NuFW - handbook22.xml - NuFW Project Homepage

handbook22.xml

Eric Leblond, 03/02/2010 01:34 am

 <?xml version='1.0'?>
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
 <book><title>NuFW Handbook</title>
   <bookinfo>
     <author>
       <firstname>Eric</firstname>
       <surname>Leblond</surname>
       <email>eric at inl dot fr</email>
     </author>
     <author>
       <firstname>Vincent</firstname>
       <surname>Deffontaines</surname>
       <email>gryzor at inl dot fr</email>
     </author>
     <author>
       <firstname>Pierre</firstname>
       <surname>Chifflier</surname>
       <email>chifflier at inl dot fr</email>
     </author>
     <copyright>
       <year>2005-2008</year>
       <holder>INL</holder>
     </copyright>
     <revhistory>
     <revision>
               <revnumber>1.0.3</revnumber>
         <date>2009/01/20</date>
         <revdescription>
         <para>Added a short note about OCSP support.</para>
         </revdescription>
     </revision>
     <revision>
               <revnumber>1.0.2</revnumber>
         <date>2008/12/10</date>
         <revdescription>
         <para>Updated the nuauth_command description. Synchronized nuauth and nufw output with current version in debug section.</para>
         </revdescription>
     </revision>
     <revision>
               <revnumber>1.0.1</revnumber>
         <date>2008/12/01</date>
         <revdescription>
         <para>Updated the recommended setup section, fixed image inclusions. Added a version choosing section. Better documentation for nuauth's user session disconnection.</para>
         </revdescription>
     </revision>
     <revision>
               <revnumber>1.0.0</revnumber>
         <date>2008/11/25</date>
         <revdescription>
         <para>This handbook is based on the original howto document, and has been dramatically enhanced (countless changes).</para>
         </revdescription>
     </revision>
     </revhistory>
   </bookinfo>
   <chapter><title>License</title>
   <para>
   This document is copyrighted by INL, and distributed under the Creative Commons <command>by-nc-sa</command> license. The full text of the license is available at  <ulink url="http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode">http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode</ulink>.
   </para>
   </chapter>
   <chapter><title>Introduction</title>
    <section><title>Presentation</title>
 <para>
 NuFW is an enterprise grade firewall that performs an authentication of every single connection passing through the IP filter, by transparently requesting user's credentials before any filtering decision is taken. Practically, this means security policies can integrate with the user directory, and bring the notion of user ID down to the IP layers.
 NuFW lays on Netfilter, the state of the art IP filtering layer from the Linux kernel. It fully integrates with Netfilter and extends its capabilities.
 The daemons currently run on Linux and software clients are available for Windows, Linux, FreeBSD et Mac OSX.
 </para>
 <para>
 NuFW can:
 <itemizedlist>
 <listitem><para>
 Authenticate any connection that goes through your gateway or only from/to a chosen subset or a specific protocol (iptables is used to select the connections to authenticate).</para></listitem>
 <listitem><para>Perform accounting, routing and quality of service based on users and not simply on IP.</para></listitem>
 <listitem><para> Filter packets with criteria such as application and OS used by remote users.</para></listitem>
 <listitem><para> Be the key of a secure and simple Single Sign On system.</para></listitem>
 </itemizedlist>
 </para>
 <para>
 NuFW is composed of two daemons that can be put on different systems and the
 main daemon nuauth is heavily multi-threaded.  nuauth uses loadable modules to
 add features, like SQL logging, reporting alert to IDS using Prelude, etc.
 </para>
    </section>
    <section><title>Architecture</title>
    <para>
     NuFW has very little needs in terms of architecture. It is a firewall, so it needs to be installed between the client and the server, concerning connections the admin wills to authenticate. In other words, if you look at the figure below, the requisite is that the firewall running NuFW is set between the client host (M) and the server (T). It doesn't matter whether you administrate the server (T) or whether it is a random host on the internet : NuFW authentication occurs at the time the firewall decision is taken for each connection.</para>
     <para>
     A very typical setup is to use NuFW on a central firewall, so that it can filter connections from LAN to DMZ, from LAN to Internet, from WAN to LAN, etc. Of course, this is no requisite and you can always chain NuFW with another implementation. Technically, NuFW has one requisite : no NAT should be applied on connections between the client and NuFW itself. If that occurs, NuFW authentication will not work. This can easily be turned around if you want to identify your users from the Internet, by setting up a VPN (road-warrior or network to network) tunnel.
     </para>
     <para>
     A typical architecture is as follows :
     <figure><title>NuFW Algorithm resume</title>
     <imageobject>
       <imagedata fileref="algorythm.png"/>
     </imageobject>
     </figure>
     <orderedlist>
       <listitem><para>A standard application sends a packet.</para></listitem>
       <listitem><para>The Nufw server queues the packet and sends an auth request packet to the Nuauth server.</para></listitem>
       <listitem><para>The Nuauth server sends to all nufw agents running on the client computer an authentication request.</para></listitem>
       <listitem><para>The Nufw client run by the user whose application sent traffic sees that a connection is being initiated and sends a user request packet. The Nuauth server sums the auth request and the user request packet and checks this against an authentication authority.</para></listitem>
       <listitem><para>The Nuauth server replies to the Nufw server accordingly.</para></listitem>
       <listitem><para>The Nufw server transmits the packet following the answer given to its request.</para></listitem>
       <listitem><para>The flow of the connection is handled by Netfilter's state table (the conntrack), like for any firewalling rule.</para></listitem>
     </orderedlist>
     </para>
     </section>
     <section><title>Requirements</title>
       <para>In this section, each invoked library will have to be installed and the
 header files have to be in standard places (so <command>./configure</command> can
                 find them).
 </para>
       <section><title>General</title>
       <para>NuFW is an advanced network filtering solution. For logging, as well as for domain integrations, it is highly recommended that all servers hosting NuFW services (<command>nufw</command>, <command>nuauth</command>, <command>LDAP/Active Directory</command>, and <command>the logging server (SQLi/syslog/prelude)</command>) be time-synchronized with a protocol such as NTP. NuFW does not provide time synchronization per se.
       </para>
       </section>
       <section><title>Nuauth dependencies</title>
        <section><title>nuauth core daemon</title>
         <para>
 nuauth dependencies are as follows:
 <itemizedlist>
             <listitem><para><filename>libglib2.0</filename>: nuauth heavily uses this library which provides a set of very useful high level objects. It needs at least 2.4 release.</para></listitem>
             <listitem><para><filename>libgnutls</filename>: communications between components are encrypted using TLS v1</para></listitem>
             <listitem><para><filename>libsasl2</filename>: authentication is done via sasl</para></listitem>
             <listitem><para><filename>libtool</filename>: It's needed for the compilation of library and modules</para></listitem>
           </itemizedlist>
         <note><para>Be careful when choosing your GnuTLS version : old versions may contain security breaches. Check the <ulink url="http://www.gnu.org/software/gnutls/security.html">GnuTLS security advisories page</ulink> or make sure your distribution is reactive enough with updates.</para>
         </note>
 </para>
       </section>
       <section><title>MySQL logging</title>
         <para>
 The <filename>libmysqlclient</filename> library is required for compiling of this module.
 </para>
       </section>
       <section><title>PostgreSQL logging</title>
         <para>
 The <filename>libpq</filename> library is required for compiling this module.
 </para>
       </section>
       <section><title>Prelude IDS alerts</title>
         <para>
 The <filename>libprelude</filename> library is required for compiling this module.
 Prelude allows for gathering security events at the scale of any organization, and NuFW can send Prelude the following events :
 <itemizedlist>
 <listitem><para>User authentication failures</para></listitem>
 <listitem><para>User authentication successes</para></listitem>
 <listitem><para>Start and end of user sessions</para></listitem>
 <listitem><para>Start and end of authenticated connections</para></listitem>
 <listitem><para>Rejected connections</para></listitem>
 </itemizedlist>
 NuFW is a native sensor for Prelude, allowing tight integration with any IDS based the IDMEF standard (RFC 4765).
 All information about the Prelude project is available at <ulink url="http://prelude-ids.org/">http://prelude-ids.org</ulink>
         </para>
       </section>
       <section><title>LDAP authentication and acl check</title>
         <para>
 <filename>libldap</filename> library is needed (version 2 or better).
 </para>
       </section>
       </section>
       <section><title>nufw dependencies</title>
         <para>The nufw daemon only depends on:
 <itemizedlist>
             <listitem><para><filename>iptables</filename>: <filename>libipq.a</filename> is necessary to compile the nufw server</para></listitem>
             <listitem><para><filename>libgnutls</filename>: nufw is connected to nuauth using a TLS encrypted channel</para></listitem>
           </itemizedlist>
 </para>
       </section>
       <section><title>User marking requirement on old kernel</title>
         <para>
 A system with a kernel prior to 2.6.14 needs a patched version of the ip_queue module and of
 its "sibling" library libipq.
 </para>
       </section>
       <section><title>Using nfnetlink and getting all latest NuFW features</title>
         <para>
 On kernel superior to 2.6.14, ipq is now deprecated in favor of libnetfilter_queue which
 uses the new nfnetlink system.
 On top of that nfnetlink also provides libnetfilter_conntrack which is used by NuFW to implement
 connection tracking, and strict time-based acls.
         </para>
         <para>To use this features, the following libraries are needed:
         <itemizedlist>
         <listitem><para>libnfnetlink</para></listitem>
         <listitem><para>libnetfilter_queue</para></listitem>
         <listitem><para>libnetfilter_conntrack</para></listitem>
         </itemizedlist>
         You can find working versions of these libraries at <ulink url="http://nufw.org/download/libs/index.html">http://nufw.org/download/libs/index.html</ulink>
         Debian packages are available at <ulink url="http://www.nufw.org/debian/">http://www.nufw.org/debian/</ulink>
         </para>
         <para>
 If you plan to use NuFW time-based acls, it is best to use a kernel superior to 2.6.18 or
 to apply patches provided on NuFW site.
         </para>
       </section>
     </section>
     <section><title>Recommended setup</title>
     <para>
     This section's aim is to provide the best practises to help admins start a NuFW installation.
     We recommend that you use :
     <itemizedlist>
      <listitem><para>A MySQL database for logs. Though nuauth as well as single sign on modules support PostgreSQL logging, NuLog PostgreSQL support should be considered experimental for now.</para></listitem>
      <listitem><para>A <command>NuLog</command> installation. This is not a formal requisite for setting up and using NuFW, but <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuLog">NuLog</ulink> is a great tool to keep track of what is going on on your firewall. It analyses data from a ulog SQL database.
     <figure><title>A Nulog screenshot</title>
     <imageobject>
       <imagedata fileref="nulog_scr.png"/>
     </imageobject>
     </figure>
      </para></listitem>
      <listitem><para>A <command>NuFace</command> installation. <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuFace">NuFace</ulink> is INL's tool to build consistent <command>Netfilter</command> + <command>nuauth</command> rules. You really should consider using <command>NuFace</command> unless you plan to write your own tool : dealing with filtering rules by hand can be tricky because you need to synchronise authenticating rules at <command>Netfilter</command> and <command>nuauth</command> levels.
