Frequently Asked Questions

Installation Issues

Question:

What is the recommended version of the Linux kernel?

Answer:

The recommended kernel is 2.6.14 or later, to benefit from NFQUEUE and conntrack manipulation, but NuFW will work with any kernel after 2.4.

As the NuFW development team participates in Netfilter, you should be able to use the latest kernel and take advantage of it.

Debugging NuFW

Question:

How do I debug NuFW?

Answer:

Authenticating a packet involves numerous steps, which have to be checked in order:

  1. First check that Netfilter sends packets to NFQUEUE:
    • You can use watch iptables -Lv to see if the packet counters increase
  2. nufw sends the packet to nuauth:
    • For the first packet you should see:
      Sending request for 1
      Not connected, trying TLS connection
      [+] TLS connection to nuauth restored
      
    • For other packets you should only see Sending request for X, because the TLS messages relate to a successful connection to nuauth, which is only established once at start.
  3. nuauth receives the packet and decodes it:
    NuFW Packet: src=::ffff:192.168.33.139 dst=::ffff:72.14.221.104 proto=6 sport=51162 dport=25, packet_id=1
    
  4. nuauth sends a refresh message to the client
  5. The user's client sends the packet authentication message (launch nutcpc with the -d option to see these messages):
    [+] Client is asked to send new connections.
    [+] Send 1 new connection(s) to nuauth
    
  6. nuauth checks if the user has the access right:
    • Check which module is used for ACLs
    • Verify in the nuauth log that the request to the modules is done
  7. nuauth sends the response message to nufw (ACCEPT or DROP):
    Answ Packet: src=::ffff:192.168.33.139 dst=::ffff:72.14.221.104 proto=6 sport=55104 dport=25, decision=DROP, packet_id=4, OS=Linux 2.6.18-5-amd64 #1 SMP Tue Oct 2 20:37:02 UTC 2007, app=/usr/bin/telnet.netkit
    
  8. nufw applies the decision:
    Treatment time for connection: 39.4 ms
    
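The checklist above is easier to work through when the counters and log lines are summarised rather than read by eye. The following shell script is an added example, not part of the NuFW project: it covers step 1 (are packets reaching NFQUEUE at all?) and steps 3 and 7 (does every "NuFW Packet" request get an "Answ Packet" decision?). The iptables excerpt and the nuauth log lines it uses are constructed samples in the format the FAQ shows; on a real firewall you would feed in the output of iptables -L -v -n and the nuauth log instead.

```shell
#!/bin/sh
# Added example, not NuFW project code: helpers for steps 1, 3 and 7 of the
# debugging checklist. Inputs below are constructed samples.

# Constructed `iptables -L -v -n` excerpt: one NFQUEUE rule that has seen 12 packets.
SAMPLE_IPTABLES='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 NFQUEUE num 0
  800 64000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed nuauth log: two requests (packet_id 1 and 4), one decision (for 4).
SAMPLE_NUAUTH_LOG='NuFW Packet: src=::ffff:192.168.33.139 dst=::ffff:72.14.221.104 proto=6 sport=51162 dport=25, packet_id=1
NuFW Packet: src=::ffff:192.168.33.139 dst=::ffff:72.14.221.104 proto=6 sport=55104 dport=25, packet_id=4
Answ Packet: src=::ffff:192.168.33.139 dst=::ffff:72.14.221.104 proto=6 sport=55104 dport=25, decision=DROP, packet_id=4, OS=Linux 2.6.18-5-amd64 #1 SMP Tue Oct 2 20:37:02 UTC 2007, app=/usr/bin/telnet.netkit
Treatment time for connection: 39.4 ms'

# Step 1: sum the packet counters of every NFQUEUE rule in an iptables listing.
# A result of 0 means Netfilter never handed a packet to nufw, so the iptables
# rule itself is the problem, not nufw or nuauth.
nfqueue_pkts() {
    printf '%s\n' "$1" | awk '$3 == "NFQUEUE" { total += $1 } END { print total + 0 }'
}

# Steps 3 and 7: pair each "NuFW Packet" request with its "Answ Packet"
# decision via packet_id. Prints one "<packet_id> <decision>" line per request,
# with NO_ANSWER when nuauth logged no decision (then look at steps 4 to 6).
summarize_decisions() {
    printf '%s\n' "$1" | awk '
        /^NuFW Packet:/ {
            if (match($0, /packet_id=[0-9]+/)) {
                id = substr($0, RSTART + 10, RLENGTH - 10)
                order[++n] = id
            }
        }
        /^Answ Packet:/ {
            if (match($0, /packet_id=[0-9]+/)) {
                id = substr($0, RSTART + 10, RLENGTH - 10)
                if (match($0, /decision=[A-Z]+/))
                    dec[id] = substr($0, RSTART + 9, RLENGTH - 9)
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                d = (id in dec) ? dec[id] : "NO_ANSWER"
                print id, d
            }
        }'
}

echo "packets queued to nufw: $(nfqueue_pkts "$SAMPLE_IPTABLES")"
summarize_decisions "$SAMPLE_NUAUTH_LOG"
```

With the samples above the script reports 12 queued packets, then "1 NO_ANSWER" and "4 DROP": request 1 never received a decision, which is exactly the situation where steps 4 to 6 (client refresh, nutcpc -d output, ACL module lookup) need attention.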

Question:

What's wrong when I get the message:

  Can not get physindev information
  Get outdev information: wlan0
  Can not get physoutdev information.

when I try to use nufw?

Answer:

Nothing; this is only a verbose debugging message linked to the lack of bridge support in the kernel. You can either ignore the message or compile a new kernel with the CONFIG_BRIDGE_NETFILTER option set to yes.

Question:

I'm testing NuFW with an OUTPUT iptables rule and NuFW does not authenticate any packet. What's wrong?

Answer:

The first thing to check is that you have not run something like

nutcpc -H localhost

If this is the case, NuFW will not authenticate your packets to the outside world, because the source address of the connection to nuauth has to be the same as the one used by the network connection you are trying to authenticate.

To fix the issue, simply use:

nutcpc -H IPNUAUTH

with IPNUAUTH equal to the outside-world IP of the server.
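The condition in this answer (the nutcpc connection to nuauth and the traffic to be authenticated must leave from the same local address) can be checked before starting nutcpc. The script below is an added example, not NuFW project code: it compares the src field that the kernel picks for the route to the nuauth host with the one it picks for an outside destination. The two input lines are constructed in the format of ip route get output; on a real client they would come from ip route get IPNUAUTH and ip route get <some outside host>.

```shell
#!/bin/sh
# Added example, not NuFW project code: detect the "nutcpc -H localhost" mistake
# by comparing the local source address used to reach nuauth with the one used
# to reach the outside world. Route lines below are constructed samples.

# Extract the value after "src" from one `ip route get` output line.
route_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Arguments: the `ip route get` line for the nuauth host, then the line for an
# outside destination. Returns 0 when both leave from the same local address
# (nuauth will match the authenticated connection), 1 on a mismatch, 2 if a
# src field is missing from either line.
check_nuauth_source() {
    nuauth_src=$(route_src "$1")
    world_src=$(route_src "$2")
    if [ -z "$nuauth_src" ] || [ -z "$world_src" ]; then
        echo "could not read a src address from the route output" >&2
        return 2
    fi
    if [ "$nuauth_src" = "$world_src" ]; then
        echo "ok: nutcpc and outbound traffic both use $nuauth_src"
        return 0
    fi
    echo "mismatch: nutcpc connects from $nuauth_src but outbound traffic uses $world_src;" \
         "point nutcpc -H at the outside-world address of the nuauth server"
    return 1
}

# Constructed samples (Linux `ip route get` format, addresses taken from the FAQ's log lines):
LOCALHOST_ROUTE='local 127.0.0.1 dev lo src 127.0.0.1 uid 1000'
NUAUTH_ROUTE='192.168.33.1 dev eth0 src 192.168.33.139 uid 1000'
WORLD_ROUTE='72.14.221.104 via 192.168.33.1 dev eth0 src 192.168.33.139 uid 1000'

check_nuauth_source "$LOCALHOST_ROUTE" "$WORLD_ROUTE"   # the -H localhost case: mismatch
check_nuauth_source "$NUAUTH_ROUTE" "$WORLD_ROUTE"      # -H IPNUAUTH: ok
```

The first call reproduces the failure from the question (nutcpc bound to 127.0.0.1 while the real traffic leaves from 192.168.33.139); the second shows the configuration the answer recommends.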

Known problems

Question:

Why are Microsoft Windows clients not able to authenticate packets although Linux clients are working well?

Answer:

Check that your firewall is not running a 2.6.24.X kernel. NFQUEUE is buggy in the 2.6.24 kernel for at least all releases prior to 2.6.24.4. A fix has been posted by INL on the netfilter-devel mailing list. You can use this patch to fix your kernel if you have to run a 2.6.24.X kernel.
