Provided by: nufw_2.4.3-3_amd64

NAME

       nufw - NUFW User filtering gateway server

SYNOPSIS

       nufw  [ -h ] [ -V ] [ -D ] [ -m ] [ -v[v...] ] [ -s ] [ -S ] [ -N ] [ -A debug_area ] [ -k keyfile ] [ -c
       certfile ] [ -a cafile ] [ -r crlfile ] [ -n nuauth_cert_dn ] [ -d address ] [ -p (remote) port  ]  [  -t
       timeout ] [ -T track_size ] [ -q NfQueue_num ] [ -L Nfqueue_length ] [ -C ] [ -M ]

DESCRIPTION

       This manual page documents the nufw command.

       nufw is the minimalist server, designed to run on the gateway(s) of the network. nufw is designed to run
       in conjunction with nuauth, the authenticating server. nufw receives network  packets  from  the  local
       firewall (on Linux 2.4 and 2.6, this is set up with the help of the '-j NFQUEUE' or '-j QUEUE' netfilter
       target), and synchronizes with a nuauth server to check whether each packet is authorized to travel
       through the gateway.

       The design of the NUFW package lets the administrator filter network traffic per user, not only per IP.
       This means you can now deal with different permissions for user A and user B, even if they work at  the
       same moment, on the same multiuser machine. In other words, this extends firewalling criteria to the
       userID, at the network scale.

       Original packaging, information and help can be found at http://www.nufw.org/

OPTIONS

       -h     Issues usage details and exits.

       -V     Issues version and exits.

       -D     Run as a daemon. If started as a daemon, nufw logs messages to syslog. If you don't specify  this
              option, messages go to the console nufw is running on, both on STDOUT and STDERR. Unless you are
              debugging something, you should run nufw with this option.

       -m     Mark packets with UserID. This requires  the  wvmark  POM  patch  applied  to  netfilter,  and  is
              necessary for per user QoS or routing.

       -v     Increases  debug  level. Multiple switches are accepted and each of them increases the debug level
              by one. Default debug level is 2, max is 10.

       -A debug_areas
              Chooses the debug areas. Default debug area is ALL. To select a subset, add up the values of the
              wanted areas from the following list:

              • DEBUG_AREA_MAIN (1) main domain

              • DEBUG_AREA_PACKET (2) packet domain

              • DEBUG_AREA_USER (4) user domain

              • DEBUG_AREA_GW (8) Gateway domain, interaction with nufw servers.

              • DEBUG_AREA_AUTH (16) Authentication domain

       -k keyfile
              Use specified file as SSL (private) key file.

       -c certfile
              Use specified file as SSL (public) certificate file.

       -a cafile
              Use specified file as SSL certificate authority file.

       -r crlfile
              Use specified file as SSL certificate revocation list file. Before 2.2.19, you needed to restart
              nufw if you modified this file; since 2.2.19, nufw reloads this file dynamically when receiving a
              HUP signal.

       -n nuauth_dn
              Use specified string as the required DN of nuauth. nufw will refuse to connect if  the  provided
              string does not match the DN of the certificate provided by nuauth. If you do not use this option,
              the DN of the nuauth certificate will be checked against the fully qualified domain name  of  the
              nuauth server, obtained from a reverse DNS lookup on the nuauth IP address.

       -s     Disable strict TLS checking of the certificate provided by nuauth.

       -S     Force  strict  TLS checking of the certificate provided by nuauth. This is the default behavior of
              the daemon since 2.2.18.

       -N     Suppress error if server FQDN does not match certificate CN.

       -d address
              Network address of the nuauth server.

       -p port
              Specifies the TCP port to send data to when addressing the nuauth server. The nuauth server must
              be set up to listen on that port. Default value: 4128

       -t seconds
              Specifies the timeout after which packets not answered by nuauth are forgotten. Default value: 15 s.

       -T track_size
              Set the maximum number of packets that can wait for a decision in nufw. Default value: 1000.

       -q NfQueue number
              If nufw was compiled with NfQueue support, id of the NfQueue to use (default: 0).

       -L NfQueue length
              Specify the length of the nfnetlink queue used by nufw. This is the number of  packets  that  the
              kernel will keep internally before dropping newly arriving packets.

       -C     Listen to conntrack events (needed for connection expiration).

       -M     Only report event on marked connections to nuauth (implies -C and -m)

              This is the way to do an efficient selection of events to be sent to nuauth but  this  REQUIRES  a
              kernel  with transmit_mark applied (should be ok for 2.6.18+) and the use of CONNMARK to propagate
              the initial mark across all the packets of the connection.
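       As an added example (not part of the nufw project), the following POSIX shell script assembles the
       gateway side described above: the netfilter rules that queue packets to nufw, and a nufw command line
       using the strict TLS options (-S, -n, -r) rather than -s. The nuauth address, certificate DN, PKI file
       paths and queue id are assumed values.

```shell
#!/bin/sh
# Added example, not from the nufw project: start a NuFW gateway with the strict
# TLS options documented above. Address, DN, PKI paths and queue id are assumed.
set -eu
NUAUTH_ADDR="${NUAUTH_ADDR:-192.0.2.10}"          # assumed nuauth address
NUAUTH_DN="${NUAUTH_DN:-CN=nuauth.example.org}"   # assumed DN of nuauth's certificate
PKI_DIR="${PKI_DIR:-/etc/nufw}"                   # assumed key/cert/CA/CRL directory
QUEUE_NUM="${QUEUE_NUM:-0}"                       # NFQUEUE id passed with -q

# Sum the bit values listed under -A for the named areas,
# e.g. "debug_areas PACKET AUTH" prints 18 (2 + 16).
debug_areas() {
    total=0
    for area in "$@"; do
        case "$area" in
            MAIN)   bit=1 ;;
            PACKET) bit=2 ;;
            USER)   bit=4 ;;
            GW)     bit=8 ;;
            AUTH)   bit=16 ;;
            *) echo "unknown debug area: $area" >&2; return 1 ;;
        esac
        total=$((total + bit))
    done
    echo "$total"
}
# Build the nufw command line: daemonize (-D), strict TLS checking (-S) with the
# expected nuauth DN pinned (-n) and a CRL (-r), instead of -s, which disables
# certificate checks. -C subscribes to conntrack events for connection expiration.
nufw_cmdline() {
    areas=$(debug_areas "$@")
    echo "nufw -D -d $NUAUTH_ADDR -p 4128" \
         "-k $PKI_DIR/nufw-key.pem -c $PKI_DIR/nufw-cert.pem" \
         "-a $PKI_DIR/ca.pem -r $PKI_DIR/ca.crl" \
         "-S -n $NUAUTH_DN -q $QUEUE_NUM -L 1024 -t 15 -T 1000 -C -A $areas"
}
# Netfilter side: accept established flows, queue new forwarded connections to
# nufw (-j NFQUEUE), and use CONNMARK so a mark set with -m follows every packet
# of the connection, as -M requires.
netfilter_rules() {
    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate NEW -j NFQUEUE --queue-num "$QUEUE_NUM"
    iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
}
if [ "${1:-}" = "start" ]; then   # act only when asked; otherwise just define helpers
    netfilter_rules
    eval "$(nufw_cmdline MAIN AUTH)"
fi
```

       Run it as "sh nufw-gateway.sh start" on the gateway; a DN containing spaces must be quoted before being
       passed to eval.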

SIGNALS

       The nufw daemon is designed to deal with several signals : USR1, USR2, SYS, WINCH and POLL.

       USR1   Increases verbosity. The daemon then acts as if it had been launched with one supplementary '-v'.
              A line is also added to the system log to mention the signal event.

       USR2   Decreases verbosity. The daemon then acts as if it had been launched with one less '-v'. A line is
              also added to the system log to mention the signal event.

       SYS    Removes the Conntrack events thread. This gets the daemon to work as if the "-C"  switch  had  not
              been set. This is useful on HA configurations, when one firewall gets passive, for instance.

       WINCH  Starts  the  Conntrack  events thread. This gets the daemon to work as if the "-C" switch had been
              set at startup. This is useful on HA configurations, when one firewall gets active, for instance.

       POLL   Logs an "audit" line, mentioning how many network datagrams were received and sent  since  daemon
              startup.

SEE ALSO

       nuauth(8)

AUTHOR

       Nufw was designed and coded by Eric Leblond, aka Regit (<eric@regit.org>), and Vincent Deffontaines, aka
       gryzor (<vincent@gryzor.com>). Original idea in 2001, while working on NSM Ldap support.

       This manual page was written by Vincent Deffontaines.

       Permission is granted to copy, distribute and/or modify this document under the terms  of  the  GNU  Free
       Documentation  License,  Version  2  as  published  by  the  Free  Software Foundation; with no Invariant
       Sections, no Front-Cover Texts and no Back-Cover Texts.

                                                25 November 2008                                         NUFW(8)