Provided by: uif_1.1.9-5_all

NAME

       uif — Tool for generating optimized packetfilter rules

SYNOPSIS

       uif  [-6]  [-dptW]  [-b  base]  [-c  config_file] [-C config_file] [-D bind_dn] [-r ruleset] [-R ruleset]
           [-s server] [-T time] [-w password]

DESCRIPTION

       This manual page documents the uif command. It is used to generate optimized iptables(8) packetfilter
       rules from a simple description file written by the user. Generated rules are emitted in
       iptables-save(8) style. uif can also read rulesets from, or write them to, LDAP servers in your
       network, which provides a central place to store them. (LDAP support is currently broken; note that
       you need to add uif.schema to your slapd configuration in order to use it.)

       uif.conf(5) provides an easy way to specify rules without exact knowledge of the iptables syntax. It
       provides groups and aliases to make your packetfilter human-readable.

       Keep in mind that uif is intended to assist you when designing firewalls, but will not tell you  what  to
       filter.

Options

       The options are as follows:

       -6      Turn on IPv6 mode so as to manipulate ip6tables rules. The default configuration file is changed
               to /etc/uif/uif6.conf (see -c below). Note that nat rules are silently ignored if -6 is used.

       -b base
               Specify  the  base  to act on when using LDAP based firewall configuration.  uif will look in the
               subtree ou=filter, ou=sysconfig, base for your rulesets.

       -c config_file
               This option specifies the configuration file to be read by uif. See uif.conf(5) for detailed
               information on the file format. It defaults to /etc/uif/uif.conf.

       -C config_file
               When reading configuration data from sources other than the file given with -c, you may want to
               convert this information into a textual configuration file. This option writes the parsed
               config back to the file specified by config_file.

       -d      Clears all firewall rules immediately.

       -D bind_dn
               If  a  special account is needed to bind to the LDAP database, the account dn can be specified at
               this point. Note: you should use this when writing an existing configuration to the LDAP. Reading
               the configuration may be done with an anonymous bind.

       -p      Prints rules specified in the configuration to stdout. This option is mainly used  for  debugging
               the rule simplifier.

       -r ruleset
               Specifies  the  name of the ruleset to load from the LDAP database. Remember to use the -b option
               to set the base. Rulesets are stored using the following  dn:  cn=name,  ou=rulesets,  ou=filter,
               ou=sysconfig, base, where name will be replaced by the ruleset specified.

       -R ruleset
               Specifies the name of the ruleset to write to the LDAP database. This option can be used to
               convert e.g. a textual configuration to an LDAP based ruleset. As with -r, you have to specify
               the LDAP base to use. The target is cn=name, ou=rulesets, ou=filter, ou=sysconfig, base, where
               name will be replaced by the ruleset specified.

       -s server
               This option specifies the LDAP server to be used.

       -t      This option is used to validate  the  packetfilter  configuration  without  applying  any  rules.
               Mainly used for debugging.

       -T time
               When changing your packetfiltering rules remotely, it is useful to have a test option. Use this
               one to apply your rules for a period of time (in seconds); after that, the original rules are
               restored.

       -w password
               When connecting to the LDAP server, you may need to authenticate with a password. If you really
               need to specify the password on the command line, use this option; otherwise use -W and enter
               it interactively.

       -W      Activate interactive password query for LDAP authentication.

       uif is meant to leave the packetfilter rules in a defined state, so if something went  wrong  during  the
       initialisation,  or  uif  is  aborted  by  the  user,  the rules that were active before starting will be
       restored.
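       The trial window described under -T and the restore-on-abort behaviour above amount to one guard:
       snapshot the live ruleset, load the new one, and put the snapshot back when the window expires, the
       load fails, or the process is interrupted. The following is an added stand-alone illustration of that
       guard built from iptables-save(8) and iptables-restore(8); it is not code from the uif package, and
       the assumed IPTABLES_SAVE/IPTABLES_RESTORE variables exist only so the logic can be exercised with
       stand-in commands on a host without iptables.

```shell
#!/bin/sh
# Added example, not part of uif: a minimal "apply for a while, then put the
# old rules back" guard in the spirit of uif -T. The two commands are
# overridable (assumption) so the logic can be run with stand-ins; the real
# ones read and write iptables-save(8) format.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

UIF_SNAPSHOT=""   # path of the saved ruleset while a trial window is open

# Put the snapshot back. Idempotent: a no-op once it has been restored,
# so it is safe to call from both the normal path and the signal trap.
restore_snapshot() {
    [ -n "$UIF_SNAPSHOT" ] || return 0
    "$IPTABLES_RESTORE" < "$UIF_SNAPSHOT"
    rc=$?
    rm -f "$UIF_SNAPSHOT"
    UIF_SNAPSHOT=""
    return $rc
}

# timed_apply RULES_FILE SECONDS
# Loads RULES_FILE, keeps it active for SECONDS, then restores the previous
# ruleset. Returns 0 when the old rules are back, 1 if the new rules failed
# to load (old rules restored), 2 on bad arguments or snapshot failure.
timed_apply() {
    rules="$1"; secs="$2"
    case "$secs" in ''|*[!0-9]*) return 2 ;; esac
    [ -r "$rules" ] || return 2
    UIF_SNAPSHOT=$(mktemp) || return 2
    "$IPTABLES_SAVE" > "$UIF_SNAPSHOT" || { rm -f "$UIF_SNAPSHOT"; UIF_SNAPSHOT=""; return 2; }
    # Ctrl-C or kill during the window must not leave the trial rules active.
    trap 'restore_snapshot' INT TERM
    if ! "$IPTABLES_RESTORE" < "$rules"; then
        restore_snapshot
        trap - INT TERM
        return 1
    fi
    sleep "$secs"
    restore_snapshot
    rc=$?
    trap - INT TERM
    return $rc
}
```

A lock-out caused by a wrong rule therefore lasts at most SECONDS, which is the property that makes remote changes survivable; validating the config first (uif -t) catches the cheaper class of mistakes before the window is even opened.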

       Normally you will not need to call this binary directly. Use the init script instead, since it  does  the
       most common steps for you.

FILES

       Configuration files are located in /etc/uif.

SEE ALSO

       uif.conf(5) iptables(8)

AUTHOR

       This   manual   page   was   written   by   Cajus   Pollmeier   <pollmeier@gonicus.de>  and  Jörg  Platte
       <joerg.platte@gmx.de>, for the Debian GNU/Linux system (but may be used by others).

Debian                                           Aug 20th, 2018                                           UIF(8)