==> uif-1.99.0/AUTHORS <==
Alex Owen
Cajus Pollmeier
klemens
Mike Gabriel

==> uif-1.99.0/COPYRIGHT <==
Copyright (C) 2002-2015 Jörg Platte
Copyright (C) 2002-2015 Cajus Pollmeier
Copyright (C) 2013-2015 Alex Owen
Copyright (C) 2013-2022 Mike Gabriel

All of uif is licensed under the GPL-2.0+ (GPL-2.0 or newer) license:

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

See the COPYING file for a full text version of the license.

==> uif-1.99.0/ChangeLog <==
2022-04-19 Mike Gabriel

	* release 1.99.0 (HEAD -> master, tag: 1.99.0)
	* uif.8: Update uif man page (esp. for nft support, but also convert from nroff to groff). (c52a64c)
	* uif.conf.5: Update uif.conf man page (esp. for nft support, but also convert from nroff to groff). (fa7ba69)
	* Makefile: Assure presence of new config dirs (for dropping snippets). (574181c)
	* uif.pl: With nft backend, fix port based rules. (4d74c0b)
	* Support file globbing and introduce conf.d directories for dropping config snippets. (96ed4c7)
	* Update copyright/license information. (bd7fe84)
	* compare-v(4|6)-iptables+nft-results.sh: Add test scripts that compare iptables-nft and nft results. (f76c2a8)
	* uif.pl: With nft backend, resolve remaining FIXMEs. This completes the nft backend support. (222559a)
	* uif.pl: With nft backend, drop 'meta l4proto ipv6-icmp' prefix before type-wise ICMPv6 packet accepts. (945c6e0)
	* Revert "uif.pl: With nft backend, use proper counter expressions." (f52b023)

2022-04-18 Mike Gabriel

	* uif.pl: With nft backend, use pre-defined priority keywords instead of hard-coded priority numbers. (7100eb4)
	* uif.pl: With nft backend, use single ports only if ranges start and end with the same port. (ff27dfe)
	* uif.pl: Use camel-case key for 'FilterCommand' in $Sysconfig hash. (26b0453)
	* uif.pl: With nft backend, use proper counter expressions. (123c3c3)

2022-04-17 Mike Gabriel

	* uif.pl: Introduce line numbering in print mode, add cmdline option '-l'. (97f5523)

2022-04-16 Mike Gabriel

	* uif.pl: Convert another "-j" iptables option into "counter jump". (8b830a7)

2019-12-07 Mike Gabriel

	* uif.pl: Fix snat/dnat multiport rules in nft. (6fcfd7a)

2019-12-06 Mike Gabriel

	* uif.pl: Fix icmpv6 rules for nftables. (7874781)
	* uif.pl: Resolve one FIXME: snat/dnat rules for native nft command. (c3edde5)
	* uif.pl: Drop not required (and flawed) (8a85e2e)
	* mark TODOs with FIXME tags (aae4ab1)
	* Turn genRuleDump_NFT so that now generates a native nft command set. (a1b95d1)

2019-12-05 Mike Gabriel

	* uif.pl: Introduce FILTER_COMMAND environment parameter and support nft command sets as well as iptables* command sets. (d598df0)

2019-12-06 Mike Gabriel

	* Send "Skipping..." messages to STDERR. (98a57ec)

2019-12-05 Mike Gabriel

	* default: Parameters that shall be perceived by the uif Perl script need to be exported to the environment. (99d6e86)
	* uif.pl: white lines removed / added (8f2746e)
	* Prepend targets starting with ${id} by CHAIN_ (so that target names work in nftables, too). (d72d1d7)
	* The Linux firewall is shifting towards nftables, so let's prepare for that (by using the legacy iptables commands). (55ba357)

2018-08-20 Mike Gabriel

	* release 1.1.9 (a7ec235) (tag: 1.1.9)
	* Makefile: Fix flawed usage of DESTDIR and PREFIX. (1448fd3)

2017-01-16 Mike Gabriel

	* uif.spec: Date fix in changelog. (ee38674)

2017-01-15 Mike Gabriel

	* release 1.1.8 (1123e0c) (tag: 1.1.8)
	* validateData: Prevent from using networks with MAC addresses neither for outward bound nor for destination networks. (d913b96)
	* Better test and fix MAC address based source filtering. (477c55b)
	* release 1.1.7 (9d20e8e) (tag: 1.1.7)
	* MAC-source filtering, regression fix: Re-add push of $ip to @netobjects if network object contains a MAC address. (bd85804)
	* UIF: Allow MAC syntax in network items only with real IP addresses, not with DNS resolvable host names. (36d6d86)
	* release 1.1.6 (3435812) (tag: 1.1.6)
	* Makefile: Fix installation of uif.initscript. (0038831)
	* uif.conf.5: Add some hints and notes about IPv6 support. (9c01c91)
	* doc files: consistently use UIF in capital letters. (6d01761)
	* services file: Add some more services (kerberos5 et al., ldaps, swat, openvpn, mysql, munin, cfenging, xmpp-client, xmpp-server, icinga2, webmin and puppet). (868ac44)
	* COPYRIGHT: Update copyright date for Mike Gabriel. (cfee841)
	* ChangeLog: Convert to GNU ChangeLog style, generated from Git history. (577cc6b)
	* INSTALL.md: Typo fix in Perl module name. (d75e0ed)
	* Drop former uif initscript, replaced by new uif.initscript file. (8766e7b)
	* Revert "release 1.1.6" (26c5c19)
	* Rename README.IPv6 -> README.IPv6.md (465c6da)
	* release 1.1.6 (ed896f4)
	* Update most documentation files and convert to markdown syntax. (f2f7bf2)
	* init script: Adopting Debian's init script as an example into upstream code. (13adace)
	* Add VERSION file (with last released version number). (402d8f5)
	* Drop debian/ packaging folder, we are an upstream project. (6aae291)
	* IPv6 name resolution: Work around broken IPv6 name resolution in NetAddr::IP (see: CPAN issue #119858). (91d3907)

2017-01-13 Mike Gabriel

	* IPv6 support: More locations in the code spotted, where we need to differentiate between IPv4 and IPv6 mode. (2baab0e)

2016-04-18 Mike Gabriel

	* Merge branch 'ka7-spelling_fix' (91cb12b)

2016-04-16 klemens

	* spelling fix, as of lintian.debian.org (ae13340)

2015-03-11 Mike Gabriel

	* release 1.1.5 (01892a9) (tag: 1.1.5)
	* bump version and dates (45b9141)
	* Fix severe flaw in IPv4-only/IPv6-only rule setup. Don't open IPv4 holes when setting up IPv6-only rules and vice versa. (d8c8700)

2014-12-09 Mike Gabriel

	* Fix another typo in same error message. (3ffeb89)
	* Fix spelling of Debian in error message. (Closes: Debian bug #772496). (5cb7c81)

2014-07-01 Mike Gabriel

	* release 1.1.4 (2754565) (tag: 1.1.4)
	* debian/rules: Update from Debian package. (47e10a2)
	* debian/copyright: Update from Debian package. (da54e44)
	* Make sure that masq|snat|dnat|nat rules get ignored in IPv6 mode. (2a5b7ae)

2014-06-13 Mike Gabriel

	* release 1.1.3 (f6505c5) (tag: 1.1.3)

2014-06-03 Mike Gabriel

	* uif.conf: Drop the fw+ filter for ICMPv6 rules. (23707ba)
	* debian/uif.postinst: Provide a DebConf mediated workstation config that also protects from IPv6 attacks. (244cbdd)
	* IPv6: make neighbor-solicitation (packet type 135) a must for the incoming filter (f888b00)
	* examples: Provide an IPv4+6 config file example (d318892)

2014-05-20 Mike Gabriel

	* uif.conf: Allow packet type 136 (neighbor-advertisement). Allow forwarding _and_ inbound ICMP messages. (76474e5)
	* release 1.1.2 (a62ad68) (tag: 1.1.2)
	* uif.spec: Update version+release field. (01513a7)
	* debian/changelog: drop non-sense at EOF (d91cdce)
	* uif.conf: Enable inclusion of services file by default. (f68c9e4)
	* services: Use more appropriate icmp packet type names. (2fdbae3)
	* debian/changelog: Use revision -0 in package version. (4bf5f76)

2014-01-28 Mike Gabriel

	* Add services "rdp" and "vnc-support" to services file. (3c10099)
	* Provide new protocol: ipv6-icmp. Rework ICMP types in services file. (5debe50)

2014-01-22 Mike Gabriel

	* release 1.1.1 (e384b5b) (tag: 1.1.1)
	* Alioth-canonicalize Vcs-Git: field. (2084ea5)
	* Install lintian overrides. Override issue false-positive issue maintainer-script-should-not-use-service. (46b887e)
	* Make sure that hostnames resolve to IPv6 addresses when setting up the IPv6 filtering rules. (3872ce4)
	* Default log level for iptables: crit (not debug). (9bac303)
	* debian/uif.init: Leave reporting startup failures to init-functions. Beautify init script when failures occur. (f12a8bb)
	* Fix typos and mal-used minus signs in uif.conf.5 man page. (25cee2a)
	* Continue development... debian/rules: Add get-orig-source rule. (a3ce0ba)
	* release 1.1.0 (1a2ffc9) (tag: 1.1.0)
	* Calls of update-rc.d are now handled by debhelper. Add #DEBHELPER# macro after the new uif configuration has been created. (43a6cdc)
	* debian/uif.init: typo fix (cfc350b)
	* Bump Standards: to 3.9.5. No changes needed. (2afe691)
	* debian/rules: syntax fix (e99b29f)
	* debian/uif.init: Provide an LSB compliant init script for Debian. debian/uif.install: Don't install upstream's init script on Debian system. (44f01b3)
	* cosmetic removals of "/" before debian/ folder name (2e5c2f0)
	* debian/uif.postinst: Adapt Debianic configuration of workstation profile to IPv6 capabilities. Enable IPv6 by default, as well, on Debian systems. (dc52d1b)
	* add EOL at EOF (b7650fb)
	* Enable IPv6 support by default. (2ce5855)
	* remove Debian specific comment in upstream uif.conf, hint to IPv4-only / IPv6-only network names usage in uif.conf (faf5264)
	* Support filtering rules that apply to IPv4/IPv6 only. (fff07b9)
	* Add /me and Alex Owen as copyright holders. (3c31d9d)
	* uif.spec: update RPM build script (fdeef77)
	* service: fix author name (convert to UTF-8) (5638602)
	* README.IPv6: typo fix (96ad6d6)
	* Keep lines in README below 80 characters. (207e3cd)
	* Drop deb: rule from Makefile. (a665b56)
	* Update upstream download source in INSTALL file. Mark Net::LDAP as optional dependency. (03b3a8f)
	* Update COPYRIGHT file. Add /me as copyright co-holder and update FSF address. (3645e5e)

2013-10-31 Mike Gabriel

	* Init script: be more explicit on whether init script actions are IPv4 or IPv6 actions. (2fbf3e6)
	* debian/rules: run dh_link during (4a7215c)

2013-08-07 Mike Gabriel

	* debian scripts: whitespace/tab fixes (16186ec)
	* /debian/uif.config: whitespace/tab fixes (0be6dd8)
	* Makefile: fix installation of doc files (c7acd0b)
	* Provide IPv4/IPv6 capable set of default configuration files. Rename example files to denote that they show IPv4-only examples. (019c78e)
	* fix encoding in copyright file (2b99d66)

2013-08-06 Mike Gabriel

	* /debian/control: Drop separate package uif-ldap again. Sync in packaging folder from Debian. (9f3554a)

2013-06-11 Mike Gabriel

	* /debian/rules: Run dh_link during install. (cd1fd5a)
	* version fix, encoding fix, whitespace fix in Makefile (7fbbaad)
	* /debian/*.docs: Install README* files into bin:packages. (61a192d)
	* whitespace cleanup (17225ff)
	* coherent spelling of IPv4 and IPv6 in man page (9e77348)
	* coherent spelling of IPv4 and IPv6 in init script (2336ea3)
	* properly tab'ify init script (9f7f2bb)
	* Create README.IPv6 as upstream file. (341e532)
	* /debian/rules: Leaving clean-up to dh_clean. (b51cf05)
	* Update README, mention issue trackers. (a4fd6bf)
	* update changelog (6b40a6e)

2013-06-11 Alex Owen

	* IPv6 patch (0ffa361)

2013-06-11 Mike Gabriel

	* import packaging from Debian package (a374f15)
	* now really fix umlaut in uif.pl (48c887d)
	* Continue development... (d0b9dbf)
	* release 1.0.8 (44a1201) (tag: 1.0.8)
	* update ChangeLog (e694cb0)
	* convert Umlaut to UTF-8, fix FSF address (2ee8df9)
	* fix hyphens and spelling errors in man pages (bc4d0f9)
	* import packaging files from Debian package (1cccc49)
	* Continue development... (1d3bc90)
	* add Description: keyword to LSB header (327a5ba)

2013-06-10 Mike Gabriel

	* release 1.0.7 (d1f04b6)
	* add myself to the list of upstream people (234f4f6)
	* /debian/control: Add uif-ldap to Suggests: field (f3f6a1a)
	* split uif into bin:packages uif and uif-ldap (15ef174)
	* Provide a default (nothing-in/all-out) uif.conf. (c1d0f4d)
	* ChangeLog: moving credits over to Alex Owen (c7606c1)
	* abusing /debian/changelog as upstream changelog (2573ad5)
	* Run dh_clean in clean stanza. (252c79a)
	* fix mail address in changelog footer (d86b092)
	* remove build cruft from /debian folder (3ba49af)
	* remove stray templates files: templates.de (7775ed3)
	* upstream projects are easier to handle with source format 3.0 (native) (7b14060)
	* Make LDAP dependency optional. (5907709)
	* use my NWT address for this upstream project, set changelog to UNRELEASED (1a74530)
	* rewrite /debian/changelog, use as upstream changelog from now on (16f44c2)
	* import all gains from the latest Debian package of uif (debian/1.0.6-3) (369914e)

2011-08-24 Cajus Pollmeier

	* Fixed mail (78811fa) (tag: 1.0.6)
	* Fixed encoding (f97ce59)
	* Initial checkin (d15aeda)

==> uif-1.99.0/INSTALL.md <==
# Installation Guide for UIF 1.99.0

This file contains some quick installation hints for the UIF package.

## Download

You can get the newest version at https://github.com/cajus/uif.

## Dependencies

In order to use the script, you need iptables, ip6tables, Perl,
NetAddr::IP (>=3.0), Socket, Data::Validate::IP and optionally Net::LDAP.

## Build

Well - there's nothing to build. Just change the PREFIX on top of the
Makefile and do a "make install".
If you want to start UIF during bootup you should add the needed links in
/etc/rc*. See file "uif.initscript" for a working init script.

## Debian

The UIF package is regularly released via Debian. Use APT to retrieve this
piece of software directly from the Debian archives:

```
# apt-get install uif
```

## Documentation

Use "man uif" and "man uif.conf" to see what's possible.

==> uif-1.99.0/Makefile <==
# uif-1.1.x Installer Makefile
# Copyright (C) 2002-2015, Cajus Pollmeier
# Copyright (C) 2002-2015, Jörg Platte
# Copyright (C) 2013-2022, Mike Gabriel
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

# Change here to install to different location
DESTDIR ?=
PREFIX ?= /usr/local

VERSION = `cat VERSION | head -1`

all:

install:
	@echo "Installing uif script..."
	@# create directories
	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif
	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif/uif.conf.d
	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif/uif-ipv4-networks.inc.d
	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif/uif-ipv6-networks.inc.d
	install -o root -g root -m 755 -d $(DESTDIR)/etc/default
	install -o root -g root -m 755 -d $(DESTDIR)/etc/init.d
	install -o root -g root -m 755 -d $(DESTDIR)/etc/ldap/schema
	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/sbin
	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/share/doc/uif
	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/share/man/man8
	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/share/man/man5
	@# install files
	install -o root -g root -m 700 uif.pl $(DESTDIR)$(PREFIX)/sbin/uif
	install -o root -g root -m 600 default $(DESTDIR)/etc/default/uif
	install -o root -g root -m 600 services $(DESTDIR)/etc/uif
	if [ ! -e $(DESTDIR)/etc/uif/uif.conf ]; then install -o root -g root -m 600 uif.conf $(DESTDIR)/etc/uif; fi
	if [ ! -e $(DESTDIR)/etc/uif/uif-ipv4-networks.inc ]; then install -o root -g root -m 600 uif-ipv4-networks.inc $(DESTDIR)/etc/uif; fi
	if [ ! -e $(DESTDIR)/etc/uif/uif-ipv6-networks.inc ]; then install -o root -g root -m 600 uif-ipv6-networks.inc $(DESTDIR)/etc/uif; fi
	install -o root -g root -m 755 uif.initscript $(DESTDIR)/etc/init.d
	mv $(DESTDIR)/etc/init.d/uif.initscript $(DESTDIR)/etc/init.d/uif
	install -o root -g root -m 644 uif.schema $(DESTDIR)/etc/ldap/schema
	@# install documentation
	install -o root -g root -m 644 docs/uif.conf.IPv4.tmpl $(DESTDIR)$(PREFIX)/share/doc/uif
	install -o root -g root -m 644 docs/uif.conf.IPv4+6.tmpl $(DESTDIR)$(PREFIX)/share/doc/uif
	install -o root -g root -m 644 docs/examples.IPv4.txt $(DESTDIR)$(PREFIX)/share/doc/uif
	install -o root -g root -m 644 uif.8 $(DESTDIR)$(PREFIX)/share/man/man8
	install -o root -g root -m 644 uif.conf.5 $(DESTDIR)$(PREFIX)/share/man/man5

==> uif-1.99.0/README.IPv6.md <==
# IPv6 support for UIF 1.99.0

Starting with version 1.1.0 UIF is able to handle IPv6 iptables as well as
IPv4 iptables. The IPv6 support was originally provided by Alex Owen via a
patch sent to the Debian bug tracker. Awesome thanks to Alex for this
initial piece of work!!!

With IPv6 support added, UIF can now also produce IPv6 firewall rules. The
init script can, by setting IPV6MODE=1 in /etc/default/uif, be made to
install the IPv4 rules from /etc/uif/uif.conf and the IPv6 rules from
/etc/uif/uif6.conf.

Judicious use of the include, include4 and include6 sections of the config
files means that the IPv6 and IPv4 rules can be identical except for
including a network section with IPv4 definitions and IPv6 definitions
respectively.
## Configuration Examples

The file uif6.conf can be a sym-link to uif.conf or contain:

```
--uif6.conf--
include {
    "/etc/uif/uif.conf"
}
-------------
```

The file uif.conf can then be used for a single set of rules but can
include different network definitions as needed:

```
--uif.conf--
#include common services
include {
    "/etc/uif/services"
}
# in IPv4 mode include IPv4 network definitions
include4 {
    "/etc/uif/networks4"
}
#In IPv6 mode include IPv6 network definitions
include6 {
    "/etc/uif/networks6"
}
#common filter block for both ipv4 and ipv6
filter {
    #Put your firewall rules here
}
------------
```

As an addition it is possible to append "(4)" or "(6)" to network names in
filtering rules (e.g.: "in+ s=trusted(4)"). This limits the application of
this rule to the specified IP protocol version only. This can be especially
helpful if some of your network names only exist for one IP protocol
version but not for the other.

## AUTHORS

* Alex Owen, Sun, 15 Jul 2012 14:41:22 +0100
* Mike Gabriel, Wed, 22 Jan 2014 13:50:01 +0100

==> uif-1.99.0/README.LDAP.md <==
# README.LDAP for UIF 1.99.0

## Documentation / LDAP

There is some LDAP support built into UIF, with that you can handle a big
farm of diskless router configurations. Use uif(8) and information provided
in the doc/ directory to configure the firewall fitting your needs.

## Call for help

The LDAP support in UIF hasn't been tested for quite a while. Most users of
UIF have use cases with local configuration files. If you feel like
contributing, please dive into the LDAP functionality of UIF and test it,
report bugs, give feedback, etc.

==> uif-1.99.0/README.md <==
# README for UIF 1.99.0

## Documentation

The UIF project has been developed for a diskless router system and
provides a mechanism to create and simplify packet filter rules. It forces
you to provide names for every value you use in order to make firewalls
less confusing.

Please have a look at the man pages for uif(8) and uif.conf(5). There are
also example configurations in the docs/ directory.

There is some LDAP support built-in, with that you can handle a big farm of
diskless router configurations. Use uif(8) and information provided in the
doc/ directory to configure the firewall fitting your needs.

## Bugs / Wishlist

UIF is on Github. If you've found a bug, or have suggestions for future
versions please report it via the project's issue tracker:

https://github.com/cajus/uif/issues

If you have installed UIF on Debian, you can also use the Debian BTS for
reporting bugs. As the Debian maintainer of UIF is a member of the UIF
upstream development team, the Debian bugs will also reach upstream quickly.

Have fun,

-Jörg Platte, Cajus Pollmeier, Mike Gabriel, Alex Owen

==> uif-1.99.0/VERSION <==
1.99.0

==> uif-1.99.0/compare-v4-iptables+nft-results.sh <==
#!/bin/bash

# Copyright (C) 2022 Mike Gabriel
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

# this script requires /etc/uif/ to be in place and configured well

tmpresults_nft="$(mktemp)"
tmpresults_iptables="$(mktemp)"

sudo nft flush ruleset ip
sudo FILTER_COMMAND=nft ./uif.pl
sudo nft list ruleset ip 1> "${tmpresults_nft}"

sudo nft flush ruleset ip
sudo FILTER_COMMAND=iptables-nft ./uif.pl
sudo nft list ruleset ip 1> "${tmpresults_iptables}"

#sudo nft flush ruleset ip

diff -wu "${tmpresults_iptables}" "${tmpresults_nft}"

==> uif-1.99.0/compare-v6-iptables+nft-results.sh <==
#!/bin/bash

# Copyright (C) 2013-2022 Mike Gabriel
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

# this script requires /etc/uif/ to be in place and configured well

tmpresults_nft="$(mktemp)"
tmpresults_iptables="$(mktemp)"

sudo nft flush ruleset ip6
sudo FILTER_COMMAND=nft ./uif.pl -6
sudo nft list ruleset ip6 1> "${tmpresults_nft}"

sudo nft flush ruleset ip6
sudo FILTER_COMMAND=iptables-nft ./uif.pl -6
sudo nft list ruleset ip6 1> "${tmpresults_iptables}"

#sudo nft flush ruleset ip6

diff -wu "${tmpresults_iptables}" "${tmpresults_nft}"

==> uif-1.99.0/default <==
## Debian firewall package standard values
# See "man 8 uif" for details.

### UIF settings, these need to be exported to the environment

# 'nft', 'iptables', 'iptables-nft' or 'iptables-legacy'?
export FILTER_COMMAND="nft"

# the iptables loglevel
export LOGLEVEL="crit"

# prefix for all logged incidents
export LOGPREFIX="FW"

# iptables log specific options
export LOGLIMIT="20/minute"
export LOGBURST="5"

# iptables limit specific options
export LIMIT="20/minute"
export BURST="5"

# firewall testing timeout
export TIMEOUT=30

# prefix for accounting rules
export ACCOUNTPREFIX="ACC_"

### UIF init script settings, need not be exported to the environment

# specify modules to load before startup
MODULES="ip_conntrack_ftp"

# who should get the mails when the script fails
MAILTO="root"

# IPV6MODE can be set to 0 or 1.
# By default it is 0
# If set to 1 then both an IPv4 and an IPv6 firewall will be started
# Uncomment below to enable the IPV6MODE
IPV6MODE=1

==> uif-1.99.0/docs/examples.IPv4.txt <==
EXAMPLES for UIF
================

These sample configurations are fully virtual setups but may contain
valid ip addresses.


1) Simple router/proxy setup

Imagine the following scenario with one packet filter and masquerading:

                   ppp0              eth0
   internet-----------filter-------------proxy---------intranet
             193.174.71.23   192.168.0.1   192.168.0.2   192.168.0.0/24

The filter masquerades the proxy address and rejects all other internal
traffic to the internet. Don't forget to enable forwarding
(sysctl -w net.ipv4.ip_forward=1), respectively adding it to
/etc/sysctl.conf.

8<---------------------------------------------------------------------
include {
    # include the basic service definitions
    "/etc/uif/services"
}

service {
    # define all valid services from the proxy into the internet
    proxytraffic  http https ntp pop3s imaps smtp ssh ftp
}

network {
    # define all networks and hosts
    proxy     192.168.0.2
    intern    192.168.0.0/24
    gonicus   21.8.6.9
    ds        129.27.18.16

    # accept external ssh connections from gonicus and ds
    sshok     ds gonicus
}

interface {
    # define all local interfaces
    loop      lo
    extern    ppp0
    intern    eth0
}

input {
    # permit all loopback traffic
    in+ i=loop

    # accept local ssh logins
    in+ i=intern s=intern p=ssh

    # accept external ssh connections from gonicus and ds
    in+ i=extern s=sshok p=ssh

    # accept pings
    in+ i=extern p=ping

    # reject and log all other incoming connections
    in- f=log(incoming),reject
}

output {
    # permit all loopback traffic
    out+ o=loop

    # permit all outgoing traffic to the internal network
    out+ o=intern

    # permit outgoing ntp and ssh connections
    out+ o=extern p=ntp,ssh

    # reject all and log all other outgoing connections
    out- f=log(outgoing),reject
}

forward {
    # in case of a PPPoE DSL line the following line may be useful
    # it sets the mss of every forwarded packet to a smaller value
    fw> o=extern

    # forward previously defined proxy traffic to external hosts
    fw+ o=extern s=proxy p=proxytraffic

    # reject all and log all other outgoing connections
    fw- f=log(forwarding),reject
}

masquerade {
    # masquerade proxy traffic
    masq+ o=extern s=proxy
}
--------------------------------------------------------------------->8


2) Router doing nat and transparent proxies

Imagine the following (not really usable) scenario:

                  eth0              eth1
   Internet---------filter------------switch
             80.67.1.53    10.10.0.1     |
                                         +--gatekeeper 10.10.0.15
                                         |
                                         +--[intranet]

Imagine "filter" is running squid as a transparent proxy and "gatekeeper"
is your ssh gateway to the intranet. No other connections to the intranet
are allowed. "filter" is acting as nameserver, no additional connections
from the inside to the outside are allowed.

8<---------------------------------------------------------------------
include {
    # include the basic service definitions
    "/etc/uif/services"
}

network {
    # define all networks and hosts
    proxy     10.10.0.1
    intern    10.10.0.0/16
    gate      10.10.0.5
}

interface {
    # define all local interfaces
    loop      lo
    extern    eth0
    intern    eth1
}

filter {
    # permit all loopback traffic
    in+  i=loop
    out+ o=loop

    # permit all outgoing traffic for "filter"
    out+ o=intern,extern

    # accept pings
    in+ i=extern p=ping

    # accept local ssh logins, dns, http
    in+ i=intern s=intern p=ssh,dns,http

    # redirect port 80 to 10.10.0.1:3128
    nat+ i=intern s=intern p=http D=proxy P=squid

    # redirect incoming ssh connections to gatekeeper
    nat+ i=extern p=ssh D=gatekeeper

    # reject and log all other connections
    in-  f=log(incoming),reject
    out- f=log(outgoing),reject
    fw-  f=log(forward),reject
}
--------------------------------------------------------------------->8

==> uif-1.99.0/docs/uif.conf.IPv4+6.tmpl <==
## Debian GNU Linux Firewall Package
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

## Sysconfig definitions
# These entries define the global behaviour of the firewall package. Normally
# they are preset in /etc/default/uif and may be overwritten by this
# section.
#
# syntax:   LogLevel : set the kernel loglevel for iptables rules
#           LogPrefix: prepend this string to all iptables logs
#           LogLimit:  set packet log limit per time interval (times/interval)
#           LogBurst:  set packet log burst
#           Limit:     set packet limit per time interval (times/interval)
#           Burst:     set packet burst
# example:
# sysconfig {
#     LogLevel       debug
#     LogPrefix      FW
#     LogLimit       20/minute
#     LogBurst       5
#     Limit          20/minute
#     Burst          5
#     AccountPrefix  ACC_
# }

## Include predefined services
# The include section takes a bunch of files and includes them into this
# configuration file.
#
# syntax:   "filename"

#include {
#    "/etc/uif/services"
#}

## Services needed for workstation setup
# The service section provides the protocol definitions you're
# using in the rules. You're forced to declare everything you
# need for your setup.
#
# syntax:   service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
#                        [protocol_name([source:range][/][dest:range])] [service_name] ...
# examples: http   tcp(/80)
#           dns    tcp(/53) udp(/53)
#           group  http dns tcp(/443)
#           ipsec  esp(/) udp(/500)

service {
    traceroute  udp(32769:65535/33434:33523) icmp(11)
    ping        icmp(8)
}

## Network definitions needed for simple workstation setup
# In the network section you're asked to provide information on all
# hosts and/or networks running in your setup.
#
# syntax:   net_name [ip-address[:mac-address]] [network] [net_name]
# examples: webserver  192.168.1.5
#           intranet   10.1.0.0/16
#           dmz        10.5.0.0/255.255.0.0
#           some       intranet dmz 10.2.1.1
#           router     10.1.0.1=0A:32:F2:C7:1A:31

network {
    localhost  127.0.0.1
    all        0.0.0.0/0
    trusted4   192.168.1.0/24
    trusted6   fd00:1:2:3::/64
}

## Interface definitions
# Since all definitions used in the filter section are symbolic,
# you've to specify symbolic names for all your interfaces you're
# going to use.
#
# syntax:   interface_name [unix network interface] [interface_name]
# examples: internal  eth0
#           external  ippp0 ipsec0
#           allppp    ppp+
#           group     external allppp eth3

interface {
    loop  lo
}

## Filter definitions
# The filter section defines the rules for in, out, forward, masquerading
# and nat. All rules make use of the symbolic names defined above. This
# section can be used multiple times in one config file. This makes more
# sense when using one of these alias names:
# filter, nat, input, output, forward, masquerade
#
# syntax:   in[-/+]   [i=interface]   [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#           out[-/+]  [o=interface]   [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#           fw[>/-/+] [i/o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#           masq[-/+] [i/o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#           nat[-/+]  additionally allows [S=from source] [D=to destination] [P=to port:[range]]
# additional:
#           All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
#           causes the creation of a stateless rule.
# flags:    limit([count/time[,burst]])
#           reject([reject type])
#           log([name])
#           account(name)
# examples: masq+  o=extern s=intranet
#           nat+   s=intranet p=http D=relayintern P=squid
#           in+    s=trusted p=ssh,ping,traceroute,http
#           out-   s=intranet p=smb f=reject
#           fw-    d=microsoft f=reject,log(ms-alert)
#           slin+  s=testnet
#           slout- d=testnet
#           fw>    o=extern
#           fw+    p=myhttp f=account(HTTP)
# Pay attention to the protocol for your accounting rules. If you
# want to count user http traffic, you may need a "myhttp tcp(80/)".

filter {
    in+  i=loop s=localhost
    out+ o=loop d=localhost

    # allow incoming pings for IPv4
    in+ s=all(4) p=ping

    # these IPv6-ICMP types are a MUST for IPv6
    in+ s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation

    in+ p=traceroute

    in+ s=trusted4(4)
    in+ s=trusted6(6)

    out+ d=all

    in-  f=log(input),reject
    out- f=log(output),reject
    fw-  f=log(forward),reject
}

==> uif-1.99.0/docs/uif.conf.IPv4.tmpl <==
## Debian GNU Linux Firewall Package
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

## Sysconfig definitions
# These entries define the global behaviour of the firewall package. Normally
# they are preset in /etc/default/uif and may be overwritten by this
# section.
#
# syntax: LogLevel : set the kernel loglevel for iptables rules
#         LogPrefix: prepend this string to all iptables logs
#         LogLimit:  set packet log limit per time interval (times/interval)
#         LogBurst:  set packet log burst
#         Limit:     set packet limit per time interval (times/interval)
#         Burst:     set packet burst
# example:
# sysconfig {
#     LogLevel      debug
#     LogPrefix     FW
#     LogLimit      20/minute
#     LogBurst      5
#     Limit         20/minute
#     Burst         5
#     AccountPrefix ACC_
# }

## Include predefined services
# The include section takes a bunch of files and includes them into this
# configuration file.
#
# syntax: "filename"

#include {
#    "/etc/uif/services"
#}

## Services needed for workstation setup
# The service section provides the protocol definitions you're
# using in the rules. You're forced to declare everything you
# need for your setup.
#
# syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
#                      [protocol_name([source:range][/][dest:range])] [service_name] ...
# examples: http tcp(/80)
#           dns tcp(/53) udp(/53)
#           group http dns tcp(/443)
#           ipsec esp(/) udp(/500)

service {
    traceroute  udp(32769:65535/33434:33523) icmp(11)
    ping        icmp(8)
}

## Network definitions needed for simple workstation setup
# In the network section you're asked to provide information on all
# hosts and/or networks running in your setup.
#
# syntax: net_name [ip-address[:mac-address]] [network] [net_name]
# examples: webserver 192.168.1.5
#           intranet 10.1.0.0/16
#           dmz 10.5.0.0/255.255.0.0
#           some intranet dmz 10.2.1.1
#           router 10.1.0.1=0A:32:F2:C7:1A:31

network {
    localhost   127.0.0.1
    all         0.0.0.0/0
    trusted     192.168.1.0/24
}

## Interface definitions
# Since all definitions used in the filter section are symbolic,
# you have to specify symbolic names for all your interfaces you're
# going to use.
#
# syntax: interface_name [unix network interface] [interface_name]
# examples: internal eth0
#           external ippp0 ipsec0
#           allppp ppp+
#           group external allppp eth3

interface {
    loop    lo
}

## Filter definitions
# The filter section defines the rules for in, out, forward, masquerading
# and nat. All rules make use of the symbolic names defined above. This
# section can be used multiple times in one config file. This makes more
# sense when using one of these alias names:
# filter, nat, input, output, forward, masquerade
#
# syntax: in[-/+]   [i=interface]   [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         out[-/+]  [o=interface]   [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         fw[>/-/+] [i/o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         masq[-/+] [i/o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#         nat[-/+]  additionally allows [S=from source] [D=to destination] [P=to port:[range]]
# additional:
# All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
# causes the creation of a stateless rule.
# flags: limit([count/time[,burst]])
#        reject([reject type])
#        log([name])
#        account(name)
# examples:
#   masq+ o=extern s=intranet
#   nat+ s=intranet p=http D=relayintern P=squid
#   in+ s=trusted p=ssh,ping,traceroute,http
#   out- s=intranet p=smb f=reject
#   fw- d=microsoft f=reject,log(ms-alert)
#   slin+ s=testnet
#   slout- d=testnet
#   fw> o=extern
#   fw+ p=myhttp f=account(HTTP)
# Pay attention to the protocol of your accounting rules. If you
# want to count user http traffic, you may need a "myhttp tcp(80/)".
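The service, network, interface and filter syntax explained in the comments of this template can be exercised with a small reference parser. The following Python script is an added example for this page, not uif's own Perl implementation (uif.pl) and not part of the uif distribution: it parses the `service`, `network`, `interface` and `filter` sections of a constructed sample configuration, resolves nested group names, honours the `(4)`/`(6)` address-family suffix and the `sl` stateless prefix, keeps flags such as `limit(20/minute,5)` intact, and expands every symbolic rule into the concrete source/destination/protocol combinations a backend would have to emit. All names in `SAMPLE_CONF` are made up for the example; the nat-only options (`S=`, `D=`, `P=`) are collected but not expanded.

```python
"""Expand symbolic uif.conf rules into concrete ones (added example, not uif's own Perl)."""
import ipaddress
import re
from itertools import product

SECTION_RE = re.compile(r"(\w+)\s*\{([^}]*)\}")
PROTO_RE = re.compile(r"^([\w-]+)\(([^)]*)\)$")
RULE_RE = re.compile(r"^(sl)?(in|out|fw|masq|nat)([-+>])$")
FLAG_RE = re.compile(r"[^,()]+(?:\([^)]*\))?")      # keeps limit(20/minute,5) whole
FILTER_ALIASES = {"filter", "nat", "input", "output", "forward", "masquerade"}
# Constructed sample in uif.conf syntax; the names are made up for this example.
SAMPLE_CONF = """\
service {
    ping    icmp(8)
    http    tcp(/80)
    dns     tcp(/53) udp(/53)
    web     http dns tcp(/443)             # a group of other services
}
network {
    localhost 127.0.0.1
    all       0.0.0.0/0 ::/0
    trusted   192.168.1.0/24 fd00:1:2:3::/64
    router    10.1.0.1=0A:32:F2:C7:1A:31   # address pinned to a MAC
    inside    trusted router
}
interface {
    loop lo
}
filter {
    in+   i=loop s=localhost
    in+   s=all(4) p=ping                  # (4)/(6) selects the address family
    in+   s=inside p=web
    slin+ s=trusted(6) p=dns               # 'sl' prefix: stateless rule
    in-   f=log(input),reject
}
"""

def parse_sections(text):
    """Return {'service': {name: tokens}, ..., 'filter': [rule tokens, ...]}."""
    out = {"filter": []}
    for section, body in SECTION_RE.findall(text):
        for line in body.splitlines():
            tokens = line.split("#", 1)[0].split()   # drop comments and blanks
            if not tokens:
                continue
            if section in FILTER_ALIASES:
                out["filter"].append(tokens)          # rules keep their order
            else:
                out.setdefault(section, {})[tokens[0]] = tokens[1:]
    return out

def resolve(defs, name, leaf):
    """Expand a symbolic name through nested groups down to concrete tokens."""
    if name not in defs:
        raise KeyError(f"undefined symbolic name: {name}")
    out = []
    for tok in defs[name]:
        out.extend(resolve(defs, tok, leaf) if tok in defs else [leaf(tok)])
    return out

def parse_proto(tok):
    """'tcp(/80)' -> ('tcp', None, '80'); for icmp the single value is the type."""
    if not (m := PROTO_RE.match(tok)):
        raise ValueError(f"undefined service or bad protocol token: {tok}")
    src, _, dst = m.group(2).partition("/")
    return (m.group(1), src or None, dst or None)

def parse_host(tok):  # '10.1.0.1=0A:..' -> ('10.1.0.1/32', '0A:..'); ValueError if not an address
    addr, _, mac = tok.partition("=")
    return (str(ipaddress.ip_network(addr, strict=False)), mac or None)

def expand_rule(tokens, sections):
    """Turn one symbolic rule line into the list of concrete rules it stands for."""
    if not (m := RULE_RE.match(tokens[0])):
        raise ValueError(f"bad rule keyword: {tokens[0]}")
    stateless, chain, action = m.groups()
    opts = dict(tok.split("=", 1) for tok in tokens[1:])
    def hosts(spec):                       # 'name' or 'name(4)' / 'name(6)'
        base, _, fam = spec.partition("(")
        found = resolve(sections["network"], base, parse_host)
        if fam:                            # keep only the requested address family
            found = [h for h in found
                     if ipaddress.ip_network(h[0]).version == int(fam.rstrip(")"))]
        return found
    def pick(key, fn):                     # an absent option means "any"
        return fn(opts[key]) if key in opts else [None]
    srcs, dsts = pick("s", hosts), pick("d", hosts)
    prots = pick("p", lambda spec: [p for n in spec.split(",")
                                    for p in resolve(sections["service"], n, parse_proto)])
    in_ifs, out_ifs = (pick(k, lambda n: resolve(sections["interface"], n, str)) for k in "io")
    flags = FLAG_RE.findall(opts.get("f", ""))
    return [{"chain": chain, "action": action, "stateless": bool(stateless),
             "in_if": i, "out_if": o, "src": s, "dst": d, "proto": p, "flags": flags}
            for s, d, p, i, o in product(srcs, dsts, prots, in_ifs, out_ifs)]

def compile_config(text):                  # parse, then expand every filter rule in order
    sections = parse_sections(text)
    return [r for row in sections["filter"] for r in expand_rule(row, sections)]
```

`compile_config(SAMPLE_CONF)` yields 17 concrete rules: the `inside`/`web` line alone becomes 3 addresses times 4 protocol entries. An undefined service or network name raises at once (KeyError for a missing name, ValueError for a token that is neither a defined name nor a valid address or `proto(...)` token), which enforces the "declare everything you need" discipline the comments above ask for: a misspelled name fails the whole compile instead of silently matching nothing.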
filter {
    in+  i=loop s=localhost
    out+ o=loop d=localhost
    in+  p=ping,traceroute
    in+  s=trusted
    out+ d=all
    in-  f=log(input),reject
    out- f=log(output),reject
    fw-  f=log(forward),reject
}

uif-1.99.0/services

## UIF 1.0 sample services file
# Copyright (C) 2002-2015, Cajus Pollmeier
# Copyright (C) 2002-2015, Jörg Platte
# Copyright (C) 2013-2015, Alex Owen
# Copyright (C) 2013-2022, Mike Gabriel
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

service {
    # ICMP & Routing
    traceroute              udp(32769:65535/33434:33523)

    # ICMP protocol: IPv4 and IPv6 ICMP types
    ping                    icmp(echo-request) ipv6-icmp(echo-request)
    pong                    icmp(echo-reply) ipv6-icmp(echo-reply)
    noroute                 icmp(destination-unreachable) ipv6-icmp(destination-unreachable)
    router-advertisement    icmp(router-advertisement) ipv6-icmp(router-advertisement)
    router-solicitation     icmp(router-solicitation) ipv6-icmp(router-solicitation)

    # ICMP protocol: IPv4-only ICMP types
    host-unreachable        icmp(host-unreachable)
    ttl-exceeded            icmp(ttl-exceeded)
    source-quench           icmp(source-quench)

    # ICMP protocol: IPv6-only ICMP types
    packet-too-big          ipv6-icmp(packet-too-big)
    time-exceeded           ipv6-icmp(time-exceeded)
    parameter-problem       ipv6-icmp(parameter-problem)
    neighbor-advertisement  ipv6-icmp(neighbor-advertisement)
    neighbor-solicitation   ipv6-icmp(neighbor-solicitation)

    # Most common services you may want to filter
    ftp                     tcp(/21)
    ssh                     tcp(/22)
    telnet                  tcp(/23)
    smtp                    tcp(/25)
    whois                   tcp(/43)
    dns                     tcp(/53) udp(/53)
    bootp                   tcp(68/67) udp(68/67)
    http                    tcp(/80)
    kerberos5               tcp(/88)
    pop3                    tcp(/110)
    sunrpc                  udp(/111) tcp(/111)
    ident                   tcp(/113)
    ntp                     udp(/123)
    nntp                    tcp(/119)
    smb                     tcp(/137:139) udp(/137:139) tcp(/445) udp(/445)
    imap                    tcp(/143)
    xdmcp                   udp(/177)
    ldap                    tcp(/389)
    https                   tcp(/443)
    ssmtp                   tcp(/465)
    syslog                  udp(/514)
    route                   udp(/520) icmp(9)
    uucp                    tcp(/540)
    real                    tcp(/554)
    ipp                     tcp(/631) udp(/631)
    mount                   udp(/635)
    ldaps                   tcp(/636)
    kerberos4               tcp(/750)
    kerberos-master         tcp(/751)
    passwd-server           tcp(/752)
    krb-prop                tcp(/754)
    krbupdate               tcp(/760)
    swat                    tcp(/901)
    imaps                   tcp(/993)
    pop3s                   tcp(/995)
    openvpn                 udp(/1194) tcp(/1194)
    nfs                     udp(/2049) tcp(/2049)
    cvspserver              tcp(/2401)
    squid                   tcp(/3128)
    mysql                   tcp(/3306)
    rdp                     tcp(/3389)
    munin                   tcp(/4949)
    cfengine                tcp(/5308)
    xmpp-client             tcp(/5222) udp(/5222)
    xmpp-server             tcp(/5223) udp(/5223)
    icinga2                 tcp(/5665)
    vnc-support             tcp(/5500:5509)
    x11                     tcp(/6000:6063)
    proxy                   tcp(/8080)
    puppet                  tcp(/8140)
    webmin                  tcp(/10000)
    dhis                    udp(/58800)

    # ipsec
    ipsec                   esp(/) udp(/500)

    # some proprietary protocols
    arkeia                  tcp(/617)
    pcanywhere              udp(/5632) tcp(/5631)
    msterminal              tcp(/3389) udp(/3389)

    # some protocols
    igmp                    igmp()
    pim                     pim()
    tcp                     tcp(0:65535/0:65535)
    udp                     udp(0:65535/0:65535)

    # some useful definitions
    lowports                udp(/1:1023) tcp(/1:1023)
    highports               udp(/1024:65535) tcp(/1024:65535)
}

uif-1.99.0/uif-ipv4-networks.inc

## IPv4 network name definitions for UIF
# In the network section you're asked to provide information on all
# IPv4 hosts and/or networks running in your setup.
#
# syntax: net_name [ip-address[=mac-address]] [network] [net_name]
# examples: webserver 192.168.1.5
#           intranet 10.1.0.0/16
#           dmz 10.5.0.0/255.255.0.0
#           some intranet dmz 10.2.1.1
#           router 10.1.0.1=0A:32:F2:C7:1A:31

network {
    localhost   127.0.0.1
    all         0.0.0.0/0
#   trusted     192.168.1.0/24
}

uif-1.99.0/uif-ipv6-networks.inc

## IPv6 network name definitions for UIF
# In the network section you're asked to provide information on all
# IPv6 hosts and/or networks running in your setup.
#
# syntax: net_name [ip-address[=mac-address]] [network] [net_name]
# examples: webserver 2001:610:1908:b000::148:14
#           intranet fd00:0:0:1::/64
#           dmz fd00:0:0:5::/64
#           some intranet dmz fd00:0:2:1::1
#           router fd00:0:0:1::1=0A:32:F2:C7:1A:31

network {
    localhost   ::1
    all         ::/0
#   trusted     fd00:1:2:3::/64
}

uif-1.99.0/uif.8

.TH uif 8 "Apr 19th, 2022" "Version 1.99.0" "Universal Internet Firewall"
.SH NAME
uif \- Universal Internet Firewall
.SH SYNOPSIS
'nh
.fi
.ad l
\fBuif\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
[-c \fI\fR] [-n] [-p [-l]] [\fI-6\fR]
'in \n(.iu-\nxu
\fBuif\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
-d [\fI-6\fR]
'in \n(.iu-\nxu
\fBuif\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
[]
'in \n(.iu-\nxu
.ad b
'hy
.SH DESCRIPTION
.PP
This manual page documents the \fBuif\fR command. It is used to generate optimized
.BR nft (8)
or
.BR iptables (8)
packetfilter rules, using a simple description file specified by the user.
Generated rules are provided in
.BR nft (8)
(with option \fI-f \fR) or
.BR iptables\-save (8)
style.
\fBuif\fR can be used to read or write rulesets from or to LDAP servers in your network,
which provides a global storing mechanism (LDAP support hasn't been tested for a long time).
Note that you need to include the \fIuif.schema\fR in your slapd configuration in order to use it.
.PP
.BR uif.conf (5)
provides an easy way to specify rules, without exact knowledge of the nft / iptables syntax.
It provides groups and aliases to make your packetfilter human readable.
.PP
Keep in mind that \fBuif\fR is intended to assist you when designing firewalls,
but will not tell you what to filter.
.SH OPTIONS
The options are as follows:
.TP
\fI\-6\fR
Turn on IPv6 mode so as to manipulate IPv6 rules. The default configuration file is changed
to /etc/uif/uif6.conf, see \-c below. It should be noted that nat rules are silently ignored
if \-6 is used.
.TP
\fI\-b \fR
Specify the base DN to act on when using LDAP based firewall configuration.
\fBuif\fR will look in the subtree ou=filter,ou=sysconfig, for your rulesets.
.TP
\fI\-c \fR
This option specifies the configuration file to be read by \fBuif\fR\. See
.BR uif.conf (5)
for detailed information on the file format. It defaults to /etc/uif/uif.conf.
.TP
\fI\-C \fR
When reading configuration data from other sources than specified with \-c you may want to
convert this information into a textual configuration file. This option writes the parsed
config back to the file specified by .
.TP
\fI\-d\fR
Clears all firewall rules immediately.
.TP
\fI\-D \fR
If a special account is needed to bind to the LDAP database, the account's DN can be
specified at this point. Note: you should use this when writing an existing configuration
to the LDAP. Reading the configuration may be done with an anonymous bind.
.TP
\fI\-p\fR
Prints rules specified in the configuration to stdout. This option is mainly used for
debugging the rule simplifier.
.TP
\fI\-l\fR
If printing rules (see \-p), prepend line numbers to the print-out.
.TP
\fI\-r \fR
Specifies the name of the ruleset to load from the LDAP database. Remember to use the \-b
option to set the base.
Rulesets are stored using the following dn:
\fIcn=, ou=rulesets, ou=filter, ou=sysconfig, basedn\fR, where will be replaced by the
ruleset specified.
.TP
\fI\-R \fR
Specifies the name of the ruleset to write to the LDAP database. This option can be used to
convert e.g. a textual configuration to an LDAP based ruleset. As with \-r, you have to
specify the LDAP base to use. Target is \fIcn=, ou=rulesets, ou=filter, ou=sysconfig, \fR,
where will be replaced by the ruleset specified.
.TP
\fI\-s \fR
This option specifies the LDAP server to be used.
.TP
\fI\-t\fR
This option is used to validate the packetfilter configuration without applying any rules.
Mainly used for debugging.
.TP
\fI\-T