NuFace : Administrator manual

This documentation is distributed under the Free Documentation Licence. Before reading/copying/using this documentation, please make sure you have read and accepted the licence. See http://www.gnu.org/licenses/licenses.html#FDL

Revision History
Revision 0.1 (2005/03/22)

Initial release

Revision 0.1.1 (2005/08/10)

Documented the new "Modified" and "Comment" fields. Various fixes. First complete English translation.

Revision 0.1.2 (2005/12/31)

Acl groups now supported and documented

Revision 0.1.3 (2006/02/10)

Documented NAT rules


Table of Contents

1. General Introduction
2. Interface's elements
Index
Acls
Protocols
Subjects
Ressources
Nat
Changes management and tracking
The Comment field
The Modified field
3. Items used by Nuface
Containers
Definition
How to use containers
Elements
Definition
Examples
Acls
Definition
Groups
4. Details about elements
Element types
The ipv4 type
The nufw type
The proto type
The link type
How to create an element
Copy an existing element
Creating an element from scratch

Chapter 1. General Introduction

The Nuface web interface allows you to configure a nufw based firewall (EdenWall), or a simple Netfilter firewall. With Nuface, the way of working is to use the following objects:

  • subjects: the initiator of a connection: an IPv4 object, a NuFW authenticated user, or a combination (and/or) of both.

  • ressources: the destination of a connection

  • protocols: used to define technical parameters of a connection: ports, icmp types, protocols, etc.

  • acls: use one element of each class defined above. One acl can generate several firewall rules.

  • floatings: these are working elements, used to easily manipulate and move objects handled by the web interface. Floating elements are never saved to file; they are to be used within one session only.

Chapter 2. Interface's elements

The firewall configuration interface is built of several sections which are described here.

Index

The Index page lets you manage configuration files built with Nuface, and is an interface for several system tasks:

  • Load an existing configuration file

  • Save configuration to a new file, or by overwriting an existing one

  • Delete a configuration file

  • Clear session: this forgets all current modifications. All current items of the interface are deleted

  • Filter rules: generate a ruleset file. This must be done before loading the wanted ruleset

  • Reload firewall rules: puts the rules generated by the former option into production. Two options are available:

    • nufw : load authenticating rules

    • standard : load backup (non-authenticating) rules

Acls

This is the main page of the interface, as it uses items built from other pages :

  • protocols : protocols definition page

  • subjects : definition page for the entities that are initiators of connections

  • ressources : definition page for the entities that are protected by the firewall (destinations of connections)

Of course, one single object can be referenced both in Subjects and in Ressources. This page only works if a valid ACLs file was loaded through the index page.

On this page, you can :

  • Change order of acls. The higher an acl is in the list, the higher its priority over the others. In other words, if two acls specify different decisions for a given connection, the first one in the list is applied.

  • Edit acls. You can change :

    • The acl name (this is just a label name)

    • The protocol(s) (group) used by this acl

    • The subject(s) (group) used by this acl

    • The ressource(s) (group) used by this acl

    • The acl's decision. Available decisions are :

      • Accept : accept connections matching the given criteria

      • Drop : drop any packet matching the given criteria, as if we never received it.

      • Reject : same as Drop, but let the sender know we refused their attempt

      • Ulog : advanced logging (ie, to database)

      • Log : standard logging (to syslog)

      When dealing with an authenticating rule, only one of the first two decisions can be chosen (for such rules, logging is provided through other means). Choosing Ulog or Log is not an actual decision: it gets the packet logged, but a decision remains to be taken by another acl.

Protocols

The protocols definition page lists all protocols in use by the firewall. As for all items used in Nuface, you can gather items together into containers.

For instance, you could gather the protocols HTTP and HTTPS into one Websurf protocol entity, and use this entity to generate acls which will apply to either HTTP or HTTPS traffic.

This page contains containers, which are, by definition, objects with nothing else than a label. Each container also gathers one or several elementary items, which can define data by themselves, or link to other containers. This way, you can combine items as you please without redefining already existing items.

Protocols elementary items can be assigned the following types of data:

  • name : name of the element (this is just a label)

  • proto : the protocol. Possible values of this field are:

    • tcp

    • udp

    • icmp

  • dport : destination port. (only valid if protocol is either tcp or udp)

  • sport : source port (only valid if protocol is either tcp or udp)

  • icmptype (only valid if protocol is icmp)

  • ID : a nuface-assigned identifier, which you can not modify

"Link" typed elements can also be created on this page

Subjects

The subjects definition page lists all subjects in use by the firewall. A so-called subject is an item that is at the source of network traffic: an initiator of connections. As for all items used in Nuface, you can gather items together into containers. There is one difference on this page, as compared to others: the subjects page is the only one that lets you choose the type of gathering you want to apply to objects. One of these two logical types of gathering must be chosen:

  • and : all elements of the group must match

  • or : if one element of the group matches, match is granted

For instance, let's gather these objects: authenticated administrators and admin_net into a container that we name Admins. We will use this container on the acls page to generate rules that deal with network traffic from authenticated administrators and/or (depending on what we set here) the admins network.

As for protocols, this page contains containers, which are, by definition, objects with nothing else than a label. Each container also gathers one or several elementary items, which can define data by themselves, or link to other containers. This way, you can combine items as you please without redefining already existing items.

Elementary items defined on the Subjects page are attributed the following fields, if their type is ipv4:

  • name : element name (this is just a label)

  • net : network address (can be one single IP address or a network address)

  • mark : this is the same mark as the one set in the VPN configuration file. This mark, which is used by the Kernel, guarantees no spoofing is possible in the VPN tunnel.

  • ID : a nuface-assigned identifier, which you can not modify

Elementary items defined on the Subjects page are attributed the following fields, if their type is nufw:

  • name : element name (this is just a label)

  • group : the group number, matching a group of users on your Users Directory (LDAP, Active Directory, NT domain, etc.).

  • ID : a nuface-assigned identifier, which you can not modify

"Link" typed elements can also be created on this page

Ressources

The ressources definition page lists all ressources in use by the firewall. A so-called Ressource is always a network object, which receives a connection launched from a Subject. As for all items used in Nuface, you can gather items together into containers.

As for protocols and subjects, this page contains containers, which are, by definition, objects with nothing else than a label. Each container also gathers one or several elementary items, which can define data by themselves, or link to other containers. This way, you can combine items as you please without redefining already existing items.

Elementary items defined on the Ressources page are attributed the following fields :

  • name : element name (this is just a label)

  • net : network address (can be one single IP address or a network address)

  • mark : this is the same mark as the one set in the VPN configuration file. This mark, which is used by the Kernel, guarantees no spoofing is possible in the VPN tunnel.

  • ID : a nuface-assigned identifier, which you can not modify

"Link" typed elements can also be created on this page

Nat

This page deals with Network Address Translation rules. Nuface allows administrators to create and manage three kinds of NAT rules:

  • SNAT: source NAT; these rules rewrite the source address of connections.

  • DNAT: used to rewrite destination address and destination port of connections.

  • PNAT: translate only connection port

Rules defined on the nat page are attributed the following fields:

  • name: rule name (this is just a label)

  • Source address: connection source address

  • Dest. Address: connection destination address

  • Protocol: protocol of the connection. Possible values of this field are:

    • tcp

    • udp

    • icmp

  • Sport: connection source port (only valid if protocol is either tcp or udp)

  • Dport: connection destination port (only valid if protocol is either tcp or udp)

  • Type icmp (only activated if protocol is icmp)

Destination and source addresses represent either network addresses or one single IP address.

With DNAT rules, the Rewrite destination to field is the new destination address and new destination port of the connection.

Rewrite source to field of SNAT rules is the new connection source address.

With PNAT rules, the Rewrite port to field is the new destination port of the connection.

Changes management and tracking

From version 0.9.3 on, all items of the interface, containers and elements, are attributed two more fields : Comment and modified.

The Comment field

This field is for the administrator to record information that eases the management and tracking of interface items. This field is never used by Nuface's engine, and is only useful to the human users of the interface.

The Modified field

This field is set by Nuface, for each item of the interface. Nuface updates it whenever the item is modified by an administrator. The administrator can never change this field's value.

Chapter 3. Items used by Nuface

Containers

Definition

Subjects, ressources and protocols are organized with containers. Containers are nothing more than a shell that contains one or several elements. Containers are used to provide a structure to acls, and never define data by themselves. There are three types of containers:

  • subjects : gathers elements that describe what is at the source of connections.

  • ressources : elements of such containers are used to define network objects that are destinations of connections managed by the firewall.

  • protocols : this type of container defines protocols.

How to use containers

Always try to create containers that match a consistent entity. For instance, use a Subject container to gather two network addresses, so the container could be called "All addresses of your intranet". Do the same with protocols, to create protocols "groups" which would match a number of protocols to open so that one application works fine.

Elements

Definition

Elements are the most basic bricks of an acl set. Elements contain actual data, as opposed to containers, which define a structure of elements. There are several types of elements:

  • ipv4 : define network objects ; these can be used in Subjects or Ressources containers.

  • proto : can be used only in Protocols containers.

  • nufw : can be used only in Subjects containers. Elements of this type define user groups authenticated through NuFW.

  • link : can be used in any container. Link elements are used to gather several containers into one, in order to create a more complex or complete group.

Examples

Let's imagine you want to create an acl to allow SMTP access from the Internet to your DMZ mail server. We shall define the following elements:

  • A subject named "Internet", which must define the 0.0.0.0/0 network.

  • A protocol named "SMTP", defining TCP as protocol, destination port 25, source port higher than 1024

  • A ressource, which will here be defined as the IP address of our server.

Each element is stored in a container of its type; it is the containers that are handled by the acl, which also has an "accept" decision.

As a more complex example, you might want to allow a network to surf the Internet, either on HTTP or HTTPS. Such a case makes links useful. The HTTP and HTTPS protocols are defined by default; we create a new protocol container, named "Websurf", containing two link elements pointing to the HTTP and HTTPS containers. We will use our "Websurf" protocol to build the acl we want, so it will match all HTTP and HTTPS connections.
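
The SMTP and Websurf examples above, together with the and/or gathering of subjects described on the Subjects page and the acl ordering rule from the Acls page, worked through as an added Python model. This is illustration code added here; it is not Nuface's engine, nor its configuration file format. The container and acl names, the rule dictionaries that stand in for the netfilter rules Nuface would emit, and the packet fields are all assumptions made for the example. It shows how link elements make one acl expand into several rules, why acl order decides which rule applies, and why a Log or Ulog acl alone never decides.

```python
# Toy model of how Nuface-style containers, links and acls expand into filtering
# rules, and how the resulting ordered rule list is evaluated. Constructed for
# this example: not Nuface's engine or file format, and every name is assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

@dataclass
class Element:
    type: str                       # ipv4 / nufw / proto / link (never changes)
    net: Optional[str] = None       # ipv4: one address or a network
    group: Optional[int] = None     # nufw: authenticated user group number
    proto: Optional[str] = None     # proto: tcp / udp / icmp
    dport: Optional[str] = None     # proto: "25" or a range such as "1024:65535"
    sport: Optional[str] = None
    icmptype: Optional[str] = None
    target: Optional[str] = None    # link: name of the pointed container

@dataclass
class Container:
    name: str
    elements: list
    mode: str = "or"                # subjects page only: "and" (all must match) or "or"

def resolve(container, registry):
    """Follow links; return alternatives, each a list of elements that must all hold."""
    per_element = [resolve(registry[e.target], registry) if e.type == "link" else [[e]]
                   for e in container.elements]
    if container.mode == "and":
        # every element must match at once: distribute "and" over each link's alternatives
        return [sum(combo, []) for combo in product(*per_element)]
    return [alt for alts in per_element for alt in alts]

def generate(acls, registry):
    """Each acl is (name, subject, ressource, protocol, decision) and yields one
    rule per combination of alternatives, so a single acl may produce several rules."""
    rules = []
    for name, subject, ressource, protocol, decision in acls:
        alts = (resolve(registry[subject], registry),
                resolve(registry[ressource], registry),
                resolve(registry[protocol], registry))
        for subj, res, prot in product(*alts):
            rule = {"acl": name, "decision": decision}
            for side, alt in (("src", subj), ("dst", res), (None, prot)):
                for el in alt:
                    if el.type == "ipv4":
                        rule[side] = el.net
                    elif el.type == "nufw":
                        rule["nufw_group"] = el.group
                    else:
                        rule.update(proto=el.proto, dport=el.dport, sport=el.sport, icmptype=el.icmptype)
            rules.append(rule)
    return rules

def port_ok(spec, value):
    if spec is None:                # no port constraint
        return True
    lo, _, hi = spec.partition(":") # "25" or "1024:65535"
    return int(lo) <= value <= int(hi or lo)

def rule_matches(rule, pkt):
    for side in ("src", "dst"):
        if side in rule and ip_address(pkt[side]) not in ip_network(rule[side]):
            return False
    if rule.get("nufw_group") is not None and pkt.get("user_group") != rule["nufw_group"]:
        return False
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["proto"] == "icmp":
        return rule["icmptype"] in (None, pkt.get("icmptype"))
    return port_ok(rule["dport"], pkt["dport"]) and port_ok(rule["sport"], pkt["sport"])

def decide(rules, pkt):
    """First matching accept/drop/reject wins; log and ulog only record and fall through."""
    logged = []
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule["decision"] in ("log", "ulog"):
                logged.append(rule["acl"])
                continue
            return rule["decision"], logged
    return "no match", logged

REGISTRY = {  # constructed containers; the names are assumptions for this example
    "Internet": Container("Internet", [Element("ipv4", net="0.0.0.0/0")]),
    "bad_net": Container("bad_net", [Element("ipv4", net="203.0.113.0/24")]),
    "Admins": Container("Admins", [Element("nufw", group=100),          # authenticated admins
                                   Element("ipv4", net="10.0.0.0/24")], mode="and"),  # AND admin_net
    "mailserver": Container("mailserver", [Element("ipv4", net="192.0.2.25")]),
    "SMTP": Container("SMTP", [Element("proto", proto="tcp", dport="25", sport="1024:65535")]),
    "HTTP": Container("HTTP", [Element("proto", proto="tcp", dport="80")]),
    "HTTPS": Container("HTTPS", [Element("proto", proto="tcp", dport="443")]),
    "Websurf": Container("Websurf", [Element("link", target="HTTP"), Element("link", target="HTTPS")]),
}
ACLS = [  # order matters: the higher in the list, the higher the priority
    ("log smtp", "Internet", "mailserver", "SMTP", "log"),
    ("block bad net", "bad_net", "mailserver", "SMTP", "drop"),
    ("smtp in", "Internet", "mailserver", "SMTP", "accept"),
    ("admin websurf", "Admins", "Internet", "Websurf", "accept"),   # same container as subject and ressource
]
RULES = generate(ACLS, REGISTRY)
```

Inspect RULES after running the script: the "admin websurf" acl alone produces two rules (one per linked protocol), each carrying both the admin network and the nufw group because the Admins container uses "and". Calling decide() with a packet dictionary (src, dst, proto, sport, dport and optionally user_group) shows that swapping "block bad net" and "smtp in" in ACLS changes the verdict for a packet from 203.0.113.0/24, and that the "log smtp" acl only records the packet before a later acl decides.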

Acls

Definition

An ACL is the glue that links containers of subjects, ressources, and possibly protocols. Each Acl also contains a decision. Since Acls are built with containers of all types, the acl creation phase is usually the last one, as the other containers must exist to feed the acl. Don't forget that the order of Acls matters.

Groups

A group is an entity that lets you activate or disable a set of Acls. By default, all created Acls belong to the default group, which is enabled by default. To create a group, go to the Acls page, and use the form at the top of the page. To switch an Acl's group, edit that Acl and pick the desired group from the list. Acls that belong to disabled groups are displayed in grey in the Acls page. Those will not be taken into account next time you generate filtering rules.

All Acls are displayed with a geometric symbol which is a marker of the group they belong to.

Note : One given Acl can only belong to one group at a given moment

Chapter 4. Details about elements

Element types

The ipv4 type

This type is to define network elements: single addresses or network addresses. Elements of this type are to be used in subjects or in ressources containers, and let you target an acl at an IP address or at a network address.

The nufw type

This type of element can only be used in subjects containers, and is used to define a group of NuFW users. Acls using this container will then match only users belonging to the chosen group.

The proto type

This type of element can only be used in protocols containers. It defines a protocol, and is set the following fields: proto, which is tcp, udp or icmp. Depending on the chosen proto, the dport (destination port), sport (source port) and icmptype (icmp type) fields can also be set. Concerning port numbering, ranges can of course be specified, such as 1024:65535, which means "all ports from 1024 to 65535".

The link type

This type of element can be used in any container, and lets you create a link to another container of the same type. Using such a link is equivalent to using the pointed container, which allows for easy aggregation of data into one container.

How to create an element

Copy an existing element

It is easy to copy an element from a container to another, or from a page to another (for instance, copy an ipv4 element from the ressources page to the subjects page). Select the element to copy, and use the Copy to Floating button. Then, move to the target container, and use the Add button on top right to complete the copy.

Floating elements are just temporary elements, which disappear when you close a Nuface session. They are to be used for copying and creating elementary items used by Nuface.

Creating an element from scratch

Choose the floatings page, select the element type you want, and use the New element button. Note that the type of a given element can never be changed. Each element is attributed its type forever.

A good habit is to create in the floatings page one empty element of each type, and use them when needed, by copying them into the protocols, subjects or ressources pages.