
The first difference is really simple: NuFW 2.0 comes one year after NuFW 1.0, and that is a year of work and code. The differences are therefore substantial.
Let's start from a firewall administrator's point of view.
User session logging
Connections of users to nuauth can now be easily logged to SQL or syslog:
nuauth_user_session_logs_module="mysql"
This will maintain a SQL table "users" containing the list of user sessions with all available parameters (OS, start and end date).
True time based acls
NuFW 2.0 implements complete time-based ACLs. It is now possible to define ACLs that only match during a given period. Better still, the established connections concerned can be torn down at the end of the period, and this is done cleanly by removing the connection from Netfilter's conntrack table.
Thanks to the Netfilter core team for its recent work on connection tracking modification from userspace!
Prelude logging
NuFW can now log information directly into the Prelude IDS. A new Prelude module is available for user session and packet logging.
Modules chaining
All modules can now be called one after another. This means that you can do things like:
nuauth_user_logs_module="syslog mysql pgsql"
With that, nuauth will log packets to syslog, mysql and pgsql.
But it is possible to do more by having multiple instances of the same module loaded simultaneously. Each entry in the list takes one of three forms:
name : load module "name" with its configuration taken from nuauth.conf
name:type : load module "type" with config file CONFIG_DIR/modules/name.conf
name:type:conf : load module "type" with config file "conf"
For example:
nuauth_user_logs_module="mysql1:mysql mytesdb:mysql:/etc/nufw/test.conf"
This will load one mysql instance with the configuration parameters stored in /etc/nufw/modules/mysql1.conf and another instance with the parameters from the file /etc/nufw/test.conf.
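To make the three forms concrete, here is a small parser for the module-list syntax described above, written for this post as an added example (it is not NuFW's own code). It assumes CONFIG_DIR is /etc/nufw and that the inline case reads /etc/nufw/nuauth.conf; both are assumptions, not values from nuauth itself.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed for this example: CONFIG_DIR of the nuauth installation.
CONFIG_DIR = "/etc/nufw"
MAIN_CONF = f"{CONFIG_DIR}/nuauth.conf"


@dataclass(frozen=True)
class ModuleSpec:
    name: str    # instance name, also used to derive the per-instance config file
    module: str  # module type actually loaded (mysql, pgsql, syslog, ...)
    conf: str    # file the instance reads its parameters from


def parse_module_list(value: str) -> List[ModuleSpec]:
    """Parse the value of a nuauth *_module option.

    name            -> module "name", parameters from nuauth.conf
    name:type       -> module "type", parameters from CONFIG_DIR/modules/name.conf
    name:type:conf  -> module "type", parameters from "conf"
    """
    specs: List[ModuleSpec] = []
    for token in value.split():
        parts = token.split(":", 2)  # at most three fields; a ':' inside conf is kept
        if len(parts) == 1:
            name = module = parts[0]
            conf = MAIN_CONF
        elif len(parts) == 2:
            name, module = parts
            conf = f"{CONFIG_DIR}/modules/{name}.conf"
        else:
            name, module, conf = parts
        if not (name and module and conf):
            raise ValueError(f"malformed module spec: {token!r}")
        specs.append(ModuleSpec(name, module, conf))
    # Lint added by this example: two instances sharing a name would also
    # share a derived config file, which is almost certainly a mistake.
    names = [s.name for s in specs]
    if len(set(names)) != len(names):
        raise ValueError(f"duplicate instance name in {value!r}")
    return specs


def read_module_option(line: str, option: str) -> List[ModuleSpec]:
    """Extract option="..." from one nuauth.conf line and parse its value."""
    m = re.fullmatch(rf'\s*{re.escape(option)}\s*=\s*"([^"]*)"\s*', line)
    if m is None:
        raise ValueError(f"line does not set {option}: {line!r}")
    return parse_module_list(m.group(1))
```

Running read_module_option on the post's example line yields two specs: mysql loaded as "mysql1" reading /etc/nufw/modules/mysql1.conf, and mysql loaded as "mytesdb" reading /etc/nufw/test.conf.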
Dynamic reloading of configuration
All modules and their associated configuration can now be reloaded dynamically by sending a simple HUP signal to nuauth. Some of the variables that do not involve too deep a change in nuauth's inner workings can also be modified and taken into account dynamically by nuauth.
Hello authentication
This new authentication method can be used to provide full IP-based authentication. It is in fact an a posteriori authentication. Please do not use it...
ICMP reject
ACLs can now be set up to send an ICMP reject (as Netfilter does not support this through its QUEUE mechanism, it has to be done by nufw). Thus, it is now possible to warn the user that a packet is being dropped.
An ICMP reject message can also be triggered when a packet reaches the timeout (set nuauth_reject_after_timeout to 1) or when the user is in any group of the ACL matching a packet (set nuauth_reject_authenticated_drop to 1).
pam_nufw module
Yes! It can now be used transparently on Linux or any other system that supports PAM.
Better documented code
Who said "better" should be removed? Anyway, NuFW 2.0 has Doxygen-generated documentation, which is available at http://www.nufw.org/doxygen/
The code has also been intensively cleaned up and is now ANSI C compliant.
Use of the latest Netfilter features
NuFW 2.0 is now able to use the latest Netfilter features based on the new nfnetlink infrastructure.
It uses:
libnetfilter_queue : provides out-of-the-box userspace packet marking, and we can now run multiple nufw instances on the same firewall.
libnetfilter_conntrack : conntrack interaction can now be used to maintain the authenticated conntrack entries. Complicated iptables rules are no longer necessary.
This, of course, requires a recent 2.6 kernel (>=2.6.14); >=2.6.18 will be best once it is out.
Improved libnuclient
libnuclient has been improved, and error handling capabilities have been added to ease client development and use.
Endian and multilingual friendly protocol
All dialogs between the different components (nufw<->nuauth, nuauth<->clients) are now done in network byte order, and all strings are UTF-8 encoded. This increases the portability of NuFW to all OSes and all languages.