NuFW
title: "NuFW" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["free-system-software", "free-security-software", "firewall-software", "linux-only-free-software"] topic_path: "technology/operating-systems" source: "https://en.wikipedia.org/wiki/NuFW" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
::data[format=table title="Infobox software"]
| Field | Value |
|---|---|
| title | NuFW |
| logo | Nupik.png |
| developer | E. Leblond et al. |
| latest release version | 2.2.20 |
| operating system | Linux kernel |
| genre | Packet filtering |
| license | GNU General Public License |
::
NuFW is a software package that extends Netfilter, the Linux kernel-internal packet filtering firewall module. NuFW adds authentication to filtering rules. NuFW is also provided as a hardware firewall, in the EdenWall firewalling appliance. NuFW has been restarted by the FFI and renamed UFWI.
Introduction
NuFW / UFWI is an extension of Netfilter which brings the notion of user to IP filtering.
NuFW / UFWI can:
- Authenticate every connection that goes through your gateway, or only connections from/to a chosen subset or using a specific protocol (iptables is used to select the connections to authenticate).
- Perform accounting, routing and quality of service (QoS) based on users and not simply on IP addresses.
- Filter packets on criteria such as the application and OS used by remote users.
- Serve as the key component of a secure and simple single sign-on system.
Principles
NuFW / UFWI rejects the assumption that an IP address identifies a user (IP == user), because an IP address can easily be spoofed. It therefore uses its own algorithm to perform authentication. The algorithm depends on two subsystems: Nufw, which is connected to Netfilter, and Nuauth, which is connected to the clients and to Nufw.
The algorithm is the following:
::figure[src="https://upload.wikimedia.org/wikipedia/commons/f/f1/NuFW_Algorythm.png"] ::
- A standard application sends a packet.
- The Nufw client sees that a connection is being initiated and sends a user request packet.
- The Nufw server queues the packet and sends an auth request packet to the Nuauth server.
- The Nuauth server combines the auth request with the user request packet and checks the result against an authentication authority.
- The Nuauth server sends an answer back to the Nufw server.
- The Nufw server transmits the packet following the answer given to its request.
This algorithm performs an a posteriori authentication of the connection. Because there is no time-based association, this ensures the identity of the user who sent the packet. NuFW is the only real authentication firewall, as it never associates a user with their machine.
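The exchange above can be modelled in a few lines. This is an added example, not NuFW code and not its wire protocol: the class and method names, the credential store and the per-user port ACL are all assumptions made for illustration. It shows three connections from the same source IP receiving different verdicts because the decision is bound to the connection, not to the machine.

```python
import hmac
from collections import namedtuple

# Connection identifier carried by both the auth request and the user request.
Conn = namedtuple("Conn", "src sport dst dport")

# Constructed authentication authority: credentials and per-user allowed ports.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"alice": {22, 443}, "bob": {443}}

class Nuauth:
    def __init__(self):
        self.user_requests = {}              # Conn -> authenticated user

    def user_request(self, conn, user, password):
        """Sent by the client when it sees a connection being initiated."""
        if user in USERS and hmac.compare_digest(USERS[user], password):
            self.user_requests[conn] = user

    def auth_request(self, conn):
        """Sent by the Nufw server; matched to a user request by connection."""
        user = self.user_requests.pop(conn, None)
        if user is None:
            return "DROP"                    # nobody claimed this connection
        return "ACCEPT" if conn.dport in ACL[user] else "DROP"

class Nufw:
    def __init__(self, nuauth):
        self.nuauth, self.queue = nuauth, []

    def packet_in(self, conn):
        self.queue.append(conn)              # hold the packet until Nuauth answers

    def flush(self):
        verdicts = {c: self.nuauth.auth_request(c) for c in self.queue}
        self.queue.clear()
        return verdicts

def demo():
    nuauth = Nuauth()
    nufw = Nufw(nuauth)
    # Three SSH connections from one multi-user host (constructed addresses).
    conns = [Conn("10.0.0.5", 40001 + i, "192.0.2.10", 22) for i in range(3)]
    for c in conns:
        nufw.packet_in(c)
    nuauth.user_request(conns[0], "alice", "s3cret")   # allowed on port 22
    nuauth.user_request(conns[1], "bob", "hunter2")    # valid user, port denied
    verdicts = nufw.flush()                            # conns[2] has no user request
    return [verdicts[c] for c in conns]
```
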
Awards
- 2007: Lutèce d'Or (Paris, France), Best Innovation
- 2005: Les Trophées du Libre (Soissons, France), Security
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::