Firewall state suppliers

1. Principles

A supplier is a server (generally) which can send updates to the file /var/run/userfirewall.state. These updates are sent with the utility firesendid. A supplier is identified by a name and a secret. Suppliers are stored in the file /etc/userfirewall/suppliers.conf.

2. Installing the firelisten

The firelisten utility is generally executed from inetd (or xinetd).

2.1. File /etc/services

Configure the service in /etc/services. Add the following line in that file:

    firelisten 999/tcp

Pick a TCP port number.

2.2. xinetd configuration

The package provides a configuration file /etc/xinetd.d/firelisten. Edit the file and turn the service on (disable = no).

2.3. inetd configuration

For the inetd server, edit the file /etc/inetd.conf and add the following line:

    firelisten stream tcp nowait root tcpd /usr/lib/linuxconf/lib/firelisten firelisten --updfw /sbin/linuxconf --modulemain firewall --update

3. Using firesendid

You must install the userfirewall package on the firewall and on the various servers contributing to the firewall rules. On those servers, firesendid is used to exchange with the firewall. Here are the various command lines:

3.1. firesendid options

  o --fhost host
    host is either the name or IP number of the firewall.

  o --port port
    This specifies the TCP port to use to reach the firelisten service (999 by default).

  o --id id
    This specifies the supplier ID to use. This ID corresponds to an entry in /etc/userfirewall/suppliers.conf. The entry is located and the secret is used to authenticate with the firewall.

3.2. Adding information about a logged user

    /usr/lib/linuxconf/lib/firesendid options login user IP-number groups ...

3.3. Removing information about a logged out user

The following command removes the entry for user "user" with IP "IP-number".

    /usr/lib/linuxconf/lib/firesendid options logout user IP-number

3.4. Removing all information about a logged out user

The following command removes all entries for user "user".

    /usr/lib/linuxconf/lib/firesendid options logout user

3.5. Removing all information on the firewall

The following command removes all entries (for all users) in /var/run/userfirewall.state on the firewall.

    /usr/lib/linuxconf/lib/firesendid options reset

4. Userfirewall and Samba

The interest of the firesendid utility is limited, unless you hook it to a service already providing authentication for users on your network. The Samba server does exactly that. Once a user is logged in to your Samba server, you can retrieve his IP number and you can trust the authentication (the user provided a password).

To hook firesendid, you modify one share configuration (homes for one) and place a "root-preexec" directive. Using the %U and %I macros, you can update your firewall in real time from your Samba server:

    [homes]
        .
        .
        root-preexec = /usr/lib/linuxconf/lib/firesendid --fhost host \
            --port 999 --id your_server login %U %I
        root-postexec = /usr/lib/linuxconf/lib/firesendid --fhost host \
            --port 999 --id your_server logout %U
        .
        .

5. Sharing suppliers.conf

firesendid reads its secret from the file suppliers.conf. One can create a suppliers.conf on the firewall and distribute it to the contributing servers as needed. The format is straightforward:

    supplierID:secret:
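Since suppliers.conf carries the shared secrets that authenticate every supplier (sections 3.1 and 5), a server distributing it should be able to check that the copy is well-formed and not readable by anyone but root. The following is an added example, not code from the Linuxconf userfirewall package; it implements the supplierID:secret: lookup described above, and the comment handling, sample contents and the function names are assumptions.

```python
"""Parse and check a userfirewall suppliers.conf (lines of 'supplierID:secret:').

Added example, not part of Linuxconf. Blank lines and '#' comments being
skipped is an assumption; the sample file below is constructed."""
import os
import stat


def parse_suppliers(text):
    """Return ({supplier_id: secret}, [(lineno, raw_line), ...]) where the
    second list holds lines that do not match 'id:secret:' or repeat an id.
    A secret containing ':' cannot be expressed in this format and is
    reported as malformed rather than silently truncated."""
    suppliers, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # 'id:secret:' splits into exactly ['id', 'secret', '']
        if len(fields) != 3 or fields[2] or not fields[0] or not fields[1]:
            bad.append((lineno, raw))
        elif fields[0] in suppliers:
            bad.append((lineno, raw))  # duplicate id: ambiguous which secret wins
        else:
            suppliers[fields[0]] = fields[1]
    return suppliers, bad


def permission_problems(st_mode, st_uid):
    """Secrets must be root-only: report non-root ownership and any
    group/other permission bits. Empty list means the file is acceptable."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access allowed (mode %o)" % stat.S_IMODE(st_mode))
    return problems


def check_file(path):
    """Apply permission_problems() to a real file."""
    st = os.stat(path)
    return permission_problems(st.st_mode, st.st_uid)


def lookup_secret(suppliers, supplier_id):
    """What firesendid --id does: locate the entry or fail loudly."""
    if supplier_id not in suppliers:
        raise KeyError("unknown supplier id %r" % supplier_id)
    return suppliers[supplier_id]


SAMPLE = """# constructed sample suppliers.conf
your_server:example-secret-1:
fileserver2:example-secret-2:
broken line without colons
"""
```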