nuface-2.0.14-2mdv2009.1.i586.rpm

<?xml version='1.0' encoding='iso-8859-1'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
               "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<book><title>NuFace : Administrator manual</title>
  <bookinfo>
    <author>
      <firstname>Vincent</firstname>
      <surname>Deffontaines</surname>
      <email>vincent.deffontaines@inl.no_spam.fr</email>
    </author>
    <copyright>
      <year>2005-2007</year>
      <holder>INL</holder>
    </copyright>
    <revhistory>
       <revision>
	<revnumber>0.1</revnumber>
	<date>2005/03/22</date>
	<revdescription>
	  <para>Initial release</para>
	</revdescription>
      </revision>
       <revision>
	<revnumber>0.1.1</revnumber>
	<date>2005/08/10</date>
	<revdescription>
	  <para>Documented new "Modified" and "Comment" fields. Various fixes.
          First complete English translation.</para>
	</revdescription>
      </revision>
       <revision>
	<revnumber>0.1.2</revnumber>
	<date>2005/12/31</date>
	<revdescription>
	  <para>Acl groups now supported and documented</para>
	</revdescription>
      </revision>
       <revision>
	<revnumber>0.1.3</revnumber>
	<date>2006/02/10</date>
	<revdescription>
	  <para>Documented nat rules</para>
	</revdescription>
      </revision>
       <revision>
	<revnumber>0.2</revnumber>
	<date>2006/12/27</date>
	<revdescription>
	  <para>Added information about nuface 1.2</para>
	</revdescription>
      </revision>
      <revision>
        <revnumber>0.2.1</revnumber>
        <date>2007/02/15</date>
        <revdescription>
          <para>L7-filter filtering documentation</para>
        </revdescription>
      </revision>
    </revhistory>
    <legalnotice>
      <para>
      	This documentation is distributed under the Free Documentation
      Licence. Before reading/copying/using this documentation, please make sure
      you have read and accepted the licence. See
 <ulink url="http://www.gnu.org/licenses/licenses.html#FDL"><citetitle>http://www.gnu.org/licenses/licenses.html#FDL</citetitle></ulink>
      </para>
    </legalnotice>
  </bookinfo>
    <chapter><title>General Introduction</title>
    <para>
The Nuface web interface allows you to configure a nufw based firewall (EdenWall), or a simple
Netfilter firewall. With nuface, you work with the following kinds of objects:
<itemizedlist>
  <listitem><para>subjects: the initiator of a connection : can be an IPv4 object or a NuFW
   authenticated user, or a combination (and/or) of both. If you don't use a NuFW firewall, you can set the <screen>$show_subjects</screen> variable to false, and the resources will be considered as subjects.</para>	</listitem>
  <listitem><para>resources: the destination of a connection</para> </listitem>
  <listitem><para> protocols: used to define technical parameters of a connection: ports, icmp
   types, protocols, etc.</para> </listitem>
  <listitem><para>acls: combine one element of each class defined above. One acl can generate several firewall rules.</para> </listitem>
  <listitem><para>applications : of use only on a NuFW firewall. This lets you filter based on application/OS advertised by the NuFW client.</para></listitem>
  <listitem><para>periods : lets you define time ranges in your ACLs. Can only be used with NuFW subjects.</para></listitem>
  <listitem><para>l7rules : deals with layer 7 inspection. L7rules can be set up to match protocols, for instance to check that traffic on TCP port 80 is
  actually HTTP. These features rely on l7-filter, which is available at <ulink
  url="http://l7-filter.sourceforge.net"><citetitle>http://l7-filter.sourceforge.net</citetitle></ulink>.
  If your firewall supports l7-filter, set <screen>$l7_firewall=true;</screen>
  in the nuface config file.</para></listitem>
  <listitem><para>floatings: these are working elements, used to easily manipulate and move
   objects that are handled by the web interface. Floating elements are
   never saved to file; they are to be used within one session only.</para> </listitem>
</itemizedlist>


</para>
  </chapter>
  <chapter><title>Interface's elements</title>
    <para>
    The firewall configuration interface is built of several sections which are described here.
    </para>
    <section><title>Index</title>
      <para>The Index page lets you manage configuration files built with
      Nuface, and is an interface for several system tasks :
        <itemizedlist>
          <listitem><para>Load an existing configuration file</para></listitem>
          <listitem><para>Save configuration to a new file, or by overwriting
          an existing one</para></listitem>
          <listitem><para>Delete a configuration file</para></listitem>
          <listitem><para>Clear session : this forgets all current
          modifications. All current items of the interface are deleted</para></listitem>
          <listitem><para>Filter rules: generate a ruleset file. This is to be
          done before loading the wanted ruleset</para></listitem>
          <listitem><para>Reload firewall rules : puts rules generated by the
          former option into production. Two options are available :
            <itemizedlist>
              <listitem><para>nufw : load authenticating rules</para></listitem>
              <listitem><para>standard : load backup (non-authenticating) rules</para></listitem>
            </itemizedlist>
          </para></listitem>
        </itemizedlist>
      </para>
    </section>
    <section><title>Acls</title>
      <para>This is the main page of the interface, as it uses items built from
      other pages :
        <itemizedlist>
          <listitem><para>protocols : protocols definition page</para></listitem>
          <listitem><para>subjects : definition page for the entities that are
          initiators of connections</para></listitem>
          <listitem><para>resources : definition page for the entities that
          are protected by the firewall (destinations of connections)</para></listitem>
          <listitem><para>applications : for authenticating firewalls only,
          and for an ACL with a NuFW subject, lets you filter per application or
          per OS.</para></listitem>
          <listitem><para>periods : for authenticating firewalls only,
          and for an ACL with a NuFW subject, lets you filter according to
          time/date/duration criteria.</para></listitem>
        </itemizedlist>
        Of course, one single object can be referenced both in Subjects and in
        Resources.
        This page only works if a valid ACLs file was loaded through the index
        page.
      </para>
      <para>On this page, you can :
        <itemizedlist>
          <listitem><para>Change the order of acls. The higher an acl is in the
          list, the higher its priority over the others. In other words, if two
          acls specify different decisions for a given connection, the first in
          the list will be applied.</para></listitem>
          <listitem><para>Edit acls. You can change :
            <itemizedlist>
              <listitem><para>The acl name (this is just a label name)</para></listitem>
              <listitem><para>The protocol (group) used by this acl</para></listitem>
              <listitem><para>The subject (group) used by this acl</para></listitem>
              <listitem><para>The resource (group) used by this acl</para></listitem>
              <listitem><para>The acl's decision. Available decisions are :
                <itemizedlist>
                  <listitem><para>Accept : accept connections matching the given criteria</para></listitem>
                  <listitem><para>Drop : drop any packet matching the given
                  criteria, as if we never received it.</para></listitem>
                  <listitem><para>Reject : same as Drop, but let the sender know we
                  refused their attempt</para></listitem>
                  <listitem><para>Ulog : advanced logging (ie, to database)</para></listitem>
                  <listitem><para>Log : standard logging (to syslog)</para></listitem>
                </itemizedlist>
                When dealing with an authenticating rule, only the first two
                decisions can be chosen. (Logging is actually also provided through
                other means.)
                Choosing Ulog or Log is not an actual decision: it causes the
                packet to be logged, but a decision remains to be taken by
                another acl.
              </para></listitem>
            </itemizedlist>
          </para></listitem>
        </itemizedlist>
      </para>
      <para>
        Beware of ordering problems on your ACLs. Generally, try to always keep
        first the particular ACLs, and keep last the more general ACLs. For
        instance, if you want to allow HTTP traffic from IP address 10.2.3.4
        (acl 1), and also allow HTTP for authenticated users on the 10.0.0.0/8
        network (acl 2), it is important that ACL 1 be ordered before ACL 2,
        else ACL 2 will never be applied.
      </para>
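<para>The ordering rule above (first matching acl wins) is easy to get wrong once a list grows. As an added example, not code from nuface, the following Python models a flat acl list with ipv4 subjects and resources, applies first-match evaluation, and flags an acl that an earlier, more general acl makes unreachable. The addresses, acl names and the Acl class are constructed for the example.</para>

```python
"""Added example (not nuface code): first-match evaluation of an ordered ACL
list, plus a check for ACLs that an earlier, more general ACL shadows."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Acl:
    name: str
    subject: str        # IPv4 address or network, as an ipv4 element holds it
    resource: str
    proto: str          # tcp / udp / icmp
    dport: Optional[int]  # None means any destination port
    decision: str       # Accept / Drop / Reject


def _net(text: str):
    """Single address or CIDR network; a bare address becomes a /32."""
    return ipaddress.ip_network(text, strict=False)


def matches(acl: Acl, src: str, dst: str, proto: str, dport: int) -> bool:
    """Does this ACL match the given connection?"""
    if acl.proto != proto:
        return False
    if acl.dport is not None and acl.dport != dport:
        return False
    return (ipaddress.ip_address(src) in _net(acl.subject)
            and ipaddress.ip_address(dst) in _net(acl.resource))


def decide(acls: List[Acl], src, dst, proto, dport, default="Drop") -> Tuple[Optional[str], str]:
    """First matching ACL wins, as on the Acls page; no match gives the default."""
    for acl in acls:
        if matches(acl, src, dst, proto, dport):
            return acl.name, acl.decision
    return None, default


def shadowed(acls: List[Acl]) -> List[Tuple[str, str]]:
    """Return (later, earlier) pairs where everything the later ACL would match
    is already matched by an earlier ACL, so the later one never applies."""
    found = []
    for j, later in enumerate(acls):
        for earlier in acls[:j]:
            if (earlier.proto == later.proto
                    and (earlier.dport is None or earlier.dport == later.dport)
                    and _net(later.subject).subnet_of(_net(earlier.subject))
                    and _net(later.resource).subnet_of(_net(earlier.resource))):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample: a specific Drop for one host and a general Accept for
# the whole 10/8 network, towards one constructed web server address.
WEB_SERVER = "192.168.10.80"
SPECIFIC = Acl("no-web-from-host", "10.2.3.4", WEB_SERVER, "tcp", 80, "Drop")
GENERAL = Acl("web-from-lan", "10.0.0.0/8", WEB_SERVER, "tcp", 80, "Accept")
GOOD_ORDER = [SPECIFIC, GENERAL]   # particular first, general last
BAD_ORDER = [GENERAL, SPECIFIC]    # the specific Drop is never reached

if __name__ == "__main__":
    print(decide(GOOD_ORDER, "10.2.3.4", WEB_SERVER, "tcp", 80))
    print(decide(BAD_ORDER, "10.2.3.4", WEB_SERVER, "tcp", 80))
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))
```

<para>Running the shadow check over a list before generating the ruleset turns an ordering mistake into a visible warning instead of a silently ineffective acl.</para>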
    </section>
    <section><title>Protocols</title>
      <para>The protocols definition page lists all protocols in use by the
      firewall. As for all items used in Nuface, you can gather items together
      into containers.</para>
      <para>For instance, you could gather protocols HTTP and HTTPS into one
      <computeroutput>Websurf</computeroutput> protocol entity, and use this
      entity to generate acls which will apply to either HTTP or HTTPS
      traffic.</para>
      <para>This page contains containers, which are, by definition, objects
      with nothing else than a label. Each container also gathers one or several
      elementary items, which can define data by themselves, or link to other
      containers. This way, you can combine items as you please without
      redefining already existing items.</para>
      <para>Protocols elementary items can be assigned the following types of
      data:
        <itemizedlist>
          <listitem><para>name : name of the element (this is just a label)</para></listitem>
          <listitem><para>proto : the protocol. Possible values of this field
          are:
            <itemizedlist>
              <listitem><para>tcp</para></listitem>
              <listitem><para>udp</para></listitem>
              <listitem><para>icmp</para></listitem>
            </itemizedlist> </para></listitem>
          <listitem><para>dport : destination port. (only valid if protocol is either
          <computeroutput>tcp</computeroutput> or
          <computeroutput>udp</computeroutput>)</para></listitem>
          <listitem><para>sport : source port (only valid if protocol is either
          <computeroutput>tcp</computeroutput> or
          <computeroutput>udp</computeroutput>)</para></listitem>
          <listitem><para>icmptype (only valid if protocol is
          <computeroutput>icmp</computeroutput>)</para></listitem>
          <listitem><para>l7rule : a layer7 rule to match the protocol, if
          needed. This item is only available if you have
          <computeroutput>$l7_firewall=true;</computeroutput> in nuface config
          file.</para></listitem>
          <listitem><para>ID : a nuface-assigned identifier, which you can not
          modify</para></listitem>
        </itemizedlist>
      </para>
      <para>"Link" typed elements can also be created on this page</para>
    </section>
    <section><title>Subjects</title>
      <para>The subjects definition page lists all subjects in use by the
      firewall. A so-called <emphasis>subject</emphasis> is an item that is at
      the source of network traffic : an initiator of connections. As for all items
      used in Nuface, you can gather items together into containers. There is
      one difference on this page, as compared to others : the
      <emphasis>subjects</emphasis> page is the only one that lets you choose
      the type of gathering you want to apply to objects. One of these two
      logical types of gathering must be chosen :
      <itemizedlist>
        <listitem><para>and : all elements of the group must match</para></listitem>
        <listitem><para>or : if one element of the group matches, match is granted</para></listitem>
      </itemizedlist>
      </para>
      <para>For instance, let's gather these objects :
      <computeroutput>authenticated administrators</computeroutput> and
      <computeroutput>admin_net</computeroutput> into a container that we name
      <computeroutput>Admins</computeroutput>. We will use this container on the
      acls page to generate rules that deal with network traffic from
      authenticated administrators and/or (depending on what we set here) the
      admins network.</para>
      <para>As for protocols, this page contains containers, which are, by definition, objects
      with nothing else than a label. Each container also gathers one or several
      elementary items, which can define data by themselves, or link to other
      containers. This way, you can combine items as you please without
      redefining already existing items.</para>
      <para>Elementary items defined on the Subjects page are attributed the
      following fields, if their type is <computeroutput>ipv4</computeroutput>:
        <itemizedlist>
          <listitem><para>name : element name (this is just a label)</para></listitem>
          <listitem><para>net : network address (can be one single IP address or
          a network address)</para></listitem>
          <listitem><para>mark : this is the same mark as the one set in the VPN
          configuration file. This mark, which is used by the Kernel, guarantees
          no spoofing is possible in the VPN tunnel.</para></listitem>
          <listitem><para>ID : a nuface-assigned identifier, which you can not
          modify</para></listitem>
        </itemizedlist>
        </para>
      <para>Elementary items defined on the Subjects page are attributed the
      following fields, if their type is <computeroutput>nufw</computeroutput>:
        <itemizedlist>
          <listitem><para>name : element name (this is just a label)</para></listitem>
          <listitem><para>group : the group number, matching a group of
          users on your Users Directory (LDAP, Active Directory, NT domain,
          etc.).</para></listitem>
          <listitem><para>ID : a nuface-assigned identifier, which you can not
          modify</para></listitem>
        </itemizedlist>
      </para>
      <para>"Link" typed elements can also be created on this page</para>
      <para>If you do not use an authenticating NuFW firewall, you can choose to merge your subjects and resources. This means you only set up resources, no subjects, and ACLs will accept any resource object as subject. You can set this in the include/config.php file by setting the <screen>$show_subjects</screen> parameter to false.</para>
    </section>
    <section><title>Resources</title>
      <para>The resources definition page lists all resources in use by the
      firewall. A so-called <emphasis>Resource</emphasis> is always a network
      object, that receives a connection launched from a
      <emphasis>Subject</emphasis>. As for all items used in Nuface, you can gather items together
      into containers.</para>
      <para>As for protocols and subjects, this page contains containers, which are, by definition, objects
      with nothing else than a label. Each container also gathers one or several
      elementary items, which can define data by themselves, or link to other
      containers. This way, you can combine items as you please without
      redefining already existing items.</para>
      <para>Elementary items defined on the <emphasis>Resources</emphasis> page are attributed the
      following fields :
        <itemizedlist>
          <listitem><para>name : element name (this is just a label)</para></listitem>
          <listitem><para>net : network address (can be one single IP address or
          a network address)</para></listitem>
          <listitem><para>mark : this is the same mark as the one set in the VPN
          configuration file. This mark, which is used by the Kernel, guarantees
          no spoofing is possible in the VPN tunnel.</para></listitem>
          <listitem><para>ID : a nuface-assigned identifier, which you can not
          modify</para></listitem>
        </itemizedlist>
      </para>
      <para>"Link" typed elements can also be created on this page</para>
    </section>
    <section><title>Applications</title>
      <para>Applications can be used only in ACLs that deal with NuFW subjects. Applications objects let you set up ACLs based on :
       <itemizedlist>
        <listitem><para>applicationpath : An application full name, as announced
        by the NuFW client. For instance : "C:\Program Files\Firefox\firefox.exe"</para></listitem>
        <listitem><para>OSName : the name of the OS advertised by the NuFW client.</para></listitem>
        <listitem><para>OSVersion : the version of the OS advertised by the client.</para></listitem>
       </itemizedlist>
       </para>
       <para>This menu is not displayed if you set <screen>$nufw_firewall = false</screen> in nuface config file.</para>
      <para>As for protocols and subjects, this page contains containers, which are, by definition, objects
      with nothing else than a label. Each container also gathers one or several
      elementary items, which can define data by themselves, or link to other
      containers. This way, you can combine items as you please without
      redefining already existing items.</para>
    </section>
    <section><title>Periods</title>
      <para>Periods can be used only in ACLs that deal with NuFW subjects. Periods objects let you set up ACLs based on periodtypes, which can be :
       <itemizedlist>
        <listitem><para>dates : by specifying a start and an end in epoch time (number of seconds since 1970, Jan 1st).</para></listitem>
        <listitem><para>days : by specifying a start and an end day of the week (numbered from 1 to 7, starting on Monday).</para></listitem>
        <listitem><para>hours : by specifying a start and end hour (numbered from 0 to 24)</para></listitem>
        <listitem><para>duration : by specifying a number of seconds that will be the maximum duration of the associated connection.</para></listitem>
       </itemizedlist>
       </para>
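<para>The four periodtypes above are simple to describe but easy to misread when a rule is reviewed (is day 7 Sunday? is hour 24 ever reached?). As an added example, not code from nuface, the following Python evaluates a connection's timestamp against a constructed Period set using exactly the numbering the manual gives: epoch seconds for dates, 1 to 7 from Monday for days, 0 to 24 for hours, and a duration limit. Two points are assumptions and are marked as such in the code: the elements of one Period set are combined with AND, and the end hour is exclusive so that 0 to 24 covers a whole day.</para>

```python
"""Added example (not nuface code): test a connection time against the
period types of the Periods page, so a Period set can be checked offline."""
from datetime import datetime, timezone
from typing import Dict, List


def at(year, month, day, hour):
    """Constructed UTC timestamps for the examples and tests."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample Period set: office hours, Monday to Friday, during 2007,
# connections limited to 8 hours.  Epoch values are 2007-01-01 00:00:00 UTC
# and 2007-12-31 23:59:59 UTC.
OFFICE_HOURS: List[Dict] = [
    {"periodtype": "hours", "start": 8, "end": 18},
    {"periodtype": "days", "start": 1, "end": 5},
    {"periodtype": "dates", "start": 1167609600, "end": 1199145599},
    {"periodtype": "duration", "seconds": 8 * 3600},
]


def _in_range(p: Dict, value: int, end_exclusive: bool) -> bool:
    """Inclusive start; the end is inclusive unless end_exclusive is set.
    Wrap-around ranges (start after end) are not described in the manual,
    so they are rejected rather than silently matched."""
    if p["start"] > p["end"]:
        raise ValueError(f"{p['periodtype']}: start {p['start']} is after end {p['end']}")
    if value >= p["start"]:
        return p["end"] > value if end_exclusive else p["end"] >= value
    return False


def period_matches(p: Dict, when: datetime) -> bool:
    """Does a single period element hold at the given moment?"""
    kind = p["periodtype"]
    if kind == "dates":      # epoch seconds, both ends inclusive
        return _in_range(p, int(when.timestamp()), False)
    if kind == "days":       # 1 = Monday .. 7 = Sunday, same numbering as isoweekday()
        return _in_range(p, when.isoweekday(), False)
    if kind == "hours":      # 0..24; end treated as exclusive (assumption) so 0..24 is a full day
        return _in_range(p, when.hour, True)
    if kind == "duration":   # a limit on the connection, not a time-of-day test
        return True
    raise ValueError(f"unknown periodtype {kind!r}")


def connection_allowed(periods: List[Dict], when: datetime, duration_seconds: int) -> bool:
    """Assumption: all elements of one Period set must hold (AND), and the
    connection must not exceed the tightest duration limit in the set."""
    for p in periods:
        if not period_matches(p, when):
            return False
    limits = [p["seconds"] for p in periods if p["periodtype"] == "duration"]
    return bool(not limits or min(limits) >= duration_seconds)


if __name__ == "__main__":
    # Wednesday 2007-06-13 10:00 UTC, one-hour connection: allowed
    print(connection_allowed(OFFICE_HOURS, at(2007, 6, 13, 10), 3600))
    # Saturday 2007-06-16 10:00 UTC: outside the day range
    print(connection_allowed(OFFICE_HOURS, at(2007, 6, 16, 10), 3600))
```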
       <para>This menu is not displayed if you set <screen>$nufw_firewall = false</screen> in nuface config file.</para>
      <para>As for protocols and subjects, this page contains containers, which are, by definition, objects
      with nothing else than a label. Each container also gathers one or several
      elementary items, which can define data by themselves, or link to other
      containers. This way, you can combine items as you please without
      redefining already existing items.</para>
    </section>
    <section><title>l7rules</title>
      <para>l7rules can be defined and used if you have :
       <itemizedlist>
        <listitem><para>a kernel patched with l7-filter. See <ulink
        url="http://l7-filter.sourceforge.net"><citetitle>http://l7-filter.sourceforge.net</citetitle></ulink></para></listitem>
        <listitem><para>set <screen>$l7_firewall=true;</screen>
        in nuface configuration file.</para></listitem>
       </itemizedlist>
       </para>
      <para>L7rules are particular objects, which contain their own default actions :
      <itemizedlist>
      <listitem><para><computeroutput>accept</computeroutput> : default action of the l7rule is
      to let the packet through</para></listitem>
      <listitem><para><computeroutput>ulogaccept</computeroutput> : same as accept, but also log the event
      into ULOG</para></listitem>
      <listitem><para><computeroutput>ulogdrop</computeroutput> : drop the packet, and log it to
      ULOG</para></listitem>
      <listitem><para><computeroutput>logaccept</computeroutput> : same as accept, but also log the event
      to SYSLOG</para></listitem>
      <listitem><para><computeroutput>logdrop</computeroutput> : drop the packet, and log it to
      SYSLOG</para></listitem>
      </itemizedlist>
      </para>
      <para>
        L7Rule objects also have a <computeroutput>logprefix</computeroutput> attribute, which
        should contain the text that you want to be logged when the l7rule will
        trigger any logging.
      </para>
      <para>
        L7rule objects contain l7proto elements, which should usually specify
        actual protocol matching, and decisions. Usually, the decision of an
        l7proto object should be the opposite of the default decision of the l7rule container.
      </para>
      <para>L7proto elements provide the following attributes :
        <itemizedlist>
          <listitem><para><computeroutput>name</computeroutput> : a textual name of your choice</para></listitem>
          <listitem><para><computeroutput>ID</computeroutput> : a numeric identifier set by nuface, which you cannot change</para></listitem>
          <listitem><para><computeroutput>l7proto</computeroutput> : an actual protocol known by
          l7-filter. The list of available protocols is available at
 <ulink
 url="http://l7-filter.sourceforge.net/protocols"><citetitle>http://l7-filter.sourceforge.net/protocols</citetitle></ulink>.
 Note that the default list available from nuface is only a subset of the online
 list : this subset was chosen by the Nuface development team. You can extend it
 by modifying the <computeroutput>include/l7-protos</computeroutput> text file, if you know what
 you are doing.</para></listitem>
          <listitem><para><computeroutput>action</computeroutput> : what to do when the
          <computeroutput>l7proto</computeroutput> protocol is detected. Available actions are :
          <itemizedlist><listitem><para>accept</para></listitem><listitem><para>ulogaccept</para></listitem><listitem><para>ulogdrop</para></listitem><listitem><para>logaccept</para></listitem><listitem><para>logdrop</para></listitem></itemizedlist>
          </para>
          </listitem>
          <listitem><para><computeroutput>prefix</computeroutput> : if the
          <computeroutput>action</computeroutput> mentions logging, what prefix nuface should
          add to the log. This is, of course, a field of plain text.</para>
          </listitem>
          <listitem><para><computeroutput>modified</computeroutput> : date of last modification of
          this field ; this is automatically set by nuface</para></listitem>
          <listitem><para><computeroutput>comment</computeroutput> : a field you can fill with
          any information you wish. Nuface remembers it but doesn't use it for
          any technical task.</para></listitem>
        </itemizedlist>
      </para>
    </section>
    <section><title>Nat</title>
    <para>This page deals with Network Address Translation rules. Nuface allows administrators to create and manage three kinds of nat rules:
    <itemizedlist>
        <listitem><para>SNAT: source nat, these rules are used to rewrite the source address of connections.</para></listitem>
        <listitem><para>DNAT: used to rewrite destination address and destination port of connections.</para></listitem>
        <listitem><para>PNAT: translate only connection port</para></listitem>
    </itemizedlist>
    Rules defined on the nat page are attributed the following fields:
    <itemizedlist>
    <listitem><para>name: rule name (this is just a label)</para></listitem>
          <listitem><para>Source address: connection source address</para></listitem>
          <listitem><para>Dest. Address: connection destination address</para></listitem>
          <listitem><para>Protocol: protocol of the connection. Possible values of this field are:
            <itemizedlist>
              <listitem><para>tcp</para></listitem>
              <listitem><para>udp</para></listitem>
              <listitem><para>icmp</para></listitem>
            </itemizedlist> </para></listitem>
            <listitem><para>Sport: connection source port (only valid if protocol is either
          <computeroutput>tcp</computeroutput> or
          <computeroutput>udp</computeroutput>)</para></listitem>
            <listitem><para>Dport: connection destination port (only valid if protocol is either
          <computeroutput>tcp</computeroutput> or
          <computeroutput>udp</computeroutput>)</para></listitem>
          <listitem><para>icmp type (only activated if protocol is
          <computeroutput>icmp</computeroutput>)</para></listitem>
        </itemizedlist>
        Destination and source addresses represent either network addresses or a single IP address.
      </para>
      <para>
      With DNAT rules, the <emphasis>Rewrite destination to</emphasis> field is the new destination address and new destination port of the connection.</para>
      <para><emphasis>Rewrite source to</emphasis> field of SNAT rules is the new connection source address.</para>
      <para>With PNAT rules, the <emphasis>Rewrite port to</emphasis> field is the new destination port of the connection.</para>
    </section>
    <section><title>Changes management and tracking</title>
      <para>From version 0.9.3 on, all items of the interface, containers and
      elements, are attributed two more fields : <emphasis>Comment</emphasis> and
      <emphasis>modified</emphasis>.</para>
      <section><title>The Comment field</title>
        <para>This field is for the administrator to record information that
        eases the management and tracking of interface items. This field is never
        used by Nuface's engine, and is only useful to the human users of the
        interface.
        </para>
      </section>
      <section><title>The Modified field</title>
        <para>This field is set by Nuface, for each item of the interface.
        Nuface updates it whenever the item is modified by an administrator. The
        administrator can never change this field's value.
        </para>
      </section>
    </section>
  </chapter>
  <chapter><title>Items used by Nuface</title>
    <section><title>Containers</title>
      <section><title>Definition</title>
	  <para> Subjects, resources and protocols are organized with
          containers. Containers are nothing else than a shell that contains
          one or several elements. Containers are used to provide a structure to
          acls, and never define data by themselves. There are three types of
          containers :
          <itemizedlist>
            <listitem><para>subjects : gathers elements that describe what is at
            the source of connections.</para></listitem>
            <listitem><para>resources : elements of such containers are used to
            define network objects that are destinations of connections
            managed by the firewall.</para></listitem>
            <listitem><para>protocols : this type of container defines protocols.</para></listitem>
          </itemizedlist>
          </para>
      </section>
      <section><title>How to use containers</title>
        <para>Always try to create containers that match a consistent entity.
        For instance, use a Subject container to gather two network addresses,
        so the container could be called "All addresses of your intranet". Do
        the same with protocols, to create protocols "groups" which would match
        a number of protocols to open so that one application works fine.</para>
      </section>
    </section>
    <section><title>Elements</title>
      <section><title>Definition</title>
        <para>Elements are the most basic bricks of an acl set. Elements contain
        actual data, as opposed to containers which define a structure of
        elements. There exist several types of elements :
          <itemizedlist>
            <listitem><para>ipv4 : define network objects ; these can be used in
            Subjects or Resources containers.</para></listitem>
            <listitem><para>proto : can be used only in Protocols containers.</para></listitem>
            <listitem><para>nufw : can be used only in Subjects containers.
            Elements of this type define user groups authenticated through NuFW.</para></listitem>
            <listitem><para>link : can be used in any container. Link elements
            are used to gather several containers into one, in order to create a
            more complex or complete group.</para></listitem>
          </itemizedlist>
        </para>
      </section>
      <section><title>Examples</title>
        <para>Let's imagine you want to create an acl to allow SMTP access from
        the Internet to your DMZ mail server. We shall define the following
        elements :
          <itemizedlist>
            <listitem><para>A subject named "Internet", which must define the 0.0.0.0/0 network.</para></listitem>
            <listitem><para>A protocol named "SMTP",  defining TCP as protocol,
            destination port 25, source port higher than 1024</para></listitem>
            <listitem><para>A resource, which will here be defined as the IP
            address of our server.</para></listitem>
          </itemizedlist>
          Each element is stored in a container of its type; it is the
          containers that are handled by the acl, which also has an "accept"
          decision.
        </para>
        <para>As a more complex example, you might want to allow a network to
        surf the internet, either on HTTP or HTTPS. Such a case makes links
        useful. The HTTP and HTTPS protocols are defined by default ; we create
        a new protocol container, named "websurf", containing two link
        elements, pointing to the HTTP and to the HTTPS containers. We will use
        our "Websurf" protocol to build the Acl we want, so it will match all
        HTTP and HTTPS connections.
        </para>
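<para>The two examples above, and the "link" element type defined earlier, describe how an acl over containers expands into several firewall rules. As an added example, not code from nuface, the following Python holds constructed containers modelled on the SMTP and websurf cases, follows link elements recursively, and expands one acl into the flat list of (subject, resource, protocol) rules it would produce. The container dictionary, the mail server address and the function names are constructed for the example; the manual does not say how nuface itself handles a link cycle, so this code treats one as a definition error.</para>

```python
"""Added example (not nuface code): flatten containers that hold link
elements and expand one ACL into the rules it generates."""
from typing import Dict, List, Tuple

# Constructed containers modelled on the manual's SMTP and websurf examples.
# Each element is a dict with a "type" key: ipv4, proto or link.
CONTAINERS: Dict[str, List[dict]] = {
    "Internet": [{"type": "ipv4", "net": "0.0.0.0/0"}],
    "mail_server": [{"type": "ipv4", "net": "192.168.1.25"}],  # constructed address
    "SMTP": [{"type": "proto", "proto": "tcp", "dport": "25", "sport": "1024:65535"}],
    "HTTP": [{"type": "proto", "proto": "tcp", "dport": "80"}],
    "HTTPS": [{"type": "proto", "proto": "tcp", "dport": "443"}],
    "websurf": [{"type": "link", "target": "HTTP"},
                {"type": "link", "target": "HTTPS"}],
    # A broken definition: two containers that link to each other.
    "loop_a": [{"type": "link", "target": "loop_b"}],
    "loop_b": [{"type": "link", "target": "loop_a"}],
}


def resolve(containers: Dict[str, List[dict]], name: str, _path: Tuple[str, ...] = ()) -> List[dict]:
    """Flatten a container: follow link elements recursively and return the
    non-link elements in order.  Raises ValueError on a link cycle or an
    unknown target, so a bad definition fails before any rule is generated."""
    if name in _path:
        raise ValueError("link cycle: " + " -> ".join(_path + (name,)))
    if name not in containers:
        raise ValueError(f"unknown container {name!r}")
    flat: List[dict] = []
    for element in containers[name]:
        if element["type"] == "link":
            flat.extend(resolve(containers, element["target"], _path + (name,)))
        else:
            flat.append(element)
    return flat


def acl_rules(containers, subject: str, resource: str, protocol: str, decision: str):
    """One tuple per firewall rule the ACL expands to: the cartesian product
    of the resolved subject, resource and protocol containers."""
    rules = []
    for s in resolve(containers, subject):
        for r in resolve(containers, resource):
            for p in resolve(containers, protocol):
                rules.append((s["net"], r["net"], p["proto"],
                              p.get("sport", "any"), p["dport"], decision))
    return rules


if __name__ == "__main__":
    for rule in acl_rules(CONTAINERS, "Internet", "mail_server", "SMTP", "accept"):
        print(rule)
    for rule in acl_rules(CONTAINERS, "Internet", "mail_server", "websurf", "accept"):
        print(rule)
```

<para>Printing the expanded tuples before loading the ruleset is a cheap way to see exactly what a "websurf"-style container turns into, and the cycle check catches a link that points back at its own container.</para>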
      </section>
    </section>
    <section><title>Acls</title>
      <section><title>Definition</title>
        <para>An ACL is the glue that links containers of subjects, resources,
        and possibly protocols. Each Acl also contains a decision. Since Acls
        are built with containers of all types, the acl creation phase is
        usually the last phase, since other containers must exist to feed the
        acl. Don't forget order of Acls matters.
      </para>
      </section>
      <section><title>Groups</title>
        <para>A group is an entity that lets you activate or disable a set of
        Acls. By default, all created Acls belong to the default group, which is
        enabled by default. To create a group, go to the Acls page, and use the
        form at the top of the page. To switch an Acl's group, edit that Acl and
        pick the desired group from the list. Acls that belong to disabled
        groups are displayed in grey in the Acls page. Those will not be taken
        into account next time you generate filtering rules.</para>
        <para>All Acls are displayed with a geometric symbol which is a marker
        of the group they belong to.</para>
        <para>Note : One given Acl can only belong to one group at a given
        moment</para>
      </section>
      <section><title>Sorting Acls</title>
       <para>Things have evolved from nuface 1.0 to nuface 1.2 : this is one of the major evolutions of 1.2.
       In Nuface 1.2, the global ACL menu no longer allows changing the order of ACLs. ACL ordering is still possible and flexible, but only within a network context.
       For instance, if you set up 2 ACLs, ACL A from network N1 to network N2, and ACL B from network N3 to network N4 (with N1, N2, N3, N4 having no intersection), ordering ACLs A and B relative to each other is meaningless. To order ACLs, switch to the relevant context from the ACL page and use drag and drop as usual. This ordering scheme is much more powerful than the 1.0 one, and is also more intuitive. It is also easier to use when setting up multiple ACLs.
       </para>
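As an added example (not part of the manual), a Python sketch of why ordering only matters inside a network context : two ACLs compete for the same packet only when both their sources and their destinations overlap. The networks N1..N4 and the ACLs below are constructed values.

```python
from ipaddress import ip_network

# Constructed example networks (not from the manual): N1..N4 are pairwise disjoint.
N1, N2, N3, N4 = (ip_network(n) for n in
                  ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"))
INTERNET = ip_network("0.0.0.0/0")


def acl_pair_needs_ordering(acl_a, acl_b):
    """True when the relative order of two ACLs can change the outcome.

    An ACL is modelled as (source_networks, destination_networks).  Two ACLs
    compete for the same packet only when some source of A overlaps some
    source of B AND some destination of A overlaps some destination of B.
    Otherwise no packet matches both, and ordering them is meaningless
    (the manual's N1->N2 versus N3->N4 case).
    """
    src_a, dst_a = acl_a
    src_b, dst_b = acl_b
    src_overlap = any(a.overlaps(b) for a in src_a for b in src_b)
    dst_overlap = any(a.overlaps(b) for a in dst_a for b in dst_b)
    return src_overlap and dst_overlap


def ordering_contexts(acls):
    """Partition ACL indices into contexts whose members need a relative order.

    Union-find over every competing pair; ACLs in different contexts can be
    ordered independently, which is what the per-network-context view does.
    """
    parent = list(range(len(acls)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(acls)):
        for j in range(i + 1, len(acls)):
            if acl_pair_needs_ordering(acls[i], acls[j]):
                parent[find(i)] = find(j)
    contexts = {}
    for i in range(len(acls)):
        contexts.setdefault(find(i), []).append(i)
    return sorted(contexts.values())


ACL_A = ([N1], [N2])
ACL_B = ([N3], [N4])
ACL_C = ([N1], [INTERNET])  # competes with ACL_A: N2 lies inside 0.0.0.0/0
```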
      </section>
    </section>
  </chapter>
  <chapter><title>Details about elements</title>
    <section><title>Element types</title>
      <section><title>The ipv4 type</title>
        <para>This type is used to define network elements : simple addresses or
        network addresses. Elements of this type are to be used in
        <computeroutput>subjects</computeroutput> or in
        <computeroutput>resources</computeroutput> containers, and let you
        target an Acl at an IP address or at a network address.
        </para>
      </section>
      <section><title>The nufw type</title>
         <para>This type of element contains a net attribute, which must hold a
         network object. A network object is either an IP address (192.168.33.1)
         or a network address (such as 10.0.0.0/255.0.0.0, or in CIDR format
         10.0.0.0/8). The Internet is always defined as 0.0.0.0/0 and is
         auto-generated by Nuface if it does not exist when the ACLs file is opened.
         After you create or modify a network object, Nuface displays the name of
         the Network the new element belongs to, according to your network topology.</para>
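As an added example (not Nuface's own code), the following Python parses a network object in each spelling the manual lists and then answers the "which Network does it belong to" question by longest-prefix match over a topology, falling back to the Internet (0.0.0.0/0). The topology names and networks are constructed.

```python
from ipaddress import IPv4Network, ip_network

INTERNET = ip_network("0.0.0.0/0")   # always present; Nuface adds it if missing


def parse_network_object(text):
    """Return an IPv4Network for any spelling the manual lists.

    "192.168.33.1"        -> 192.168.33.1/32 (single host)
    "10.0.0.0/255.0.0.0"  -> 10.0.0.0/8      (dotted netmask)
    "10.0.0.0/8"          -> 10.0.0.0/8      (CIDR)
    ip_network already understands all three; its default strict mode
    rejects a network address with host bits set, e.g. "10.1.2.3/8".
    """
    net = ip_network(text.strip())
    if not isinstance(net, IPv4Network):
        raise ValueError(f"not an IPv4 network object: {text!r}")
    return net


# Constructed topology (not from the manual): Network name -> network object.
TOPOLOGY = {
    "LAN": "192.168.33.0/24",
    "DMZ": "10.0.0.0/255.255.255.0",
    "Corporate": "10.0.0.0/8",
}


def network_name(obj, topology=TOPOLOGY):
    """Name of the topology Network the object belongs to (longest-prefix match).

    Falls back to "Internet" (0.0.0.0/0) when no configured Network contains
    the object; a network object larger than every configured Network (for
    instance 192.168.0.0/16 here) also ends up there, being a subnet of none.
    """
    net = parse_network_object(obj) if isinstance(obj, str) else obj
    best_name, best = "Internet", INTERNET
    for name, text in topology.items():
        candidate = parse_network_object(text)
        if net.subnet_of(candidate) and candidate.prefixlen > best.prefixlen:
            best_name, best = name, candidate
    return best_name
```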
      </section>
      <section><title>The proto type</title>
        <para>This type of element can only be used in
        <computeroutput>protocols</computeroutput> containers. It defines a
        protocol, and has the following fields :
        <computeroutput>proto</computeroutput>, which is <computeroutput>tcp</computeroutput>, <computeroutput>udp</computeroutput> or <computeroutput>icmp</computeroutput>.
        Depending on the chosen proto, the
        <computeroutput>dport</computeroutput> (destination port),
        <computeroutput>sport</computeroutput> (source port) and
        <computeroutput>icmptype</computeroutput> (icmp type) fields can also be
        set. For port numbers, ranges can of course be specified, such
        as <computeroutput>1024:65535</computeroutput>, which means "all ports
        from 1024 to 65535".
        </para>
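As an added example (not Nuface's own code), a Python validator for proto elements : it parses the port syntax ("80" or "1024:65535") into an inclusive range and checks that the fields set are consistent with the chosen proto. The rule that sport/dport go with tcp/udp and icmptype with icmp is an assumption drawn from the underlying netfilter matches, not stated by the manual; the sample elements are constructed.

```python
import re

VALID_PROTOS = ("tcp", "udp", "icmp")
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_port_spec(spec):
    """Turn a port field ("80" or "1024:65535") into an inclusive (low, high) pair."""
    match = PORT_RE.match(spec.strip())
    if not match:
        raise ValueError(f"bad port specification: {spec!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) is not None else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range reversed or out of bounds: {spec!r}")
    return low, high


def validate_proto_element(element):
    """Check a proto element's fields and return a normalised copy.

    Assumption (not stated by the manual): sport/dport only make sense with
    tcp or udp, and icmptype only with icmp, as with the underlying netfilter
    matches; anything else is rejected rather than silently ignored.
    """
    proto = str(element.get("proto", "")).lower()
    if proto not in VALID_PROTOS:
        raise ValueError(f"proto must be one of {VALID_PROTOS}, got {proto!r}")
    result = {"proto": proto}
    if proto == "icmp":
        for field in ("sport", "dport"):
            if field in element:
                raise ValueError(f"{field} is not valid when proto is icmp")
        if "icmptype" in element:
            icmptype = int(element["icmptype"])
            if not 0 <= icmptype <= 255:
                raise ValueError("icmptype must be between 0 and 255")
            result["icmptype"] = icmptype
    else:
        if "icmptype" in element:
            raise ValueError("icmptype is only valid when proto is icmp")
        for field in ("sport", "dport"):
            if field in element:
                result[field] = parse_port_spec(element[field])
    return result


# Constructed elements (not from the manual): the unprivileged-source-port
# range quoted in the text, and an ICMP echo request.
WEB_FROM_HIGH_PORTS = {"proto": "tcp", "dport": "80", "sport": "1024:65535"}
PING = {"proto": "icmp", "icmptype": "8"}
```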
      </section>
      <section><title>The period type</title>
        <para>This type of element can only be used in
        <computeroutput>periods</computeroutput> containers. It defines a
        period, and has the following fields :
        <computeroutput>periodtype</computeroutput>, which is <computeroutput>dates</computeroutput>, <computeroutput>days</computeroutput>, <computeroutput>hours</computeroutput> or <computeroutput>duration</computeroutput>.
        Depending on the chosen periodtype, the
        <computeroutput>start</computeroutput>,
        <computeroutput>end</computeroutput> and
        <computeroutput>duration</computeroutput> fields can also be
        set.
        </para>
      </section>
      <section><title>The app type</title>
        <para>This type of element can only be used in
        <computeroutput>applications</computeroutput> containers. It defines an
        application, and has the following fields :
        <computeroutput>ApplicationPath</computeroutput>, the complete name of the application at the source of the IP connection, as advertised by the NuFW client ;
        <computeroutput>OSName</computeroutput>, the name of the OS at the source of the IP connection, as advertised by the NuFW client ;
        <computeroutput>OSVersion</computeroutput>, the version of the OS at the source of the IP connection, as advertised by the NuFW client.
        </para>
      </section>
      <section><title>The link type</title>
        <para>This type of element can be used in any container, and lets you
        create a link to another container of the same type. Using such a link
        is equivalent to using the container it points to, which makes it easy
        to aggregate data into one container.
        </para>
      </section>
    </section>
    <section><title>How to create an element</title>
      <section><title>Copy an existing element</title>
        <para>It is easy to copy an element from one container to another, or from
        one page to another (for instance, copy an ipv4 element from the
        resources page to the subjects page). Select the element to copy, and
        use the <computeroutput>Copy to Floating</computeroutput> button.
        Then, move to the target container, and use the
        <computeroutput>Add</computeroutput> button at the top right to complete the
        copy.</para>
        <para>Floating elements are just temporary elements, which disappear when
        you close a Nuface session. They are meant for copying and creating
        the elementary items used by Nuface.</para>
      </section>
      <section><title>Creating an element from scratch</title>
        <para>Choose the
        <computeroutput>floatings</computeroutput> page, select the element type
        you want, and use the
        <computeroutput>New element</computeroutput> button. Note that the type
        of a given element can never be changed. Each element keeps the type it
        was created with forever.</para>
        <para>A good habit is to create, in the floatings page, one empty element
        of each type, and use them when needed by copying them into the
        protocols, subjects or resources pages.</para>
      </section>
    </section>
  </chapter>
</book>