Copyright © 2005-2008 INL
| Revision History | |
|---|---|
| Revision 0.9.7 | 2008/04/18 |
|
Information about NuFW multiplatform agents was added. | |
| Revision 0.9.6 | 2008/04/09 |
|
Added specific Xen information. | |
| Revision 0.9.5 | 2008/02/14 |
|
Added specific kernel (2.6.24) information. | |
| Revision 0.9.4 | 2008/01/10 |
|
Prelude log module documented. | |
| Revision 0.9.3 | 2008/01/10 |
|
A detailled description of SQL tables insertions and updates by nuauth. | |
| Revision 0.9.2 | 2008/01/09 |
|
Add information about TLS usage in all NuFW related fields. | |
| Revision 0.9.1 | 2007/12/20 |
|
License clarification. On earlier versions license was not expressed at all, making the document de facto proprietary. | |
| Revision 0.9 | 2007/12/10 |
|
Suppress reference to gdbm and ident. Suppress some remaining old docs. | |
| Revision 0.8.1 | 2007/11/30 |
|
Information about supported protocols. | |
| Revision 0.8 | 2007/10/29 |
|
Update for 2.2. Add information about new marking modules. | |
| Revision 0.7.3 | 2007/08/07 |
|
Add a section about distros where no kernel compilation is necessary. | |
| Revision 0.7.2 | 2007/02/09 |
|
Sync with options available in NuFW 2.0.15. | |
| Revision 0.7.1 | 2007/02/07 |
|
Add option available in NuFW 2.0.14. | |
| Revision 0.7.0 | 2006/12/23 |
|
Completed PAM/NSS for winbind. Added initialization instructions for setting up LDAP acls. | |
| Revision 0.6.1 | 2006/11/14 |
|
Completed PAM/NSS informations. Fixed a couple of links. | |
| Revision 0.6 | 2006/10/12 |
|
Added recent kernel related informations. | |
| Revision 0.5 | 2006/08/01 |
|
Modify howto to be a 2.0 documentation. | |
| Revision 0.4.3 | 2005/11/23 |
|
More informations about nuauth setup, especially with PAM. Minor style cleanups. | |
| Revision 0.4.2 | 2005/11/22 |
|
Informations about how to generate one's own certs, signed with CA | |
| Revision 0.4.1 | 2005/08/01 |
|
More SQL informations, especially about credentials and log rotation | |
| Revision 0.4 | 2005/07/25 |
|
RedHat experience,powerpc port | |
| Revision 0.3 | 2005/07/18 |
|
Reread after 1.0.10 release | |
| Revision 0.2 | 2005/03/30 |
|
Completion | |
| Revision 0.1 | 2005/03/09 |
|
Initial prerelease | |
Table of Contents
This document is copyrighted by INL, and distributed under the Creative Commons by-nc-sa license. The full text of the license is available at http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode.
Table of Contents
NuFW is an enterprise grade firewall that performs an authentication of every single connection passing through the IP filter, by transparently requesting user's credentials before any filtering decision is taken. Practically, this means security policies can integrate with the user directory, and bring the notion of user ID down to the IP layers. NuFW lays on Netfilter, the state of the art IP filtering layer from the Linux kernel. It fully integrates with Netfilter and extends its capabilities. The daemons currently run on Linux and software clients are available for Windows, Linux, FreeBSD et Mac OSX.
NuFW can:
Authenticate any connection that goes through your gateway or only from/to a chosen subset or a specific protocol (iptables is used to select the connections to authenticate).
Perform accounting, routing and quality of service based on users and not simply on IPs.
Filter packets with criterium such as application and OS used by distant users.
Be the key of a secure and simple Single Sign On system.
NuFW is composed of two daemons that can be put on different systems and the main daemon nuauth is heavily multithreaded. nuauth uses loadable modules for any exterior interaction.
In this section, each invoked library will have to be installed and the header have to be in standard places (so configure can found them).
nuauth dependencies are as follows:
libglib2.0: nuauth heavily uses this library which provides a set of very useful high level objects. It needs at least 2.4 release.
libgnutls: encryption of communications between the different parts of the system is performed via TLS
libsasl2: authentication is done via sasl
libtool: It's needed for the compilation of library and modules
The libprelude library is required for compiling this module.