     <figure><title>A NuFace screenshot</title>
     <imageobject>
       <imagedata fileref="nuface_scr.png"/>
     </imageobject>
     </figure>
      </para></listitem>
      <listitem><para>A <ulink url="http://www.netfilter.org/projects/ulogd/index.html">ulogd</ulink> daemon setup for Netfilter logging. Ulogd can log Netfilter flows into the same database as nuauth, in order to provide a consistent log for both authenticated and unauthenticated connections. For now we recommend you use ulogd in version 1.X. Ulogd should run on the same host as your <computeroutput>nufw</computeroutput> daemon, and log in the same MySQL database as nuauth. The <link linkend='mysql_log' endterm='mysql_log.title'/> section describes a MySQL installation.</para></listitem>
      <listitem><para>A user directory, supported by PAM. This means Active Directory, LDAP, Novell e-directory, and other directories are supported. This is actually a PAM matter, see section <link linkend='nuauth_auth' endterm="nuauth_auth.title"/> for details. A plaintext nuauth module exists for user authentication, but it should be used for quick testing only. We really advise you have nuauth lay on a user directory. For instance, adding/removing users from the plaintext file requires that you restart nuauth, while those changes are transparent if nuauth uses the <computeroutput>system</computeroutput> module.</para></listitem>
      <listitem><para>A LDAP (local) directory, to store nuauth ACLs. Again, user authentication can be setup on a plaintext file, but this means you will need to handle it by hand, with a text editor, and warranty that your nuauth rules are consistent with Netfilter rules. On the other hand, <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuFace">Nuface</ulink> can deal with both Netfilter and LDAP rules. Again, nuauth will need to be restarted if you make changes in the plaintext file, while the LDAP changes will apply on the fly. The LDAP ACL directory needs not formally be local, it can be hosted on any LDAP directory that <computeroutput>nuauth</computeroutput> can reach. See the <link linkend='LDAP_acls' endterm='LDAP_acls.title'/> section for details about how to setup your LDAP acl tree.</para></listitem>
     </itemizedlist>
     </para>
     </section>
     <section><title>How to choose your NuFW version</title>
       <section><title>Installing</title>
        <para>If you are installing NuFW from scratch, it is advised that you use the latest stable version. You should avoid distribution packages if they distribute old versions, especially if security upgrades have been notified in latest versions. NuFW security announces are always available at <ulink url="http://nufw.org/-Security-announces-.html">this URL</ulink>.
         <note><para>Up to date Debian packages are distributed by INL, and can be used on your Debian systems by setting :
          <screen>
           deb http://packages.inl.fr/ testing/
          </screen>
          or
          <screen>
           deb http://packages.inl.fr/ stable/
          </screen>
          to your <computeroutput>/etc/apt/sources.list</computeroutput> file. Also note that this URL makes the <computeroutput>inl-keyring</computeroutput> package available, for package GPG signatures.
         </para>
         </note>
        </para>
        <para>Unless you are a developer or a very advanced user, we recommend that you do not attempt to use the trunk version of NuFW.
        </para>
       </section>
       <section><title>Upgrading</title>
        <para>You should upgrade your installation at least when security announces are released in new versions. Security announces are always available at <ulink url="http://nufw.org/-Security-announces-.html">this URL</ulink>.</para>
       </section>
       <section><title>Finding out the installed version</title>
        <para>You can easily find out which version of the software you are using, with each NuFW component, by using the <computeroutput>-V</computeroutput> switch with any program that we distribute :
         <screen>
 # nuauth -V
 nuauth (version 2.2.18 ($Revision: 5020 $))
 # nufw -V
 NuFW (version 2.2.19)
 # nutcpc -V
 nutcpc (version 2.2.19 $Revision: 5350 $)
         </screen>
         As an alternative, you can also use your distribution's package manager to find out, for instance :
         <screen>
 $ dpkg -l nutcpc
 [...]
 ii  nutcpc         2.2.19-1+inl1  The authentication firewall [client]
         </screen>
        </para>
       </section>
     </section>
   </chapter>
   <chapter><title>Compilation and installation</title>
     <section><title>Default distribution kernels</title>
       <para>
       The following distributions do NOT need a kernel recompilation to run NuFW <footnote><para>Please let us know if you find others ;)</para></footnote>:
       <itemizedlist>
         <listitem><para>Fedora Core 6 (kernel 2.6.18)</para></listitem>
         <listitem><para>Debian Etch (kernel 2.6.18)</para></listitem>
         <listitem><para>Debian Lenny</para></listitem>
       </itemizedlist>
       </para>
       <para>
       Please note that a Linux kernel recompilation will only be needed on the Firewall itself (the host running the nufw daemon). The nuauth daemon should run on any POSIX system, and clients are, by essence, multi-platform (meaning, NO kernel dependency).</para>
     </section>
     <section><title>Kernel preparation</title>
       <para>You only need to patch your kernel sources with patch-o-matic if you want to use userid marking (from Linux 2.6.14 there is no need to patch the kernel as this option is available in vanilla). This is necessary if you need to mark your network flows depending on the originating user ID, for instance, to perform per user Quality of Service. This is not needed to use NuFW. To do so, install patch-o-matic as usual and
       run <screen>$./runme ip_queue_vwmark</screen></para>
       <para>Important note : it seems 2.6.24 netfilter_netlink capabilities only work if they are compiled as modules. Always compile these options as modules :
       <itemizedlist>
         <listitem><para>CONFIG_NETFILTER_NETLINK</para></listitem>
         <listitem><para>CONFIG_NETFILTER_NETLINK_QUEUE</para></listitem>
         <listitem><para>CONFIG_NETFILTER_NETLINK_LOG</para></listitem>
         <listitem><para>CONFIG_NF_CT_NETLINK</para></listitem>
       </itemizedlist>
       Most distribution kernels come with these options compiled as modules.
       </para>
     </section>
     <section><title>Linux 2.6.14 and higher</title>
         <para>
         If you run a kernel higher than 2.6.14 (and you should!), you should set the following options:
 <screen>
 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=Y or m
 CONFIG_NETFILTER_NETLINK=Y or m
 CONFIG_IP_NF_CONNTRACK=m (we advise you don't set this option statically)
 CONFIG_IP_NF_CONNTRACK_EVENTS=Y
 </screen>
         Setting these options will allow you to use the NFQUEUE target, and use very simple Netfilter rules.
         </para>
     </section>
     <section><title>NuFW compilation</title>
       <para>Extract the source to the directory of your choice and
 go to the created directory.</para>
       <para>
 NuFW uses autoconf and automake for compilation and a standard <command>configure</command> script
 is provided.
 Above standard options, the following flags (among other) are provided:
 <itemizedlist>
           <listitem><para> <option>--with-mysql-log </option>   Support user activity logging in MySQL database</para></listitem>
           <listitem><para> <option>--with-pgsql-log </option>   Support user activity logging in PostgreSQL database</para></listitem>
           <listitem><para> <option>--with-system-auth </option>   Support PAM+NSS authentication</para></listitem>
           <listitem><para> <option>--with-ldap </option>   Support LDAP directory for users and acl lookups</para></listitem>
         </itemizedlist>
 A detailed list of the options is available via
 <screen>$./configure --help</screen>
 Thus you can run <command>./configure</command> with the options you want and launch compilation and installation:
 <screen linenumbering="numbered">$ ./configure --with-ldap --with-system-auth --with-mysql-log \\
                 --sysconfdir=/etc/nufw/
 $ make
 $ sudo make install</screen>
 If you want to install default configuration files :
 <screen>sudo make install-conf</screen>
 This will only copy new configuration files when an old version of the file does not already exist in your <command>$prefix/conf</command> directory
 </para>
     </section>
     <section><title>Initial setup and tests</title>
       <section><title>Certificates and client installation</title>
         <para>This is about copying the default certificates. Don't do that unless on very early tests ; you probably want to generate your own certificates: see next section.</para>
         <para>For nufw
 <screen>cp conf/certs/nufw-*.pem /etc/nufw/</screen>
                 For nuauth:
 <screen>cp conf/certs/nuauth*.pem /etc/nufw/
 cp conf/certs/NuFW*.pem /etc/nufw/</screen>
 </para>
       </section>
       <section><title>Creating your own certificates</title>
       <para>The management of certificates, or the use of a Public Key Infrastructure (PKI), is
       not covered in this howto. Using a dedicated software, like
       <ulink url="http://www.openca.org/">OpenCA</ulink> or
       <ulink url="http://ejbca.sourceforge.net/">EBJCA</ulink>,
       is suggested.
       </para>
       <para>See section <link linkend='hardening' endterm="hardening.title"/> for details on how
       certificates are used in NuFW.
       </para>
       <para>The following commands show how to quickly create a Certificate Authority, and some
       certificates for nufw and nuauth.
       </para>
       <para>Generating your own Certificate authority:
       <screen>mkdir private
 chmod 700 private
 openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem</screen>
 You have to set a strong password here and keep it secret.
       </para>
       <para>Generating nufw and nuauth private keys:
       <screen>openssl genrsa -out private/nufw-key.pem</screen>
       <screen>openssl genrsa -out private/nuauth-key.pem</screen>
       </para>
       <para>Generating Certificate Signing Requests for both nufw and nuauth
       keys:
       <screen>openssl req -new -key private/nufw-key.pem -out nufw.csr</screen>
       <screen>openssl req -new -key private/nuauth-key.pem -out nuauth.csr</screen>
       </para>
       <para>Having our keys signed by the certificate authority we created:
       <screen>openssl x509 -req -days 365 -in nufw.csr -CA private/CAcert.pem \
       -CAkey private/CAkey.pem -CAcreateserial -out nufw-cert.pem</screen>
       <screen>openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem \
       -CAkey private/CAkey.pem -CAcreateserial -out nuauth-cert.pem</screen>
       </para>
       <para>Then, as in previous section, copy the files where needed:
       For nufw:
       <screen>cp private/nufw-key.pem /etc/nufw/</screen>
       <screen>cp nufw-cert.pem /etc/nufw/</screen>
       For nuauth:
       <screen>cp private/nuauth-key.pem /etc/nufw/</screen>
       <screen>cp nuauth-cert.pem /etc/nufw/</screen>
       And don't forget your key files (here, nufw-key.pem and nuauth-key.pem) should always remain private.
       </para>
       </section>
 <section><title>Basic nuauth setup</title>
 <para>NuFW sources provide a sample configuration file for nuauth <filename>nuauth.conf</filename>
 which is available in the <filename>conf</filename> directory.
 </para>
 <para>The two most important configuration variables are:
 <option>nuauth_client_listen_addr</option> which sets the address
 where <command>nuauth</command> listens for client requests and <option>nuauth_nufw_listen_addr</option>
 which sets the address where <command>nuauth</command> listens for nufw requests.
 The list of <command>nufw</command> servers authorized to connect to server <command>nuauth</command> is the
  <varname>nufw_gw_addr</varname>.</para>
 <para>
 The next thing to do after setting this variable is to choose
 your authentication and acl checking module.
 Authentication modules for user have to be chosen in:
 <itemizedlist>
 <listitem><para>plaintext: user credentials are stored in a text file. It is advised not to use this module, except for quick testing :
 you need to restart nuauth when updating the text file. Instead, on production, you should run the system module. This format supports both
 plaintext and encrypted passwords, see the sample config file (named <command>users-plaintext.nufw</command>) for formatting and details.</para>
             </listitem>
 <listitem><para>system: authentication is done against PAM and groups are system groups. This provides
  a convenient way to use nss features and/or pam-modules. This is the recommended way, as it lets you
  authenticate against your LDAP, Active Directory, or any directory.</para>
             </listitem>
           </itemizedlist>
 This is set with the option <option>nuauth_user_check_module</option>
 which default is <varname>libsystem</varname> (if not set in config file).
 Further choice for the acl checking  module has to be done if you choose:
 <itemizedlist><listitem><para>libldap : this is the recommended ACL checking module, as it is modular, and does not require a reload of the
 nuauth server when updating rules. You can manage iptables and LDAP rules in a consistent way, by using <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuFace">NuFace</ulink></para>
             </listitem>
 <listitem><para>plaintext : this module is intended to be used for quick testing only. It requires that you reload nuauth when modifying rules.</para>
             </listitem>
           </itemizedlist>
 by setting the variable <option>nuauth_acl_check_module</option>.
