Prerequisites
=============

 - PHP version 5
 - Apache version 2
 - Apache PHP5 module
 - Python 2.3 or greater
 - gettext (msgfmt program)
 - nuphp 0.1.2, PHP library
   http://software.inl.fr/trac/wiki/nuphp
 - IPy version 0.50+
   Python package: http://software.inl.fr/trac/wiki/IPy
 - LDAP Python library: http://python-ldap.sourceforge.net/
 - sudo program
 - PEAR: take care to append its path to the include_path setting in php.ini
 - CONNTRACK netfilter target. This can be as simple as loading the
   kernel module
 - NuFW 2.2 (optional): NuFW 2.2.12+ is needed to disable logging on a specific ACL
 - XML Python library:

   * lxml (Debian: python-lxml)
   * or cElementTree (Debian: python-celementtree)
   * or ElementTree (Debian: python-elementtree)

gendesc requires:

 - /sbin/route program
 - /sbin/ip program

Debian: command to run as root to install all requirements::

   apt-get install php5 apache2 libapache2-mod-php5 python gettext \
      python-ipy python-ldap sudo php-pear iproute net-tools

For better performance when generating Netfilter rules, you can install
the psyco Python package (python-psyco).


Optional components
===================

The graphdesc program requires:

 - pygraphviz
   https://networkx.lanl.gov/wiki/pygraphviz
 - graphviz-dev (graphviz C headers)
   http://www.graphviz.org/

Unit tests ("make tests" command) require:

 - SimpleTest: CVS version
   (requires the expectException() method of the UnitTestCase class)
   http://simpletest.org/
   (Debian package: php-simpletest)


Installation
============

The installation is done in four steps:

   1. Install files
   2. Configure nupyf.conf
   3. Configure Apache
   4. How to configure /etc/sudoers


Install files
-------------

You can edit the variables defined at the beginning of the Makefile to adapt
the configuration. Then use make to install the NuFace interface::

   make install

You can change the directory prefix and/or the Apache user and group using::

   make install DESTDIR=/usr/local WWW_USER=apache WWW_GROUP=apache

It will install NuFace web files and Python scripts, and create the
following directories:

 - /etc/nuface
 - /etc/network
 - /etc/init.d
 - /usr/share/locale/fr/LC_MESSAGES
 - /usr/share/edenwall-web/nuface
 - /usr/share/man/man8
 - /usr/lib/python2.5/site-packages/nupyf
 - /usr/lib/python2.5/site-packages/checkdesc
 - /usr/lib/python2.5/site-packages/nulayer7
 - /usr/sbin
 - /var/lib/nuface
 - /var/lib/nuface/backups
 - /var/lib/nuface/dyn/nufw
 - /var/lib/nuface/dyn/standard
 - /var/lib/nuface/acls
 - /var/lock


Configure nupyf.conf
--------------------

You have to set up your LDAP configuration in the file nupyf.conf in the
directory /etc/network/firewall/desc/.


Configure Apache
----------------

A sample Apache configuration file is provided in doc/nuface_apache.conf. Just
replace /path/to/some/file with the htpasswd file you created with the htpasswd
utility.

About PHP safe mode: NuFace should not be used in safe mode. It's not needed
since NuFace is already protected by the login/password required by Apache. If
you want to use it anyway, you have to add "/usr/share/edenwall-web/nuface" to
the open_basedir option (in php.ini) and allow PHP to execute the sudo, nupyf,
gendesc, checkdesc, (...) programs.

init-firewall script
--------------------

NuFace installs the /etc/init.d/init-firewall script, which is responsible for
loading the firewall (iptables) rules. If you would like to load the rules on
system boot, you have to register the script in rc.d using your Linux
distribution's tool (e.g. update-rc.d on Debian).


How to configure /etc/sudoers
-----------------------------

NuFace must be able to run /etc/init.d/init-firewall to load rules.

NuFace uses the sudo program for that, so you have to allow it.
Edit the /etc/sudoers file and add the lines::

   Cmnd_Alias NETWORK_SCRIPTS = /etc/init.d/init-firewall
   Defaults:www-data !authenticate
   www-data HOSTNAME=NETWORK_SCRIPTS

You have to change:

 - HOSTNAME: replace it with your real hostname!
 - www-data: the user identifier used to run the web server (Apache)
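
The sudoers lines above let the web server user run /etc/init.d/init-firewall
as root without a password, so that script and every directory above it should
be writable by root only. The following check is an added example, not part of
NuFace: the function names and the ``stop`` parameter are assumptions, and the
parser handles only the simple ``user host=command`` form shown above.

```python
import os
import re
import stat

# Constructed sample: the sudoers lines from this page (HOSTNAME is its placeholder).
SAMPLE_SUDOERS = """\
Cmnd_Alias NETWORK_SCRIPTS = /etc/init.d/init-firewall
Defaults:www-data !authenticate
www-data HOSTNAME=NETWORK_SCRIPTS
"""

def granted_commands(sudoers_text, user):
    """Commands `user` may run via sudo, with Cmnd_Alias names resolved.
    Assumption: only the plain 'user host=cmd[, cmd]' form is handled."""
    aliases, commands = {}, []
    for line in sudoers_text.splitlines():
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line.strip())
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        spec = re.match(re.escape(user) + r"\s+[^\s=]+\s*=\s*(.+)", line.strip())
        if spec:
            for item in spec.group(1).split(","):
                commands.extend(aliases.get(item.strip(), [item.strip()]))
    return commands

def unsafe_path_components(path, trusted_uids=(0,), stop="/"):
    """(component, reason) pairs that would let an untrusted user replace `path`.
    Walks from the resolved file up to `stop` (hypothetical parameter, for testing)."""
    findings = []
    current, stop = os.path.realpath(path), os.path.realpath(stop)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group- or world-writable"))
        if current == stop or current == os.path.dirname(current):
            return findings
        current = os.path.dirname(current)

if __name__ == "__main__":
    for command in granted_commands(SAMPLE_SUDOERS, "www-data"):
        if not os.path.exists(command):
            print("%s: not installed on this host" % command)
            continue
        for component, reason in unsafe_path_components(command):
            print("%s: %s" % (component, reason))
```

An empty result for /etc/init.d/init-firewall means neither the script nor any
parent directory can be modified by a non-root account.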


PHP memory limit
================

If you have trouble (blank page) with a ruleset of more than 50 rules,
try changing the PHP memory limit to 16 MB (or 32 MB).

