Dependencies
To compile nufw 1.0.x, you need:
glib2.0
gpg-error
gcrypt
gnutls
cyrus-sasl
gdbm
libident (optional, used for the no-client mode)
libpam and corresponding headers
Compilation
Compile with the following commands:
./configure --sysconfdir=/etc/nufw/ --with-gdbm --with-ident --with-debug
make
make install
Note: you can omit --with-debug, it is only there to provide verbose debug messages.
NuFW configuration
NuFW 1.0.x provides the following files in the conf/ directory:
nuauth.conf
acls.nufw
users-gdbm.nufw (to be used with the dbm user module)
users.nufw (to be used with the plaintext user module)
Copy them into your configuration directory (/etc/nufw if you have followed the instructions above). The provided configuration file (nuauth.conf) uses the dbm module for user authentication and the plaintext module for ACL checking.
Running NuFW
Load the ip_queue module:
modprobe ip_queue
Create an X509 certificate and key:
key file: /etc/nufw/nufw-key.pem
certificate file: /etc/nufw/nufw-cert.pem
The NuFW archive contains a set of certificates and keys in the conf/certs/ directory. For testing only (these keys ship with every copy of the archive, so they are public), you can simply do:
cp conf/certs/nufw-key.pem /etc/nufw/nufw-key.pem
cp conf/certs/nufw-cert.pem /etc/nufw/nufw-cert.pem
Launch NuFW:
/usr/local/sbin/nufw -D -vvvv -d 127.0.0.1 -p 4129
Generate certificate and key for nuauth or copy the ones given in the NuFW archive to the correct location.
cp conf/certs/nuauth-key.pem /etc/nufw/nuauth-key.pem
cp conf/certs/nuauth-cert.pem /etc/nufw/nuauth-cert.pem
cp conf/certs/NuFW-cacert.pem /etc/nufw/NuFW-cacert.pem
Launch NuAuth:
/usr/local/sbin/nuauth -D
Add a global QUEUE rule with iptables (we assume the initial ruleset is empty):
iptables -I OUTPUT ! -o lo -m state --state NEW -p tcp -j QUEUE
If you want to test the no-client mode, you need to install an ident server on the client. It is known to work fine with identd. Once the installation is done you can proceed to the tests. Note that the username on the client system has to be the same as the one known to nufw. Also note that this shifts the trust to the ident server: nuauth accepts whatever username it reports.
Optional: generate or copy the key and certificate for the client; the key has to be in $HOME/.nufw/key.pem:
mkdir ~/.nufw/
cp conf/certs/user@nufw.org-key.pem ~/.nufw/key.pem
cp conf/certs/user@nufw.org-cert.pem ~/.nufw/cert.pem
Run nutcpc:
nutcpc -U $LOGIN -H <nuauth_IP>
where $LOGIN is one of:
user with password imauser in group 102
admin with password iadmin in group 100,102
suadmin with password suroot in group 103
Each group has a set of permissions described in the acls.nufw file:
102 can surf the web
100 can do ssh
103 can do anything they please
If you use certificate authentication you need to specify the username that matches the one in the key (user or admin in our example).
To change the filtering rules, edit /etc/nufw/acls.nufw. If you want to test application and OS filtering, you have to add AppName and OS lines to your ACL entry, as in this example:
[sshapp]
decision=1
gid=100
proto=6
SrcIP=0.0.0.0/0
SrcPort=1024-65536
DstIP=0.0.0.0/0
DstPort=22
AppName=/usr/bin/ssh
OS=Linux
AppName contains the complete path of the executable and OS is:
for Unixes: the result of uname
for Microsoft OSes: one of Windows 95, Windows NT, Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003.
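The acls.nufw layout shown above is simple enough to lint before nuauth loads it. The Python below is an added example, not code from NuFW: it parses the [section] / key=value format, checks the keys assumed here to be mandatory (decision, gid, proto, SrcIP, SrcPort, DstIP, DstPort; AppName and OS are treated as optional, as the text suggests), and rejects malformed networks, ports outside 0-65535 and an AppName that is not an absolute path. Run on the sshapp entry above, it flags SrcPort=1024-65536, because TCP port numbers end at 65535.

```python
import ipaddress

def parse_acls(text):
    """Parse the [section] / key=value layout of acls.nufw into {name: {key: value}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = acls.setdefault(line[1:-1], {})
        elif current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return acls

def port_range(spec):
    """'22' -> (22, 22); '1024-65535' -> (1024, 65535); rejects ports outside 0-65535."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{spec} is not within 0-65535")
    return lo, hi

# Validator per key assumed mandatory; AppName and OS are the optional ones and pass as plain strings.
CHECKS = {"decision": int, "gid": int, "proto": int, "SrcPort": port_range, "DstPort": port_range,
          "SrcIP": ipaddress.ip_network, "DstIP": ipaddress.ip_network}

def lint_acls(acls):
    """Return {acl_name: [problems]}; an empty dict means every entry passed."""
    problems = {}
    for name, entry in acls.items():
        errs = [f"missing {k}" for k in CHECKS if k not in entry]
        for key, value in entry.items():
            try:
                CHECKS.get(key, str)(value)  # each validator raises ValueError on bad input
            except ValueError as exc:
                errs.append(f"bad {key}={value}: {exc}")
        if "AppName" in entry and not entry["AppName"].startswith("/"):
            errs.append("AppName must be the complete path of the executable")
        if errs:
            problems[name] = errs
    return problems

# Constructed sample: the [sshapp] entry from the text plus a [web] entry that lacks DstPort.
SAMPLE = "\n".join(["[sshapp]", "decision=1", "gid=100", "proto=6", "SrcIP=0.0.0.0/0", "SrcPort=1024-65536",
                    "DstIP=0.0.0.0/0", "DstPort=22", "AppName=/usr/bin/ssh", "OS=Linux", "[web]", "decision=1",
                    "gid=102", "proto=6", "SrcIP=0.0.0.0/0", "SrcPort=1024-65535", "DstIP=0.0.0.0/0"])
```

To check a real file, replace SAMPLE with the contents of /etc/nufw/acls.nufw and print lint_acls(parse_acls(...)).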
Debugging NuFW problems
Both nufw and nuauth daemons can be run with multiple -v arguments. Each "v" adds verbosity to output of the daemons, and allows for easier debugging.
In this mode, your nuauth daemon should display the following when dealing with connections:
Lines starting with "*** User" mean nuauth receives authentication packets from a client.
Lines starting with "*** Packet" mean nuauth receives connection data from nufw.
If either of these is missing, make sure your clients and nufw are running and properly configured.