 </para>
       </section>
         </section>
      <section><title>Testing</title>
 <para>To be able to proceed quickly to test, we will use the system
 module for user and the plaintext module for acl.
 A sample file for the plaintext acl check module is available
 in the <filename>conf</filename> directory, <filename>acls.nufw</filename>.
 Copy it to <filename>/etc/nufw</filename> and adjust the
 group of the ssh acl to have it matching the group of a system
 user you will use later to authenticate on the system.</para>
         <section><title>Setting up Netfilter rules before 2.6.14</title>
           <para>
 We will test the setup by connecting from the local host ssh server. For this
 we need to add filtering rules to ask for authentication:
 <screen>iptables -A OUTPUT -s 192.168.75.0/24 -p tcp --dport 22 -m state --state NEW --syn -j QUEUE
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</screen>
 <footnote><para>
 Only SYN packets are sent to QUEUE. This is not enough to do advanced
 user activities logging, but enough for traffic authentication.
 </para></footnote>
 </para>
         </section>
         <section><title>Setting up Netfilter rules from 2.6.14</title>
           <para>
 We will test the setup by connecting from the local host ssh server. For this
 we need to add filtering rules to ask for authentication:
 <screen>iptables -A OUTPUT -s 192.168.75.0/24 -p tcp --dport 22 -m state --state NEW --syn -j NFQUEUE
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</screen>
 <footnote><para>
 Only SYN packets are sent to NFQUEUE. This is enough to do advanced
 user activities logging, because events on the connections will be automatically sent to nufw by Netfilter.
 This requires, in particular, that the CONFIG_IP_NF_CONNTRACK_EVENTS kernel option be set.
 </para></footnote>
 </para>
         </section>
         <section><title>Testing the authentication system</title>
           <para>First, the daemons need to be started. We start nuauth in a terminal
 <screen>nuauth -vvvvvvvvv</screen>
 then we start <screen>nufw -s -vvvvvvvvv</screen> in another terminal.
 </para>
 <note>
 <para>When starting <command>nufw</command> or <command>nuauth</command> daemons without the <command>-D</command> switch,
 they do not run as daemon : they remain attached to the console. In such conditions, both programs log to STDOUT/STDERR instead of
 using syslog. On production, you should always start the daemons with the <command>-D</command> option.</para>
 </note>
 <para>
 Next, we can try to connect a user. Under Linux it can be done with:
 <screen>nutcpc -N -d -U [USERNAME] -H [NUAUTH IP]</screen>
 Next step is to enter the user's password. Without the <command>-U</command> option, the current system user's name is used.</para>
 <para>At nuauth level, we should see something like:
 <screen>user bill@nufw uses OS Linux, 3.0.10, #1 Tue Oct 19 23:51:32 CEST 2008</screen>
 If your PAM setup is based on shadow file, you will not be able to authenticate a user different from the one running nuauth. On this kind of setup, nuauth needs to be run as root to authenticate other users.
 <footnote>
       <para> Never launch nutcpc against 'localhost' or '127.0.0.1',
 even if nuauth is on the same computer.
 Packets sent to nuauth by the firewall will hardly have the address of the loopback but rather have a
 source address which is one of the network interface.
 </para>
             </footnote>
 </para>
         </section>
         <section><title>Initial tests and debug process</title>
           <para>
         Let's authenticate a ssh connection from the computer.
 <itemizedlist>
               <listitem><para>nufw gets a packet from  Netfilter:
     <screen>[PID] Sending request for 12</screen>
 is the ID of the packet inside the kernel.
 </para>
               </listitem>
               <listitem><para>nuauth receives nufw's request:
     <screen>* Message: NuFW Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=48505 dport=22, IN=lo OUT=, packet_id=12, mark=0</screen></para>
               </listitem>
               <listitem><para>nuauth sends an authentication request to the clients
 on IP source:
     <screen>** Message: Warn client(s) on IP 127.0.0.1</screen></para>
               </listitem>
               <listitem><para>nuauth receives packet from the client:
     <screen>** Message: User Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=48504 dport=22, mark=0, user=regit, \\
 OS=Linux 2.6.26-1-amd64 #1 SMP Wed Sep 10 15:31:12 UTC 2008, app=/usr/bin/ssh</screen>
     </para>
               </listitem>
               <listitem><para>nuauth sends back response to nufw:
     <screen>** Message: Answ Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=48505 dport=22, decision=ACCEPT, IN=lo OUT=, \\
 packet_id=12, mark=1000, user=regit, OS=Linux 2.6.26-1-amd64 #1 SMP Wed Sep 10 15:31:12 UTC 2008, app=/usr/bin/ssh</screen>
     </para>
               </listitem>
               <listitem><para>nufw pushes the packet back in the kernel:
     <screen>[PID] (*) Accepting packet with id=12</screen>
 </para>
               </listitem>
             </itemizedlist>
                 </para>
         </section>
       </section>
   </chapter>
   <chapter><title>Setting up NuFW</title>
     <section id='LDAP_acls'><title id='LDAP_acls.title'>Using the LDAP module for acl checking</title>
       <section><title>Installation of OpenLDAP server (slapd)</title>
         <para>OpenLDAP server installation is standard. Use your Linux distribution packages,
 example with Debian:
 <screen>apt-get install slapd</screen>
 Read <ulink url="http://www.openldap.org/doc/admin/">OpenLDAP Software
 Administrator's Guide</ulink>, section "Building and Installing OpenLDAP Software" to get more information.
         </para>
       </section>
       <section><title>Slapd configuration</title>
         <para>
 The file <filename>acls.schema</filename> has to be put in <filename class="directory">/etc/ldap/schema</filename>
 and a line
 <screen>include         /etc/ldap/schema/acls.schema</screen>
 has to be added at the beginning of the <filename>/etc/ldap/slapd.conf</filename>.
 In the level of access setup in this file, one can add:
 <screen>#INL access for acls
 access to  dn="ou=acls,dc=nufw,dc=org"
        by dn="uid=nufw,ou=Users,dc=nufw,dc=org" write
        by dn="uid=nuauth,ou=Users,dc=nufw,dc=org" read
        by dn="cn=admin,dc=nufw,dc=org" write
        by * none</screen>
 nufw user is able to modify the policy and the nuauth user
 can only read the acls.
 </para>
 <para>
 To speed up search request you can add the following index to your <filename>slapd.conf</filename>:
 <screen>
 index OsName,OsRelease,OsVersion,AppName pres,eq
 index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
 index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
 index SrcPort,DstPort pres,eq
 </screen>
 </para>
 <para>
 You can start with a LDIF file such as:
 <screen>dn: dc=nufw,dc=org
 objectClass: top
 objectClass: dcObject
 objectClass: organization
 o: nufw.org
 dc: nufw
 structuralObjectClass: organization
 dn: ou=Users,dc=nufw,dc=org
 objectClass: organizationalUnit
 ou: Users
 structuralObjectClass: organizationalUnit
 dn: ou=acls,dc=nufw,dc=org
 objectClass: organizationalUnit
 ou: acls
 structuralObjectClass: organizationalUnit
 dn: uid=nuauth,ou=Users,dc=nufw,dc=org
 objectClass: top
 objectClass: simpleSecurityObject
 uid: nuauth
 userPassword: nuauth
 dn: uid=nufw,ou=Users,dc=nufw,dc=org
 objectClass: top
 objectClass: simpleSecurityObject
 uid: nufw
 userPassword: nufw
 </screen>
 </para>
       </section>
      <section><title>nuauth configuration</title>
         <para>
 To use LDAP support for acl checking, we need to modify the <filename>nuauth.conf</filename> file:
 <screen>nuauth_acl_check_module="ldap"</screen>
 and we have to setup the connection parameters:
 <screen>ldap_bind_dn="uid=nuauth,ou=Users,dc=nufw,dc=org"
 ldap_bind_password="secretpassword"
 ldap_basedn="dc=nufw,dc=org"
 ldap_acls_base_dn="ou=Acls,dc=nufw,dc=org"</screen>
 </para>
       </section>
       <section><title>Using nuface, a web-based rules generator</title>
 <para>
 <ulink url="http://www.inl.fr">INL</ulink> has released a powerful Netfilter rules generator system for NuFW and Netfilter.
 It is called Nuface and it is available at:
 <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuFace">http://software.inl.fr/trac/wiki/EdenWall/NuFace</ulink>
 It generates a set of rules for NuFW and Netfilter that can directly be applied from the web interface. All Netfilter rules generated by Netfilter use the stateful capabilities of Netfilter, without user intervention.
 </para>
       </section>
       <section><title>nuaclgen configuration</title>
       <para>nuaclgen is a script that can help you maintain a simple
       set of acls in an LDAP tree.</para>
       <para>It is advised that you use Nuface rather than Nuaclgen, if possible, since it makes things simpler. In particular,
       be aware that when you use nuaclgen, you need to also modify by hand your Netfilter rules.</para>
         <para>
 The file <filename>nuaclgen.conf</filename> contains the informations about LDAP
 connections. It needs to be modified to suit your configuration, for example:
 <screen>$ldap_host="localhost";
 $username="uid=nufw,ou=Users,dc=nufw,dc=org";
 $password="writepasswd";
 $basedn="ou=Acls,dc=nufw,dc=org";</screen>
 <footnote><para>The nuaclgen.conf file contains sensitive data
 and thus must have limited rights.</para>
           </footnote>
 </para>
         <para>To allow ssh for users
 of group 513 if they use <filename>/usr/bin/ssh</filename> application, we can use:
 <screen>nuaclgen --Aclname cn=ssh,ou=Acls,dc=nufw,dc=org -p 6 --dport 22 -AppName "/usr/bin/ssh" -j ACCEPT -g 513</screen>
 </para>
         <para>Or for access directed to a web server:
 <screen>
 nuaclgen --Aclname cn=apt,ou=Acls,dc=nufw,dc=org -p 6 --dport 80 \
   -AppName "/usr/lib/apt/methods/http" -j ACCEPT -g 1042
 </screen>
 This ACL gives access to group 1042  which is used by root user of some server of ours.
 Thus root user can only get file to update the computer, but other users can not access
 the web.
 </para>
       </section>
     </section>
     <section><title>Setting up NuFW authenticated connections tracking</title>
       <section><title>nuauth settings</title>
         <para>
  To achieve NuFW connection tracking it is necessary to have these options in <filename>nuauth.conf</filename>:
  <screen>nuauth_log_users_sync=1
 nuauth_log_users=9</screen>
 </para>
       </section>
 <section id='mysql_log'><title id='mysql_log.title'>Installation of MySQL server</title>
         <para>MySQL server installation is standard. Use your Linux distribution packages,
 example with Debian:
 <screen>apt-get install mysql-server</screen>
 Read <ulink url="http://dev.mysql.com/doc/">MySQL Documentation</ulink>, section
 "2 Installing and Upgrading MySQL" to get more information.
         </para>
 </section>
 <section><title>Installation of PostgreSQL server</title>
         <para>PostgreSQL server installation is standard. Use your Linux distribution packages,
 example with Debian (replace 8.2 by the latest server version):
 <screen>apt-get install postgresql-8.2</screen>
 Read <ulink url="http://www.postgresql.org/docs/">PostgreSQL Documentation</ulink>, section
 "III. 14. Installation Instructions" to get more information.
         </para>
         <note>
         <para>Note that, even though nuauth PostgreSQL support is complete, you probably want to use
         a MySQL server for now, if you want to use <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuLog">Nulog</ulink>.
         Single Sign On modules (<ulink url="http://software.inl.fr/trac/wiki/EdenWall/mod_auth_nufw">apache</ulink>
         and <ulink url="http://software.inl.fr/trac/wiki/EdenWall/squid_nufw_helper">squid</ulink>) have
         PostgreSQL support.</para>
         </note>
 </section>
 <section><title>SQL configuration</title>
 <para>The connection tracking system is really useful with SQL logging modules.
