Provided by: uif_1.99.0-4_all bug


       uif - Universal Internet Firewall


       uif [-c <configfile>] [-n] [-p [-l]] [-6] uif -d [-6] uif [<ldap-options>]


       This  manual  page  documents  the uif command. It is used to generate optimized nft(8) or
       iptables(8) packetfilter rules, using a simple description file  specified  by  the  user.
       Generated  rules  are  provided  in  nft(8)  (with option -f <filename>) or iptables-save8
       style. uif can be used to read or write rulesets from or to LDAP servers in your  network,
       which  provides  a  global  storing  mechanism (LDAP support hasn't been tested for a long
       time). Note that you need to include the uif.schema to your slapd configuration  in  order
       to use it.

       uif.conf(5)  provides  an  easy way to specify rules, without exact knowledge of the nft /
       iptables syntax. It provides groups and aliases to make your packetfilter human readable.

       Keep in mind that uif uif is intended to assist you when designing firewalls, but will not
       tell you what to filter.


       The options are as follows:

       -6     Turn  on  IPv6  mode so as to manipulate IPv6 rules.  Default configuration file is
              changed to /etc/uif/uif6.conf see -c below. It should be noted that nat  rules  are
              silently ignored if -6 is used.

       -b <basedn>
              Specify  the  base  DN  to act on when using LDAP based firewall configuration. uif
              will look in the subtree ou=filter,ou=sysconfig,<basedn> for your rulesets.

       -c <configfile>
              This option specifies the configuration file to be read by  uif.   See  uif.conf(5)
              for detailed information on the fileformat. It defaults to /etc/uif/uif.conf.

       -C <configfile>
              When  reading configuration data from other sources than specified with -c  you may
              want to convert this information into a textual configuration  file.  This  options
              writes the parsed config back to the file specified by <configfile>.

       -d     Clears all firewall rules immediately.

       -D <bind_dn>
              If  a  special account is needed to bind to the LDAP database, the account's DN can
              be specified at this point. Note: you should use  this  when  writing  an  existing
              configuration  to the LDAP. Reading the configuration may be done with an anonymous

       -p     Prints rules specified in the configuration to stdout. This option is  mainly  used
              for debugging the rule simplifier.

       -l     If printing rules (see -p) prepend line numbers to the print-out.

       -r <ruleset>
              Specifies  the name of the ruleset to load from the LDAP database.  Remember to use
              the -b option to set  the  base.  Rulesets  are  stored  using  the  following  dn:
              cn=<ruleset>, ou=rulesets, ou=filter, ou=sysconfig, basedn, where <ruleset> will be
              replaced by the ruleset specified.

       -R <ruleset>
              Specifies the name of the ruleset to write to the LDAP database. This option can be
              used  to  convert  i.e. a textual configuration to an LDAP based ruleset. Like with
              using -r  you've  to  specify  the  LDAP  base  to  use.  Target  is  cn=<ruleset>,
              ou=rulesets, ou=filter, ou=sysconfig, <basedn>, where <ruleset> will be replaced by
              the ruleset specified.

       -s <server>
              This option specifies the LDAP server to be used.

       -t     This option is used to validate the packetfilter configuration without applying any
              rules. Mainly used for debugging.

       -T <time>
              When  changing  your  packetfiltering  rules  remotely, it is useful to have a test
              option. Specify this one to apply your rules for a period of <time>  (in  seconds).
              After that the original rules will be restored.

       -w <password>
              When connecting to an LDAP server, you may need to  authenticate via a password. If
              you really need to specify a password on the command line (discouraged!), use  this
              option, otherwise use -W and enter it interactively.

       -W     Activate interactive password query for LDAP authentication.

       uif  is  meant  to  leave  the packetfilter rules in a defined state, so if something went
       wrong during the initialisation, or uif is aborted by the user, the rules that were active
       before starting will be restored.

       Normally  you  will  not  need  to call this binary directly. Use the init script instead,
       since it does the most common steps for you.


       Configuration files are located in /etc/uif.


       uif.conf(5) nft(8) iptables(8)


       This manual page was written by Cajus Pollmeier  <>  and  Jörg  Platte
       <>  and  adjusted  to  nft  support  by Mike Gabriel <mike.gabriel@das->.