Prelude allows for gathering security events at the scale of any organisation, and NuFW can send Prelude the following events :
User authentication failures
User authentication successes
Start and end of user sessions
Start and end of authenticated connections
Rejected connections
All information about the Prelude project is available at http://prelude-ids.org
The nufw daemon only depends on:
iptables: libipq.a is necessary to compile the nufw server
libgnutls: nufw speaks to nuauth via a TLS encrypted channel
A system with a kernel prior to 2.6.14 needs a patched version of the ip_queue module and of its "sibling" library libipq.
On kernel superior to 2.6.14, ipq is now deprecated in favor of libnetfilter_queue which uses the new nfnetlink system. We encourage you to switch to this library as it is the future. On top of that nfnetlink also provides libnetfilter_conntrack which is used by NuFW to implement time-based acls.
To be able to use this features, the following libraries are needed:
libnfnetlink
libnetfilter_queue
libnetfilter_conntrack
You can find working versions of these libraries at http://nufw.org/download/libs/index.html And if you run debian, packages are available at http://www.nufw.org/debian/
If you plan to use NuFW time-based acls, it is best to use a kernel superior to 2.6.18 or to apply patches provided on NuFW site.
Table of Contents
The following distributions do NOT need a kernel recompilation to run NuFW [1]:
Fedora Core 6 (kernel 2.6.18)
Debian Etch (kernel 2.6.18)
Debian Lenny
Also, please note that a Linux kernel recompilation will only be needed on the Firewall itself (the host running the nufw daemon). The nuauth daemon should run on any POSIX system, and clients are, by essence, multiplatform (meaning, NO kernel dependency).
You only need to patch your kernel sources with patch-o-matic if you want to use userid marking (from linux 2.6.14 there is no need to patch the kernel as this option is available in vanilla). This is necessary if you need to mark your network flows depending on the originating user ID, for instance, to perform per user Quality of Service. This is not needed to use NuFW. To do so, install patch-o-matic as usual and run
$./runme ip_queue_vwmark
Important note : it seems 2.6.24 netfilter_netlink capabilities only work if they are compiled as modules. Always compile these options as modules :
CONFIG_NETFILTER_NETLINK
CONFIG_NETFILTER_NETLINK_QUEUE
CONFIG_NETFILTER_NETLINK_LOG
CONFIG_NF_CT_NETLINK
The good news is that most distribution kernels come with these options compiled as modules.
If you run a kernel higher than 2.6.14 (and you should!), you should set the following options:
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=Y or m CONFIG_NETFILTER_NETLINK=Y or m CONFIG_IP_NF_CONNTRACK=m (we advise you don't set this option statically) CONFIG_IP_NF_CONNTRACK_EVENTS=Y
Setting these options will allow you to use the NFQUEUE target, and use very simple Netfilter rules.
Extract the source to the directory of your choice and go to the created directory.
NuFW uses autoconf and automake for compilation and a standard configure script is provided. Above standard options, the following flags (among other) are provided:
--with-mysql-log Support user activity logging in MySQL database
--with-pgsql-log Support user activity logging in PostgreSQL database
--with-system-auth Support PAM+NSS authentication
--with-ldap Support LDAP directory for users and acl lookups
A detailed list of the options is available via
$./configure --help
Thus you can run ./configure with the options you want and launch compilation and installation:
$ ./configure --with-ldap --with-system-auth --with-mysql-log \\ --sysconfdir=/etc/nufw/ $ make $ sudo make install
This is about copying the default certificates. Don't do that unless on very early tests ; you probably want to generate your own certificates: see next section.
For nufw
cp conf/certs/nufw-*.pem /etc/nufw/
For nuauth:
cp conf/certs/nuauth*.pem /etc/nufw/ cp conf/certs/NuFW*.pem /etc/nufw/
Generating your own Certificate authority:
mkdir private chmod 700 private openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem
You have to set a strong password here and keep it secret.
Generating nufw and nuauth private keys:
openssl genrsa -out private/nufw-key.pem
openssl genrsa -out private/nuauth-key.pem
Generating Certificate Signing Requests for both nufw and nuauth keys:
openssl req -new -key private/nufw-key.pem -out nufw.csr
openssl req -new -key private/nuauth-key.pem -out nuauth.csr
Having our keys signed by the certificate authority we created:
openssl x509 -req -days 365 -in nufw.csr -CA private/CAcert.pem \
-CAkey private/CAkey.pem -CAcreateserial -out nufw-cert.pem
openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem \
-CAkey private/CAkey.pem -CAcreateserial -out nuauth-cert.pem
Then, as in previous section, copy the files where needed: For nufw:
cp private/nufw-key.pem /etc/nufw/
cp nufw-cert.pem /etc/nufw/
For nuauth:
cp private/nuauth-key.pem /etc/nufw/
cp nuauth-cert.pem /etc/nufw/
And don't forget your key files (here, nufw-key.pem and nuauth-key.pem) should always remain private.