 We will describe here the setup of the MySQL module.</para>
 <para>
 You have to create the SQL database from the dump file available in the conf/
 subdir of the archive. Create a SQL account, which must have UPDATE,
 INSERT privileges on the "conntrack_ulog" table. You will have to set the
 credentials for that user in the nuauth.conf file.
 </para>
 <para>
 You may choose between to schema an IPv4 only one and an IPv4/IPv6 one.
 Recent tools like <ulink
 url="http://software.inl.fr/trac/wiki/EdenWall/NuLog">Nulog2</ulink> are able to use
 the IPv6 schema. If you have old script or older tools, you better use the IPv4 only schema.
 To import the IPv4 schema into a newly created database, you can use:
 </para>
 <screen>mysqladmin create nufw
 cat nulog.ipv4.mysql.dump | mysql nufw</screen>
 <para>For the IPv6 schema, simply use:</para>
 <screen>mysqladmin create nufw
 cat nulog.ipv6.mysql.dump | mysql nufw</screen>
 <para>
 You may also want to rotate the "ulog" table, so that it doesn't grow to infinite
 size with time. The ulog_rotate.py script is available in the
 <ulink url="http://software.inl.fr/trac/wiki/EdenWall/NuLog">Nulog project</ulink>
 tarball.
 At the present time, it is assumed those scripts are run as the root SQL user,
 as cronjobs. Of course the better way to go is to create a separate user for
 this and grant it the needed privileges. Please provide updates for this
 document if you implement this before we do.
 </para>
       </section>
 <section><title>Life of a connection in the SQL table</title>
 <para>
 If nuauth is configured to log network flow information in a SQL database, here is how the logging system works :
 </para>
 <itemizedlist><listitem><para>When the connexion opening datagram is authenticated (for TCP, that is the SYN datagram), nuauth creates an entry in database, with a request looking like this (for TCP) :
 <screen>INSERT INTO conntrack_ulog (state, oob_time_sec, ip_protocol, ip_saddr, ip_daddr, oob_in, oob_out, oob_prefix, user_id,
 username, client_os, client_app, tcp_sport, tcp_dport) VALUES (... our datagram values ...);</screen>
 If nuauth decision for that datagram is to drop or reject it, log of the "connexion" stops here. The connexion will never be opened, and this database entry will no longer be manipulated by nuauth.
 </para></listitem>
 <listitem><para>At the time when connection changes state (For TCP, and for any accepted connection, state changes to ESTABLISHED as soon as the server answers the SYN datagram), this request is performed by nuauth, if the nufw daemon is run with "-C" :
 <screen>
 UPDATE conntrack_ulog SET state=ESTABLISHED, start_timestamp=FROM_UNIXTIME(timestamp)
 WHERE (ip_daddr=%s AND ip_saddr=%s "AND tcp_dport='%hu' AND tcp_sport='%hu' AND state=OPEN)
 </screen>
 The only fields that are altered by this request are "state", which changes to "ESTABLISHED", and start_timestamp, which wasn't set before. It is important to note that no information is lost when this modification is performed. It is indeed obvious that the connection was previously in "OPEN" state, since that's a TCP preamble to the "ESTABLISHED" state, and the database keeps track of the timestamp when the connection was opened in the "oob_time_sec" field. The "start_timestamp" field simply marks the timestamp of switch to the "ESTABLISHED" state.
 </para></listitem>
 <listitem><para>When the connection expires, this request is executed by nuauth, if the nufw daemon is run with "-C" :
 <screen>
 UPDATE conntrack_ulog SET end_timestamp=FROM_UNIXTIME(timestamp), state=CLOSE, packets_in=%d , packets_out=%d , bytes_in=%d , bytes_out=%d
 WHERE (ip_saddr=%s AND ip_daddr=%sAND tcp_sport='%hu' AND tcp_dport='%hu' AND (state=OPEN OR state=ESTABLISHED))
 </screen>
 State is updated, it becomes "CLOSE", and we set the end_timestamp field, which was empty before this, as well as packet number and byte number counters for the now dead connexion. Time of opening and time of establishment of the connection remain available in the oob_time_sec and start_timestamp fields.
 </para></listitem></itemizedlist>
 <para>
 The SQL logging feature keeps track of the whole history of each connexion, and updates that nuauth performs on the database do never erase data that was previously logged. This log mode is the most powerful one that a firewall can achieve, because it is very synthetic : one single SQL entry is maintained for each connection ; and it keeps the whole history of all elements of connections.
 </para>
 </section>
       <section><title>Netfilter settings</title>
       <section><title>Settings on post 2.6.14 kernel</title>
       <para>
 This is the good case compared to pre 2.6.14.
 To enable authenticated connection tracking,
 you only have to add the <option>-C</option> to nufw command line.
 This flag asks nufw to send any ESTABLISHED and DESTROY message coming from Netfilter connections tracking to nuauth.
 </para>
 <para>
 As an important number of events can be sent through this mean, nufw offers the capability to only send a subset.
 It uses the fact that the initial mark can be put with CONNMARK
 on every packets of the connection.
 This mode is activated via the <option>-M</option> flag of nufw.
 On Netfilter side, the following rules have to be added:
 <screen>iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
 iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j CONNMARK --save-mark
 </screen>
 </para>
 <para>
 In short, you should always use <option>-C</option> if you use libnetfilter_conntrack (this is available from linux 2.6.14), and you should use <option>-M</option> if you want all your connections marked per userID (please note that you need to apply <ulink url="http://nufw.org/download/patches/transmit_mark.patch">transmit_mark patch</ulink> on your kernel to use this). Library compatibility is better with a >=2.6.16 kernel.
       </para>
       </section>
       <section><title>Settings on pre 2.6.14 kernel</title>
         <para>
 NuFW stores the following states in the life of a TCP connection:
     <itemizedlist><listitem><para>opening: bit SYN is set</para></listitem>
             <listitem><para>established: SYN ACK is sent</para></listitem>
             <listitem><para>closed: the tcp flags are FIN or FIN,ACK</para></listitem>
           </itemizedlist>
 To match those packets we need to use the <option>--syn</option> and the
 <option>--tcp-flags</option> options.
 Let's use the following configuration as an example: our web servers are protected by a NuFW firewall. They are in the network $DMZ.
 The following rules achieve to realize a user connection tracking on the web
 server outgoing connections.
 <screen>iptables -A FORWARD -p tcp -m state --state ESTABLISHED --tcp-flags ACK,FIN NONE -j ACCEPT
 iptables -A FORWARD -d $DMZ -p tcp -m state --state ESTABLISHED --dport 80 --tcp-flags SYN,RST,ACK RST -j QUEUE
 iptables -A FORWARD -d $DMZ -p tcp -m state --state ESTABLISHED --dport 80 --tcp-flags FIN FIN -j QUEUE
 iptables -A FORWARD -s $DMZ -p tcp -m state --state ESTABLISHED --sport 80 --tcp-flags SYN,ACK SYN,ACK -j QUEUE
 iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
 iptables -A FORWARD -d $DMZ -p tcp --syn --dport 80 -m state --state NEW -j QUEUE</screen>
 The first rule optimizes the filter by matching an important part of the ESTABLISHED traffic. The last rule with --state ESTABLISHED is the standard accepted established packets. It has to be put after NuFW flags matching rules.
 </para>
 </section>
       <section><title>Settings on >= 2.6.14 kernel</title>
         <para>
           No special complicated rule should be set, the kernel will automatically send new events on connections to NuFW.
           This is the reason why you don't want to use a pre-2.6.14 kernel ;)
         </para>
       </section>
       </section>
 <section><title>Using the connection tracking</title>
 <para>
 <command>nutop</command> is a perl script provided with nufw sources. It is a
 top like tool that displays the active and authenticated connections in real-time.
 </para>
 <para>The best way<footnote><para>as far as the author of this document knows at the time of the writing of
 this document</para>
           </footnote> to use the logs generated by the connection tracking is to install
 <command>nulog</command> which provides a convenient web interface.
 <command>nulog</command> is available under GPL on this page:
 <ulink url="http://software.inl.fr/trac/trac/wiki/EdenWall/NuLog">http://software.inl.fr/trac/wiki/EdenWall/NuLog</ulink>
 </para>
         </section>
 </section>
 <section><title>Single Sign On setup</title>
 <section><title>Apache</title>
 <para>All you need to do is to setup a SQL user with SELECT permissions on the
 "conntrack_ulog" table. Then setup mod_auth_nufw to use the configured SQL
 user/database/table. The source code of the apache module is available at <ulink
 url="http://software.inl.fr/trac/wiki/EdenWall/mod_auth_nufw">NuFW Apache SSO page</ulink></para>
         </section>
 <section><title>Squid</title>
 <para>All you need to do is to setup a SQL user with SELECT permissions on the
 "conntrack_ulog" table. Then setup squid_nufw_helper to use the configured SQL
 user/database/table. The source code of the squid helper is available at
 <ulink url="http://software.inl.fr/trac/wiki/EdenWall/squid_nufw_helper">NuFW Squid SSO page</ulink></para>
         </section>
         <section><title>Troubleshooting single sign on problems</title>
          <section><title>General information</title>
           <para>If you experience problems with Single Sign On problems, one common way to find out where the problem lays is to check whether the SSO code performs SQL lookups correctly. You can check it out easily at the database level. On MySQL, check you have in <filename>my.cnf</filename> something like: <screen>log             = /var/log/mysql/mysql.log</screen> This ensures that MySQL logs request that it receives. Then all you need to do is test the module, while running <screen>tail -f /var/log/mysql/mysql.log</screen> If the Single Sign On module is doing its job, you should see lines such as : <screen>SELECT DISTINCT username FROM conntrack_ulog WHERE (tcp_sport=50423 AND ip_saddr=3232235761 AND tcp_dport=80 AND ip_daddr=3232235761 AND (state=1 OR state=2))</screen> in the log, revealing that the Single Sign On module actually requests the database. If you run a PostgreSQL database, you can do similar operations by setting <screen>log_min_duration_statement = 0</screen> in <filename>postgresql.conf</filename>. On Debian, the default PostgreSQL log file is probably located in <filename>/var/log/postgresql/postgresql-8.X-main.log</filename>.</para>
          </section>
          <section><title>Apache module troubleshooting</title>
           <para>Like any Apache module, the mod_auth[n]_nufw module dumps verbose/debug information in the Apache error log when you set :<screen>Loglevel debug</screen> in the Apache <filename>httpd.conf</filename> file.</para>
 <!--          <note>This works on Apache 1.3, Apache 2.0 and Apache 2.2</note> -->
          </section>
         </section>
       </section>
 <section><title>User based Quality of Service</title>
 <section><title>Setting up Kernel on non libnetfilter_queue system</title>
 <para>
 Official Linux kernels are not able to mark packets
 with ip_queue framework before 2.6.14 release.
 It is thus necessary to patch the kernel (if pre 2.6.14), this has to be done by using
 the <filename>ip_queue_vwmark</filename> patch available in the
 patch-o-matic-ng from netfilter. This will generate a modified version of both
 ip_queue module and libipq.a file.
 </para>
 <para>
 Once the new libipq.a is installed, you can now compile nufw:
 <screen>./configure --with-user-mark ${EXTRA_OPTIONS_YOU_LIKE}
 make
 make install</screen>
 </para>
 </section>
 <section><title>Setting up nufw</title>
 <para>
 nufw can now be run with <option>-m</option> to use userid marking.
 This option is compatible with <option>-M</option>.
