kernun — signpost to Kernun firewall manual pages
Kernun is a flexible toolkit that makes it possible to build secure network firewalls combining application-specific proxy gateways with stateful packet filtering and address translation (NAT), virtual private networks, network IDS and detailed log analysis.
Individual application proxies, important aspects of the configuration, as well as internal interfaces implemented in Kernun support libraries are documented in their respective manual pages.
The best way to start using the Kernun firewall is to read the Kernun Firewall Handbook, especially the tutorial. After learning Kernun firewall basics, detailed information can be found in these manual pages, which are also available as the reference part of the Handbook.
The most important administrative tasks are covered by the following manual pages: kat(8), cml(8), and kernun.cml(5). It may also be helpful to examine the initial configuration in /usr/local/kernun/conf/kernun.cml, which is generated after the installation, and the configuration samples that can be found in /usr/local/kernun/conf/samples.
The Kernun firewall consists of:
The underlying FreeBSD operating system, see also intro(1).
A high-level configuration interface that integrates the configuration of most components of the Kernun firewall host in a single file, see also cml(8), kernun.cml(5) and configuration(7).
A graphical user interface (GUI) for remote configuration and monitoring of the Kernun firewall. The GUI is available at least for FreeBSD and Microsoft Windows. It is an open source application, so it can be ported to other platforms supported by the Qt toolkit (most notably Linux). The GUI is described in the Kernun Firewall Handbook.
The command line administration tool for easy configuration and monitoring of the firewall, see also kat(8).
A set of protocol-specific and generic proxies for traffic inspection on the application layer, each with its own configuration mechanism, see also dns-proxy(8), ftp-proxy(8), gk-proxy(8), h323-proxy(8), http-proxy(8), imap4-proxy(8), pop3-proxy(8), sip-proxy(8), smtp-proxy(8), sqlnet-proxy(8), tcp-proxy(8), udp-proxy(8), dns-proxy.cfg(5), ftp-proxy.cfg(5), gk-proxy.cfg(5), h323-proxy.cfg(5), http-proxy.cfg(5), imap4-proxy.cfg(5), pop3-proxy.cfg(5), smtp-proxy.cfg(5), tcp-proxy.cfg(5), udp-proxy.cfg(5), and configuration(7).
A PF (packet filter) package for traffic inspection on the network and transport layers, network address translation (NAT), and traffic shaping. These functions are controlled by the pf-control component, see also pf-control(8), pfctl(8), pf.conf(5).
Log processing and runtime monitoring tools that provide statistics and online alert messages, see also sum-stats(1), switchlog(1), logsurfer(1), monitor(1), and rrd(1). The GUI also provides a wide range of log processing and monitoring features.
User authentication based on various methods including password files, RADIUS, LDAP, and out-of-band authentication (with user login via a Web form or via a Samba server), see also auth(7).
A virtual private network module, see also openvpn(8).
NTP, DHCP, DNS, ICAP, and SNMP servers, see also ntpd(8), dhcpd(8), named(8), icap-server(8), and snmpd(8).
An intrusion detection and prevention module, see also adaptive-firewall(5).
The SpamAssassin antispam module, see also spamassassin(1).
Web filtering functionality based on the interface to an external Proventia Web Filter.
The Adaptive Traffic Routing module for dynamic load balancing, see also atrmon(8).
Components of the Kernun firewall have the following common features:
It covers key system components and all proxies. See kat(8), cml(8), kernun.cml(5).
See cluster(7).
See ips(7).
See resolving(7).
See logging(7).
See auth(7).
See access-control(7), host-matching(7), data-matching(7), time-matching(7).
See antivirus(7).
See monitoring(7).
See netio(7), traffic-shaping(7).
The administrator accounts have privileges equivalent to the root user. The auditor accounts are allowed to view the configuration and logs, but do not have privileges to manipulate the state of the firewall (change configuration, start or stop proxies, etc.). See system(5).
Kernun: monitor(1), rrd(1), sum-stats(1), switchlog(1), dns-proxy.cfg(5), ftp-proxy.cfg(5), gk-proxy.cfg(5), h323-proxy.cfg(5), http-proxy.cfg(5), imap4-proxy.cfg(5), kernun.cml(5), listen-on(5), pop3-proxy.cfg(5), application(5), smtp-proxy.cfg(5), sqlnet-proxy.cfg(5), system(5), tcp-proxy.cfg(5), udp-proxy.cfg(5), access-control(7), antivirus(7), auth(7), cluster(7), configuration(7), data-matching(7), doctype-identification(7), host-matching(7), ips(7), logging(7), monitoring(7), netio(7), port-range-listen(7), resolving(7), tcpserver(7), time-matching(7), traffic-shaping(7), transparency(7), udpserver(7), atrmon(8), cml(8), dns-proxy(8), ftp-proxy(8), gk-proxy(8), h323-proxy(8), http-proxy(8), icap-server(8), imap4-proxy(8), kat(8), pf-control(8), pop3-proxy(8), smtp-proxy(8), sqlnet-proxy(8), tcp-proxy(8), udp-proxy(8)
FreeBSD: intro(1), logsurfer(1), spamassassin(1), suricata(1), pf.conf(5), openvpn(8), dhcpd(8), named(8), ntpd(8), pfctl(8), snmpd(8)