www.edenwall.com

NuFW 2.2, what’s in the .2 ?

After more than one year of development NuFW 2.2 replaces NuFW 2.0.

A bunch of new features

The changes are numerous and substantial. The most important ones are:
- Full IPv6 support
- Advanced marking system (and thus advanced QoS and routing)
- Command mode in nuauth to reconfigure the server dynamically and get counters from it.

IPv6

One of the fundamental new features of NuFW 2.2 is IPv6 support. Introduced in the latest versions of Netfilter, nf_conntrack brings connection tracking to IPv6, which makes it possible to apply the NuFW algorithm to IPv6 traffic.

NuFW 2.2 includes complete support for IPv6. All the internal structures now use IPv6 addresses, to the point that IPv4 support can almost be considered an extension of NuFW 2.2.

Backward compatibility

A significant amount of work was done to guarantee compatibility between NuFW 2.2 and NuFW 2.0. Consequently, the new version supports:
- Connections from a NuFW 2.0 process
- Connections from 2.0 clients
- The 2.0 database format (which thus guarantees compatibility with software components such as Nulog or Nulog2)
- ACLs stored in LDAP in the 2.0 format

What’s more, nuauth correctly interprets configuration files for nuauth 2.0.

Routing and quality of service

NuFW 2.0 only partially took advantage of the quality-of-service possibilities offered by the authentication algorithm. Version 2.2 improves this feature by introducing a hook which runs just before the decision is taken for a packet. It is then possible to compute the mark using all the information gathered on the packet:
- IP parameters
- user
- groups the user is a member of
- application
- operating system.

Three modules are currently implemented. They build the packet's 32-bit mark by splitting it into arbitrary chunks. All the routing and quality-of-service tools can then use this mark to handle the streams differently, according to the mark.

mark_uid

The numerical identifier of the user is written into a part of the packet's mark.

mark_group

This module sets a mark according to the groups the user is a member of.

mark_field

This module sets a part of the mark by matching the OS or application field of the connection against an expression. For instance, one can write:

1:*firefox*
2:*explorer*

to set a mark of 1 to Firefox and a mark of 2 to Internet Explorer.

mark_flag

This module asks the ACLs to tell it the mark to apply to the packet. This gives the finest possible granularity, since one benefits from all the filtering power of Netfilter and NuFW.

Example

One can build a mark using the following components of the connection:

Bits     Content
0-16     user ID
16-17    proxy or not (group)
18-24    OS code
25-32    application code

With this type of marking, one can decide whether a user must pass through a transparent proxy (according to the user's group). The first 16 bits make it possible to account for bandwidth use per user. Bits 18-24 and 25-32 can be used to manage bandwidth differently according to the OS or the application.

One can then imagine extremely varied policies, for example:
- Internet Explorer goes through the proxy but Firefox surfs directly
- The users of a given group are allocated 15KB/s of bandwidth from all the machines on the network, independently of the number of connected users.
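The following Python example, added here and not taken from NuFW itself, shows how the 32-bit mark described above is assembled from the fields NuFW knows about and how mark_field style rules ("1:*firefox*") are matched by glob. The bit offsets and widths, the proxy group number, the OS rules and the sample user data are all assumptions chosen to mirror the table above; the value/mask string is the form a routing or QoS tool such as iptables (-m mark --mark value/mask) consumes.

```python
import fnmatch

# (offset, width) of each chunk of the 32-bit mark. This is one consistent
# reading of the article's table (0-16, 16-17, 18-24, 25-32), chosen for this
# example; NuFW's own modules are configured, not hard-coded like this.
FIELDS = {
    "uid":   (0, 16),   # mark_uid: numerical user id
    "proxy": (16, 2),   # mark_group: proxy-or-not flag derived from the group
    "os":    (18, 7),   # mark_field: OS code
    "app":   (25, 7),   # mark_field: application code
}

PROXY_GROUP = 513  # constructed: members of this group must use the transparent proxy

# mark_field style rules, one "CODE:GLOB" per line (the app rules are the article's).
APP_RULES_TEXT = """
1:*firefox*
2:*explorer*
"""
OS_RULES_TEXT = """
1:*linux*
2:*windows*
"""


def parse_field_rules(text):
    """Parse 'CODE:GLOB' lines into an ordered list of (code, glob) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        code, glob = line.split(":", 1)
        rules.append((int(code), glob))
    return rules


def field_code(rules, value, default=0):
    """Code of the first rule whose glob matches value (case-insensitive), else default."""
    for code, glob in rules:
        if fnmatch.fnmatch(value.lower(), glob.lower()):
            return code
    return default


def set_field(mark, name, value):
    """Return mark with the named chunk replaced by value, refusing overflow."""
    offset, width = FIELDS[name]
    if not 0 <= value < (1 << width):
        raise ValueError(f"{name}={value} does not fit in {width} bits")
    mask = ((1 << width) - 1) << offset
    return (mark & ~mask & 0xFFFFFFFF) | (value << offset)


def get_field(mark, name):
    offset, width = FIELDS[name]
    return (mark >> offset) & ((1 << width) - 1)


def field_match(name, value):
    """'value/mask' string selecting only this chunk, as iptables -m mark expects."""
    offset, width = FIELDS[name]
    mask = ((1 << width) - 1) << offset
    return f"0x{value << offset:x}/0x{mask:x}"


APP_RULES = parse_field_rules(APP_RULES_TEXT)
OS_RULES = parse_field_rules(OS_RULES_TEXT)


def build_mark(uid, groups, os_name, app_path):
    """Combine the per-connection attributes into one 32-bit mark."""
    mark = 0
    mark = set_field(mark, "uid", uid)
    mark = set_field(mark, "proxy", 1 if PROXY_GROUP in groups else 0)
    mark = set_field(mark, "os", field_code(OS_RULES, os_name))
    mark = set_field(mark, "app", field_code(APP_RULES, app_path))
    return mark


def route_via_proxy(mark):
    """Policy from the article: proxy members and Internet Explorer go through the proxy."""
    return get_field(mark, "proxy") == 1 or get_field(mark, "app") == 2


if __name__ == "__main__":
    # Constructed sample connections.
    ie = build_mark(1012, {513}, "Windows XP",
                    r"C:\Program Files\Internet Explorer\iexplore.exe")
    ff = build_mark(1006, {1043}, "Linux 2.6.18-4-k7", "/usr/lib/firefox/firefox-bin")
    for m in (ie, ff):
        print(hex(m), {n: get_field(m, n) for n in FIELDS}, "proxy" if route_via_proxy(m) else "direct")
    print("iptables match for Internet Explorer traffic:", field_match("app", 2))
```

Because each chunk has its own mask, a routing or shaping rule can test one component while ignoring the others, which is what makes the per-group proxy and per-application bandwidth policies independent of each other.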

Protocol improvement

All the protocols have been reviewed to allow IPv6 support. Moreover, communication between nufw and nuauth has been improved. With a recent version of the Netfilter libraries, nufw is able to feed back:
- the name of the input and output network interfaces used by a packet
- the amount of data for the connections

Command mode

A command mode has been added to nuauth. One can now get and set certain properties of nuauth (without restarting it) by sending requests to it through a UNIX socket.

A Python script, nuauth_command, is included in the source package. Among the available functions, the most notable are:
- users: list all connected users
- firewalls: list the connected nufw firewalls
- debug_level LEVEL: raise or lower the log level
- debug_areas AREAS: change the areas of the code covered by the logs
- disconnect: disconnect a user and force them to authenticate again.

Here is a session example:

>>> users
....
#24: u'lds' at ::ffff:c0a8:21c1 (port 57980) 2:20:09 since 2007-04-19 21:26:12
  id: 1012, groups: 513
  Linux 2.6.18-4-k7 (#1 SMP Mon Mar 26 17:57:15 UTC 2007)
#11: u'debian' at ::ffff:c0a8:21df (port 36562) 7:23:18 since 2007-04-19 16:23:03
  id: 1006, groups: 1043
  Linux 2.6.18-028stab023 (#1 SMP Sun Mar 25 01:38:10 CET 2007)
(list: 18 items)

>>> uptime
Uptime: 7:23:24 since 2007-04-19 16:23:00

>>> disconnect 11
users disconnected

>>> firewalls
#7: nufw at ::ffff:c0a8:2101, 2:17:03 since 2007-04-19 21:29:34 (usage=1, alive=True)
(list: 1 items)
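As an added example, not part of the original article or of the nuauth_command script, the Python code below parses the output of the users command shown above into records, converts the IPv4-mapped IPv6 addresses back to dotted form, and flags sessions older than a threshold, which is the kind of check an administrator would run before deciding which session number to pass to disconnect. The embedded text is the article's sample session; the seven-hour threshold is a constructed value.

```python
import ipaddress
import re
from datetime import datetime

# The article's sample output of the "users" command (copied as printed).
USERS_OUTPUT = """\
#24: u'lds' at ::ffff:c0a8:21c1 (port 57980) 2:20:09 since 2007-04-19 21:26:12
  id: 1012, groups: 513
  Linux 2.6.18-4-k7 (#1 SMP Mon Mar 26 17:57:15 UTC 2007)
#11: u'debian' at ::ffff:c0a8:21df (port 36562) 7:23:18 since 2007-04-19 16:23:03
  id: 1006, groups: 1043
  Linux 2.6.18-028stab023 (#1 SMP Sun Mar 25 01:38:10 CET 2007)
(list: 18 items)
"""

HEADER_RE = re.compile(
    r"^#(?P<num>\d+): u'(?P<name>[^']*)' at (?P<addr>\S+) \(port (?P<port>\d+)\) "
    r"(?P<dur>\d+:\d{2}:\d{2}) since (?P<since>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)
IDENT_RE = re.compile(r"^\s+id: (?P<uid>\d+), groups: (?P<groups>[\d, ]+?)\s*$")
COUNT_RE = re.compile(r"^\(list: (?P<total>\d+) items?\)\s*$")


def _duration_seconds(text):
    hours, minutes, seconds = (int(x) for x in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def _plain_ip(text):
    """Render ::ffff:a.b.c.d mapped addresses as IPv4, leave native IPv6 alone."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped is not None else str(addr)


def parse_users(text):
    """Return (sessions, reported_total) from the users command output."""
    sessions, total, current = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "num": int(m.group("num")),
                "name": m.group("name"),
                "ip": _plain_ip(m.group("addr")),
                "port": int(m.group("port")),
                "duration": _duration_seconds(m.group("dur")),
                "since": datetime.strptime(m.group("since"), "%Y-%m-%d %H:%M:%S"),
            }
            sessions.append(current)
            continue
        m = IDENT_RE.match(line)
        if m and current is not None:
            current["uid"] = int(m.group("uid"))
            current["groups"] = [int(g) for g in m.group("groups").split(",")]
            continue
        m = COUNT_RE.match(line)
        if m:
            total = int(m.group("total"))
            continue
        # Remaining indented line of a record is the client's OS string.
        if current is not None and line.startswith("  ") and "os" not in current:
            current["os"] = line.strip()
    return sessions, total


def stale_sessions(sessions, max_hours):
    """Session numbers connected for longer than max_hours, oldest first."""
    limit = max_hours * 3600
    old = [s for s in sessions if s["duration"] > limit]
    return [s["num"] for s in sorted(old, key=lambda s: s["duration"], reverse=True)]


if __name__ == "__main__":
    users, total = parse_users(USERS_OUTPUT)
    print(f"{len(users)} of {total} sessions shown")
    for u in users:
        print(u["num"], u["name"], u["ip"], u["uid"], u["groups"], u["os"])
    print("candidates for disconnect:", stale_sessions(users, max_hours=7))
```

The reported total (18) differs from the number of records parsed because the sample output elides most of the list with "....", so the count line is kept as a separate value rather than trusted as the length of the list.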

Complete SASL support

The SASL support has been reworked so as to benefit from all the authentication mechanisms offered by the cyrus-sasl library:
- plain
- OTP
- cramMD5
- digestMD5

Application filtering by expression

The application filtering has been reworked to allow filtering by glob. Generating and maintaining filtering rules that take the application into account thus becomes easier because, for example, one can write an ACL filtering on *firefox.exe.