Provided by: uif_1.1.1-1_all bug

NAME

     uif — Tool for generating optimized packetfilter rules

SYNOPSIS

     uif [-6] [-dptW] [-b base] [-c config_file] [-C config_file] [-D bind_dn] [-r ruleset]
         [-R ruleset] [-s server] [-T time] [-w password]

DESCRIPTION

     This manual page documents  the uif command. It is used to generate optimized iptables(8)
     packetfilter rules, using a simple description file specified by the user. Generated rules
     are provided in iptables-save(8) style.  uif can be used to read or write rulesets from or
     to LDAP servers in your network, which provides a global storing mechanism. (LDAP support is
     currently broken, note that you need to include the uif.schema to your slapd configuration
     in order to use it.)

     uif.conf(5) provides an easy way to specify rules, without exact knowledge of the iptables
     syntax. It provides groups and aliases to make your packetfilter human readable.

     Keep in mind that uif is intended to assist you when designing firewalls, but will not tell
     you what to filter.

Options

     The options are as follows:

     -6      Turn on IPv6 mode so as to manipulate ip6tables rules.  Default configuration file
             is changed to /etc/uif/uif6.conf see -c below. It should be noted that nat rules are
             silently ignored if -6 is used.

     -b base
             Specify the base to act on when using LDAP based firewall configuration.  uif will
             look in the subtree ou=filter, ou=sysconfig, base for your rulesets.

     -c config_file
             This option specifies the configuration file to be read by uif.  See uif.conf(5) for
             detailed information on the fileformat. It defaults to /etc/uif/uif.conf.

     -C config_file
             When reading configuration data from other sources than specified with -c you may
             want to convert this information into a textual configuration file. This options
             writes the parsed config back to the file specified by config_file.

     -d      Clears all firewall rules immediatly.

     -D bind_dn
             If a special account is needed to bind to the LDAP database, the account dn can be
             specified at this point. Note: you should use this when writing an existing
             configuration to the LDAP. Reading the configuration may be done with an anonymous
             bind.

     -p      Prints rules specified in the configuration to stdout. This option is mainly used
             for debugging the rule simplifier.

     -r ruleset
             Specifies the name of the ruleset to load from the LDAP database. Remember to use
             the -b option to set the base. Rulesets are stored using the following dn: cn=name,
             ou=rulesets, ou=filter, ou=sysconfig, base, where name will be replaced by the
             ruleset specified.

     -R ruleset
             Specifies the name of the ruleset to write to the LDAP database. This option can be
             used to convert i.e. a textual configuration to a LDAP based ruleset.  Like using -r
             you've to specify the LDAP base to use. Target is cn=name, ou=rulesets, ou=filter,
             ou=sysconfig, base, where name will be replaced by the ruleset specified.

     -s server
             This option specified the LDAP server to be used.

     -t      This option is used to validate the packetfilter configuration without applying any
             rules.  Mainly used for debugging.

     -T time
             When changing your packetfiltering rules remotely, it is useful to have a test
             option. Specify this one to apply your rules for a period of time (in seconds).
             After that the original rules will be restored.

     -w password
             When connecting to the LDAP server, you may need to authenticate via passwords. If
             you really need to specify a password, use this option, otherwise use -W and enter
             it interactivly.

     -W      Activate interactive password query for LDAP authentication.

     uif is meant to leave the packetfilter rules in a defined state, so if something went wrong
     during the initialisation, or uif is aborted by the user, the rules that were active before
     starting will be restored.

     Normally you will not need to call this binary directly. Use the init script instead, since
     it does the most common steps for you.

FILES

     Configuration files are located in /etc/uif.

SEE ALSO

     uif.conf(5) iptables(8)

AUTHOR

     This manual page was written by Cajus Pollmeier <pollmeier@gonicus.de> and Jörg Platte
     <joerg.platte@gmx.de>, for the Debian GNU/Linux system (but may be used by others).