 </para>
     </section>
 <section><title>Setting up Netfilter</title>
 <para>
 As nufw only works with initialization packets it can not pull the userid mark of each packet
 of a connection. Thus, this is necessary to use
 <application>CONNMARK<footnote><para>CONNMARK is only available in patch-o-matic
 before 2.6.11, it is included in 2.6.12+ kernels</para>
             </footnote></application>
 which is a target able to propagate marks across connections.
 A basic setup is the following:
 <screen>iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
 iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark</screen>
 First line restores the existing mark when a packet arrives and second line
 saves mark on the connection so it can be restored later.
 </para>
       </section>
       <section><title>Using marking modules</title>
       <para>
 The nuauth variable <option>nuauth_finalize_packet_module</option> lists module which attach a hook called just before
 nuauth answer to nufw about a packet.
 It is usually used to modify the mark of the packet following a given strategy.
 By splitting the mark in different part, this is possible to define complex marking policy which can later be used
 by Linux routing and QoS systems.
 </para>
       <para>
       Extensive documentation can be found in the file <ulink url="http://software.inl.fr/trac/browser/mirror/edenwall/nufw/trunk/nufw/doc/README.mark">README.mark</ulink>
       </para>
       </section>
 <section><title>Using NuFW mark</title>
 <para>Netfilter mark can be use by the Quality of Service system and
 the routing system of Linux.</para>
 <para>
 So it is possible to do differentiated routing between different users
 by using command like:
 <screen>ip rule add fwmark XXX lookup TABLE</screen>
 </para>
 <para>This is almost the same for QoS, by using <command>tc filter</command> one needs to put
 user's flows in a specific class:
 <screen>tc filter add dev IFACE  prio 5 protocol ip handle 102 fw flowid FLOWID</screen>
 </para>
 <para>For more information about routing and quality of service you can read
 <ulink url="http://www.lartc.org">lartc</ulink>.
 </para>
       </section>
     </section>
     <section><title>Controlling nuauth finely at runtime</title>
     <para>NuFW 2.2.0 introduced new nuauth control capabilities, thanks to <command>nuauth_command</command>. This command should
     be installed when you install nuauth, and it can be run by the administrator, on the same server as <command>nuauth</command>.
     <command>nuauth_command</command> connects to nuauth, and lets you do the following tasks :
     <itemizedlist>
     <listitem><para><option>help</option> display inline help with a summary of available subcommands</para></listitem>
     <listitem><para><option>version</option> display nuauth version</para></listitem>
     <listitem><para><option>users</option> list connected users</para></listitem>
     <listitem><para><option>firewalls</option> list connected nufw firewalls</para></listitem>
     <listitem><para><option>packets count</option> display number of decision waiting packets</para></listitem>
     <listitem><para><option>refresh cache</option> refresh all caches</para></listitem>
     <listitem><para><option>refresh crl</option> refresh the TLS crl file</para></listitem>
     <listitem><para><option>disconnect (ID|regexp)</option> disconnect a user with his session identifier or a regular expression apply on logging name.</para></listitem>
     <listitem><para><option>disconnect all</option> disconnect all users</para></listitem>
     <listitem><para><option>uptime</option> display nuauth starting time and uptime</para></listitem>
     <listitem><para><option>reload</option> reload the configuration and reload the modules</para></listitem>
     <listitem><para><option>reload periods</option> reload the time periods</para></listitem>
     <listitem><para><option>display debug_level</option></para></listitem>
     <listitem><para><option>display debug_areas</option></para></listitem>
     <listitem><para><option>debug_level <replaceable>LEVEL</replaceable></option></para></listitem>
     <listitem><para><option>debug_areas <replaceable>AREAS</replaceable></option></para></listitem>
     <listitem><para><option>help</option> display this help</para></listitem>
     <listitem><para><option>quit</option> disconnect</para></listitem>
     </itemizedlist>
     You can, for instance, use the <option>disconnect</option> task, in order to force a user reconnect, and have their groups reloaded.
     <note>
      <para>As a POSIX compliance, <command>nuauth</command> checks the user's authentication, as well as groups, at the time the user's NuFW agent connects. It is
      never refreshed, until the client disconnects, or the administrator forces a disconnect. Nuauth configuration file <computeroutput>nuauth.conf</computeroutput> can also force all users
      to reconnect regularly, by setting the <option>nuauth_session_duration</option> parameter.
      </para>
     </note>
     </para>
     </section>
     <section><title>Time-based ACLs</title>
     <section><title>Global configuration</title>
     <para>
 NuFW can be used to implement strict time-based acls. When a period using time interval is defined (like say 08am-6pm)
 a authenticated connection can only start in the interval and is destroyed at the end of the interval.
     </para>
     <para>Configuration is done by defining a set of periods and using them (by their name) in the acls backend.
     The <option>plaintext</option> acl backend uses the <option>period</option> key to defined the period
     to apply to the acl. The <option>LDAP</option> acls backend uses the <option>TimeRange</option> atttribute.
     </para>
     <para>
     Definition of periods is done by modules and the corresponding option is <option>nuauth_periods_module</option>.
     For now, the     only available module  is <filename>xml_defs</filename>.
     </para>
     </section>
     <section><title>XML period definition module</title>
     <para>
 <filename>xml_defs</filename> is a period definition module. It uses a XML formatted file to store
 the periods. The path to this file can be set by using the <option>xml_defs_periodfile</option>:
     </para>
 <screen>
 xml_defs_periodfile="/etc/nufw/periods.xml"
 </screen>
 <para>
 The XML structure of the file is the following:
 </para>
 <screen>
 <![CDATA[
 <?xml version="1.0"?>
 <periods>
 <period name="5x8" desc="open hour">
     <perioditem>
         <days start="1" end="5"/>
         <hours start="8" end="18"/>
     </perioditem>
 </period>
 <period name="long" desc="date example">
     <perioditem>
         <dates start="1128282" end="323232323"/>
     </perioditem>
 </period>
 <period name="interval" desc="one hour interval">
     <perioditem>
         <!-- Duration in second (1 hour) -->
         <duration length="3600"/>
     </perioditem>
 </period>
 </periods>
 ]]>
 </screen>
 <para>
 There are two major types of period definitions:
 <itemizedlist>
 <listitem><para><option>Time interval</option>: the period is defined by using specifying days, hours or dates interval. Days and hours can be combined to define more complex period.
 </para></listitem>
 <listitem><para><option>Duration</option>: the period is defined by a duration expressed in seconds.</para></listitem>
 </itemizedlist>
 </para>
 <para>Multiple <option>perioditem</option> can be put in the same <option>period</option> to increase the flexibility of period definition.</para>
  </section>
  <note>
  <para>When using Nuface to manage filtering rules, time-based ACLs can be setup through the web interface, without editing any file by hand.</para>
  </note>
  </section>
     <section><title>Chaining modules in nuauth</title>
     <section><title>Syntax description</title>
     <para>
 The syntax is the following: Each option that sets up the use of a hook is
 a space separated list of modules.</para>
 <para>For each module type, the syntax is as follows :
 <option>name[:type[:config file]]</option>
 If syntax is:
 <itemizedlist>
 <listitem><para><option>name</option>: loads module "name" with config file included in nuauth.conf</para></listitem>
 <listitem><para><option>name:type</option>: loads module "type" with config file CONFIG_DIR/modules/name.conf</para></listitem>
 <listitem><para><option>name:type:conf</option>: loads module "type" with config file "conf"</para></listitem>
 </itemizedlist>
     </para>
     </section>
     <section><title>Some examples</title>
     <para>
  Let's analyze the following line:
 <computeroutput>nuauth_user_logs_module="syslog dblocal:mysql maindb:mysql:/etc/nufw/mainmysql.conf"</computeroutput>
 Packet will be logged multiple times:
 <orderedlist>
 <listitem><para>In syslog</para></listitem>
 <listitem><para>In a MySQL database using configuration file /etc/nufw/modules/dblocal.conf</para></listitem>
 <listitem><para>In a second MySQL database using configuration file /etc/nufw/mainmysql.conf</para></listitem>
 </orderedlist>
     </para>
     </section>
     </section>
 <section id='hardening'><title id='hardening.title'>Hardening NuFW</title>
 <section><title>Nufw certificate verification</title>
 <para>It is highly recommended to install nuauth and nufw on a dedicated server, hardened
 for security. Other projects like GrSec <footnote><para>http://www.grsecurity.net/</para></footnote> or
 SELinux <footnote><para>http://www.nsa.gov/selinux/</para></footnote> can be used to increase local (system)
 security.
 <note>
 <para>Since NuFW 2.2.19, a SeLinux configuration is distributed in the <computeroutput>selinux/</computeroutput> directory of the archive. Read the <computeroutput>README.selinux</computeroutput>
 file there if you want to implement SELinux policies to the NuFW daemons. However, this security policy set is not yet considered stable and
 is distributed for testing purpose. You are welcome to send the NuFW team feedback about it!</para>
 </note>
 </para>
 <para>To ensure confidentiality of communications between nufw, nuauth, and the clients,
 all connections are encrypted using TLSv1.</para>
 <para>
 As the firewall policy is applied by nuauth, the trust relationship between nufw and nuauth
 should be verified. The certificate provided by nuauth during the TLS negotiation
 will be checked if a certificate authority is configured in nufw.
 This is done by using the <option>-a</option> option at start
 of nufw followed by the name of the certificate authority file.
 With this option set, <varname>nufw</varname> will require a signed certificate
 from nuauth, and verify it.</para>
 <para>The CN (complete name) field from nufw certificate must contain the FQDN (fully
 qualified domain name) of nufw server.
 </para>
 <para>
 Since release 2.2.18, NuFW runs in TLS strict mode by default.
  It means nufw will not start if nuauth certificate is:
 <orderedlist>
 <listitem><para>Not verifiable against an authority</para></listitem>
 <listitem><para>Invalid</para></listitem>
 <listitem><para>Revoked</para></listitem>
 <listitem><para>Without signer</para></listitem>
 <listitem><para>Signed, but the signer is not a CA</para></listitem>
 <listitem><para>With an insecure algorithm (if GnuTLS is compiled with its support)</para></listitem>
 <listitem><para>Not yet activated</para></listitem>
 <listitem><para>Expired</para></listitem>
 </orderedlist>
 See the <link linkend='FinerTLS' endterm="FinerTLS.title"/> section of this document for advanced TLS options of nufw and other components.
 </para>
 <warning>
 <para>
 Since release 2.2.18, this mode is now activated by default. You can disable it, at your own risks, using the <option>-s</option> option of nufw.
 </para>
 </warning>
 <para>
 To run nufw with strict TLS checking, you will have to specify the following option:
 <itemizedlist>
 <listitem><para><option>-a</option>: Specify the authority file to use.</para></listitem>
 <listitem><para><option>-k</option>: Specify the key file to use.</para></listitem>
 <listitem><para><option>-c</option>: Specify the certificate file to use.</para></listitem>
 <listitem><para><option>-r</option>: Specify the certificate revocation list file to use (if available). A nufw restart  or a SIGHUP signal will be needed if you want change to the file to be taken into account.</para></listitem>
 <listitem><para><option>-d</option>: Fully qualified domain name of the nuauth server.</para></listitem>
 </itemizedlist>
 Thus a typical nufw command line should look like:
 </para>
 <screen>nufw -d nuauth.nufw.org -a localCA-cacert.pem -k server.nufw.org-key.pem -c server.nufw.org-cert.pem -r localCA-crl.pem</screen>
 <note><para><ulink
 url="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol">OCSP</ulink>
 is currently not supported by NuFW 2.2.X. OCSP support is being worked on in the
 trunk (currently unstable) branch of NuFW. Please contact NuFW developers if you need OCSP in 2.2.X,
 maybe we can add it to the 2.2 TODO list.</para></note>
 </section>
 <section><title>Authentication server (nuauth)</title>
 <para>The option <option>nuauth_tls_request_cert</option> defines if client
 certificates are optional or not. Possible values are:
 <itemizedlist>
 <listitem><para><option>0</option>: nuauth will not ask client to provide a certificate, they won't send one
 even if they have some to give.</para></listitem>
 <listitem><para><option>1</option>: client is asked to send a certificate, but the server will not refuse connection if none is provided.</para></listitem>
 <listitem><para><option>2</option>: client is asked to send a certificate, and the server will drop the connection if none is provided.</para></listitem>
 </itemizedlist>
 </para>
 <para>The default setting (<option>nuauth_tls_request_cert=2</option>) is that nuauth will require and verify client certificates for all
 connections (clients, and NuFW servers). Certificates are used to verify the identity
 of all components of a NuFW installation (nufw, nuauth, and clients), and ensure that
 no forgery or false representation has occurred.