NuFW sources provide a sample configuration file for nuauth nuauth.conf
which is available in the conf directory.
The two most important configuration variables are:
nuauth_client_listen_addr which sets the address
where nuauth listens for client requests and nuauth_nufw_listen_addr
which sets the address where nuauth listens for nufw requests.
The list of nufw servers authorized to connect to server nuauth is the
nufw_gw_addr.
The next thing to do after setting this variable is to choose your authentication and acl checking module. Authentication modules for user have to be chosen in:
plaintext: user credentials are stored in a text file
system: authentication is done against PAM and groups are system groups. This provides a convenient way to use nss features and/or pam-modules
This is set with the option nuauth_user_check_module
which default is libsystem (if not set in config file).
Further choice for the acl checking module has to be done if you choose:
libldap
plaintext
by setting the variable nuauth_acl_check_module.
To be able to proceed quickly to test, we will use the system
module for user and the plaintext module for acl.
A sample file for the plaintext acl check module is available
in the conf directory, acls.nufw.
Copy it to /etc/nufw and adjust the
group of the ssh acl to have it matching the group of a system
user you will use later to authenticate on the system.
We will test the setup by connecting from the local host ssh server. For this we need to add filtering rules to ask for authentication:
iptables -A OUTPUT -s 192.168.75.0/24 -p tcp --dport 22 -m state --state NEW --syn -j QUEUE iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[2]
We will test the setup by connecting from the local host ssh server. For this we need to add filtering rules to ask for authentication:
iptables -A OUTPUT -s 192.168.75.0/24 -p tcp --dport 22 -m state --state NEW --syn -j NFQUEUE iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[3]
First, the daemons need to be started. We start nuauth in a terminal
nuauth -vvvvvvvvv
then we start
nufw -vvvvvvvvv
in another terminal.
Next, we can try to connect a user. Under Linux it can be done with:
nutcpc -d -H [NUAUTH IP]
enter name and password of a system user.
At nuauth level, we should see something like:
user bill@nufw uses OS Linux, 3.0.10, #1 Tue Oct 19 23:51:32 CEST 2008
If your PAM setup is based on shadow file, you will not be able to authenticate a user different from the one running nuauth. On this kind of setup, nuauth needs to be run as root to authenticate other users. [4]
A ssh connection from the computer to start the authentication process:
nufw gets a packet from Netfilter:
[PID] Sending request for 1
nufw initiates a TLS connection to nuauth:
[PID] Trying TLS connection
nuauth receives nufw's request:
** Message: Packet : ** Message: Connection : src=192.168.75.2 dst=192.168.75.2 proto=6 ** Message: sport=32848 dport=22
nuauth sends an authentication request to the clients on IP source:
** Message: need to warn client ** Message: sending request
nuauth receives packet from the client:
** Message: User : ** Message: Connection : src=192.168.75.2 dst=192.168.75.2 proto=6 ** Message: sport=32848 dport=22 ** Message: OS : Linux 2.6.9 #1 Tue Oct 19 23:51:32 CEST 2004 ** Message: Application : /usr/bin/ssh
nuauth sends back response to nufw:
Sending auth answer 1 for 1 on 0x42428482 ...
nufw pushes the packet back in the kernel:
[PID] Accepting 1
[2] Only SYN packets are sent to QUEUE. This is not enough to do advanced user activities logging, but enough for trafic authentication.
[3] Only SYN packets are sent to NFQUEUE. This is enough to do advanced user activities logging, because events on the connections will be automatically sent to nufw by Netfilter. This requires, in particular, that the CONFIG_IP_NF_CONNTRACK_EVENTS kernel option be set.
[4] Never launch nutcpc against 'localhost' or '127.0.0.1', even if nuauth is on the same computer. Packets sent to nuauth by the firewall will hardly have the address of the loopback but rather have a source address which is one of the network interface.
Table of Contents
OpenLDAP server installation is standard. Use your Linux distribution packages, example with Debian:
apt-get install slapd
Read OpenLDAP Software Administrator's Guide, section "Building and Installing OpenLDAP Software" to get more information.
