Name

kernun — signpost to Kernun firewall manual pages

Description

Kernun is a flexible toolkit that makes it possible to build secure network firewalls combining application-specific proxy gateways with stateful packet filtering and address translation (NAT), virtual private networks, network IDS and detailed log analysis.

Individual application proxies, important aspects of the configuration, as well as internal interfaces implemented in Kernun support libraries are documented in their respective manual pages.

The best way to start using the Kernun firewall is to read the Kernun Firewall Handbook, especially the tutorial. After learning Kernun firewall basics, detailed information can be found in these manual pages, which are also available as the reference part of the Handbook. The most important administrative tasks are covered by the following manual pages: kat(8), cml(8), and kernun.cml(5). It may also be helpful to examine the initial configuration in /usr/local/kernun/conf/kernun.cml, which is generated after the installation, and the configuration samples that can be found in /usr/local/kernun/conf/samples.

Components

The Kernun firewall consists of:

  • The underlying FreeBSD operating system, see also intro(1).

  • A high-level configuration interface that integrates the configuration of most components of the Kernun firewall host in a single file, see also cml(8) and kernun.cml(5).

  • A graphical user interface (GUI) for remote configuration and monitoring of the Kernun firewall. The GUI is available at least for FreeBSD and Microsoft Windows. It is an open-source application, so it can be ported to other platforms supported by the Qt toolkit (most notably Linux). The GUI is described in the Kernun Firewall Handbook.

  • The command-line administration tool for configuring and monitoring the firewall, see also kat(8).

  • A set of protocol-specific and generic proxies for traffic inspection on the application layer, each with its own configuration mechanism, see also dns-proxy(8), ftp-proxy(8), gk-proxy(8), h323-proxy(8), http-proxy(8), imap4-proxy(8), pop3-proxy(8), sip-proxy(8), smtp-proxy(8), sqlnet-proxy(8), tcp-proxy(8), udp-proxy(8), dns-proxy.cfg(5), ftp-proxy.cfg(5), gk-proxy.cfg(5), h323-proxy.cfg(5), http-proxy.cfg(5), imap4-proxy.cfg(5), pop3-proxy.cfg(5), smtp-proxy.cfg(5), tcp-proxy.cfg(5), udp-proxy.cfg(5), and configuration(7).

  • A PF (packet filter) package for traffic inspection on the network and transport layers, network address translation (NAT), and traffic shaping, see also pfctl(8), pf.conf(5), and pflogd(8).

  • Log processing and runtime monitoring tools that provide statistics and online alert messages, see also sum-stats(1), switchlog(1), logsurfer(1), monitor(1), and rrd(1). The GUI also provides a wide range of log processing and monitoring features.

  • User authentication based on various methods, including password files, RADIUS, LDAP, and out-of-band authentication (with user login via a Web form or via a Samba server), see also auth(7).

  • A virtual private network module, see also openvpn(8).

  • NTP, DHCP, and DNS servers, see also ntpd(8), dhcpd(8), and named(8).

  • A high availability module, see also carp(4).

  • An intrusion detection and prevention module based on Snort, see also snort(8).

  • The DrWeb antivirus module, see also /usr/local/share/doc/drweb.

  • The SpamAssassin antispam module, see also spamassassin(1).

  • Web filtering functionality based on the interface to an external Proventia Web Filter.

Features

Components of the Kernun firewall have the following common features:

integrated configuration

It covers key system components and all proxies. See kat(8), cml(8), kernun.cml(5).

name resolving

See resolving(7).

sophisticated logging

See logging(7).

authentication

See auth(7).

fine-grained access control

See access-control(7), host-matching(7), time-matching(7).

document type recognition

See doctype-identification(7).

runtime monitoring

See monitoring(7).

enhanced network I/O with traffic shaping

See netio(7), traffic-shaping(7).

efficient process management

See proxy(5), tcpserver(7).

network transparency

See transparency(7), listen-on(5).

administrative accounts with two levels of privileges

The administrator accounts have privileges equivalent to the root user. The auditor accounts are allowed to view the configuration and logs, but do not have privileges to manipulate the state of the firewall (change configuration, start or stop proxies, etc.). See system(5).

See Also

Kernun: monitor(1), rrd(1), sum-stats(1), switchlog(1), dns-proxy.cfg(5), ftp-proxy.cfg(5), gk-proxy.cfg(5), h323-proxy.cfg(5), http-proxy.cfg(5), imap4-proxy.cfg(5), kernun.cml(5), listen-on(5), pop3-proxy.cfg(5), proxy(5), smtp-proxy.cfg(5), sqlnet-proxy.cfg(5), system(5), tcp-proxy.cfg(5), udp-proxy.cfg(5), access-control(7), auth(7), configuration(7), doctype-identification(7), host-matching(7), logging(7), monitoring(7), netio(7), resolving(7), tcpserver(7), time-matching(7), traffic-shaping(7), transparency(7), cml(8), dns-proxy(8), ftp-proxy(8), gk-proxy(8), h323-proxy(8), http-proxy(8), imap4-proxy(8), kat(8), pop3-proxy(8), smtp-proxy(8), sqlnet-proxy(8), tcp-proxy(8), udp-proxy(8)

FreeBSD: intro(1), logsurfer(1), spamassassin(1), carp(4), pf.conf(5), openvpn(8), dhcpd(8), named(8), ntpd(8), pfctl(8), pflogd(8), snort(8)

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2012 Trusted Network Solutions, a. s.
All rights reserved.