 </para>
 <para>All components must share the same certificate authority (CA).
 See the <link linkend='FinerTLS' endterm="FinerTLS.title"/> section of this document for advanced TLS options of nuauth and other components.
 </para>
 <para>The CN (complete name) field from nuauth certificate must contain the FQDN (fully
 qualified domain name) of nuauth server. All clients and nufw servers will check that
 the DNS name of nuauth server matches the name in the certificate.
 </para>
 <note>
 <para>It is possible to generate a certificate with additional names, using the
 <computeroutput>subjectAltName</computeroutput> extension (See
 <ulink url="http://tools.ietf.org/html/rfc3280#section-4.2.1.7">Section 4.2.1.7 of RFC
 </ulink>).
 </para>
 </note>
 <para>
 You have to:
 <orderedlist>
   <listitem><para>Configure the certificate authority (<option>nuauth_tls_cacert</option>)</para></listitem>
   <listitem><para>Configure nuauth certificate (<option>nuauth_tls_cert</option>) and key (<option>nuauth_tls_key</option>) files.</para></listitem>
   <listitem>
     <para>Deploy client certificates. If you only want to verify server
 identity, you can share a certificate between several clients. If you want to
 use certificates for authentication, or if you will revoke certificates, you
 have to deploy a certificate for each client.
     </para>
   </listitem>
 </orderedlist>
 Warning: since release 2.2.18, this mode is now activated by default. You can
 disable it, at your own risks, by setting <option>nuauth_tls_request_cert=0</option> in nuauth
 configuration file.
 </para>
 <para>nuauth will check that the CN (complete name) field from nufw certificate contains the FQDN (fully
 qualified domain name) of the nufw server. You can disable it, at your own risks, by setting
 <option>nuauth_tls_disable_nufw_fqdn_check=1</option> in nuauth configuration file.
 </para>
 <para>You should also configure a Certificate Revocation List (CRL), with the
 <option>nuauth_tls_crl</option> parameter in nuauth configuration file. This file contains
 the list of all revoked certificates, in standard CRL format. You have to create a
 planified task (cron job) to update this file periodically, nuauth will check for
 modifications every <option>nuauth_tls_crl_refresh</option> seconds and will reload the file
 if necessary. You can use the HUP signal or the <command>refresh crl</command> command
 to force an update of the CRL.
 </para>
 <note>
 <para>Note that currently, private keys cannot be password protected : neither nufw nor nuauth support entering a passphrase.
 The reference documentation mentions the <computeroutput>nuauth_tls_key_passwd</computeroutput> option, but it is not implemented for now.
 </para>
 </note>
 </section>
 <section><title>User authentication restrictions</title>
 <para>You can restrict the number of simultaneous nuauth clients, per user or per IP address.
 <orderedlist>
 <listitem><para><option>nuauth_single_user_client_limit</option>: maximum number of nuauth clients per user</para></listitem>
 <listitem><para><option>nuauth_single_ip_client_limit</option>: maximum number of nuauth clients per IP</para></listitem>
 </orderedlist>
 </para>
 </section>
 <section><title>On client side</title>
 <para>nuauth client (nutcpc or nuapplet) will verify nuauth certificate when connecting, if a
 certificate authority is configured on the client (option <option>-A</option> of nutcpc). The certificate
 of the nuauth server will be verified, and the DNS name must match the CN field of the certificate.
 See the <link linkend='FinerTLS' endterm="FinerTLS.title"/> section of this document for advanced TLS options of nutcpc and other components.
 </para>
 <para>You can disable, at your own risks, the verifications:
 <orderedlist>
   <listitem><para>If no certificate authority is defined, the trust relation with nuauth will not be
   checked. Other attributes of nuauth certificate (expiration,etc.) will be checked, though.
     </para>
   </listitem>
   <listitem><para>Option <option>-N</option> disables the verification of the DNS name of nuauth server.
     </para>
   </listitem>
   <listitem><para>Option <option>-Q</option> disables warnings if no certificate authority is configured.
     </para>
   </listitem>
 </orderedlist>
 </para>
 <para>Clients should provide a client certificate, signed by the same authority.
 <orderedlist>
   <listitem><para>If the certificate is used to login, the name of the user must be stored in the CN field
   of the client certificate.</para>
   </listitem>
   <listitem><para>If the certificate is not used to login, the CN field of the client certificate is
   not checked.</para>
   </listitem>
 </orderedlist>
 </para>
 <para>
 The <computeroutput>nutcpc</computeroutput> client supports multiple options to achieve a strict verification of
 nuauth certificates:
 <itemizedlist>
 <listitem><para><option>-A</option>: Specify the authority file to use.</para></listitem>
 <listitem><para><option>-K</option>: Specify the key file to use.</para></listitem>
 <listitem><para><option>-C</option>: Specify the certificate file to use.</para></listitem>
 <listitem><para><option>-R</option>: Specify the certificate revocation list file to use. A nutcpc restart or a SIGHUP signal
 will be needed if you want change to the file to be taken into account.</para></listitem>
 <listitem><para><option>-H</option>: Fully qualified domain name of the nuauth server.</para></listitem>
 </itemizedlist>
 To sum up a typical nutcpc command line should look like:
 </para>
 <screen>nutcpc -H nuauth.nufw.org -A localCA-cacert.pem -K client.nufw.org-key.pem -C client.nufw.org-cert.pem -R localCA-crl.pem</screen>
 <para>
 It is possible to use the configuration file <filename>nuclient.conf</filename> to specify value
 for these options and be able to run client without having to specify all
 options on the commandline. A typical <filename>nuclient.conf</filename> should look like.
 </para>
 <screen>
 # Name of the nuauth server (fully qualified domain name, or IP address).
 nuauth_ip=nuauth.nufw.org
 # Certificate authority used to check the validity of nuauth certificate
 nuauth_tls_ca=/etc/nufw/localCA-cacert.pem
 # Certificate file used to negotiate the TLS connection to nuauth.
 nuauth_tls_cert=/etc/nufw/client.nufw.org-cert.pem
 # Key of the certificate file from the nuauth_tls_cert option.
 nuauth_tls_key=/etc/nufw/client.nufw.org-key.pem
 # Certificate revocation list file to use.
 nuauth_tls_crl=/etc/nufw/localCA-crl.pem
 </screen>
 <para>
 To combine strict TLS usage and login/password authentication, the recommended setup for
 client certificate deploiement is to deploy a per-computer certificate with FQDN matching
 computer domain name with the associated CA and key in the configuration directory of NuFW
 (usually <filename>/etc/nufw/</filename>). By setting the correct values in
 <filename>/etc/nufw/nuclient.conf</filename> (as previously seen), the computer user will be
 able to run client without providing any options (omit for -U option which is needed if the local
 user name is different from the nuauth user name).
 </para>
 </section>
 <section><title>Certificate authentication</title>
 <para>Certificates can be used to authenticate clients, if a user provides
 a client certificate during the TLS negotiation. Nuauth will extract the username
 based on the CN of the provided certificate. The username computation is made by taking the
 CN string till a slash or a comma is encountered. For example, for <computeroutput>admin/email=admin@inl.fr</computeroutput>,
 it will return <computeroutput>admin</computeroutput>.
 The obtained username must match a known user on the system.
 Nuauth will check the certificate, and if
 validated, will mark the user as authenticated (no password asked). </para>
 <para>
 To activate this functionality, nuauth configuration file must include:
 <screen>nuauth_tls_auth_by_cert=1</screen>
 Note that, <option>nuauth_tls_request_cert</option> has to be set
 to 1 or 2 in the mean time. If set to 2, certificates authentication is
 mandatory.</para>
 </section>
 <section><title>Using secure LDAP (LDAPs) for ACLs checking</title>
 <para>
 If the LDAP server supports TLS connections, you should setup nuauth to
 have the LDAP acls checking module using LDAP over SSL.
 </para>
 <para>To do so, edit <filename>nuauth.conf</filename> and modify LDAP
 port to 636 (LDAPs):
 <screen>
 ldap_server_port=636
 </screen>
 Then, edit <filename>/etc/ldap/ldap.conf</filename> to indicate the policy used
 for SSL connections.
 If you only want to encrypt data, you can simply add to <filename>ldap.conf</filename>:
 <screen>
 TLS_REQCERT never
 </screen>
 The recommended setup is to fill in <filename>ldap.conf</filename> with the path to certificate authority.
 <filename>ldap.conf</filename> should look like:
 <screen>
 TLS_CACERT /etc/ldap/cacert-ldap.pem
 TLS_REQCERT demand
 </screen>
 Please note that the certificate must precisely match the hostname set in
 the <option>ldap_server_addr</option> option in <filename>nuauth.conf</filename>.
 </para>
 <para>See the <ulink url="http://www.openldap.org/doc/admin24/tls.html">TLS section</ulink> in
 <ulink url="http://www.openldap.org/doc/admin24/">LDAP Configuration guide</ulink>, and
 <ulink url="http://www.openldap.org/faq/data/cache/185.html">OpenLDAP TLS FAQ</ulink>
 for more information.
 </para>
 </section>
 <section><title>OS and application filtering</title>
 <para>
 On client side, system needs to be trustworthy to perform
 valuable application and OS filtering. You must never forget that
 it is the application on client side which tells the application name as
 well as the operating system name and version: these informations CAN and WILL
 be spoofed if a malicious user installs a modified NuFW agent.
 </para>
 <para>Thus, the value of application and OS filtering depends on the trust you have
 on the system which issues the authentication. On a secure system (for ex. SELinux)
 where users can not install software, this sort of filtering is "quite
 secure".</para>
       </section>
 <section><title>Intrusion Detection System (IDS)</title>
 <para>NuFW is free software, and as such does not duplicate features from other softwares, but prefer
 to integrate with them, to benefit from their experience, and specific features.
 </para>
 <para>For example, NuFW is a native Prelude<footnote><para>http://www.prelude-ids.com</para></footnote>
 sensor, using the <option>nuprelude</option> module.
 This allows to send alerts (user login success or failure, connections, etc.) to Prelude, and
 use correlation, for ex., to combine a Network IDS like Snort<footnote><para>http://www.snort.org/</para></footnote>.
 </para>
 <para>See <ulink url="https://trac.prelude-ids.org/wiki/ManualUser">Prelude user manual</ulink>, and
 <ulink url="https://trac.prelude-ids.org/wiki/InstallingAgentThirdpartyNufw">Configuring NuFW for Prelude</ulink>
 for more information.
 </para>
 </section>
 <note>
  <para>It is to be noted that, for now, all TLS certificates of your installation must be signed by the same CA, for
  valid checks to be performed. It is planned to implement support of chained CAs in a future release (possibly 2.2.20). Currently, using chained CAs might work, and might not. The behavior of NuFW with chained CA is considered to be unspecified for now.</para>
 </note>
 </section>
 <section id='nuauth_auth'><title id='nuauth_auth.title'>Nuauth authentication configurations</title>
  <section><title>PAM/LDAP authentication with Nuauth</title>
   <para>PAM is a very convenient way for extending authentication to "exotic"
   directories. In particular, PAM lets one interface nuauth on NT domains,
   Active Directory, Radius, etc.