The file acls.schema has to be put in /etc/ldap/schema
and a line
include /etc/ldap/schema/acls.schema
has to be added at the beginning of the /etc/ldap/slapd.conf.
In the level of access setup in this file, one can add:
#INL access for acls
access to dn="ou=acls,dc=nufw,dc=org"
by dn="uid=nufw,ou=Users,dc=nufw,dc=org" write
by dn="uid=nuauth,ou=Users,dc=nufw,dc=org" read
by dn="cn=admin,dc=nufw,dc=org" write
by * nonenufw user is able to modify the policy and the nuauth user can only read the acls.
You can start with a LDIF file such as:
dn: dc=nufw,dc=org objectClass: top objectClass: dcObject objectClass: organization o: nufw.org dc: nufw structuralObjectClass: organization dn: ou=Users,dc=nufw,dc=org objectClass: organizationalUnit ou: Users structuralObjectClass: organizationalUnit dn: ou=acls,dc=nufw,dc=org objectClass: organizationalUnit ou: acls structuralObjectClass: organizationalUnit
To use LDAP support for acl checking, we need to modify the nuauth.conf file:
nuauth_acl_check_module="libldap"
and we have to setup the connection parameters:
ldap_bind_dn="uid=nuauth,ou=Users,dc=nufw,dc=org" ldap_bind_password="secretpassword" ldap_basedn="dc=nufw,dc=org" ldap_acls_base_dn="ou=Acls,dc=nufw,dc=org"
INL has released a powerful Netfilter rules generator system for NuFW and Netfilter. It is called Nuface and it is available at: http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuFace It generates a set of rules for NuFW and Netfilter that can directly be applied from the web interface.
nuaclgen is a script that can help you maintain a simple set of acls in an LDAP tree.
It is advised that you use Nuface rather than Nuaclgen, if possible, since it makes things simpler. In particular, be aware that when you use nuaclgen, you need to also modify by hand your Netfilter rules.
The file nuaclgen.conf contains the informations about LDAP
connections. It needs to be modified to suit your configuration, for example:
$ldap_host="localhost"; $username="uid=nufw,ou=Users,dc=nufw,dc=org"; $password="writepasswd"; $basedn="ou=Acls,dc=nufw,dc=org";
[5]
To allow ssh for users
of group 513 if they use /usr/bin/ssh application, we can use:
nuaclgen --Aclname cn=ssh,ou=Acls,dc=nufw,dc=org -p 6 --dport 22 -AppName "/usr/bin/ssh" -j ACCEPT -g 513
Or for access directed to a web server:
nuaclgen --Aclname cn=apt,ou=Acls,dc=nufw,dc=org -p 6 --dport 80 \ -AppName "/usr/lib/apt/methods/http" -j ACCEPT -g 1042
This ACL gives access to group 1042 which is used by root user of some server of ours. Thus root user can only get file to update the computer, but other users can not access the web.
To achieve NuFW connection tracking it is necessary to have these options in nuauth.conf:
nuauth_log_users_sync=1 nuauth_log_users=9
MySQL server installation is standard. Use your Linux distribution packages, example with Debian:
apt-get install mysql-server
Read MySQL Documentation, section "2 Installing and Upgrading MySQL" to get more information.
PostgreSQL server installation is standard. Use your Linux distribution packages, example with Debian (replace 8.2 by the last server version):
apt-get install postgresql-8.2
Read PostgreSQL Documentation, section "III. 14. Installation Instructions" to get more information.
The connection tracking system is really useful with SQL logging modules. We will describe here the setup of the MySQL module.
You have to create the SQL database from the dump file available in the conf/ subdir of the archive. Create a SQL account, which must have UPDATE, INSERT privileges on the "conntrack_ulog" table. You will have to set the credentials for that user in the nuauth.conf file.
You may choose between to schema an IPv4 only one and an IPv4/IPv6 one. Recent tools like Nulog2 are able to use the IPv6 schema. If you have old script or older tools, you better use the IPv4 only schema. To import the IPv4 schema into a newly created database, you can use:
mysqladmin create nufw cat nulog.ipv4.mysql.dump | mysql nufw
For the IPv6 schema, simply use:
mysqladmin create nufw cat nulog.ipv6.mysql.dump | mysql nufw
When installing NuFW in production, you have to use the clean_conntrack.pl
script, which is available in the scripts/ subdir of the NuFW archive from
version 1.0.12 on. For prior versions, you can get the script from Nulog project homepage.
