
1. Concepts

1.1 The firewall module

The userfirewall module works as a companion to the firewall module. Firewall rules are built from information such as the source IP, destination IP, source interface, destination interface and various other criteria (protocol, ports, etc.). The IP numbers and interfaces may be specified using logical names. A logical name has the form module_id/value. The id of the userfirewall module is "userfw". The value is some string interpreted by the module owning the module_id. The userfirewall module defines two possible value types: user and @group. More on this later.

1.2 Per user firewall

The goal is to associate some firewall rules with some users. Those users may use different workstations, potentially at different locations. The firewall rules are associated with these users, not with the workstation they happen to be using (the IP of the workstation).

In the end, the firewall rules need IP numbers, so a given user must be associated with the IP of his workstation. This can be done using different strategies.

Users and groups

The userfirewall module uses the user and group concepts in a very broad sense. It defines a user account file, /etc/userfirewall/users.conf. This is totally unrelated to the Linux account database /etc/passwd.

A user may be a member of several groups. A group is just a name. There is no database defining the various firewall groups.

The /var/run/userfirewall.state file

The /var/run/userfirewall.state file contains the list of firewall users currently assigned to an IP number. This is the main source of information used by userfirewall to answer the firewall module's queries. The format of this file is trivial: one entry per line.

        user ip_or_net group1 group2 ...
        
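As an added example (not code from Linuxconf or the userfirewall module), here is a small parser for that state file together with a resolver that maps the two logical name forms from section 1.1, userfw/user and userfw/@group, to the IPs or networks currently bound to them. It assumes only what the page states about the format; the sample file content, the tolerance for blank and # comment lines, and the function names are assumptions made for the illustration.

```python
"""Resolve userfirewall logical names against /var/run/userfirewall.state.

Added example, not code from Linuxconf or the userfirewall module. It
assumes only what the page states: one entry per line, whitespace-separated,
`user ip_or_net group1 group2 ...`, and logical names of the form
`userfw/<user>` or `userfw/@<group>`. The helper names are made up here.
"""
import ipaddress

MODULE_ID = "userfw"

# Constructed sample state file content (not a real capture).
SAMPLE_STATE = """\
alice 192.168.1.10 staff admins
bob 192.168.1.11 staff
carol 10.0.0.0/24 contractors
# comment and blank lines are tolerated by this parser (an assumption)

dave 192.168.1.12
"""


def parse_state(text):
    """Return a list of (user, network, groups) tuples from state file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'user ip_or_net ...', got {raw!r}")
        user, target, *groups = fields
        # A bare IP becomes a /32; strict=False tolerates host bits in a net spec.
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad ip_or_net {target!r}") from exc
        entries.append((user, net, groups))
    return entries


def resolve(logical_name, entries):
    """Map 'userfw/alice' or 'userfw/@staff' to a sorted list of network strings.

    A name with no current entry resolves to an empty list: a user who has
    ended his firelogin session matches nothing, never everything.
    """
    module_id, sep, value = logical_name.partition("/")
    if not sep or module_id != MODULE_ID or not value:
        raise ValueError(f"not a {MODULE_ID} logical name: {logical_name!r}")
    if value.startswith("@"):
        group = value[1:]
        nets = {str(net) for _, net, groups in entries if group in groups}
    else:
        nets = {str(net) for user, net, _ in entries if user == value}
    return sorted(nets)


def is_allowed(src_ip, logical_name, entries):
    """True if src_ip falls inside any network currently bound to the logical name."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n) for n in resolve(logical_name, entries))


if __name__ == "__main__":
    ents = parse_state(SAMPLE_STATE)
    print(resolve("userfw/@staff", ents))
    print(resolve("userfw/carol", ents))
    print(is_allowed("10.0.0.77", "userfw/@contractors", ents))
```

The empty-list behaviour for unknown or logged-out users is the point worth keeping when implementing this for real: a rule whose source resolves to nothing must stay closed, because the state file is the only thing standing between "this IP belongs to alice" and an unauthenticated workstation.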

The firelogin utility

The firelogin utility, part of the userfirewall package, allows users to identify themselves with a password. Once the user is identified, firelogin picks the source IP of the session and the corresponding firewall rule may be enabled. Once the user ends the firelogin session, the firewall rule is disabled.

The firelisten utility

This utility listens on a TCP port and handles connections from firesendid clients. It updates the userfirewall.state file.

The firesendid utility

This utility is generally installed on other servers. It is used to control the content of the /var/run/userfirewall.state file on the firewall. This is not an interactive utility.

It connects to the firelisten service on the firewall, exchanges some authentication and then sends various requests to add or remove entries from the userfirewall.state file. Since every entry added this way enables firewall rules, that authentication step is what protects the firewall from forged identity claims sent to the firelisten port.

This utility is generally run on servers providing user authentication, such as Samba servers.