   </para>
 <note>
 <para>When using PAM authentication for local users (<option>shadow</option> file),
 nuauth must run as root to be able to read system files. This is the only case where nuauth should be run as root !
 It is, however, advised, that you use a real directory (LDAP, Active Directory...) rather than authenticating users
 against the shadow file.
 </para>
 </note>
   <para>To have nuauth authenticate users based on PAM/ldap, use the <option>
   system</option> user checking module in nuauth.conf:
   <screen>nuauth_user_check_module="system"</screen>
   </para>
   <para>
   In addition, PAM needs to be properly setup, which is external to NuFW, and
   basically out of the scope of this document. Here are a couple of files to set
   on Debian to get PAM/LDAP working with nuauth:
   /etc/pam.d/nuauth:
   <screen>#This is to set PAM-LDAP, modify to suit your needs!
   auth    required      /lib/security/pam_env.so
   auth    sufficient    /lib/security/pam_ldap.so
   auth    required      /lib/security/pam_deny.so
   account required      /lib/security/pam_ldap.so
   session required      /lib/security/pam_limits.so
   session optional      /lib/security/pam_ldap.so</screen>
   The <filename>/etc/nsswitch.conf</filename> file also needs to be tuned:
   <screen>#This is to set PAM-LDAP, modify to suit your needs!
   passwd:         compat ldap
   group:          compat ldap
   </screen>
   (leave the other lines unchanged).
   And you probably also need to tune the /etc/pam_ldap.conf file. This file
   works for us, provided there is no line beginning with "uri":
   <screen>
   host 127.0.0.1
   ldap_version 3
   scope one
   pam_password crypt
   nss_base_passwd         ou=Users,dc=nufw,dc=org?one
   nss_base_group          ou=Group,dc=nufw,dc=org?one
   </screen>
   You also need to install and configure libnss-ldap.
   Configuration that works for us (still on Debian) in /etc/libnss-ldap.conf:
   <screen>
   host 127.0.0.1
   base replace_with_your_base
   ldap_version 3
   rootbinddn cn=admin,dc=replace_with_your_base
   #Optional, set if you need these:
   nss_base_passwd ou=users,dc=nufw,dc=org?one
   nss_base_group ou=groups,dc=nufw,dc=org?one
   </screen>
   Of course, tune this to suit your needs, and be aware that these system
   instructions may not be accurate for other distributions!
   </para>
  </section>
  <section><title>PAM/Winbind authentication with Nuauth</title>
   <para>On Debian/Ubuntu, you will need the following packages:
    <screen>
     krb5-user
     krb4-config
     samba
     winbind
    </screen>
   </para>
   <para>The /etc/krb5.conf file should contain something like:
    <screen>
 [libdefaults]
         default_realm = DOMAIN.NAME
 # The following krb5.conf variables are only for MIT Kerberos.
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true
 [realms]
         DOMAIN.NAME = {
                 kdc = 10.0.122.5
                 admin_server = 10.0.122.5
                 default_domain = DOMAIN.NAME
+        }
 [domain_realm]
         .domain.name = DOMAIN.NAME
         domain.name = DOMAIN.NAME
         shortname = DOMAIN.NAME
         .shortname = DOMAIN.NAME
    </screen>
   </para>
   <para>It is very important that your system is time-synchronized with the AD/NT server. You should setup NTP to achieve this!
   </para>
   <para>
   The /etc/samba/smb.conf file should also be customized:
    <screen>
 [global]
 # Change this to the workgroup/NT-domain name your Samba server will part of
    realm = DOMAIN.NAME
    password server = AD-SERVER
    netbios name = NUAUTH-SERVER
    workgroup = SHORTNAME
 # server string is the equivalent of the NT Description field
    server string = %h server sexa-prn1 (Samba, Ubuntu)
 ####### Authentication #######
    security = ads
    encrypt passwords = true
    guest account = nobody
 ############ Misc ############
    socket options = TCP_NODELAY
    domain master = no
 # Some defaults for winbind (make sure you're not using the ranges
 # for something else.)
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2
    </screen>
   </para>
   <para>To join the Windows Domain:
 <screen>
 kinit administrator@DOMAIN.NAME
 net ads join -U administrator
 </screen>
   The last command should display the short domain name, and should specify that the machine was successfully added to the domain.
   </para>
   <para>Winbind (or winbindd) should be running on your system. You can check things are going fine by reading samba logs (probably in /var/log/samba/*).</para>
   <para>You will then have to declare that you want to use winbind authentication for nuauth by cooking a <filename>/etc/pam.d/nuauth</filename> file:
   <screen>#This is to set PAM-winbind, modify to suit your needs!
   auth    required      /lib/security/pam_env.so
   auth    sufficient    /lib/security/pam_winbind.so
   auth    required      /lib/security/pam_deny.so
   account required      /lib/security/pam_winbind.so
   session required      /lib/security/pam_limits.so
   session optional      /lib/security/pam_winbind.so</screen>
   </para>
   <para>
    To be able to use winbind group fetching, the <filename>/etc/nsswitch.conf</filename> file should look like:
    <screen>
 passwd:         compat winbind
 group:          compat winbind
 shadow:         compat
 hosts:          files dns mdns
 networks:       files
 protocols:      db files
 services:       db files
 ethers:         db files
 rpc:            db files
 netgroup:       nis
    </screen>
   </para>
  </section>
 </section>
   </chapter>
 <chapter><title>Authentication Agents</title>
 <section><title>Supported OSes</title>
 <section><title>Windows</title>
 <para>NuWinC (NuFW Windows Client) provides NuFW authentication for Microsoft Windows 95/98/NT/2000/XP/2003/Vista. This software is available from <ulink url="http://inl.fr/">INL</ulink>. NuWinC can provide, when installed on machines of a Windows domain, a 100% transparent behavior, meaning users will not even notice it starting or running. For more information about NuWinC, see <ulink url="http://www.inl.fr/NuWINc,68.html">http://www.inl.fr/NuWINc,68.html</ulink>.</para>
 </section>
 <section><title>Linux</title>
 <para>Several clients run on Linux :
 <orderedlist>
 <listitem><para>nutcpc : the lightest, command line agent.</para></listitem>
 <listitem><para>Nuapplet2 : The graphical client.</para></listitem>
 <listitem><para>PAM authentication, through the pam_nufw module. This provides transparent authentication on nuauth.</para></listitem>
 </orderedlist>
 </para>
 </section>
 <section><title>MacOS</title>
 <para>MacOS X is supported by the Nuapplet2 graphical client. The nutcpc command line client also runs on MacOS X.</para>
 </section>
 <section><title>UNIX and BSD systems</title>
 <para>
 nutcpc is known to work on FreeBSD. For other systems, test feedbacks are greatly welcome! Porting NuFW agents to *NIX systems should be fairly easy, too.
 </para>
 </section>
 </section>
 <section><title>pam_nufw</title>
 <para>
 The <command>pam_nufw</command> PAM module enables transparent user authentication to NuFW. Of course, this will only work if the login and password you use to login to
 the <command>pam_nufw</command> system are the same as requested by <command>nuauth</command>, ie in your user directory!
 </para>
 <section><title>Options</title>
 <para>
 pam_nufw accepts the following command line options:
 <itemizedlist>
 <listitem><para><option>server=<replaceable>nuauth_ip</replaceable></option>: Nuauth server IP/hostname</para></listitem>
 <listitem><para><option>port=<replaceable>nuauth_port</replaceable></option>: Nuauth port/service name</para></listitem>
 <listitem><para><option>lock=<replaceable>.pam_nufw</replaceable></option>: Lock filename</para></listitem>
 <listitem><para><option>noauth=<replaceable>user1,user2,(...)</replaceable></option>: Don't authenticate these users.</para></listitem>
 </itemizedlist>
 </para>
 <para>
 Default values:
 <itemizedlist>
 <listitem><para><option>port</option> is 4129</para></listitem>
 <listitem><para><option>lockfile</option> is <filename>.pam_nufw</filename>, located in <filename>$HOME/.nufw/</filename></para></listitem>
 </itemizedlist>
 </para>
 </section>
 <section><title>Configuration file example</title>
 <para>
 PAM configuration files are located in <filename>/etc/pam.d/</filename>. Each program which uses PAM
 may have its own file (eg. /etc/pam.d/ssh and /etc/pam.d/kdm) ; it is up to the administrator to choose which programs should
 trigger the pam_nufw authentication. Of course, requisite are :
 <itemizedlist>
 <listitem><para>The program concerned by the configuration is about opening a session.</para></listitem>
 <listitem><para>The program concerned by the configuration runs on the userID you want to authenticate connections for.</para></listitem>
 <listitem><para>The authentication is performed through a login and password.</para></listitem>
 </itemizedlist>
 A typical configuration
 file looks like this:
 <screen>
  #%PAM-1.0
  auth    requisite       pam_nologin.so
  auth    required        pam_env.so
  @include common-auth
  auth optional pam_nufw.so server=nuauth.inl.fr port=4129
  @include common-account
  session required        pam_limits.so
  @include common-session
  session optional pam_nufw.so server=nuauth.inl.fr port=4129
  @include common-password
 </screen>
 We use auth because we have to know user's password in order to authenticate
 on nuauth. The pam module closes the connection to nuauth when the application
 closes the pam session. You can comment out the session line to suppress disconnection at
 logout.
 <note>
  <para>Make sure you use the same lock file for all pam_nufw config files on a given system, or connections will be authenticated multiple times.
  </para>
 </note>
 </para>
 <para>
 <command>pam_nufw</command> respects the <filename>nuclient.conf</filename> configuration file
 for all options. See section <link linkend='hardening' endterm="hardening.title"/> for more information
 about <filename>nuclient.conf</filename> usage and TLS setup.
 </para>
 </section>
 </section>
 </chapter>
 <chapter><title>Miscellaneous</title>
 <section><title>Supported protocols</title>
 <para>The NuFW daemons can virtually support any protocol, provided a stateful inspection exists
 in Netfilter to deal with the given protocol. However, the main concern about protocol support is client-side.
 <itemizedlist>
 <listitem><para><option>TCP</option>: TCP is supported by all existing clients (Linux, MacOS X, Windows).</para></listitem>
 <listitem><para><option>UDP</option>: Requires some administrator operations, for now only the Windows client supports UDP.</para></listitem>
 <listitem><para><option>ICMP</option>: Uses raw socket. We are unsure whether this can be authenticated at all. For now, no client supports ICMP.</para></listitem>
 <listitem><para><option>IPv6</option>: IPv6 is supported since branch 2.2, with the same restrictions as IPv4.</para></listitem>
 <listitem><para><option>other</option>: No support. Contact us if you feel some other protocol could be supported.</para></listitem>
 </itemizedlist>
 </para>
 </section>
 <section><title>Big endian architectures</title>
 <para>Big endian architectures are supported since version 1.0.11. Prior
 releases do not work on big endian.</para>
 </section>
 <section><title>System with glibc 2.3.2</title>
 <para>
 Glibc 2.3.2 is buggy and you need to set
 <option>system_glibc_cant_guess_maxgroups</option> to the maximum number of groups
 for a single user.
 </para>
 </section>
 <section><title>Linux distributions specific</title>
 <para>Packages can be provided by some distributions. However,
 these packages can be modified by the maintainer, or might not be up to date, so
 check the local modifications carefully.
 </para>
 <para>
 While these packages can be good, it is encouraged to use the official releases from
 nufw.org, which are officially supported by the developers.
