Next Previous Contents

1. Concepts

1.1 The firewall module

The userfirewall module works as a companion to the firewall module. Firewall rules are created using information such as the source ip, destination ip, source interface and destination interface and various other information (protocol, ports, etc...). The IP numbers and interface may be specified using logical names. A logical has the form module_id/value. The id of the userfirewall module is "userfw". The value is some string interpreted by the module owning the module_id. The userfirewall module defines to possible value types: user and @group. More on this later.

1.2 Per user firewall

The goal is to associate some firewall rules to some users. Those users may use different workstations, potentially at different location. The firewall rules are associated with these users, not the workstation they are using (The IP of the workstation).

In the end, the firewall rules need IP numbers. So a given user must be associated with the IP of his workstation. This can be done using different strategies

Users and groups

The userfirewall uses the user and group concept in a very broad sense. It defines a user account file /etc/userfirewall/users.conf. This is totally unrelated to the Linux account database /etc/passwd.

A user may be a member of several groups. A group is just a name. There is no database defining the various firewall groups.

The /var/run/userfirewall.state file

The /var/run/userfirewall.state file contain the list of firewall users currently assigned to an IP number. This is the main source of information used by userfirewall to satisfy the firewall module queries. The format of this file is trivial.

        user ip_or_net group1 group2 ...

The firelogin utility

The firelogin utility, part of the userfirewall package, allows user to identify themselves, with a password. Once identify, firelogin pick the source IP. The corresponding firewall rule may be enabled. Once the user end the firelogin session, the firewall rule is disabled.

The firelisten utility

This utility listen on a TCP port and handle connection from firesendid clients. It updates the userfirewall.state file.

The firesendid utility

This utility is generally installed on other servers. It is used to control the content of the /var/run/userfirewall.state file. This is not an interactive utility.

It connects to the firelisten service on the firewall, exchanges some authentication and then send various request to add or remove entries from the userfirewall.state file.

This utility is generally run on servers providing user authentication such as Samba servers.

Next Previous Contents