Provided by: nufw_2.4.3-3.3build2_amd64

NAME

       nufw - NUFW User filtering gateway server

SYNOPSIS

       nufw [ -h ] [ -V ] [ -D ] [ -m ] [ -v[v...] ] [ -s ] [ -S ] [ -N ] [ -A debug_area ]
            [ -k keyfile ] [ -c certfile ] [ -a cafile ] [ -r crlfile ] [ -n nuauth_cert_dn ]
            [ -d address ] [ -p (remote) port ] [ -t timeout ] [ -T track_size ]
            [ -q NfQueue_num ] [ -L Nfqueue_length ] [ -C ] [ -M ]

DESCRIPTION

       This manual page documents the nufw command.

       nufw is the minimalist server, designed to run on the gateway(s) of the network. nufw  is
       designed to run in conjunction with nuauth, the authenticating server.  nufw  receives
       network packets from the local firewall (on Linux 2.4 and 2.6, this is set up with  the
       '-j NFQUEUE' or '-j QUEUE' netfilter target) and asks a nuauth server whether each packet
       is authorized to travel through the gateway.

       The design of the NUFW package lets the administrator filter network traffic per user, not
       only per IP address. This means you can apply different permissions to user A and user B,
       even if they work at the same moment on the same multiuser machine. In other  words,  this
       extends firewalling criteria to the user ID, at the network scale.

       Original packaging, information and help can be found at http://www.nufw.org/

OPTIONS

       -h     Issues usage details and exits.

       -V     Issues version and exits.

       -D     Run as a daemon. If started as a daemon, nufw logs messages to syslog. If you  don't
              specify this option, messages go to the console nufw is running on, both on  STDOUT
              and STDERR. Unless you are debugging something, you  should  run  nufw  with  this
              option.

       -m     Mark packets with UserID. This requires the wvmark POM patch applied to  netfilter,
              and is necessary for per user QoS or routing.

       -v     Increases  debug  level.  Multiple switches are accepted and each of them increases
              the debug level by one. Default debug level is 2, max is 10.

       -A debug_area
              Selects the debug areas. The default is ALL. To select a subset, add up the  values
              of the wanted areas from the following list and pass the sum:

              • DEBUG_AREA_MAIN (1) main domain

              • DEBUG_AREA_PACKET (2) packet domain

              • DEBUG_AREA_USER (4) user domain

              • DEBUG_AREA_GW (8) Gateway domain, interaction with nufw servers.

              • DEBUG_AREA_AUTH (16) Authentication domain

       -k keyfile
              Use specified file as SSL (private) key file.

       -c certfile
              Use specified file as SSL (public) certificate file.

       -a cafile
              Use specified file as SSL certificate authority file.

       -r crlfile
              Use specified file as SSL certificate revocation list file. If you modify this file,
              nufw must be restarted to pick up the change; since 2.2.19, nufw instead reloads
              this file dynamically when it receives a HUP signal.

       -n nuauth_cert_dn
              Use the specified string as the DN expected in the nuauth certificate.  nufw  will
              refuse to connect if the provided string does not match the DN of the  certificate
              presented by nuauth. If you do not use this option, the DN of the nuauth
              certificate is checked against the fully qualified domain name of the nuauth
              server, obtained from a reverse DNS lookup on the nuauth IP address.

       -s     Disable strict TLS checking of the certificate provided by nuauth.

       -S     Force  strict  TLS  checking  of  the  certificate  provided by nuauth. This is the
              default behavior of the daemon since 2.2.18.

       -N     Suppress error if server FQDN does not match certificate CN.

       -d address
              Network address of the nuauth server.

       -p port
              Specifies the TCP port to send data to when addressing the nuauth server.  The
              nuauth server must be set up to listen on that port. Default value: 4128.

       -t seconds
              Specifies the timeout after which packets not answered by nuauth  are  forgotten.
              Default value: 15 s.

       -T track_size
              Sets the maximum number of packets that can wait for a decision in nufw.  Default
              value: 1000.

       -q NfQueue_num
              If nufw was compiled with NfQueue support, the id of the NfQueue to use (default: 0).

       -L Nfqueue_length
              Specifies the length of the nfnetlink queue used by nufw. This is  the  number  of
              packets that the kernel will keep internally before dropping new incoming packets.

       -C     Listen to conntrack events (needed for connection expiration).

       -M     Only report events on marked connections to nuauth (implies -C and -m).

              This is the way to do an efficient selection of the events to be sent  to  nuauth,
              but it REQUIRES a kernel with transmit_mark applied (should be ok for 2.6.18+)  and
              the use of CONNMARK to propagate the initial mark across all  the  packets  of  the
              connection.
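       The following pre-flight wrapper is an added example, not part of nufw or its packaging.
       It composes the -A bitmask from the area names listed above, checks that the -k private
       key is not group- or world-readable before the daemon is started with it, and assembles a
       command line that keeps strict TLS checking (-S) on and enables conntrack events (-C).
       The host name, port and file paths are placeholders chosen for the example; the wrapper
       only prints the command line, it does not execute nufw.

```shell
#!/bin/sh
# Added example: pre-flight helper for launching nufw. Not nufw's own code.
# All paths and the nuauth host name are placeholders supplied by the caller.

# Compose the -A bitmask from the area names documented in the man page.
# Usage: nufw_debug_mask MAIN PACKET AUTH   (prints 19)
nufw_debug_mask() {
    mask=0
    for area in "$@"; do
        case "$area" in
            MAIN)   mask=$((mask | 1)) ;;
            PACKET) mask=$((mask | 2)) ;;
            USER)   mask=$((mask | 4)) ;;
            GW)     mask=$((mask | 8)) ;;
            AUTH)   mask=$((mask | 16)) ;;
            *) echo "unknown debug area: $area" >&2; return 1 ;;
        esac
    done
    echo "$mask"
}

# The private key (-k) must exist and be readable only by its owner; the
# certificate (-c), CA (-a) and optional CRL (-r) files only need to exist.
# Group/other permission bits are taken from ls(1) columns 5-10 so the check
# works with both GNU and BSD userlands.
nufw_check_tls_files() {
    key=$1; cert=$2; ca=$3; crl=$4
    for f in "$key" "$cert" "$ca"; do
        [ -f "$f" ] || { echo "missing TLS file: $f" >&2; return 1; }
    done
    if [ -n "$crl" ] && [ ! -f "$crl" ]; then
        echo "missing CRL file: $crl" >&2; return 1
    fi
    group_other=$(ls -ld "$key" | cut -c5-10)
    case "$group_other" in
        ------) ;;
        *) echo "private key $key is group/world accessible ($group_other)" >&2; return 1 ;;
    esac
}

# Build the nufw command line. -S (strict TLS checking, the default since
# 2.2.18) is always passed explicitly; -C enables conntrack events so that
# expired connections are reported. -n and -r are emitted only when given.
# Usage: nufw_cmdline HOST PORT KEY CERT CA CRL NUAUTH_DN DEBUG_MASK
nufw_cmdline() {
    host=$1; port=$2; key=$3; cert=$4; ca=$5; crl=$6; dn=$7; mask=$8
    nufw_check_tls_files "$key" "$cert" "$ca" "$crl" || return 1
    args="-D -S -C -d $host -p $port -k $key -c $cert -a $ca"
    [ -n "$crl" ]  && args="$args -r $crl"
    [ -n "$dn" ]   && args="$args -n '$dn'"
    [ -n "$mask" ] && args="$args -A $mask"
    echo "nufw $args"
}

# Stand-alone demonstration: MAIN + PACKET + AUTH = 1 + 2 + 16.
nufw_debug_mask MAIN PACKET AUTH
```

       A real deployment would pass the printed line to exec after the checks succeed; the
       key-permission check matters because nufw reads the key as the daemon's user and a
       world-readable key lets any local account impersonate this gateway towards nuauth.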

SIGNALS

       The nufw daemon is designed to deal with several signals: USR1, USR2,  SYS,  WINCH  and
       POLL.

       USR1   Increases verbosity. The daemon then acts as if  it  had  been  launched  with  one
              supplementary '-v'. A line is also added to the system log to mention  the  signal
              event.

       USR2   Decreases verbosity. The daemon then acts as if it had been launched with one  less
              '-v'. A line is also added to the system log to mention the signal event.

       SYS    Removes  the  Conntrack  events thread. This gets the daemon to work as if the "-C"
              switch had not been set. This is useful on HA  configurations,  when  one  firewall
              gets passive, for instance.

       WINCH  Starts  the  Conntrack  events  thread. This gets the daemon to work as if the "-C"
              switch had been set at startup. This is  useful  on  HA  configurations,  when  one
              firewall gets active, for instance.

       POLL   Logs an "audit" line, mentioning how many network datagrams were received and  sent
              since daemon startup.

SEE ALSO

       nuauth(8)

AUTHOR

       Nufw was designed and coded by Eric Leblond, aka Regit (<eric@regit.org>),  and  Vincent
       Deffontaines, aka gryzor (<vincent@gryzor.com>). Original idea in 2001, while working  on
       NSM LDAP support.

       This manual page was written by Vincent Deffontaines

       Permission is granted to copy, distribute and/or modify this document under the  terms  of
       the  GNU  Free  Documentation  License,  Version  2  as  published  by  the  Free Software
       Foundation; with no Invariant Sections, no Front-Cover Texts and no Back-Cover Texts.

                                         25 November 2008                                 NUFW(8)