You have to create a SQL user to run the script, with the following permissions
: SELECT and DELETE on the "conntrack_ulog" table,
INSERT on the "ulog" table. The script must be run, every few
minutes, from cron, especially on busy firewalls. If you don't run this script, your "conntrack_ulog" table
will grow quickly with "dead" connections, and will cause NuFW to act slower and
slower. All the script does is transfer "dead" data (ie closed connections,
dropped connections) to the ulog table, which is plainly an archive table, not
used on production by NuFW, nor by the SSO subsystems.
You may also want to rotate the "ulog" table, so that it doesn't grow to infinite size with time. From 1.0.12 on, scripts are available for this task in the scripts/ subdir of the archive. Before 1.0.12, you can get those two scripts from the Nulog archive at Nulog project homepage Look for the ulog_rotate_*.sh scripts. At the present time, it is assumed those scripts are run as the root SQL user, as cronjobs. Of course the better way to go is to create a separate user for this and grant it the needed privileges. Please provide updates for this document if you implement this before we do.
If nuauth is configured to log network flow information in a SQL database, here is how the logging system works :
When the connexion opening datagram is authenticated (for TCP, that is the SYN datagram), nuauth creates an entry in database, with a request looking like this (for TCP) :
INSERT INTO conntrack_ulog (state, oob_time_sec, ip_protocol, ip_saddr, ip_daddr, oob_in, oob_out, oob_prefix, user_id, username, client_os, client_app, tcp_sport, tcp_dport) VALUES (... our datagram values ...);
If nuauth decision for that datagram is to drop or reject it, log of the "connexion" stops here. The connexion will never be opened, and this database entry will no longer be manipulated by nuauth.
At the time when connection changes state (For TCP, and for any accepted connection, state changes to ESTABLISHED as soon as the server answers the SYN datagram), this request is performed by nuauth, if the nufw daemon is run with "-C" :
UPDATE conntrack_ulog SET state=ESTABLISHED, start_timestamp=FROM_UNIXTIME(timestamp) WHERE (ip_daddr=%s AND ip_saddr=%s "AND tcp_dport='%hu' AND tcp_sport='%hu' AND state=OPEN)
The only fields that are altered by this request are "state", which changes to "ESTABLISHED", and start_timestamp, which wasn't set before. It is important to note that no information is lost when this modification is performed. It is indeed obvious that the connection was previously in "OPEN" state, since that's a TCP preambule to the "ESTABLISHED" state, and the database keeps track of the timestamp when the connection was opened in the "oob_time_sec" field. The "start_timestamp" field simply marks the timestamp of switch to the "ESTABLISHED" state.
When the connection expires, this request is executed by nuauth, if the nufw daemon is run with "-C" :
UPDATE conntrack_ulog SET end_timestamp=FROM_UNIXTIME(timestamp), state=CLOSE, packets_in=%d , packets_out=%d , bytes_in=%d , bytes_out=%d WHERE (ip_saddr=%s AND ip_daddr=%sAND tcp_sport='%hu' AND tcp_dport='%hu' AND (state=OPEN OR state=ESTABLISHED))
State is updated, it becomes "CLOSE", and we set the end_timestamp field, which was empty before this, as well as packet number and byte number counters for the now dead connexion. Time of opening and time of establishment of the connection remain available in the oob_time_sec and start_timestamp fields.
The SQL logging feature keeps track of the whole history of each connexion, and updates that nuauth performs on the database do never erase data that was previously logged. This log mode is the most powerful one that a firewall can achieve, because it is very synthetic : one single SQL entry is maintained for each connection ; and it keeps the whole history of all elements of connections.
This is the good case compared to pre 2.6.14.
To enable authenticated connection tracking,
you only have to add the -C to nufw command line.
This flag asks nufw to send any ESTABLISHED and DESTROY message coming from Netfilter connections tracking to nuauth.
As an important number of events can be sent through this mean, nufw offers the capability to only send a subset.
It uses the fact that the initial mark can be put with CONNMARK
on every packets of the connection.
This mode is activated via the -M flag of nufw.
On Netfilter side, the following rules have to be added:
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j CONNMARK --save-mark
In short, you should always use -C if you use libnetfilter_conntrack (this is available from linux 2.6.14), and you should use -M if you want all your connections marked per userID (please note that you need to apply transmit_mark patch on your kernel to use this). Library compatibilty is better with a >=2.6.16 kernel.
