UserFirewall introduction

Configuring firewalls is a difficult task. It is sometimes impossible to provide accurate rules, because users or services move around the network. The userfirewall module deals with these problems.

1. Concepts

1.1. The firewall module

The userfirewall module works as a companion to the firewall module. Firewall rules are created using information such as the source IP, destination IP, source interface, destination interface and various other information (protocol, ports, etc.). The IP numbers and interfaces may be specified using logical names. A logical name has the form module_id/value. The id of the userfirewall module is "userfw". The value is some string interpreted by the module owning the module_id. The userfirewall module defines two possible value types: user and @group. More on this later.

1.2. Per user firewall

The goal is to associate some firewall rules with some users. Those users may use different workstations, potentially at different locations. The firewall rules are associated with these users, not with the workstation they are using (the IP of the workstation). In the end, the firewall rules need IP numbers, so a given user must be associated with the IP of his workstation. This can be done using different strategies.

1.2.1. Users and groups

The userfirewall module uses the user and group concepts in a very broad sense. It defines a user account file, /etc/userfirewall/users.conf. This is totally unrelated to the Linux account database /etc/passwd. A user may be a member of several groups. A group is just a name: there is no database defining the various firewall groups.

1.2.2. The /var/run/userfirewall.state file

The /var/run/userfirewall.state file contains the list of firewall users currently assigned to an IP number. This is the main source of information used by userfirewall to satisfy the firewall module queries.

The format of this file is trivial:

    user ip_or_net group1 group2 ...

  user
      This is a name. It corresponds to one account in the users.conf file, but this is not always the case. The userfirewall module does not care.

  ip_or_net
      This is either an IP number in quad notation or a network/netmask pair, also in quad notation (192.168.1.2 or 192.168.1.0/255.255.255.0).

  group1 group2 ...
      These are names usable in a userfw/@group query.

1.2.3. The firelogin utility

The firelogin utility, part of the userfirewall package, allows users to identify themselves with a password. Once identified, firelogin picks the source IP, and the corresponding firewall rule may be enabled. Once the user ends the firelogin session, the firewall rule is disabled.

1.2.4. The firelisten utility

This utility listens on a TCP port and handles connections from firesendid clients. It updates the userfirewall.state file.

1.2.5. The firesendid utility

This utility is generally installed on other servers. It is used to control the content of the /var/run/userfirewall.state file. This is not an interactive utility. It connects to the firelisten service on the firewall, exchanges some authentication and then sends various requests to add or remove entries from the userfirewall.state file. This utility is generally run on servers providing user authentication, such as Samba servers.

2. userfirewall and samba

The module provides a sample sambasendid script. It contains most of the explanation needed to hook userfirewall to Samba.

3. Using virtual private networks

Note that using VPNs may be an alternative to userfirewall for mobile users.
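As an added example (not code from the userfirewall package), the following Python parser reads a state file in the format described in section 1.2.2 and resolves userfw/user and userfw/@group logical names (section 1.1) to the networks currently assigned to them. The state file content below is constructed for the example; function names are the example's own.

```python
import ipaddress

# Constructed sample of /var/run/userfirewall.state (not taken from a real system).
SAMPLE_STATE = """\
alice 192.168.1.2 staff admin
bob 192.168.1.3 staff
guestnet 10.0.5.0/255.255.255.0 visitors
"""


def parse_state(text):
    """Parse state-file lines into (user, network, groups) tuples.

    Each line is: user ip_or_net group1 group2 ...
    ip_or_net is a quad-notation address or a network/netmask pair.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least user and ip_or_net")
        user, ip_or_net, groups = fields[0], fields[1], fields[2:]
        # ipaddress accepts quad-notation netmasks; a bare address becomes a /32.
        net = ipaddress.ip_network(ip_or_net, strict=False)
        entries.append((user, net, frozenset(groups)))
    return entries


def resolve(entries, logical_name):
    """Resolve 'userfw/<user>' or 'userfw/@<group>' to the matching networks."""
    module_id, _, value = logical_name.partition("/")
    if module_id != "userfw" or not value:
        raise ValueError(f"not a userfw logical name: {logical_name!r}")
    if value.startswith("@"):
        group = value[1:]
        return [net for _, net, groups in entries if group in groups]
    return [net for user, net, _ in entries if user == value]


def ip_matches(entries, logical_name, ip):
    """True if the address is currently covered by the logical name."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in resolve(entries, logical_name))
```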