-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathuif.8
145 lines (143 loc) · 4.82 KB
/
uif.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
.TH uif 8 "Apr 19th, 2022" "Version 1.99.0" "Universal Internet Firewall"
.SH NAME
uif \- Universal Internet Firewall
.SH SYNOPSIS
'nh
.fi
.ad l
\fBuif\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
[-c \fI<configfile>\fR] [-n] [-p [-l]] [\fI-6\fR]
'in \n(.iu-\nxu
\fBuif\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
-d [\fI-6\fR]
'in \n(.iu-\nxu
\fBuif\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
[<ldap-options>]
'in \n(.iu-\nxu
.ad b
'hy
.SH DESCRIPTION
.PP
This manual page documents the \fBuif\fR command. It is used to generate
optimized
.BR nft (8)
or
.BR iptables (8)
packetfilter rules, using a simple description file specified by the
user. Generated rules are provided in
.BR nft (8)
(with option \fI-f <filename>\fR) or
.BR iptables\-save 8
style. \fBuif\fR can be used to read or write rulesets from or to LDAP
servers in your network, which provides a global storing mechanism (LDAP
support hasn't been tested for a long time). Note that you need to
include the \fIuif.schema\fR to your slapd configuration in order to use it.
.PP
.BR uif.conf (5)
provides an easy way to specify rules, without exact knowledge of the nft
/ iptables syntax. It provides groups and aliases to make your
packetfilter human readable.
.PP
Keep in mind that \fBuif\fR uif is intended to assist you when designing
firewalls, but will not tell you what to filter.
.SH OPTIONS
The options are as follows:
.TP
\fI\-6\fR
Turn on IPv6 mode so as to manipulate IPv6 rules. Default configuration
file is changed to /etc/uif/uif6.conf see \-c below. It should be noted
that nat rules are silently ignored if \-6 is used.
.TP
\fI\-b <basedn>\fR
Specify the base DN to act on when using LDAP based firewall
configuration. \fBuif\fR will look in the subtree
ou=filter,ou=sysconfig,<basedn> for your rulesets.
.TP
\fI\-c <configfile>\fR
This option specifies the configuration file to be read by
\fBuif\fR\.
See
.BR uif.conf (5)
for detailed information on the fileformat. It defaults to /etc/uif/uif.conf.
.TP
\fI\-C <configfile>\fR
When reading configuration data from other sources than specified with
\-c you may want to convert this information into a textual
configuration file. This options writes the parsed config back to the
file specified by <configfile>.
.TP
\fI\-d\fR
Clears all firewall rules immediately.
.TP
\fI\-D <bind_dn>\fR
If a special account is needed to bind to the LDAP database, the
account's DN can be specified at this point. Note: you should use this
when writing an existing configuration to the LDAP. Reading the
configuration may be done with an anonymous bind.
.TP
\fI\-p\fR
Prints rules specified in the configuration to stdout. This option is
mainly used for debugging the rule simplifier.
.TP
\fI\-l\fR
If printing rules (see \-p) prepend line numbers to the print-out.
.TP
\fI\-r <ruleset>\fR
Specifies the name of the ruleset to load from the LDAP database.
Remember to use the \-b option to set the base. Rulesets are stored using
the following dn: \fIcn=<ruleset>, ou=rulesets, ou=filter, ou=sysconfig,
basedn\fR, where <ruleset> will be replaced by the ruleset specified.
.TP
\fI\-R <ruleset>\fR
Specifies the name of the ruleset to write to the LDAP database. This
option can be used to convert i.e. a textual configuration to an LDAP
based ruleset. Like with using \-r you've to specify the LDAP base to
use. Target is \fIcn=<ruleset>, ou=rulesets, ou=filter, ou=sysconfig,
<basedn>\fR, where <ruleset> will be replaced by the ruleset specified.
.TP
\fI\-s <server>\fR
This option specifies the LDAP server to be used.
.TP
\fI\-t\fR
This option is used to validate the packetfilter configuration without applying
any rules. Mainly used for debugging.
.TP
\fI\-T <time>\fR
When changing your packetfiltering rules remotely, it is
useful to have a test option. Specify this one to apply
your rules for a period of <time> (in seconds). After that the original
rules will be restored.
.TP
\fI\-w <password>\fR
When connecting to an LDAP server, you may need to authenticate via a
password. If you really need to specify a password on the command line
(discouraged!), use this option, otherwise use \-W and enter it
interactively.
.TP
\fI\-W\fR
Activate interactive password query for LDAP authentication.
.PP
\fBuif\fR
is meant to leave the packetfilter rules in a defined state, so if
something went wrong during the initialisation, or \fBuif\fR is aborted
by the user, the rules that were active before starting will be restored.
.PP
Normally you will not need to call this binary directly. Use the init
script instead, since it does the most common steps for you.
.SH FILES
Configuration files are located in /etc/uif.
.SH SEE ALSO
uif.conf(5)
nft(8)
iptables(8)
.PP
.SH AUTHOR
This manual page was written by Cajus Pollmeier <[email protected]>
and Jörg Platte <[email protected]> and adjusted to nft support by Mike
Gabriel <[email protected]>.