Provided by: uif_1.99.0-5_all

NAME

       uif.conf - default configuration file for the Universal Internet Firewall

DESCRIPTION

       /etc/uif/uif.conf  is  the default configuration file for uif(8).  This file may contain several sections
       and comments. Each section begins with the section name and the left curly brace and ends with the  right
       curly  brace  in  a  single line. A comment starts with a hash mark (#) at the beginning of a line. Blank
       lines are silently ignored.

       The following sections are valid: include, include4, include6, sysconfig, service, network, interface,
       marker, filter, nat, input, output, forward, masquerade and stateless.

       The sections service, network, marker and interface all have a very similar syntax. Each line starts
       with an identifier followed by one or more blanks and one or more section specific entries or previously
       defined identifiers separated by blanks. A valid identifier is case sensitive and consists of letters,
       digits, underscores and hyphens.

       If two or more identifiers in one section are equal, the corresponding entries are merged into the first
       identifier. Hence, it's not possible to overwrite previously defined identifiers. As a result, the order
       of the section entries is irrelevant and it's possible to define a section more than once.

   include section
       Include other configuration files. Each line in this section, enclosed in quotation marks ("), must be a
       valid filename or a valid file globbing pattern (it is OK if no files match this pattern). The contents
       of these files are added to the current configuration, and each file should contain at least one section
       (a comment-only file is not really useful...).

   include4 section
       Include other configuration files, but ONLY in IPv4 mode (i.e. WITHOUT the -6 switch to uif). Otherwise
       equivalent to the include section above.

   include6 section
       Include other configuration files, but ONLY in IPv6 mode (i.e. WITH the -6 switch to uif). Otherwise
       equivalent to the include section above.

   sysconfig section
       Set some global settings. Each line in this section starts with one of the following identifiers followed
       by one or more blanks and the desired value: LogLevel, LogPrefix, LogLimit,  LogBurst,  Limit,  Burst  or
       AccountPrefix.  If there are multiple definitions of one entry the last definition is stored.

       LogLevel
              A valid default log priority (see syslog.conf(5)).

       LogPrefix
              The default log prefix. Each netfilter (or iptables) log message starts with this prefix.

       LogLimit
              The default limit value for log messages (see nft(8) or iptables(8)).

       LogBurst
              The default burst value for log messages (see nft(8) or iptables(8)).

       Limit  The default limit value (see nft(8) or iptables(8)).

       Burst  The default burst value (see nft(8) or iptables(8)).

       AccountPrefix
              The default prefix for accounting chains.

   service section
       This section defines all needed services. A service description starts with the protocol (see
       protocols(5)) followed by parameters in parentheses. Most protocols don't need any parameters. The only
       exceptions are tcp, udp and icmp. The tcp and udp parameters define the source and destination
       port(-range). The source and destination ports are separated by a slash (/) and port ranges are separated
       by a colon (e.g. tcp(123:333/99): tcp protocol, source port range 123-333, destination port 99). Empty
       source or destination ports are expanded to 1:65535. The icmp protocol parameter must be a valid icmp
       type (see iptables -p icmp --help).

   network section
       This section defines all needed networks and hosts. A network description starts with a valid IPv4
       address (dotted quad) or a valid IPv6 address (colon syntax, square brackets not needed), followed by an
       optional netmask in CIDR notation (number of bits) or an optional MAC address (prefixed with an equal
       sign (=)). Some valid entries are: 127.0.0.1, 127.0.0.0/8, ::1, fd00:1:2:3::/64 and
       192.168.0.1=00:00:00:00:00:FF.

   interface section
       This section defines all needed (physical and bridged) interfaces (e.g. eth0, lo, ppp0).

   marker section
       This section defines all needed numerical (decimal) values for packet marking purposes.

   filter, nat, input, output, forward, masquerade and stateless sections
       To allow a better partitioning of the packet filter, rules can be split into these sections. Internally
       they are equivalent and contain all rules. As an exception to all other sections, the order of entries in
       these sections is important.

       The default policy for the chains INPUT, OUTPUT and FORWARD is DROP (see nft(8) or iptables(8)) and  it's
       not possible to change this.

       Each line in these sections begins with in, out, fw, nat, masq, slin, slout or slfw, followed by '+',
       '-' or a mark identifier enclosed in curly braces (or, in the case of fw, followed by '>'). The
       identifiers in, out and fw define rules for incoming, outgoing and forwarded IP packets. Each packet with
       an INVALID state (see nft(8) or iptables(8)) is matched by slin, slout and slfw. The lines starting with
       nat and masq define rules to modify the source or destination address or the destination port.

       Note:  The  identifiers nat and masq are non-operational in IPv6 mode. They simply get ignored as NAT and
       Masquerading are not supported by the IPv6 protocol.

       The plus and minus signs specify the type of the rule: '+' accepts matching packets and '-' drops them.
       As a special case, the identifiers out and fw accept the greater than sign (>) to modify the MSS depending
       on the PMTU (see iptables(8)).

       A very basic ruleset may look like this:

              out+

       This allows all outgoing traffic and rejects all incoming connections (because of the default policy).

       To be more specific, each line may contain several  parameters.  Each  parameter  starts  with  a  single
       character  followed  by  an  equal  sign  (=)  and  one  or  more  previously defined identifiers (in the
       corresponding sections) separated by commas. The following parameters are valid:

       s      The source address or network. Append "(4)" or "(6)" to the network name to make this  rule  apply
              to IPv4 or IPv6 only.

       d      The  destination  address  or network. Append "(4)" or "(6)" to the network name to make this rule
              apply to IPv4 or IPv6 only.

       i      The input interface.

       o      The output interface.

       pi     The physical input interface (only useful when used with bridged interfaces,  not  supported  with
              nft as deprecated there).

       po     The  physical  output interface (only useful when used with bridged interfaces, not supported with
              nft as deprecated there).

       p      The service description (protocol).

       m      The mark field associated with a packet.

       S      The new source address in nat rules. Supported in IPv4 mode only. Ignored in IPv6 mode.

       D      The new destination address in nat rules. Supported in IPv4 mode only. Ignored in IPv6 mode.

       P      The new service description in nat rules. This is only valid with tcp or udp packets.

       f      This parameter sets some 'flags'. A flag definition starts with the flag identifier and optional
              parameters in parentheses. Valid flags are:

              log    Logs matching packets to syslog. The given parameter is included in the log entry. The
                     number of logged packets and the loglevel can be set in the sysconfig section.

              reject Only valid in DROP rules. This is used to send back an error packet in response to the
                     matched packet. The default behaviour is a packet with the RST flag set on tcp
                     connections and a destination-unreachable icmp packet in every other case. Valid
                     parameters are listed in iptables(8) in the REJECT section.

              account
                     Create an accounting chain for all matching packets and possible responses. The optional
                     parameter is a part of the name of the chain.

              limit  Limits the number of matching packets. The default values are set in the sysconfig
                     section. Other values can be defined with the optional parameter. The first entry sets a
                     new limit and the second parameter (separated by a comma (,)) sets the burst value (see
                     Limit and Burst in the sysconfig section).

       It's possible to invert the identifier of one of the following parameters - if it expands to exactly one
       object - by prepending an exclamation mark (!): s, d, i, o, p (e.g.: s=!local p=!http).
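       The following complete configuration exercises the syntax described in the sysconfig, include, service,
       network, interface, marker and rule sections above. It is a constructed example added to this page, not
       the packaged uif.conf.tmpl: every identifier, address, interface name, log tag and included file name is
       invented for illustration, and comments are kept on their own lines because that is the only comment
       form the format defines.

```conf
# Constructed example uif.conf; not the packaged uif.conf.tmpl.
# Every identifier, address, interface name and file name below is invented.

sysconfig {
    LogLevel        info
    LogPrefix       FW
    LogLimit        10/minute
    LogBurst        5
    Limit           50/second
    Burst           10
    AccountPrefix   ACC_
}

# Additional files; a glob that matches nothing is not an error. Sections are
# merged, so an included file may extend "service" or "filter".
include {
    "/etc/uif/conf.d/*.conf"
}

service {
    # tcp(<source>/<destination>): an empty side expands to 1:65535
    ssh             tcp(/22)
    http            tcp(/80)
    https           tcp(/443)
    dns             udp(/53) tcp(/53)
    auth            tcp(/113)
    ping            icmp(echo-request)
    # a service may be built from previously defined services
    web             http https
}

network {
    localhost       127.0.0.1 ::1
    # "local" is exactly one object, so it can be inverted with "!" below
    local           192.168.0.0/24
    local6          fd00:1:2:3::/64
    # a host pinned to its MAC address
    gateway         192.168.0.1=00:00:00:00:00:FF
    webserver       192.168.0.10
    # equal identifiers are merged: these two lines define one object
    resolvers       192.168.0.2
    resolvers       192.168.0.3
}

interface {
    loop            lo
    intern          eth1
    extern          eth0
}

marker {
    webmark         1
}

filter {
    # loopback
    in+     i=loop
    out+    o=loop
    # packets in INVALID state: log and drop in every direction
    slin-   f=log(INVALID)
    slout-  f=log(INVALID)
    slfw-   f=log(INVALID)
    # ssh only from the IPv4 LAN; any other ssh attempt is logged and dropped
    in+     s=local(4) p=ssh f=log(SSH)
    in-     p=ssh f=log(SSH-DENIED)
    # anti-spoofing: nothing from the inside interface may carry a foreign source
    fw-     i=intern s=!local f=log(SPOOF)
    # ident probes get a TCP RST instead of a silent drop
    in-     p=auth f=reject(tcp-reset)
    # rate-limited echo requests: 5 per second, burst of 10
    in+     p=ping f=limit(5/second,10)
    # web traffic to the webserver, counted in an ACC_web accounting chain
    fw+     i=extern o=intern d=webserver p=web f=account(web)
    # LAN hosts may reach the internal resolvers
    in+     i=intern s=local d=resolvers p=dns
    # mark forwarded web traffic from the LAN, then accept marked packets
    fw{webmark}  i=intern o=extern s=local p=web
    fw+     m=webmark
    # clamp the MSS to the PMTU on the external link
    out>    o=extern
    fw>     o=extern
    # everything else outgoing is allowed; unmatched incoming and forwarded
    # packets fall through to the fixed DROP policy
    out+
}

nat {
    # port forwarding: web requests arriving on eth0 are sent to the webserver
    nat+    i=extern p=web D=webserver
    # masquerade LAN traffic leaving through eth0 (IPv4 only; ignored with -6)
    masq+   o=extern s=local
}
```

       Only the order inside filter and nat matters: the ssh rules are a typical allow-then-log-and-drop pair,
       and the anti-spoofing rule relies on local expanding to a single network so that s=!local is valid. In
       IPv6 mode the nat section is read but ignored, and the IPv4-only addresses simply never match.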

FILES

       Configuration files are located in /etc/uif. There is a sample configuration in
       /usr/share/doc/uif/uif.conf.tmpl.gz.

SEE ALSO

       nft(8) iptables(8) uif(8)

AUTHOR

       This manual page was written by Jörg Platte <joerg.platte@gmx.de> and Cajus Pollmeier
       <pollmeier@gonicus.de>, and has been adjusted for nft support by Mike Gabriel
       <mike.gabriel@das-netzwerkteam.de>.