uif - Universal Internet Firewall
uif [-c <configfile>] [-n] [-p [-l]] [-6]
uif -d [-6]
uif [<ldap-options>]
This manual page documents the uif command. It is used to
generate optimized nft(8) or iptables(8) packetfilter rules from a simple
description file specified by the user. Generated rules are
provided in nft(8) style (with option -f <filename>) or in
iptables-save(8) style. uif can also read rulesets from, or write them to,
LDAP servers in your network, which provides a global
storing mechanism (LDAP support hasn't been tested for a long time). Note
that you need to include uif.schema in your slapd configuration
in order to use it.
uif.conf(5) provides an easy way to specify rules, without
exact knowledge of the nft / iptables syntax. It provides groups and aliases
to make your packetfilter human readable.
Keep in mind that uif is intended to assist you when
designing firewalls, but will not tell you what to filter.
The options are as follows:
- -6
- Turn on IPv6 mode so as to manipulate IPv6 rules. The default configuration
file is changed to /etc/uif/uif6.conf; see -c below. It should be noted
that nat rules are silently ignored if -6 is used.
- -b <basedn>
- Specify the base DN to act on when using LDAP based firewall
configuration. uif will look in the subtree
ou=filter,ou=sysconfig,<basedn> for your rulesets.
- -c <configfile>
- This option specifies the configuration file to be read by uif. See
uif.conf(5) for detailed information on the file format. It defaults
to /etc/uif/uif.conf.
- -C <configfile>
- When reading configuration data from other sources than specified with -c
you may want to convert this information into a textual configuration
file. This option writes the parsed config back to the file specified by
<configfile>.
- -d
- Clears all firewall rules immediately.
- -D <bind_dn>
- If a special account is needed to bind to the LDAP database, the account's
DN can be specified at this point. Note: you should use this when writing
an existing configuration to the LDAP database. Reading the configuration may be
done with an anonymous bind.
- -p
- Prints rules specified in the configuration to stdout. This option is
mainly used for debugging the rule simplifier.
- -l
- If printing rules (see -p) prepend line numbers to the print-out.
- -r <ruleset>
- Specifies the name of the ruleset to load from the LDAP database. Remember
to use the -b option to set the base. Rulesets are stored using the
following DN: cn=<ruleset>, ou=rulesets, ou=filter,
ou=sysconfig, <basedn>, where <ruleset> will be replaced by
the ruleset specified.
- -R <ruleset>
- Specifies the name of the ruleset to write to the LDAP database. This
option can be used, for example, to convert a textual configuration to an LDAP
based ruleset. As with -r, you have to specify the LDAP base to use.
The target is cn=<ruleset>, ou=rulesets, ou=filter, ou=sysconfig,
<basedn>, where <ruleset> will be replaced by the
ruleset specified.
- -s <server>
- This option specifies the LDAP server to be used.
- -t
- This option is used to validate the packetfilter configuration without
applying any rules. Mainly used for debugging.
- -T <time>
- When changing your packetfiltering rules remotely, it is useful to have a
test option. Specify this one to apply your rules for a period of
<time> (in seconds). After that the original rules will be
restored.
- -w <password>
- When connecting to an LDAP server, you may need to authenticate via a
password. If you really need to specify a password on the command line
(discouraged!), use this option, otherwise use -W and enter it
interactively.
- -W
- Activate interactive password query for LDAP authentication.
uif is meant to leave the packetfilter rules in a defined
state, so if something went wrong during the initialisation, or uif
is aborted by the user, the rules that were active before starting will be
restored.
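The -T <time> test period and the restore-on-abort behaviour described above, written out as a plain sh function. This is an added example, not uif's own code: it assumes nft(8) as the backend (through the NFT_LIST and NFT_LOAD variables, which are this example's, not uif options) and a candidate ruleset file such as the one uif -f writes.

```shell
#!/bin/sh
# Added example, not uif's own code: re-implements the -T <time> behaviour
# in plain sh. Snapshot the active nft ruleset, load the candidate ruleset
# for <time> seconds, then restore the snapshot, also on Ctrl-C / SIGTERM.
# Assumption: the two command variables default to nft(8) and may be
# overridden with shell functions to exercise the logic offline.
NFT_LIST=${NFT_LIST:-"nft list ruleset"}   # prints the active ruleset
NFT_LOAD=${NFT_LOAD:-"nft -f"}             # loads a ruleset file

UIF_SNAPSHOT=""   # path of the snapshot file while a test period runs

# Load the snapshot back (if one exists) and clean up.
restore_snapshot() {
    [ -n "$UIF_SNAPSHOT" ] || return 0
    $NFT_LOAD "$UIF_SNAPSHOT"
    rc=$?
    rm -f "$UIF_SNAPSHOT"
    UIF_SNAPSHOT=""
    trap - INT TERM
    return $rc
}

# apply_for_period <ruleset-file> <seconds>
# Returns 0 when the candidate was applied and the old rules came back.
apply_for_period() {
    ruleset=$1
    secs=$2
    [ -r "$ruleset" ] || return 1
    UIF_SNAPSHOT=$(mktemp) || return 1
    # "flush ruleset" first, so that loading the snapshot replaces the
    # candidate instead of merging with it. No snapshot, no defined state:
    # refuse to continue.
    if ! { echo "flush ruleset"; $NFT_LIST; } > "$UIF_SNAPSHOT"; then
        rm -f "$UIF_SNAPSHOT"
        UIF_SNAPSHOT=""
        return 1
    fi
    # From here on an interrupt rolls back before exiting.
    trap 'restore_snapshot; exit 130' INT TERM
    if ! $NFT_LOAD "$ruleset"; then
        restore_snapshot        # partial load: fall back to the old rules
        return 1
    fi
    sleep "$secs"
    restore_snapshot
}
```

Run as root with a real nft backend, e.g. `apply_for_period /tmp/candidate.nft 60`; the snapshot lives in a mktemp file readable only by the invoking user.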
Normally you will not need to call this binary directly. Use the
init script instead, since it does the most common steps for you.
Configuration files are located in /etc/uif.
This manual page was written by Cajus Pollmeier
<pollmeier@gonicus.de> and Jörg Platte
<joerg.platte@gmx.de> and adjusted to nft support by Mike Gabriel
<mike.gabriel@das-netzwerkteam.de>.