Provided by: uif_1.99.0-5_all

NAME

       uif - Universal Internet Firewall

SYNOPSIS

       uif [-c <configfile>] [-n] [-p [-l]] [-6]
       uif -d [-6]
       uif [<ldap-options>]

DESCRIPTION

       This manual page documents the uif command. It generates optimized nft(8) or iptables(8)  packetfilter
       rules  from  a  simple  description  file  written  by the user. The generated rules are emitted either in
       nft(8) syntax, suitable for loading with nft -f <filename>, or in iptables-save(8) style.  uif  can  also
       read  rulesets  from,  and  write  them to, LDAP servers in your network, which provides a central store
       for them (LDAP support has not been tested for a long time). To use it, include uif.schema in your  slapd
       configuration.

       uif.conf(5)  provides an easy way to specify rules, without exact knowledge of the nft / iptables syntax.
       It provides groups and aliases to make your packetfilter human readable.

       Keep in mind that uif is intended to assist you when designing firewalls; it will not tell you what  to
       filter.

OPTIONS

       The options are as follows:

       -6     Turn on IPv6 mode so as to manipulate IPv6 rules. The default configuration file  changes  to
              /etc/uif/uif6.conf (see -c below). Note that nat rules are silently ignored when -6 is used, so a
              nat section in an IPv6 configuration is dropped without any warning.

       -b <basedn>
              Specify  the  base DN to act on when using LDAP based firewall configuration. uif will look in the
              subtree ou=filter,ou=sysconfig,<basedn> for your rulesets.

       -c <configfile>
              This option specifies the configuration file to be read by uif.  See uif.conf(5) for detailed  in‐
              formation on the fileformat. It defaults to /etc/uif/uif.conf.

       -C <configfile>
              When reading configuration data from a source other than the file given with -c  (for  example
              LDAP), you may want to convert that information into a textual configuration file. This option
              writes the parsed configuration back to the file specified by <configfile>.

       -d     Clears all firewall rules immediately.

       -D <bind_dn>
              If a special account is needed to bind to the LDAP database, the account's DN can be specified  at
              this  point. Note: you should use this when writing an existing configuration to the LDAP. Reading
              the configuration may be done with an anonymous bind.

       -p     Prints rules specified in the configuration to stdout. This option is mainly  used  for  debugging
              the rule simplifier.

       -l     If printing rules (see -p) prepend line numbers to the print-out.

       -r <ruleset>
              Specifies the name of the ruleset to load from the LDAP database. Remember to use the -b option
              to set the base. Rulesets are stored under the DN cn=<ruleset>,ou=rulesets,ou=filter,ou=sysconfig,
              <basedn>, where <ruleset> is replaced by the name specified.

       -R <ruleset>
              Specifies the name of the ruleset to write to the LDAP database. This option can be used  to  con‐
              vert,  e.g.,  a textual configuration into an LDAP based ruleset. As with -r, you have to specify
              the LDAP base to use. The target is cn=<ruleset>,ou=rulesets,ou=filter,ou=sysconfig,<basedn>,
              where <ruleset> is replaced by the name specified.

       -s <server>
              This option specifies the LDAP server to be used.

       -t     This  option is used to validate the packetfilter configuration without applying any rules. Mainly
              used for debugging.

       -T <time>
              When changing your packetfiltering rules remotely, it is useful to have  a  test  option.  Specify
              this  one  to  apply your rules for a period of <time> (in seconds). After that the original rules
              will be restored.

       -w <password>
              When connecting to an LDAP server, you may need to authenticate via a password. If you  really
              need  to  specify  a  password on the command line (discouraged, since command-line arguments are
              visible to other local users through ps(1) and end up in the shell history), use  this  option;
              otherwise use -W and enter it interactively.

       -W     Activate interactive password query for LDAP authentication.

       uif is meant to leave the packetfilter rules in a defined state, so if something went  wrong  during  the
       initialisation,  or  uif  is  aborted by the user, the rules that were active before starting will be re‐
       stored.
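       The following script is an added example and is not part of the uif package. It shows how  to  combine
       the  documented  options  into  a lockout-safe remote update: validate with -t, apply the ruleset for a
       limited window with -T (uif restores the previous rules when the window ends),  probe  that  the  host
       is  still  reachable  while  the trial rules are active, and only then commit with a plain uif run. The
       configuration path, the trial length and the loopback SSH probe are illustrative assumptions; the trial
       run is backgrounded and waited for, so the procedure works whether uif -T returns at once or  only  after
       the window, and the commit never races the automatic restore.

```shell
#!/bin/sh
# Added example, not code from the uif package. Builds a lockout-safe remote
# ruleset update from the documented options: uif -t (validate only),
# uif -T <seconds> (apply temporarily, then restore) and a final plain uif run.
# CONFIG, TRIAL_SECONDS and the probe below are assumptions; adjust per site.
set -u

CONFIG=${CONFIG:-/etc/uif/uif.conf}
TRIAL_SECONDS=${TRIAL_SECONDS:-60}

# probe_reachable: must return 0 only while the host is still reachable under
# the trial rules. Assumed default: an SSH loopback check. In practice run a
# check from your management station and replace this function.
probe_reachable() {
    ssh -o ConnectTimeout=5 -o BatchMode=yes localhost true
}

# validate: returns 0 when uif -t accepts the configuration without applying it.
validate() {
    uif -t -c "$1"
}

# trial_window: apply the ruleset for $2 seconds in the background, probe while
# it is active, then wait for the trial to finish (uif restores the old rules
# itself). Returns 0 only if the probe succeeded during the window.
trial_window() {
    cfg=$1
    secs=$2
    uif -T "$secs" -c "$cfg" &
    pid=$!
    sleep 2                      # give uif a moment to load the trial rules
    if probe_reachable; then ok=0; else ok=1; fi
    wait "$pid"                  # do not commit while the trial is still live
    return "$ok"
}

# safe_update: the full procedure. Exit status: 0 committed, 1 configuration
# rejected by uif -t, 2 probe failed during the trial (rules were rolled back
# and nothing was committed).
safe_update() {
    validate "$CONFIG" || return 1
    trial_window "$CONFIG" "$TRIAL_SECONDS" || return 2
    uif -c "$CONFIG"
}
```

       Run  safe_update from a session on the firewall; the probe is what decides whether the permanent  commit
       happens,  so make it test the path you actually depend on (the SSH port from your workstation, not only
       loopback).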

       Normally you will not need to call this binary directly. Use the init script instead, since it  does  the
       most common steps for you.

FILES

       Configuration files are located in /etc/uif.

SEE ALSO

       uif.conf(5) nft(8) iptables(8)

AUTHOR

       This manual page was written by Cajus Pollmeier <pollmeier@gonicus.de> and Jörg Platte
       <joerg.platte@gmx.de> and adjusted for nft support by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.

Version 1.99.0                                   Apr 19th, 2022                                           uif(8)