
Administration

Compilation

Prerequisites

- libipq (in iptables-dev on Debian).
- automake1.7 and libtool to cleanly execute autogen.sh (if you compile from CVS).
- libldap and glib for the Nuauth server.

Userid Mark

To use the userid mark you need to apply patch-o-matic to your kernel. Releases later than pom-20031219 contain the required patches. The needed patches are ip_queue_vwmark and CONNMARK.

Don’t forget to compile and install the modified version of libipq before compiling nufw.

Compiling

To compile, use the standard [1]:

./configure; make; make install;

Next, you have to install the configuration file in the location you selected during configure.

Usage

Next, you will have to run (as root) nufw. nufw -h will give you a usage message.

You will also have to launch the authorisation server, nuauth. nuauth -h will give you a usage message.

On the client machine, you have to run a client. For the moment only nutcpc is provided. To authenticate as user 1002 to the nuauth server 192.168.1.1, launch:

nutcpc -U 1002 -H 192.168.1.1

To have SSL encrypted flow, add the -S flag.

Configuration

Nuauth configuration file

We have tried to comment the configuration file so that it is almost self-documenting.

The main configuration variables are:

- nuauth_addr : the address nuauth listens on
- nuauth_gw_packet_port : the port receiving gateway packets
- nuauth_user_packet_port : the port receiving user packets
- nufw_gw_addr : the IP address that will receive our authentication answer packet
- nufw_gw_port : the port where the nufw server waits for our authentication answer packet

Setting up LDAP

Slapd configuration

The configuration of the LDAP server is done in two steps:

- Copy the file conf/acls.schema into the /etc/ldap/schema/ directory.
- Add the following line under the last include line at the beginning of /etc/ldap/slapd.conf:

include /etc/ldap/schema/acls.schema

ACL definition

An ACL is a NuAccessControlList entry in LDAP. The object name is almost self-explanatory. One of the only things to know is that you will need to put Internet addresses in their integer notation.

Group 0 is the group that contains all users, so no user authentication from the client is required when an ACL on this group matches.

Using nuaclgen.pl

The nuaclgen.pl script provides a convenient way to add ACLs to the LDAP tree.

You must first set bind parameters in /etc/nufw/nuaclgen.conf to a user with read-write permission on the acl subtree.

You also need to create, in your LDAP tree, the dc=acls and the ou=people branches. For instance, in our example, we created (with gq) "dc=acls,dc=nufw,dc=org", with full inheritance from "dc=nufw,dc=org" ; and we created "ou=people,dc=nufw,dc=org" with objectclass "OrganisationalUnit" and "Top".

Once this is done you can, for example, add ssh access for groups 100 and 101 to the server with IP 192.168.16.1 with:

nuaclgen.pl -A "cn=serverssh,dc=acls,dc=nufw,dc=org" \
-da 192.168.16.1 -p 6 --dport 22 -j ACCEPT -g 101,100

You can also list ACLs for a given group with:

nuaclgen.pl -L -g 101

User definition

A user is a NuAccount entry in LDAP. This object is derived from posixAccount, with the difference that it can have multiple Group attributes. At this stage of the project, passwords have to be stored in clear text in the directory and have to be readable by the specified user. Thus, the LDAP server must be in a DMZ.

User accounts have to be set up with external tools. gq can correctly manage user insertion.

This is a typical entry:

dn: cn=nuuser,o=people,dc=nufw,dc=org
objectClass: top
objectClass: NuAccount
objectClass: person
cn: nuuser
uid: 1002
uidNumber: 1002
Group: 100
Group: 101
Group: 103
homeDirectory: /home/xxxx/
sn: NuFW users
userPassword: mypassword

This user will have to authenticate with id 1002 and give the password "mypassword". He is a member of groups 100, 101 and 102.

LDAP parameters have to be configured in nuauth.conf.

Setting up Netfilter

Adding some rules

Let’s define here a full nufw firewall:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -p !tcp -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --tcp-flags ACK,FIN NONE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --tcp-flags SYN,RST,ACK RST -j QUEUE
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --tcp-flags FIN FIN -j QUEUE
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --tcp-flags SYN,ACK SYN,ACK -j QUEUE
iptables -A FORWARD -m state --state NEW -j QUEUE
iptables -A FORWARD -j DROP

Sending RST, FIN, and SYN,ACK packets to NuFW allows for fine connection tracking at NuFW level. All the queued packets are received by nufw and are checked at user level.

Marking the packets

Using the provided patch for libipq and the ip_queue module, NuFW is able to put a mark equal to the userid on the packets it deals with. Thus the first packet of every connection is marked.

To have every packet of a connection marked, we can use the following iptables commands:

iptables -A POSTROUTING -t mangle -m mark --mark 0x0 \
-j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0x0 \
-j CONNMARK --save-mark

Because NuFW sets its mark with a mask of 0xffff, you can combine the user mark with another mark that uses the mask 0xffff0000. There is a limitation coming from iptables: the MARK target cannot set a mark with a mask. So you need to set the iptables MARK first; NuFW then sets its own mark while preserving the existing netfilter mark. For example (completing the above rules):

iptables -A FORWARD  -t mangle -m state --state NEW -p tcp --dport 22 \
-j MARK --set-mark 1441792
iptables -A POSTROUTING  -t mangle -m mark --mark 1002/0xffff
iptables -A POSTROUTING  -t mangle -m mark --mark 1441792/0xffff0000

The mark has to be set in the FORWARD chain of the mangle table because there it is set before the packet reaches the QUEUE target. As 1441792 = 22 * 2^16, we put a mark of 22 with an offset of 2^16 on each packet initiating a connection to port 22. Next, NuFW adds its mark when the packet comes back from userspace. In the POSTROUTING chain, CONNMARK saves and/or restores this composed mark for the rest of the connection.

So the first counter increments for any packet coming from user 1002 and the second counter increments for any ssh packet. On top of that, if user 1002 uses ssh, both counters increase.
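The composed mark described above, modelled as an added Python example that is not NuFW code: it builds the 16-bit class mark (22 * 2^16 = 1441792), writes the user id into the low 16 bits the way the text says NuFW does on reinjection, evaluates "-m mark --mark value/mask" for the two counter rules, and models the CONNMARK --save-mark / --restore-mark pair with a dictionary standing in for the conntrack table. The masks 0xffff / 0xffff0000 and the values 1002 and 1441792 come from the text; the function names, the connection identifiers and the refusal of ids wider than 16 bits are my additions.

```python
# Added example, not part of the NuFW documentation: how the user mark and the
# iptables MARK share one 32-bit fwmark, and how the POSTROUTING rules see it.
from typing import Dict

USER_MASK = 0xFFFF          # the half NuFW writes (the user id)
CLASS_MASK = 0xFFFF0000     # the half set by iptables MARK before queueing
CLASS_SHIFT = 16


def class_mark(value: int) -> int:
    """Build the iptables MARK for a traffic class, e.g. 22 -> 1441792 (22 * 2**16)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("class value must fit in 16 bits")
    return value << CLASS_SHIFT


def apply_user_mark(existing_mark: int, user_id: int) -> int:
    """Model of what NuFW does on reinjection: write user_id into the low 16 bits
    and keep whatever iptables already put into the upper 16 bits."""
    if not 0 <= user_id <= 0xFFFF:
        # An id wider than 16 bits would clobber the class half (assumption:
        # the doc only says the user mark uses mask 0xffff).
        raise ValueError("user id must fit in 16 bits")
    return (existing_mark & CLASS_MASK) | (user_id & USER_MASK)


def split_mark(mark: int):
    """Return (user_id, class_value) from a composed mark."""
    return mark & USER_MASK, mark >> CLASS_SHIFT


def mark_matches(mark: int, value: int, mask: int = 0xFFFFFFFF) -> bool:
    """Semantics of iptables '-m mark --mark value/mask'."""
    return (mark & mask) == (value & mask)


def counters_hit(mark: int) -> Dict[str, bool]:
    """Which of the two POSTROUTING counter rules from the text see this packet:
    '--mark 1002/0xffff' and '--mark 1441792/0xffff0000'."""
    return {
        "user_1002": mark_matches(mark, 1002, USER_MASK),
        "ssh_class": mark_matches(mark, class_mark(22), CLASS_MASK),
    }


def postrouting_connmark(conn_marks: Dict[str, int], conn_id: str, packet_mark: int) -> int:
    """Model of the two POSTROUTING CONNMARK rules: a packet whose mark is 0
    inherits the connection mark (--restore-mark); a packet with a non-zero
    mark stores it on the connection (--save-mark).  Returns the packet's
    mark after the chain."""
    if packet_mark == 0:
        return conn_marks.get(conn_id, 0)
    conn_marks[conn_id] = packet_mark
    return packet_mark


if __name__ == "__main__":
    conntrack: Dict[str, int] = {}          # constructed stand-in for the conntrack table
    first = apply_user_mark(class_mark(22), 1002)   # SYN to port 22 from user 1002
    print(f"composed mark: {first} -> user/class {split_mark(first)}")
    print("first packet :", counters_hit(postrouting_connmark(conntrack, "1002->22", first)))
    # later packets of the same connection arrive in POSTROUTING with mark 0
    print("later packet :", counters_hit(postrouting_connmark(conntrack, "1002->22", 0)))
```

Note that the class rule with "--set-mark 1441792" overwrites the whole fwmark, which is why the text insists on setting it before the packet is queued: only NuFW's later write is mask-aware in this scheme.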

The same system can be used to direct packet into the queuing disciplines.

[1] You will need to run first ./autogen.sh if you’ve got the source from CVS.