The options are as follows:
-6 Turn on IPv6 mode so as to manipulate IPv6 rules. Default configuration file is changed to
/etc/uif/uif6.conf see -c below. It should be noted that nat rules are silently ignored if -6 is
used.
-b<basedn>
Specify the base DN to act on when using LDAP based firewall configuration. uif will look in the
subtree ou=filter,ou=sysconfig,<basedn> for your rulesets.
-c<configfile>
This option specifies the configuration file to be read by uif. See uif.conf(5) for detailed in‐
formation on the fileformat. It defaults to /etc/uif/uif.conf.
-C<configfile>
When reading configuration data from other sources than specified with -c you may want to convert
this information into a textual configuration file. This options writes the parsed config back to
the file specified by <configfile>.
-d Clears all firewall rules immediately.
-D<bind_dn>
If a special account is needed to bind to the LDAP database, the account's DN can be specified at
this point. Note: you should use this when writing an existing configuration to the LDAP. Reading
the configuration may be done with an anonymous bind.
-p Prints rules specified in the configuration to stdout. This option is mainly used for debugging
the rule simplifier.
-l If printing rules (see -p) prepend line numbers to the print-out.
-r<ruleset>
Specifies the name of the ruleset to load from the LDAP database. Remember to use the -b option
to set the base. Rulesets are stored using the following dn: cn=<ruleset>,ou=rulesets,ou=filter,ou=sysconfig,basedn, where <ruleset> will be replaced by the ruleset specified.
-R<ruleset>
Specifies the name of the ruleset to write to the LDAP database. This option can be used to con‐
vert i.e. a textual configuration to an LDAP based ruleset. Like with using -r you've to specify
the LDAP base to use. Target is cn=<ruleset>,ou=rulesets,ou=filter,ou=sysconfig,<basedn>,
where <ruleset> will be replaced by the ruleset specified.
-s<server>
This option specifies the LDAP server to be used.
-t This option is used to validate the packetfilter configuration without applying any rules. Mainly
used for debugging.
-T<time>
When changing your packetfiltering rules remotely, it is useful to have a test option. Specify
this one to apply your rules for a period of <time> (in seconds). After that the original rules
will be restored.
-w<password>
When connecting to an LDAP server, you may need to authenticate via a password. If you really
need to specify a password on the command line (discouraged!), use this option, otherwise use -W
and enter it interactively.
-W Activate interactive password query for LDAP authentication.
uif is meant to leave the packetfilter rules in a defined state, so if something went wrong during the
initialisation, or uif is aborted by the user, the rules that were active before starting will be re‐
stored.
Normally you will not need to call this binary directly. Use the init script instead, since it does the
most common steps for you.