NuFW stores the following states in the life of a TCP connection:
opening: bit SYN is set
established: SYN ACK is sent
closed: the tcp flags are FIN or FIN,ACK
To match those packets we need to use the --syn and the
--tcp-flags options.
Let's use the following configuration as an example: our web servers are protected by a NuFW firewall. They are in the network $DMZ.
The following rules achieve to realize a user connection tracking on the web
server outgoing connections.
iptables -A FORWARD -p tcp -m state --state ESTABLISHED --tcp-flags ACK,FIN NONE -j ACCEPT iptables -A FORWARD -d $DMZ -p tcp -m state --state ESTABLISHED --dport 80 --tcp-flags SYN,RST,ACK RST -j QUEUE iptables -A FORWARD -d $DMZ -p tcp -m state --state ESTABLISHED --dport 80 --tcp-flags FIN FIN -j QUEUE iptables -A FORWARD -s $DMZ -p tcp -m state --state ESTABLISHED --sport 80 --tcp-flags SYN,ACK SYN,ACK -j QUEUE iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT iptables -A FORWARD -d $DMZ -p tcp --syn --dport 80 -m state --state NEW -j QUEUE
The first rule optimizes the filter by matching an important part of the ESTABLISHED traffic. The last rule with --state ESTABLISHED is the standard accepted established packets. It has to be put after NuFW flags matching rules.
nutop is a perl script provided with nufw sources. It is a top like tool that displays the active and authenticated connections in real-time.
The best way[6] to use the logs generated by the connection tracking is to install nulog(a.k.a ulog-php) which provides a convenient web interface. nulog is available under GPL on this page: http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuLog
All you need to do is to setup a SQL user with SELECT permissions on the "conntrack_ulog" table. Then setup mod_auth_nufw to use the configured SQL user/database/table. The source code of the apache module is available at NuFW Apache SSO page
All you need to do is to setup a SQL user with SELECT permissions on the "conntrack_ulog" table. Then setup squid_nufw_helper to use the configured SQL user/database/table. The source code of the squid helper is available at NuFW Squid SSO page
It is possible to use certificate authentication of clients: If
a user provides at TLS negotiation a certificate which DN matches a known
user then nuauth assumes the users is authenticated and doesn't ask for a
password.
To activate this functionnality, you need to set the option
nuauth_tls_auth_by_cert to 1.
Note that, nuauth_tls_request_cert has to be set
to 1 or 2 in the mean time.
Official Linux kernels are not able to mark packets
with ip_queue framework before 2.6.14 release.
It is thus necessary to patch the kernel (if pre 2.6.14), this has to be done by using
the ip_queue_vwmark patch available in the
patch-o-matic-ng from netfilter. This will generate a modified version of both
ip_queue module and libipq.a file.
Once the new libipq.a is installed, you can now compile nufw:
./configure --with-user-mark ${EXTRA_OPTIONS_YOU_LIKE}
make
make install
nufw can now be run with -m to use userid marking.
This option is compatible with -M.
As nufw only works with initialisation packets it can not pull the userid mark of each packet of a connection. Thus, this is necessary to use CONNMARK[7] which is a target able to propagate marks accross connections. A basic setup is the following:
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
First line restores the existing mark when a packet arrives and second line saves mark on the connection so it can be restored later.
The nuauth variable nuauth_finalize_packet_module lists module which attach a hook called just before
nuauth answer to nufw about a packet.
It is usually used to modify the mark of the packet following a given strategy.
By splitting the mark in different part, this is possible to define complexe marking policy which can later be used
by Linux routing and QoS systems.
Extensive documentation can be found in the file README.mark
Netfilter mark can be use by the Quality of Service system and the routing system of Linux.
So it is possible to do differenciated routing between different users by using command like:
ip rule add fwmark XXX lookup TABLE
This is almost the same for QoS, by using tc filter one needs to put user's flows in a specific class:
tc filter add dev IFACE prio 5 protocol ip handle 102 fw flowid FLOWID
For more information about routing and quality of service you can read lartc.
The syntax is the following: Each option that set up the use of a hook is a list of modules separated by space.
