File: uif.8

package info (click to toggle)
uif 1.1.9-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, sid
  • size: 520 kB
  • sloc: perl: 1,991; sh: 324; makefile: 37
file content (144 lines) | stat: -rw-r--r-- 4,600 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
.\"  -*- nroff -*-
.TH UIF 8 "Aug 20th, 2018"
.\" Please adjust this date whenever revising the manpage.
.Dd Aug 20th, 2018
.Dt UIF 8
.Os
.ds operating-system UIF(8)
.Sh NAME
.Nm uif
.Nd Tool for generating optimized packetfilter rules
.Sh SYNOPSIS
.Nm uif
.Op Fl 6
.Op Fl dptW
.Op Fl b Ar base
.Op Fl c Ar config_file
.Op Fl C Ar config_file
.Op Fl D Ar bind_dn
.Op Fl r Ar ruleset
.Op Fl R Ar ruleset
.Op Fl s Ar server
.Op Fl T Ar time
.Op Fl w Ar password
.Sh DESCRIPTION
.Pp
This manual page documents  the
.Nm
command. It is used to generate optimized
.Xr iptables 8
packetfilter rules, using a simple description file specified
by the user. Generated rules are provided in 
.Xr iptables\-save 8
style.
.Nm
can be used to read or write rulesets from or to LDAP servers in your
network, which provides a global storing mechanism. (LDAP support is
currently broken, note that you need to include the uif.schema to your
slapd configuration in order to use it.)
.Pp
.Xr uif.conf 5
provides an easy way to specify rules, without exact
knowledge of the iptables syntax. It provides groups and aliases to make your
packetfilter human readable.
.Pp
Keep in mind that 
.Nm uif
is intended to assist you when designing firewalls, but will not
tell you what to filter.
.Sh Options
The options are as follows:
.Bl -tag -width Ds
.It Fl 6
Turn on IPv6 mode so as to manipulate ip6tables rules. 
Default configuration file is changed to
.Ar /etc/uif/uif6.conf
see 
.Ar \-c 
below. It should be noted that nat rules are silently ignored if 
.Ar \-6
is used.
.It Fl b Ar base
Specify the base to act on when using LDAP based firewall configuration.
.Nm
will look in the subtree
.Ar ou=filter, ou=sysconfig, base
for your rulesets.
.It Fl c Ar config_file
This option specifies the configuration file to be read by
.Nm \.
See
.Xr uif.conf 5
for detailed information on the fileformat. It defaults to
.Ar /etc/uif/uif.conf.
.It Fl C Ar config_file
When reading configuration data from other sources than specified with
.Ar \-c 
you may want to convert this information into a textual configuration
file. This options writes the parsed config back to the file specified by
.Ar config_file.
.It Fl d
Clears all firewall rules immediately.
.It Fl D Ar bind_dn
If a special account is needed to bind to the LDAP database, the account
dn can be specified at this point. Note: you should use this when writing
an existing configuration to the LDAP. Reading the configuration may be
done with an anonymous bind.
.It Fl p
Prints rules specified in the configuration to stdout. This option is
mainly used for debugging the rule simplifier.
.It Fl r Ar ruleset
Specifies the name of the ruleset to load from the LDAP database. Remember
to use the
.Ar \-b
option to set the base. Rulesets are stored using the following dn:
.Ar cn=name, ou=rulesets, ou=filter, ou=sysconfig, base,
where name will be replaced by the ruleset specified.
.It Fl R Ar ruleset
Specifies the name of the ruleset to write to the LDAP database. This option
can be used to convert i.e. a textual configuration to a LDAP based ruleset.
Like using
.Ar \-r
you've to specify the LDAP base to use. Target is
.Ar cn=name, ou=rulesets, ou=filter, ou=sysconfig, base,
where name will be replaced by the ruleset specified.
.It Fl s Ar server
This option specified the LDAP server to be used.
.It Fl t
This option is used to validate the packetfilter configuration without applying
any rules.  Mainly used for debugging.
.It Fl T Ar time
When changing your packetfiltering rules remotely, it is
useful to have a test option. Specify this one to apply
your rules for a period of time (in seconds). After that the original
rules will be restored.
.It Fl w Ar password
When connecting to the LDAP server, you may need to 
authenticate via passwords. If you really need to
specify a password, use this option, otherwise use
.Ar \-W
and enter it interactivly.
.It Fl W
Activate interactive password query for LDAP authentication.
.El
.Pp
.Nm
is meant to leave the packetfilter rules in a defined state,
so if something went wrong during the initialisation, or
.Nm
is aborted by the user, the rules that were active before
starting will be restored.
.Pp
Normally you will not need to call this binary directly. Use
the init script instead, since it does the most common steps
for you.
.Sh FILES
Configuration files are located in /etc/uif.
.Sh SEE ALSO
uif.conf(5)
iptables(8)
.Pp
.Sh AUTHOR
This manual page was written by Cajus Pollmeier <pollmeier@gonicus.de> and
Jörg Platte <joerg.platte@gmx.de>, for the Debian GNU/Linux system (but may
be used by others).