 </para>
       </section>
 <section><title>Debian specific</title>
 <para>NuFW packages are part of the Debian main distribution.</para>
 <note><para>However, we recommend that you use the latest available NuFW version. Debian packages are available at <ulink url="http://packages.inl.fr/">packages.inl.fr</ulink></para>
 </note>
       </section>
 <section><title>Mandrake specific</title>
 <para>NuFW is packaged in Mandriva Corporate Server 4.</para>
       </section>
 <section><title>Suse specific</title>
 <para>Suse version 9 seems to use a very old Glib, which is not compatible with
 NuFW. It seems this is true for all Suse versions until v9.</para>
       </section>
 <section><title>Redhat specific</title>
 <section><title>RedHat Enterprise Linux 4</title>
 <para>As RHEL4 is shipped with a 2.6.9 kernel that is subject to the ip_queue
 problem mentioned later in this document. With this
 kernel the bug occurs systematically (at least on SMP machines).</para>
 </section>
       </section>
 <section><title>Known issues</title>
 <section><title>Problem with ip_queue on kernel prior to 2.6.12</title>
 <para>
 There's an ip_queue bug on kernels prior to 2.6.12. It can hang the system when an ACCEPT decision is done
 on the INPUT chain. Thus DO NOT use a QUEUE target on INPUT with these kernels or it could freeze your computer.
 And anyway, you should use a recent kernel and NFQUEUE, as explained here-up in this howto.
 </para>
 </section>
 <section><title>Running NuFW in a bridged network</title>
 <para>NuFW should run seamlessly in bridge networking. However it seems a bug in some kernel does not allow the use of
 nfnetlink without problems. The following facts were reported (with NuFW 2.2.14, but NuFW versioning is not the matter) :
 <itemizedlist>
 <listitem><para><option>Kernel 2.6.22</option> BUG : No network traffic when launching the nufw daemon.</para></listitem>
 <listitem><para><option>Kernel 2.6.24</option> Everything works.</para></listitem>
 </itemizedlist>
 </para>
 </section>
       </section>
   </chapter>
   <chapter><title>Appendix</title>
  <section id="FinerTLS"><title id="FinerTLS.title">Managing finer TLS settings with NuFW</title>
 <para>
 <xref linkend="nufw-tls"/> describes the TLS options that the nufw daemon accepts. All these options are accepted since the 2.2.18 release (some options existed earlier).
 <table border="1" id="nufw-tls">
 <title>nufw daemon (command line) TLS options resume</title>
 <tgroup cols="2">
 <colspec colnum="1" colname="col1" colwidth="4em"/>
 <thead>
   <row>
     <entry>Option</entry>
     <entry>Description</entry>
   </row>
 </thead>
 <tbody>
   <row>
     <entry>-k</entry>
     <entry>specifies as argument the filename of the (private) key to use.</entry>
   </row>
   <row>
     <entry>-c</entry>
     <entry>specifies as argument the filename of the (public) certificate to use.</entry>
   </row>
   <row>
     <entry>-a</entry>
     <entry>specifies as argument the filename of the certificate authority file.</entry>
   </row>
   <row>
     <entry>-N</entry>
     <entry>If you use this switch, nufw will skip the nuauth CN check.</entry>
   </row>
   <row>
     <entry>-r</entry>
     <entry>specifies as argument the filename of the certificate revocation list. The daemon will also re-read the revocation list if it is disconnected from nuauth and needs to reconnect. Since 2.2.19, nufw reloads this file when receiving a HUP signal.</entry>
   </row>
   <row>
     <entry>-n</entry>
     <entry>specifies as argument the string of the expected DN that should be received by nuauth. The DN advertised by nuauth will have to match the string exactly, else nufw will drop the connection. If you do not specify this option, the DN of the certificate will be checked against the FQDN of the nuauth server (nufw will obtain it from a reverse DNS lookup on nuauth IP address).</entry>
   </row>
   <row>
     <entry>-S</entry>
     <entry>Request that nufw strictly validates the TLS connection when opening the connection to the nuauth server. This means that the nuauth certificate has to be signed by the CA, that it is not revoked, and that the DN of the certificate is also checked (see the <command>-n</command>) option. Since 2.2.18, this is the default behaviour of the nufw daemon.</entry>
   </row>
   <row>
     <entry>-s</entry>
     <entry>Opposite of <command>-S</command>. This means all TLS checks are disabled. Use at your own risk!!</entry>
   </row>
 </tbody>
 </tgroup>
 </table>
 </para>
 <para>
 <xref linkend="nuauth-tls"/> describes the TLS options that the nuauth daemon accepts (in nuauth.conf). All these options are accepted since the 2.2.18 release (some options existed earlier).
 <table id="nuauth-tls" border="1">
 <title>nuauth daemon configuration TLS options resume</title>
 <tgroup cols="2">
 <colspec colnum="1" colname="col1" colwidth="17em"/>
 <thead>
   <row>
     <entry>Option</entry>
     <entry>Description</entry>
   </row>
 </thead>
 <tbody>
   <row>
     <entry>nuauth_tls_key</entry>
     <entry>specifies as argument the filename of the (private) key to use.</entry>
   </row>
   <row>
     <entry>nuauth_tls_cert</entry>
     <entry>specifies as argument the filename of the (public) certificate to use.</entry>
   </row>
   <row>
     <entry>nuauth_tls_cacert</entry>
     <entry>specifies as argument the filename of the certificate authority file.</entry>
   </row>
   <row>
     <entry>nuauth_tls_crl</entry>
     <entry>specifies as argument the filename of the certificate revocation list.</entry>
   </row>
   <row>
     <entry>nuauth_tls_crl_refresh</entry>
     <entry>specifies the time period (in seconds) at which nuauth refreshes the <command>nuauth_tls_crl</command> file.</entry>
   </row>
   <row>
     <entry>nuauth_tls_request_cert</entry>
     <entry>Whether nuauth performs TLS checks. Since 2.2.18, the default value is <command>2</command>, which means that all certificates need to be signed by the CA, must not have expired, and must not be revoked. If you specify <command>0</command>, nuauth will perform no TLS check at all (use at your own risk!!). If you specify <command>1</command>, nuauth will ask the clients and nufw to provide a certificate, but will not fail if no certificate is provided. You should always use the default setting of <command>2</command> if you want a safe installation!</entry>
   </row>
   <row>
     <entry>nuauth_tls_disable_request_warning</entry>
     <entry>If you set <command>nuauth_tls_request_cert</command> to an insecure value, nuauth will complain in the log everytime a client connects, but will not reject connections. If you want to prevent such logging from nuauth, you can set this option to <command>1</command>. The default value is <command>0</command>.</entry>
   </row>
   <row>
     <entry>nuauth_tls_disable_nufw_fqdn_check</entry>
     <entry>If you set <command>nuauth_tls_request_cert</command> to <command>2</command> (the default value), the nufw daemon certificate DN will be checked against the nufw fully qualified domain name (which nuauth obtains thanks to a reverse DNS lookup). If they do not match, nuauth will reject the connection. You can set this parameter to <command>1</command> if you want nuauth to accept the connection without checking this match.</entry>
   </row>
   <row>
     <entry>nuauth_tls_auth_by_cert</entry>
     <entry>This lets clients authenticate with a certificate, rather than with a login/password.</entry>
   </row>
  </tbody>
  </tgroup>
 </table>
 </para>
 <para>
 <xref linkend="nutcpc-tls"/> describes the TLS options that the nutcpc client accepts on command line. All these options are accepted since the 2.2.18 release (some options existed earlier).
 You can also get nutcpc to read configuration from <command>nuclient.conf</command> config file (see below).
 <table id="nutcpc-tls" border="1">
 <title>nutcpc command line TLS options resume</title>
 <tgroup cols="2">
 <colspec colnum="1" colname="col1" colwidth="4em"/>
 <thead>
   <row>
     <entry>Option</entry>
     <entry>Description</entry>
   </row>
 </thead>
 <tbody>
   <row>
     <entry>-C</entry>
     <entry>specifies as argument the filename of the (public) certificate to use.</entry>
   </row>
   <row>
     <entry>-A</entry>
     <entry>specifies as argument the filename of the certificate authority file.</entry>
   </row>
   <row>
     <entry>-K</entry>
     <entry>specifies as argument the filename of the (private) key.</entry>
   </row>
   <row>
     <entry>-W</entry>
     <entry>if you use a keyfile (with <command>-K</command>), and it is password-protected, you can specify the password to use with this switch. Use with <command>-q</command> for security reasons.</entry>
   </row>
   <row>
     <entry>-R</entry>
     <entry>specifies as argument the filename of the certificate revocation list. This file is only checked when nutcpc is launched : you currently need to stop and restart nutcpc if the revocation list is changed. Since 2.2.19, nutcpc reloads this file when receiving a HUP signal.</entry>
   </row>
   <row>
     <entry>-a</entry>
     <entry>specifies as argument the string to use to check the CN nuauth certificate contains. If you do not use this option, nuauth certificate DN will be checked against nuauth fully qualified domain name, which will be found by performing a reverse DNS lookup on nuauth IP address.</entry>
   </row>
   <row>
     <entry>-N</entry>
     <entry>If you use this switch, nutcpc will skip the nuauth CN check.</entry>
   </row>
   <row>
     <entry>-Q</entry>
     <entry>By default, nutcpc leaves with an error if the CA is not configured (see <command>-A</command>), and (since 2.2.19) forces user to type "yes" to bypass the warning. If you use this option, the problem will be ignored. Use at your own risk!!</entry>
   </row>
  </tbody>
  </tgroup>
 </table>
 </para>
 <para>
 <xref linkend="nuclient-tls"/>  describes the TLS options that the libnuclient client accepts on command line. All these options are accepted since the 2.2.18 release (some options existed earlier).
 Currently, these options work with nutcpc, as well as nuapplet.
 </para>
 <para>
 <table border="1" id="nuclient-tls">
 <title>nuclient.conf TLS options resume</title>
 <tgroup cols="2">
 <colspec colnum="1" colname="col1" colwidth="15em"/>
 <thead>
   <row>
     <entry>Option</entry>
     <entry>Description</entry>
   </row>
 </thead>
 <tbody>
   <row>
     <entry>nuauth_tls_cert</entry>
     <entry>specifies as argument the filename of the (public) certificate to use.</entry>
   </row>
   <row>
     <entry>nuauth_tls_ca</entry>
     <entry>specifies as argument the filename of the certificate authority file.</entry>
   </row>
   <row>
     <entry>nuauth_tls_key</entry>
     <entry>specifies as argument the filename of the (private) key.</entry>
   </row>
   <row>
     <entry>nuauth_tls_crl</entry>
     <entry>specifies as argument the filename of the certificate revocation list. This file is checked when the client is launched, and anytime the client is disconnected from nuauth and needs to reconnect.</entry>
   </row>
   <row>
     <entry>nuauth_suppress_fqdn_verif</entry>
     <entry>If set to <command>1</command>, the client will skip the nuauth CN check.</entry>
   </row>
  </tbody>
  </tgroup>
 </table>
 </para>
  </section>
   </chapter>
   <glossary>
     <glossentry><glossterm>nufw</glossterm>
       <indexterm><primary>nufw</primary></indexterm>
       <glossdef>
         <para>nufw is the server running on the firewall which receives the packets coming from
 kernel and send them to the authentication server and wait a response.</para>
       </glossdef>
     </glossentry>
     <glossentry><glossterm>nuauth</glossterm>
       <indexterm><primary>nuauth</primary></indexterm>
       <glossdef>
         <para>nuauth is the authentication server which receives the packets coming from
 nufw and the packets coming from user and send back a decision to nufw.</para>
       </glossdef>
     </glossentry>
   </glossary>
 </book>