For each module type, the syntax is the following:
name[:type[:config file]]
If syntax is:
name: load module "name" with config file included in nuauth.conf
name:type: load module "type" with config file CONFIG_DIR/modules/name.conf
name:type:conf: load module "type" with config file "conf"
Let's analyse the following line:
nuauth_user_logs_module="syslog dblocal:mysql maindb:mysql:/etc/nufw/mainmysql.conf"
Packet will be logged multiple times:
In syslog
In a MySQL database using configuration file /etc/nufw/modules/dblocal.conf
In a second MySQL database using configuration file /etc/nufw/mainmysql.conf
It is warmly recommanded to put the nuauth
in a protected place to ensure the security of
communications between nufw and nuauth[8].
As the firewall policy relay on the answer of nuauth, is it good to check that
the nuauth server is trustworthy. To do so we can ask nufw to check the certificate provided
by nuauth during the TLS negotiation. This is done by using the -a at start
of nufw followed by the name of the certificate authority file.
With this option set nufw will check the presence of a signed certificat
on nuauth side.
You can even run nufw in strict TLS mode using -S parameter. We highly recommend
to use this option. It means nufw will not start if your certificate is:
Not verifiable against an authority
Invalid
Revoked
Without signer
With a signer that is not a CA
With an insecure algorithm (if GnuTLS is compiled with its support)
Not yet activated
Expired
Warning: This mode will be activated by default in next major stable release.
You can restrict both the number of connections a given user can start, either on any IP address or per IP address.
nuauth_single_user_client_limit: enforce the number of connections a user can start
nuauth_single_ip_client_limit: enforce the number of connections per IP a user can start
On client side, system needs to be trustworthy if you want to perform valuable application and OS filtering. You must never forget that it is the application on client side which tells the application name as well as the operating system name and version: these informations CAN and WILL be spoofed if a malicious user installs a modified NuFW agent.
This warning needs to be taken into account but one can not forget this feature exists to secure flows that an administrator would have to keep open on a standard system[9].
Thus, the value of application and os filtering depends on the confidence you have on the system which issues the authentication. On a secured system where users can not install software, this sort of filtering is "quite secure".
If your ldap server has support for TLS, you can setup nuauth to have the ldap acls checking module using ldap over SSL.
To do so, edit nuauth.conf and modify ldap
port to 636 (ldaps):
ldap_server_port=636
Next step is to edit /etc/ldap/ldap.conf to indicate which policy you want to use
for SSL connection.
If you only want to encrypt data, you can simply add to ldap.conf:
TLS_REQCERT never
The recommanded setup is to fill in ldap.conf with the path to certificate authority.
Your ldap.conf should look like:
TLS_CACERT /etc/ldap/cacert-ldap.pem TLS_REQCERT demand
Please note that you need to have a certificate that match precisely the hostname put in
the ldap_server_addr of nuauth.conf.
PAM is a very convenient way for extending authentication to "exotic" directories. In particular, PAM lets one interface nuauth on NT domains, Active Directory, Radius, etc.
To have nuauth authenticate users based on PAM/Ldap, one must set in nuauth.conf:
nuauth_user_check_module="system"
In addition, PAM needs to be properly setup, which is external to NuFW, and basically out of the scope of this document. Here are a couple of files to set on Debian to get PAM/LDAP working with nuauth: /etc/pam.d/nuauth:
#This is to set PAM-LDAP, modify to suit your needs! auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_deny.so account required /lib/security/pam_ldap.so session required /lib/security/pam_limits.so session optional /lib/security/pam_ldap.so
The /etc/nsswitch.conf file also needs to be tuned:
#This is to set PAM-LDAP, modify to suit your needs! passwd: compat ldap group: compat ldap
(leave the other lines unchanged). And you probably also need to tune the /etc/pam_ldap.conf file. This file works for us, provided there is no line beginning with "uri":
host 127.0.0.1 ldap_version 3 scope one pam_password crypt nss_base_passwd ou=Users,dc=nufw,dc=org?one nss_base_group ou=Group,dc=nufw,dc=org?one
You also need to install and configure libnss-ldap. Configuration that works for us (still on debian) in /etc/libnss-ldap.conf:
host 127.0.0.1 base replace_with_your_base ldap_version 3 rootbinddn cn=admin,dc=replace_with_your_base #Optional, set if you need these: nss_base_passwd ou=users,dc=replace_with_your_base?one nss_base_group ou=groups,dc=replace_with_your_base?one
Of course, tune this to suit your needs, and be aware that these system instructions may not be accurate for other distributions!
