Download NuFW 2.1.0


Yesterday, the developers behind NuFW released a so-called development release and gave it version number 2.1.0. NuFW, which stands for Now user Filtering Works, is an extensive firewall for Linux that can filter every connection based on the user’s rights and the operating system used. It uses an LDAP server to check the assigned rights and Netfilter to apply the configured filtering. More information about NuFW can be found on this page. The changelog of this release looks like this:

Changes in NuFW version 2.1.0

  • fix period handling (user OR and and AND between period item of a period)
  • fix memory leak in ldap module
  • IPv6 support:
    • clients, nufw and nuauth are able to communicate using IPv4 or IPv6
    • nuauth stores all addresses in an IPv6 structure, IPv4 uses the format “::ffff:[ipv4]”
    • MySQL stores IP addresses in a BINARY(16) field instead of an INTEGER field
    • Prelude, MySQL, PostgreSQL, etc. modules support IPv6 addresses
    • Plaintext module is able to parse IPv4 and IPv6 addresses
    • Rejecting a packet can send ICMP(v4) or ICMPv6 (depending on source IP address type)
    • support ICMPv6 protocol
  • new client API, main changes:
    • don’t use callback to get username, password and tls password anymore: directly send the strings
    • don’t delete the session when losing connection: just delete old TLS session (and socket) using a “reset” function
    • keep same Diffie Hellman parameters for the session (don’t regenerate them on each reconnection): that’s good because it appears to use a lot of CPU (and maybe /dev/random)
    • the client sends username and password in UTF-8
    • don’t make core dump on fatal errors (in nuauth, nutcpc and pam_nufw)
  • libnuclient: use gcrypt_malloc_secure() to disallow username and password to be moved to the swap
  • protocol v3 compatibility (for client and nufw server)
  • Introduce two new modules type:
    • user_session_modify: called when auth is successful, this module can modify all params (useful to set expire or something else)
    • finalise_packet: modify packet content just before decision (useful to set mark and/or expire according to advanced policy)
  • Accounting capabilities: contact is now dumping accounting information
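
The IPv6 items above describe holding every address as 16 bytes, with IPv4 written as “::ffff:[ipv4]”, and choosing ICMP or ICMPv6 by the source address type. The C sketch below is an added example, not NuFW code; all function names are hypothetical. It shows why this canonical form matters for filtering: both spellings of one IPv4 host compare equal once stored.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>

/* First 12 bytes of every IPv4-mapped IPv6 address (::ffff:a.b.c.d). */
static const unsigned char V4MAPPED_PREFIX[12] =
    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };

/* Parse IPv4 or IPv6 text into one 16-byte value, the same layout a
 * BINARY(16) column would hold. Returns 0 on success, -1 on bad input. */
int addr_to_in6(const char *text, struct in6_addr *out)
{
    struct in_addr v4;

    if (inet_pton(AF_INET6, text, out) == 1)
        return 0;
    if (inet_pton(AF_INET, text, &v4) != 1)
        return -1;                      /* neither family: reject */
    memcpy(out->s6_addr, V4MAPPED_PREFIX, sizeof(V4MAPPED_PREFIX));
    memcpy(&out->s6_addr[12], &v4, sizeof(v4)); /* already network order */
    return 0;
}

/* AF_INET for a mapped IPv4 address, AF_INET6 otherwise. This is the
 * distinction needed to pick ICMP or ICMPv6 when rejecting a packet. */
int addr_family(const struct in6_addr *a)
{
    if (memcmp(a->s6_addr, V4MAPPED_PREFIX, sizeof(V4MAPPED_PREFIX)) == 0)
        return AF_INET;
    return AF_INET6;
}

/* Text form for logs: dotted quad for mapped IPv4, IPv6 text otherwise. */
const char *addr_to_text(const struct in6_addr *a, char *buf, socklen_t len)
{
    if (addr_family(a) == AF_INET)
        return inet_ntop(AF_INET, &a->s6_addr[12], buf, len);
    return inet_ntop(AF_INET6, a, buf, len);
}

/* Equal when all 16 bytes match, so "192.0.2.7" and "::ffff:192.0.2.7"
 * hit the same rule instead of one spelling slipping past it. */
int addr_equal(const struct in6_addr *a, const struct in6_addr *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}
```

The addresses used to exercise it (192.0.2.7, 2001:db8::1) are documentation-range values, not taken from the release.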


Version number: 2.1.0
Operating systems: Linux
Website: NuFW
File size: 701.00KB
License type: GPL