/etc/nufw/acls.nufw is in nuauth 2.4.3-3.3build2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | # ACLs file for the plaintext module
#
# Example of ACL
# ==============
#
# [Sample ACL]
# gid=100,101 # which groups are concerned
# gid=103 # several lines can be used
# uid=100,101 # which user ids are concerned
# uid=103 # several lines can be used
# proto=6 # IP protocol: 1=ICMP, 6=TCP (default), 17=UDP
# type=0 # Type, for ICMP protocol only
# SrcIP=10.10.0.1 # Source IP, equivalent to 10.10.0.1/32
# SrcPort=1024-65535 # List of source ports (a single port is ok)
# DstIP=10.10.0.5 # Destination IP address
# DstIP=10.10.0.8, 10.10.1.0/24 # There can be several IP addresses/lines
# DstPort=5150-5153 # List of destination ports
# DstPort=22,25 # There can be several lines
# decision=1 # 0=drop, 1=accept, 3=reject (2 is reserved: "no decide")
#
# Default values:
# - decision: 1 (ACCEPT)
# - protocol: 6 (TCP)
# - SrcIP: any IP address
# - DstIP: any IP address
# - SrcPort: any port
# - DstPort: any port
#
# Application filtering:
# App=/usr/bin/perl
# Several applications can be given:
# App=/usr/bin/ssh
# App=/usr/bin/nc
#
# OS checking:
# OS = Linux
# You can give the kernel release:
# OS = Linux ; 2.6.8
# and the kernel version:
# OS = Linux ; 2.6.8 ; #3 Fri Aug 27 20:37:38 CEST 2004
# (Several OS can be given)
#
# Interface checking:
# [indev|outdev|physindev|physoutdev] = eth0
# You have to specify complete interface name and blob are
# not allowed.
#
# Log prefix:
# log_prefix = ssh
#
# You need to use period defined in your period handling module:
# period = 24x7
#
# ACL flags is an integer coding properties of the ACL:
# flags = 1
#
# Flags value are used by bit comparison. You can combien the following
# value
# * 1: do aysnchronous login on packet accepted by ACL, equivalent
# to don't do Single Sign On on the ACL.
# * 2: Don't log
# * 4: Log synchronously (set it for SSO if not globally set)
# * 8: Log strictly (set it for SSO)
# Flag bits can be used to set a mark on packet. See mark_flag module.
# Authentication quality can be used to limit authorization following the
# type of authentication used
# authquality = LEVEL
# defined levels are: 0 auth by IP fallback method, 1 auth by SASL, 2 auth by certificate
[ssh]
gid=100
DstPort=22
App=/usr/bin/ssh
OS=Linux
[http]
gid=100,102,103
DstPort=80
[https]
gid=100
gid=102
DstPort=443
[full access for group 103]
gid=103
|