On Debian/Ubuntu, you will need the following packages:
krb5-user
krb4-config
samba
winbind
The /etc/krb5.conf file should contain something like:
[libdefaults]
default_realm = DOMAIN.NAME
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
DOMAIN.NAME = {
kdc = 10.0.122.5
admin_server = 10.0.122.5
default_domain = DOMAIN.NAME
}
[domain_realm]
.domain.name = DOMAIN.NAME
domain.name = DOMAIN.NAME
shortname = DOMAIN.NAME
.shortname = DOMAIN.NAME
The /etc/nsswitch file should look like:
passwd: compat winbind group: compat winbind shadow: compat hosts: files dns mdns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
It is very important that your system is time-synchronized with the AD/NT server. You should setup ntp to achieve this!
The /etc/samba/smb.conf file should also be customized:
[global] # Change this to the workgroup/NT-domain name your Samba server will part of realm = DOMAIN.NAME password server = AD-SERVER netbios name = NUAUTH-SERVER workgroup = SHORTNAME # server string is the equivalent of the NT Description field server string = %h server sexa-prn1 (Samba, Ubuntu) ####### Authentication ####### security = ads encrypt passwords = true guest account = nobody ############ Misc ############ socket options = TCP_NODELAY domain master = no # Some defaults for winbind (make sure you're not using the ranges # for something else.) idmap uid = 10000-20000 idmap gid = 10000-20000 template shell = /bin/bash template homedir = /home/%D/%U client use spnego = yes client ntlmv2 auth = yes restrict anonymous = 2
To join the Windows Domain, one will use:
kinit administrator@DOMAIN.NAME net ads join -U administrator
The last command should display the short domain name, and should specify that the machine was successfully added to the domain.
Winbind (or winbindd) should be running on your system. You can check things are going allright by reading samba logs (probably in /var/log/samba/*).
Table of Contents
NuWinC (NuFW Windows Client) provides NuFW authentication for Microsoft Windows 95/98/NT/2000/XP/2003/Vista. This software is available from INL. NuWinC can provide, when installed on machines of a Windows domain, a 100% transparent behaviour, meaning users will not even notice it starting or running. For more information about NuWinC, see http://www.inl.fr/NuWINc,68.html.
Several clients run on Linux :
nutcpc : the lightest, command line agent.
Nuapplet2 : The graphical client.
PAM authentication, through the pam_nufw module. This provides transparent authentication on nuauth.
MacOS X is supported by the Nuapplet2 graphical client. The nutcpc command line client also runs on MacOS X.
Table of Contents
The NuFW daemons can virtually support any protocol, provided a stateful inspection exists in Netfilter to deal with the given protocol. However, the main concern about protocol support is client-side.
TCP: TCP is supported by all existing clients (Linux, MacOS X, Windows).
UDP: Requires some administrator operations, for now only the Windows client supports UDP.
ICMP: Uses raw socket. We are unsure whether this can be authenticated at all. For now, no client supports ICMP.
other: No support. Contact us if you feel some other protocol could be supported.
Big endian architectures are supported since version 1.0.11. Prior releases do not work on big endian.
Glibc 2.3.2 is buggy and you need to set
system_glibc_cant_guess_maxgroups to the maximum number of groups
for a single user.
NuFW packages are part of the debian distribution. Those packages are as stable as we make them,so please backup your config before upgrading them and provide feedback ! From 1.0.16 on we believe the debian packaging is getting pretty stable.
Suse version 9 seems to use a very old Glib, which is not compatible with NuFW. It seems this is true for all Suse versions until v9.
There's an ip_queue bug on kernels prior to 2.6.12. It can hang the system when an ACCEPT decision is done on the INPUT chain. Thus DO NOT use a QUEUE target on INPUT with these kernels or it could freeze your computer. And anyway, you should use a recent kernel and NFQUEUE, as explained hereup in this howto.
NuFW should run seamlessly in virtualized environments. However it seems a Xen 3.1 does not allow the use of nfnetlink without problems. The following facts were reported (with NuFW 2.2.14, but NuFW versioning is not the matter) :
Xen 3.1, kernel 2.6.22 BUG : No network trafic when launching the nufw daemon.
Xen 3.2, kernel 2.6.22 BUG : No network trafic when launching the nufw daemon.
Xen 3.2, kernel 2.6.24 Everything works.
nufw is the server running on the firewall which receives the packets coming from kernel and send them to the authentication server and wait a response.
nuauth is the authentication server which receives the packets coming from nufw and the packets coming from user and send back a decision to nufw.