Download NuFW 2.0 beta 2


The NuFW program is an extensive firewall that can filter each connection based on the user's rights and the operating system used. It uses an LDAP server to check the granted permissions and Netfilter to apply the configured filtering. For more information about NuFW, please refer to this page. The developers have started work on version 2.0 and the second beta version has recently been released. The announcement with the list of changes reads as follows:

Version 2.0 beta 2:

NuFW 2.0 beta2 is ready. A couple of notable bug fixes:

  • nuauth : fixed period handling on reload
  • nuauth : fixed incorrect logging of established packets (they were marked as UNAUTHENTICATED DROP)
  • nuauth: fixed a bug in policy test
  • fixes in the Makefile.am files, which were reluctant to some configurations

Version 2.0 beta 1:

The NuFW Core Team is proud to announce the availability of NuFW 2.0-beta1. This new release adds a bunch of new exciting functions:

  • Support of ICMP Reject messages : users can now be warned when a packet has been blocked by NuFW.
  • Expiration of connections and TRUE time based acls : one can now define an 8am-6pm time period and link it with an acl. Connections can start during this interval and are automatically killed at 6pm.
  • Better X509 support thanks to Eole sponsorship.
  • Support of multiple iterations of a module, each iteration with a specific config file : nuauth can log in two different MySQL databases for example, or get auth from two distinct LDAP directories…
  • Better libnuclient : It now has an error handling structure.
  • More endian friendly protocol between client and nuauth
  • Massive code cleaning and documentation (written by and for developers but existing anyway 😉)

Extensive changelog is as follows:

  • nuauth : bugfix on the PostgreSQL log module thanks to Julian Reich
  • nuauth : fix bug in max client number test
  • nuauth|nufw : really close socket in all cases now
  • nuauth : certificate checking improvement
  • nuauth : separate sasl and tls code
  • nufw: cleaning of tls end of session
  • libnuclient : introduce nu_client_global_init to avoid multiple global initialization of gnutls and sasl
  • define protocol version 3 : protocol version 2 with a fix on endianness
  • nuauth : fix crash when multiple logging modules are used (if one of them is mysql)
  • libnuclient : free connection table
  • libnuclient : fix multithreaded code
  • nuauth: store user identifiers in 32 bits (and not 16), but still send user ID in 16 bits to nufw (with a warning)
  • new configure option: --with-perf-display, display benchmark or user authentication
  • nuauth: fixes about buffer underflow, check that received packets are big enough before casting them to structure
  • nufw and nuauth: fix possible buffer overflow : replace strncpy with the new macro SECURE_STRNCPY which always writes '\0' on last position, and replace calls like sscanf(..., "%10s", ...) with SECURE_STRNCPY
  • nufw: whole code is documented using doxygen syntax
  • nufw and nuauth: use shorter syntax to display debug messages
  • nufw and nuauth: fixes to make them compile in strict ANSI mode with gcc (using -ansi option)
  • nufw and nuauth: fix memory leaks, some of them detected with the great tool Valgrind
  • nuauth: reorganize source code, split big functions in small sub-functions and move some functions in new files
  • nufw and nuauth: remove dead code and unused variables/macros
  • nufw and nuauth: use more explicit names for variables and structures, rename for example 'c' to 'socket'
  • nuauth, module script: fix a security bug, quote script arguments
  • small changes to make flawfinder and rats tools happy
  • replace obsolete usleep() with nanosleep()
  • Introduce lock in tls code because gnuTLS is NOT really threadsafe (does NOT support thread sending on the same TLS session)
  • stronger security in mysql and postgresql modules: use secure_sprintf() instead of classic sprintf() and quote all user strings
  • stronger security in script module: quote all arguments
  • fix some minor bugs detected by Valgrind
  • check inet_ntop() and inet_addr() errors
  • small changes to make nufw and nuauth source code ANSI C compliant
  • fix gcc compilation flags: use -O0 in debug mode instead of -O2, and detect all warnings with -Wextra (or -W for gcc < 4.0)
  • use pointer and not object during logging
  • bugfix: nuauth: don’t crash anymore if configuration file doesn’t exist
  • nuauth: fix gnutls problem (multithread writing and reading)
  • nuauth: multiple modules with separate conf
  • nuauth: stop threads (and thread pools) before exiting NuAuth. Use a mutex to ask a thread to stop. Each thread uses timeout of one second, and doesn’t use any blocking function anymore (use function with timeout instead: eg. use g_async_queue_timed_pop() instead of g_async_queue_pop())
  • nuauth: port of system_convert_username_to_lowercase option (from 1.0)
  • NuFW : ICMP reject via decision 3.
  • xml_defs : new module for periods definition
  • nuauth : add nuauth_module_certificate_check and nuauth_module_certificate_to_uid configuration variables (work sponsored by EOLE)
  • x509_std : new module with standard check and function for nuauth_module_certificate_check and nuauth_module_certificate_to_uid
  • nuauth : modify config file parsing to avoid memory leak
  • nuauth : add option nuauth_debug_area to be able to specify logging area
  • nuauth: add Prelude IDS module which can log packet events and user session.
  • nuauth : new nuauth_reject_authenticated_drop option to choose if we drop or reject ACL that match IPV4 header but when user is not in the group.
  • nuauth : period checking is now done in main code (not in module anymore) to avoid problem with cache.
  • move conffile.h from src/nuauth/include to src/nuauth and suppress src/nuauth/include
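The changelog entries on buffer overflows (replacing strncpy with SECURE_STRNCPY, and replacing sscanf(..., "%10s", ...)) describe a classic C pitfall: strncpy() does not terminate the destination when the source is at least as long as the buffer, and a "%10s" conversion stores up to 10 characters plus a terminating NUL, so a 10-byte buffer is one byte short. The following is an added illustration written for this page, not NuFW's own SECURE_STRNCPY definition; the macro name SAFE_STRNCPY, the helper functions and the sample strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded-copy macro, written here to show the idea behind the
 * SECURE_STRNCPY change in the changelog (not NuFW's own definition).
 * It copies at most size-1 bytes and always writes '\0' into the last slot,
 * so the result is terminated even when src is longer than the buffer. */
#define SAFE_STRNCPY(dst, src, size)          \
    do {                                      \
        strncpy((dst), (src), (size) - 1);    \
        (dst)[(size) - 1] = '\0';             \
    } while (0)

/* Returns 1 if buf[0..size-1] contains a terminating NUL, 0 otherwise.
 * An unterminated buffer is what later strlen()/printf("%s") calls read past. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Pre-fix behaviour: plain strncpy with the full buffer size.
 * Returns whether the destination ended up NUL-terminated. */
int copy_plain(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size);
    return is_terminated(dst, size);
}

/* Post-fix behaviour: the bounded macro. Always returns 1. */
int copy_safe(char *dst, size_t size, const char *src)
{
    SAFE_STRNCPY(dst, src, size);
    return is_terminated(dst, size);
}

/* Bytes a destination must hold for a "%<width>s" sscanf conversion:
 * the width counts characters only, the terminating NUL comes on top. */
size_t scanf_width_buffer_size(size_t width)
{
    return width + 1;
}

int main(void)
{
    char buf[8];  /* constructed 8-byte destination */

    /* 8-character source: strncpy fills all 8 bytes and writes no NUL. */
    printf("plain copy of \"exactly8\" terminated: %d\n",
           copy_plain(buf, sizeof buf, "exactly8"));

    /* The bounded macro truncates to 7 characters and terminates. */
    copy_safe(buf, sizeof buf, "exactly8");
    printf("safe copy result: \"%s\"\n", buf);

    printf("buffer needed for \"%%10s\": %zu bytes\n",
           scanf_width_buffer_size(10));
    return 0;
}
```

The point the test below checks is the one the changelog relies on: for a source that exactly fills the buffer, plain strncpy leaves no terminator, while the bounded copy always does, at the cost of dropping the last character.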

Version number: 2.0 beta 2
Operating systems: Linux
Website: NuFW
File size: 959.00kB
License type: GPL