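##########################################
# Nuauth Configuration file
##########################################
# Read by the nuauth daemon. Lines starting with "#" are comments;
# settings are "key=value" with string values in double quotes.
# This file holds credentials (LDAP bind and database passwords):
# keep it readable only by the account nuauth runs as.

# Nuauth
#############################################

# address nuauth listens on for clients
# Example : "0.0.0.0:4129 127.0.0.1:8080 192.168.1.2"
# will listen on:
#  * 0.0.0.0 port 4129
#  * 127.0.0.1 port 8080
#  * 192.168.1.2 port 4129 (port set from default defined by
#    nuauth_user_packet_port)
nuauth_client_listen_addr="0.0.0.0"

# address nuauth listens on for nufw packets
# It uses the same syntax as nuauth_client_listen_addr.
nuauth_nufw_listen_addr="127.0.0.1"

# Default port for nufw gw request
#nuauth_gw_packet_port=4128

# Default port for user authentication packet
#nuauth_user_packet_port=4129

# NuFW
############################################

# address of the nufw gw
# in UDP clear mode this is the address nuauth
# responds to authentication requests
# In TLS mode transform this variable into a list
# containing all the ips used to connect to the
# nuauth server :
# nufw_gw_addr="192.168.75.1 192.168.75.254"
# nufw_gw_addr="127.0.0.1"

############
# Is nufw able to use libnetfilter_conntrack
# and able to kill a session
nufw_has_conntrack=1

############
# Is nufw able to use libnetfilter_conntrack
# and has the fixed timeout patch
nufw_has_fixed_timeout=1

##############################################################
# Module configuration :
# syntax is the following
# list of modules separated by space
# syntax of a module :
#   name[:type[:config file]]
# if syntax is :
#   name : load module "name" with config file included in nuauth.conf
#   name:type : load module "type" with config file CONFIG_DIR/modules/name.conf
#   name:type:conf : load module "type" with config file "conf"
##############################################################

## Authentication module for user :
# It is used if nuauth_uses_fake_sasl is set to 1
# to be chosen in :
#  - plaintext : user credentials are stored in a text file
#  - system : authentication is done against PAM and groups are system groups.
#    This provides a convenient way to use nss features and/or pam-modules
#nuauth_user_check_module="system"

# Set the following variables if you want to differentiate user id and
# group fetching from authentication:
nuauth_get_user_id_module="plaintext"
nuauth_get_user_groups_module="plaintext"

## Acl checking module :
# to be chosen in :
#  - ldap
#  - plaintext
nuauth_acl_check_module="ldap"

# Cache acl for more performance ?
nuauth_acl_cache=1

## Period handling module:
# to be chosen in:
#  - xml_defs
# nuauth_periods_module="xml_defs"

##############################################
# Choose user logging method
##############################################
# You can log to MySQL, PostgreSQL, syslog or Prelude
# Therefore, acceptable values for this parameter are:
#  "mysql", "pgsql", "syslog", "nuprelude"
nuauth_user_logs_module="syslog"

# define with nuauth_user_session_logs_module which method you
# want to use for user connection and disconnection
# Available modules are :
#  syslog: log message with syslog
#  script: run a custom script at user connection (CONFDIR/user-up.sh) and disconnection (CONFDIR/user-down.sh)
#  mysql: log users connection and disconnection in a sql table
#  nuprelude: log to Prelude IDS
# example : nuauth_user_session_logs_module="syslog mysql"
nuauth_user_session_logs_module="syslog"

# Module to log authentication errors
# Available modules: nuprelude, syslog
nuauth_auth_error_log_module="syslog"

############################################
# Other nuauth modules
############################################

# Module to modify a user session just after its creation
nuauth_user_session_modify_module="session_expire"

# Module to finalize a packet before sending it back to nufw
# Available modules: mark_group, mark_uid, mark_field, mark_flag
nuauth_finalize_packet_module="mark_uid"

############################################
# X509 certificate handling
############################################

# nuauth_module_certificate_check :
#  check certificate and issue verdict on validity
# It is recommended to keep x509_std as first module as it
# performs the usually wanted checks.
# Default : nuauth_module_certificate_check="x509_std"
nuauth_certificate_check_module="x509_std"

# nuauth_module_certificate_to_uid :
#  get username from his certificate
# Default : nuauth_module_certificate_to_uid="x509_std"
nuauth_certificate_to_uid_module="x509_std"

##############################################
# Behavioural items
##############################################

# Use command server?
# nuauth_use_command_server=0

# Debug level (0<=debug_level<=9)
nuauth_debug_level=0

# Debug area, bitmask built by adding values :
#  DEBUG_AREA_MAIN   =  1  Main domain
#  DEBUG_AREA_PACKET =  2  Packet domain
#  DEBUG_AREA_USER   =  4  User domain
#  DEBUG_AREA_GW     =  8  Gateway domain
#  DEBUG_AREA_AUTH   = 16  Auth. domain
#  DEBUG_AREA_PERF   = 32  Performance display
# default : DEFAULT_DEBUG_AREA = 31
# nuauth_debug_areas=31

# What to do when several acls are found for a match :
#  - 0: Drop packet if there is a DROP acl matching
#  - 1: Accept packet if an ACCEPT acl matches
#  - 2: First decision match
# Default nuauth_prio_to_nok=2
nuauth_prio_to_nok=2

# client can work with two modes :
#  POLL : client checks at each time interval if it needs to send a packet (traffic economy for WAN)
#  PUSH : nuauth warns clients that they may need to send an authentication packet (better response time on LAN)
nuauth_push_to_client=1

# Set to 1 to use user_check module
# Set to 0 to use sasl authentication
#
# Note: It is a good idea to set nuauth_log_users_without_realm
# to 1 if you set nuauth_uses_fake_sasl to 0.
# nuauth_uses_fake_sasl=1

# Number of connections a user can run
# 0 = unlimited (default)
nuauth_single_user_client_limit=0

# Number of connections per IP a user can run
# 0 = unlimited (default)
nuauth_single_ip_client_limit=0

# Reject (instead of drop) when packet timeout is reached
#  0: use drop (default)
#  1: reject (send icmp unreachable message)
nuauth_reject_after_timeout=0

# Reject (instead of drop) when user is not in any group of an ACCEPT acl
#  0: use drop (default)
#  1: reject (send icmp unreachable message)
nuauth_reject_authenticated_drop=0

# Do we use a fallback hello authentication mode for non NuFW supported
# protocols ?
# This brings authentication for all protocols based on IP
# by doing a posteriori IP based authentication.
# WARNING : Authentication is FAR less strict than nufw original protocol :
#  * It authenticates NATed computers (and every computer behind the same firewall)
#  * It is strictly MONO user
#  * But, it can authenticate all types of IP flows
nuauth_hello_authentication=0

# Do we use fallback mode when no client is found ?
# nuauth_push_to_client has to be set to 1 if you choose to enable it
nuauth_do_ip_authentication=0

## ip authentication module
# to be chosen in :
#  ipauth_guest auth_mysql
# nuauth_ip_authentication_module="ipauth_guest"

# This sets the timeout for protocol announce from client.
# If some of your clients (post 2.0 version) receive a "bad protocol message", you may
# want to increase this value. This is a workaround against very laggy networks.
# Default: 2
#nuauth_proto_wait_delay=4

# time in seconds to keep packet in the nuauth conntrack
nuauth_packet_timeout=15

# set a user session duration after which it is necessary
# to reauthenticate:
# User is disconnected from the system after the duration. Disconnect
# occurs when a packet arrives.
#
# Please note that asking the password has to be done if needed on client
# side.
#
# Default is 0 which means unlimited session
# example :
# nuauth_session_duration=3600

# acl data persistence in cache (in seconds)
nuauth_datas_persistance=30

# timeout for authentication negotiation (in seconds)
# You can set it to a low value if your system has no load problem and
# if the used client asks password before connecting
nuauth_auth_nego_timeout=30

# number of threads to work on user requests
nuauth_number_usercheckers=3
# number of threads to work on acl checking requests
nuauth_number_aclcheckers=2
# number of threads to work on packet logging
nuauth_number_loggers=2
# number of threads to work on session logging
nuauth_number_session_loggers=1
# number of threads to work on user authentication
nuauth_number_authcheckers=5
# number of ip authentication workers
nuauth_number_ipauthcheckers=2

# maximum number of simultaneously connected
# nufw authentication clients
# default : 256
# nuauth_tls_max_clients=256

# maximum number of simultaneously connected
# nufw servers
# default : 16
# nuauth_tls_max_servers=8

################################################
# TLS parameters
################################################
# WARNING: nuauth needs to be restarted if a value is changed
# in this section

# complete name of server private key
# default to CONFIGDIR/nuauth.pem
# Warning: nuauth needs to be restarted if value is changed
nuauth_tls_key="/etc/nufw/certs/nuauth-key.pem"

# password for private key (if needed)
# NOTE : currently unsupported
# Warning: nuauth needs to be restarted if value is changed
# nuauth_tls_key_passwd="passwd"

# complete path to server certificate
# Warning: nuauth needs to be restarted if value is changed
nuauth_tls_cert="/etc/nufw/certs/nuauth-cert.pem"

# complete path to certificate authority
# Warning: nuauth needs to be restarted if value is changed
#nuauth_tls_cacert="/etc/nufw/NuFW-cacert.pem"

# complete filename of server certificate
# revocation list
# default none
# Warning: nuauth needs to be restarted if value is changed
#nuauth_tls_crl="/etc/nufw/crl.pem"

# do we require valid certificates from client
# and nufw server ? (verified against certificate
# authority)
# default : 0 (no)
# Warning: nuauth needs to be restarted if value is changed
#  GNUTLS_CERT_IGNORE  0
#  GNUTLS_CERT_REQUEST 1
#  GNUTLS_CERT_REQUIRE 2
# NOTE: with 0 peer certificates are not checked against
# nuauth_tls_cacert, so clients and nufw servers are not
# authenticated by certificate. Use 2 together with
# nuauth_tls_cacert (and nuauth_tls_crl) for mutual authentication.
nuauth_tls_request_cert=0

# do we authorize authentication by certificate
# default to 0 (no), 1 yes, 2 mandatory
# Warning: nuauth needs to be restarted if value is changed
#nuauth_tls_auth_by_cert=0

############################################
# Users tracking
############################################

# decide if we're logging user activity
# log level is the sum of values :
#  0 : no log at all
#  1 : log new user (in syslog)
#  2 : log rejected packets
#  4 : log accepted packets
#  8 : do session tracking (log all packets)
# complete session tracking needs special iptables
# rules, described in documentation
# nuauth_log_users=9

# Controls whether the users logging is absolutely safe : access is logged before
# being granted. This is probably necessary if a SQL backend is used for SSO.
nuauth_log_users_sync=1

# update log entries to avoid accidental double connection
# DO NOT DISABLE IT BY CHANGING IT TO 0 if you want strict security
# WHEN USING SSO MODULES
nuauth_log_users_strict=1

# remove realm from username before logging
# this is the recommended setting as it is easier
# to interact with other authorisation modules when SSO
# features are used.
nuauth_log_users_without_realm=1

####################################################
# plaintext parameters
####################################################
plaintext_userfile="/etc/nufw/users.nufw"
plaintext_aclfile="/etc/nufw/acls.nufw"

###################################################
# system parameters
###################################################

# add a lock to be able to deal with non thread
# safe pam modules. For more safety this is set to 1 by default
# NEEDED for winbind.
system_pam_module_not_threadsafe=1

# Some glibc (read 2.3.2) have a buggy implementation
# of getgrouplist which causes a crash. If this is the case
# set the following option to the maximum number of groups
# for a single user.
#system_glibc_cant_guess_maxgroups=0

# Suppress domain added as prefix during login phase
#system_suppress_prefixed_domain=0

###########################################
# Ldap external auth
###########################################

# Connection parameters
###########################################

# address of the ldap server
ldap_server_addr="127.0.0.1"
# port of the ldap server
ldap_server_port=389
# dn and password to bind ldap connection to
# The password below is a sample placeholder: replace it before
# deployment and keep this file readable only by nuauth.
ldap_bind_dn="uid=nuauth,ou=Users,dc=inl,dc=fr"
ldap_bind_password="admin"

# ldap request type
# set to 1 : request on DstPort is done with equality
# set to 0 : request on DstPort is done with range
# equality is faster than range
# range can be simpler to administrate
ldap_filter_type=0

# set to 1 if your ldap backend stores IPV6 addresses
#
# ldap_use_ipv4_schema=0

# Timeout of ldap request
ldap_request_timeout=4

# Search parameters
###########################################

# base dn for search request
# default for ldap_acls_base_dn,ldap_users_base_dn
# if they are not set
ldap_basedn="dc=btsig,dc=fr"
# base dn for acl search request
ldap_acls_base_dn="ou=Acls,dc=btsig,dc=fr"

###############################################
# Database User Logging config
###############################################

# MySQL server address
mysql_server_addr="localhost"
# MySQL server port
mysql_server_port=3306
# MySQL user to login as
mysql_user="myuser"
# MySQL password, associated with username
# Sample placeholder: replace before deployment.
mysql_passwd="secret"
# Name of MySQL database to connect to
mysql_db_name="nufw"
# Name of table to connect to for packets logging. Must belong to the chosen database.
# Specified user must have rights on this table
mysql_table_name="ulog"
# Name of table to connect to for user session logging. Must belong to the chosen database.
# Specified user must have rights on this table
mysql_users_table_name="users"

# Uncomment and set to 0 if your MySQL database
# uses the IPV6 schema provided with NuFW 2.2
#mysql_use_ipv4_schema=0

# mysql_admin_bofh:
#  Close all user connections when user session
#  finishes. Set to 1 to activate.
#  Warning: you need to set login policy to one login per user
#  and you can only have one nufw server
# mysql_admin_bofh=1

# mysql_bofh_victim_group:
#  Uses mysql_admin_bofh feature only if user belongs
#  to the given gid.
# mysql_bofh_victim_group=512

# Time in seconds after which we consider the connection to the database
# to be lost if we have no answer
mysql_request_timeout=5

# MySQL SSL options
# Set mysql_use_ssl=1 to use SSL, else other ssl options will be ignored
# NOTE: with 0 the credentials above and the logged data travel unencrypted
# to the database when mysql_server_addr is not local.
mysql_use_ssl=0
# Set mysql_ssl_keyfile to the full path of the file containing your PRIVATE key.
# This must be set if you want to use ssl, as default value is NULL
#mysql_ssl_keyfile="/etc/nufw/ssl/mysql.key"
# Set mysql_ssl_certfile to the full path of the file containing your PUBLIC certificate
# This must be set if you want to use ssl, as default value is NULL
#mysql_ssl_certfile="/etc/nufw/ssl/mysql.cert"
# Set mysql_ssl_ca to the full path of the file containing your CA (Certificate Authority) file
# UNSET THIS FIELD IF YOU DON'T WANT TO USE a CA
#mysql_ssl_ca="/etc/nufw/ssl/mysql.ca"
# Set mysql_ssl_capath to the full path of a DIRECTORY containing your CA
# (Certificate Authority) files, in PEM format
# UNSET THIS FIELD IF YOU DON'T WANT TO USE CAs
#mysql_ssl_capath="/etc/nufw/ssl/mysql.cas/"
# Set mysql_ssl_cipher to the list of ciphers you wish to use for MySQL
# connections. A complete cipher list on your system should be available if you
# issue "openssl ciphers"
# The default value here is "ALL:!ADH:+RC4:@STRENGTH", which is OpenSSL default,
# and means "Use any but give RC4 the lowest priority"
# For more info see : http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp
#mysql_ssl_cipher="ALL:!ADH:+RC4:@STRENGTH"

# PostgreSQL server address
pgsql_server_addr="127.0.0.1"
# PostgreSQL server port
pgsql_server_port=5432
# PostgreSQL user to login as
pgsql_user="myuser"
# PostgreSQL password, associated with username
# Sample placeholder: replace before deployment.
pgsql_passwd="secret"
# Whether to use SSL or not (THIS PARAMETER IS IGNORED FOR NOW)
pgsql_ssl="prefer"
# Name of PostgreSQL database to connect to
pgsql_db_name="nufw"
# Name of table to connect to. Must belong to the chosen database.
# Specified user must have rights on this table
pgsql_table_name="ulog"
# Name of table for user sessions.
pgsql_users_table_name="users"
# Time in seconds after which we consider the connection to the database
# to be lost if we have no answer
pgsql_request_timeout=5

###########################
#
# X509 modules
###########################

# For x509_std : nuauth_tls_trusted_issuer_dn
# This option is used to match the issuer of a certificate against this string.
# If there is a match, then we trust the given certificate.
# nuauth_tls_trusted_issuer_dn=DN

#######################
# Mark group module
#######################

# File of group list with mark
#mark_group_group_file = /etc/nufw/mark_group.conf
# Position of the mark (in bits) in the packet mark
mark_group_shift = 0
# Number of bits to store the mark
mark_group_nbits = 32
# Default mark if no group matches
mark_group_default_mark = 0

############################
# Mark field module
############################

# File with mark pattern association
# mark_field_file = /etc/nufw/mark_field.conf
# Position of the mark (in bits) in the packet mark
# mark_field_shift = 0
# Mark type
#  match on appname: 0
#  match on osname: 1
# mark_field_type = 0
# Number of bits to store the mark
# mark_field_nbits = 32
# Default mark if no pattern matches
# mark_field_default_mark = 0

###############################
# xml_defs module
###############################

# Place where periods have to be read
#xml_defs_periodfile=/etc/nufw/periods.xml
#

###########################################
# auth_mysql module
###########################################

# for ip authentication
# name of the table containing user sessions
# mysql_ipauth_table_name="ipauth_sessions"
# Is the mysql function check_net active in the MySQL database
# mysql_ipauth_check_netmask=1
#
#
# for userid and groupid check
# mysql_userinfo_table_name="userinfo"
# mysql_groups_table_name="groups"
# mysql_groupinfo_table_name="groupinfo"
#
# fallback to guest's username, userID and groupID
# instead of dropping the request.
# mysql_auth_fallback_to_guest=1
# mysql_auth_guest_username="guest"
# mysql_auth_guest_userid=0
# mysql_auth_guest_groupid=99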