit" line, mentioning how many network datagrams
              were received and sent since daemon startup.
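       The "-A" values above are bit flags that are added together (so
       "-A 9" selects DEBUG_AREA_MAIN and DEBUG_AREA_GW), and USR1/USR2
       move the "-v" level up or down at run time. The following Python
       model, added here as an illustration and not taken from nufw's own
       code, validates a "-A" argument, expands it back into area names, and
       applies the USR1/USR2/POLL semantics to a configuration object. The
       additive reading of "-A", the clamping of the level between 0 and
       the documented maximum of 10, and the audit line format are
       assumptions made for the example.

```python
import signal

# Debug areas exactly as listed under "-A" in the man page.
DEBUG_AREAS = {
    "DEBUG_AREA_MAIN": 1,
    "DEBUG_AREA_PACKET": 2,
    "DEBUG_AREA_USER": 4,
    "DEBUG_AREA_GW": 8,
    "DEBUG_AREA_AUTH": 16,
}
ALL_AREAS = sum(DEBUG_AREAS.values())  # 31: the documented default "ALL"
DEFAULT_LEVEL = 2                      # default "-v" level from the page
MAX_LEVEL = 10                         # maximum "-v" level from the page


def parse_debug_areas(value: str) -> int:
    """Validate a "-A" argument: a positive integer whose set bits are all
    known areas (assumption: areas are combined by adding their values)."""
    mask = int(value, 0)
    if mask <= 0 or mask & ~ALL_AREAS:
        raise ValueError(f"unknown debug area bits in {value!r}")
    return mask


def describe_areas(mask: int) -> list:
    """Expand a mask into the area names it selects, in the page's order."""
    return [name for name, bit in DEBUG_AREAS.items() if mask & bit]


class DebugConfig:
    """Effective debug configuration of a running daemon, including the
    run-time adjustments made by the USR1, USR2 and POLL signals."""

    def __init__(self, areas: int = ALL_AREAS, level: int = DEFAULT_LEVEL):
        self.areas = areas
        self.level = level
        self.received = 0   # datagram counters reported by the POLL audit line
        self.sent = 0
        self.syslog = []    # lines that the daemon would add to the system log

    def apply_signal(self, name: str) -> int:
        """Apply one of the documented signals by name and return the
        resulting verbosity level (clamping to 0..MAX_LEVEL is an
        assumption of this model)."""
        if name == "USR1":       # one supplementary "-v"
            self.level = min(self.level + 1, MAX_LEVEL)
            self.syslog.append(f"received USR1, debug level now {self.level}")
        elif name == "USR2":     # one less "-v"
            self.level = max(self.level - 1, 0)
            self.syslog.append(f"received USR2, debug level now {self.level}")
        elif name == "POLL":     # audit line with the datagram counters
            self.syslog.append(self.audit_line())
        else:
            raise ValueError(f"unsupported signal {name!r}")
        return self.level

    def audit_line(self) -> str:
        """Audit line in the format assumed by this example."""
        return f"audit: received {self.received} sent {self.sent}"

    def should_log(self, area: str, level: int) -> bool:
        """A message is emitted only if its area is selected and its own
        level does not exceed the configured debug level."""
        return bool(self.areas & DEBUG_AREAS[area]) and level <= self.level

    def install_handlers(self) -> None:
        """Register real handlers so the process reacts like the daemon;
        SIGPOLL is absent on some platforms, hence the getattr."""
        signal.signal(signal.SIGUSR1, lambda *_: self.apply_signal("USR1"))
        signal.signal(signal.SIGUSR2, lambda *_: self.apply_signal("USR2"))
        sigpoll = getattr(signal, "SIGPOLL", None)
        if sigpoll is not None:
            signal.signal(sigpoll, lambda *_: self.apply_signal("POLL"))


if __name__ == "__main__":
    cfg = DebugConfig(areas=parse_debug_areas("9"))
    print("areas:", describe_areas(cfg.areas))
    cfg.apply_signal("USR1")
    print("level after USR1:", cfg.level)
    print("\n".join(cfg.syslog))
```

       Run it directly and it prints the areas selected by "-A 9" and the
       level reached after one USR1; call install_handlers() in a long-lived
       process and "kill -USR1 <pid>" has the same effect as the daemon's
       handler described above.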

SEE ALSO

       nuauth(8)

AUTHOR

       Nufw was designed and coded by Eric Leblond, aka Regit
       (<eric@regit.org>), and Vincent Deffontaines, aka gryzor
       (<vincent@gryzor.com>). Original idea in 2001, while working on NSM
       Ldap support.

       This manual page was written by Vincent Deffontaines.

       Permission is granted to copy, distribute and/or modify  this  document
       under  the  terms  of  the GNU Free Documentation License, Version 2 as
       published by the Free Software Foundation; with no Invariant  Sections,
       no Front-Cover Texts and no Back-Cover Texts.

                               25 November 2008                        NUFW(8)