NuFW Troubleshooting

When NuFW doesn't work, check each step of the authentication process in this order:

Is the nufw daemon running?

If the nufw daemon doesn't start and gives you a message like:

[!] Error during nfq_bind_pf()

Try compiling your kernel with:

CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CT_NETLINK=m

For some reason, compiling these options into the kernel (=y instead of =m) is NOT a good idea and prevents nufw from running, at least on 2.6.24.

Does Netfilter apply the NFQUEUE decision to the first packet?

  • Watch the Netfilter packet counters. Initial state:
# watch -d -n 3 iptables -L -v
(...)
Chain OUTPUT (policy ACCEPT 52435 packets, 2670K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  any    any     anywhere             anywhere            tcp dpt:5000 state NEW NFQUEUE num 0
  • A few seconds later (the pkts column has changed and is highlighted):
(...)
Chain OUTPUT (policy ACCEPT 54607 packets, 2780K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 NFQUEUE    tcp  --  any    any     anywhere             anywhere            tcp dpt:5000 state NEW NFQUEUE num 0
  • If the packet counter doesn't change, check your iptables rules.

Does nufw daemon catch the packet?

Kernel configuration

  • Are kernel modules loaded?
# lsmod|grep nfnetlink
nfnetlink_queue        13760  0 
nfnetlink               6936  3 nf_conntrack_ipv4,nf_conntrack,nfnetlink_queue
  • If modules are not loaded:
# modprobe nfnetlink nfnetlink_queue

Watch nufw logs

  • Display nufw packet counter using SIGPOLL signal (alias of SIGIO signal):
# killall -IO nufw
  • Watch the received packet counter (rx): it should be incremented for each new connection. Example of a working setup:
[14:25:27] AUDIT: rx=0 tx=0 track_size=0 list=empty
[14:26:45] AUDIT: rx=1 tx=0 track_size=0 list=empty <--- packet received
  • Example of a Netfilter rules problem:
[10:29:07] AUDIT: rx=0 tx=0 track_size=0 list=empty
[10:29:11] AUDIT: rx=0 tx=0 track_size=0 list=empty <--- no packet received from NFQUEUE
  • If nufw doesn't receive any packet, recheck your iptables rules and your kernel configuration.

Is nufw connected to nuauth?

Check netstat

# netstat -tnp|grep :4128
tcp        0      0 127.0.0.1:4128          127.0.0.1:53922         ESTABLISHED 8818/nuauth
tcp        0      0 127.0.0.1:53922         127.0.0.1:4128          ESTABLISHED 8851/nufw

Check nufw logs

  • Watch the nufw logs. Example of a failed nufw connection to nuauth:
[14:31:07] [!] TLS connection to nuauth can NOT be restored
  • Example of a successful nufw connection to nuauth:
[14:32:24] [+] TLS connection to nuauth restored

Check nuauth logs

  • Example of a successful nufw connection:
** Message: NuFW TLS Handshaking (last error: 0)
** Message: NuFW TLS Handshaked
** Message: NuFW TLS mac: SHA
** Message: NuFW TLS kx: RSA
** Message: NuFW TLS Handshake was completed
** Message: Certificate verification is not done as requested
** Message: [+] NuFW: new client connected on socket 6

Reasons for nufw connection failure

  • The nuauth server is not running
  • nufw uses the wrong port to connect to nuauth. The right port number is:
    * TCP 4128 since NuFW 2.2
    * TCP 4129 for NuFW 1.0 and 2.0
  • X.509 certificate problems

Does nufw send the packet to nuauth?

  • Watch the nuauth logs:
    ** Message: nufw activity on socket 6
    ** Message: Auth pckt: Working on new connection (id=1)
    ** Message: NuFW Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=53372 dport=5000, packet_id=1
    ** Message: (*) NuFW auth request (nufw mode): packetid=1
    

Is nuauth able to decode the packet and warn the client at the right IP?

  • Watch the nuauth logs. Example of nuauth log messages:
    ** Message: (*) NuFW auth request (nufw mode): packetid=1
    ** Message: Starting search and fill
    ** Message: Creating new packet
    ** Message: search&push: need to warn client
    ** Message: Warn client(s) on IP 127.0.0.1
    

Does the user answer nuauth?

Is the client connected to nuauth?

  • Check with netstat:
    # netstat -np|grep 4129
    tcp        0      0 127.0.0.1:4129          127.0.0.1:40359         ESTABLISHED 8995/nuauth
    tcp        0      0 127.0.0.1:40359         127.0.0.1:4129          ESTABLISHED 9028/nutcpc

Check nuauth logs

  • Watch the nuauth logs:
    ** Message: Warn client(s) on IP 127.0.0.1
    ** Message: user activity on socket 7
    ** Message: Pushing packet to user_checker
    ** Message: entering user_check
    ** Message: Authreq start
    ** Message:     got IPv4 field
    ** Message:     got APP field
    ** Message: Authreq end
    ** Message: User Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=53379 dport=5000, OS=Linux 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007, app=/bin/nc
    ** Message: Starting search and fill
    

Check nutcpc logs

  • Use nutcpc in debug mode (nutcpc -d):
    $ nutcpc -H 127.0.0.1 -d (...)
    Connecting to NuFW gateway (127.0.0.1)
    (...)
    [+] Client is asked to send new connections.
    [+] Send 1 new connection(s) to nuauth
    

Does nuauth check user's ACL?

  • Check which nuauth modules are used for ACL checks
  • Make sure that nuauth asks the ACL check modules to process the packet: watch the nuauth logs
  • Check the nuauth logs:
    ** Message: Starting search and fill
    ** Message: Complete authreq: Filling user data for haypo
    ** Message: entering acl_check
    (...)
    ** Message: Answ Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=55217 dport=22, decision=ACCEPT, packet_id=1, OS=Linux 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007, app=/usr/bin/ssh
    ** Message: leaving acl_check
    

Is the user connection accepted?

  • Check the nuauth logs:
    (...)
    ** Message: Answ Packet: src=127.0.0.1 dst=127.0.0.1 (...) decision=ACCEPT (...)
  • If the connection is dropped (decision is DROP), first check your user authentication module (the nuauth_user_check_module configuration variable). If it is different from the packet authentication module (the nuauth_acl_check_module configuration variable), make sure that the user groups are the same in both.

system module

  • Check the authentication logs: /var/log/auth.log
  • nuauth has to run as root to be able to authenticate users with the system module (PAM)
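The nuauth log messages quoted from "Does nufw send the packet to nuauth?" down to "Is the user connection accepted?" form an ordered chain, so a log can be searched for the last stage that was reached. The script below is an added example, not part of NuFW or its documentation; its sample log is constructed from the messages shown above, and the stage names and hints are this example's own.

```shell
#!/bin/sh
# Added example, not NuFW code: read a nuauth log and report the last stage of
# the authentication chain reached, using the messages quoted on this page.

# Constructed sample: nuauth warned the client but the user never answered.
NUAUTH_SAMPLE='** Message: [+] NuFW: new client connected on socket 6
** Message: nufw activity on socket 6
** Message: NuFW Packet: src=127.0.0.1 dst=127.0.0.1 proto=6 sport=53372 dport=5000, packet_id=1
** Message: (*) NuFW auth request (nufw mode): packetid=1
** Message: Warn client(s) on IP 127.0.0.1'

# Ordered stages: "<log marker>|<stage name>|<what to check if the chain stops here>"
STAGES='NuFW: new client connected|nufw_connected|nufw sent nothing: check NFQUEUE counters and the nufw rx counter
NuFW Packet:|packet_received|nuauth could not decode the packet or find the client IP
Warn client(s) on IP|client_warned|the user did not answer: is nutcpc connected on TCP 4129?
User Packet:|user_answered|acl_check never entered: check nuauth_acl_check_module
entering acl_check|acl_checked|no decision produced: check the ACL configuration
Answ Packet:|decision_sent|chain complete: check decision= and the nufw tx counter'

# last_stage: reads the log on stdin, prints "<stage name>|<hint>".
last_stage() {
    log=$(cat)
    result='none|nufw never connected: check TCP 4128 and the X.509 certificates'
    while IFS='|' read -r marker name hint; do
        case "$log" in
            *"$marker"*) result="$name|$hint" ;;   # stage reached, try the next one
            *) break ;;                            # chain stops before this stage
        esac
    done <<EOF
$STAGES
EOF
    printf '%s\n' "$result"
}

# decision: reads the log on stdin, prints decision= of the last Answ Packet line, or "none".
decision() {
    d=$(sed -n 's/.*Answ Packet:.*decision=\([A-Z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${d:-none}"
}

printf '%s\n' "$NUAUTH_SAMPLE" | last_stage
printf '%s\n' "$NUAUTH_SAMPLE" | decision
```

Feed it a real log with `last_stage < /var/log/nuauth.log` (path assumed) and read the hint as the next section of this page to check.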

Does nuauth send decision (ACCEPT or DROP) to nufw?

  • Display the nufw packet counter using the SIGPOLL signal:
    # killall -IO nufw
  • Check the transmit packet counter (tx): it should be incremented for each accepted (decision ACCEPT) connection. Example of a working setup:
    [14:30:29] AUDIT: rx=1 tx=0 track_size=0 list=empty
    [14:30:59] AUDIT: rx=1 tx=1 track_size=0 list=empty <--- packet accepted

Does nufw apply the decision?

  • Check that your test connection is open
  • If not, make sure that /proc/sys/net/ipv4/ip_forward is 1
