| 1 |
# |
|---|
| 2 |
############################################################################## |
|---|
| 3 |
# |
|---|
| 4 |
# File: access.conf |
|---|
| 5 |
# |
|---|
| 6 |
# Purpose: This file defines how fwknop will modify iptables access controls |
|---|
| 7 |
# for specific IPs/networks. It gets installed by default at |
|---|
| 8 |
# /etc/fwknop/access.conf and is consulted by fwknop when run in |
|---|
| 9 |
# "access control mode", which is the default (i.e. when fwknop is |
|---|
| 10 |
# run from the command line without any command line arguments). |
|---|
| 11 |
# The corresponding file ~/.fwknoprc defines how fwknop will |
|---|
| 12 |
# send the port knocking sequence for source machines in |
|---|
| 13 |
# access.conf. Multiple access controls can be specified for |
|---|
| 14 |
# the same source machine. |
|---|
| 15 |
# |
|---|
| 16 |
# See the fwknop man page for a comprehensive treatment of the various |
|---|
| 17 |
# access control variables. See below for a few examples of access control |
|---|
| 18 |
# configurations. |
|---|
| 19 |
# |
|---|
| 20 |
# Access examples: |
|---|
| 21 |
# |
|---|
| 22 |
# 1) Define parameters for accepting single-packet authorization messages |
|---|
| 23 |
# from any source IP address via libpcap. Fwknop will reconfigure the |
|---|
| 24 |
# local Netfilter policy to allow access to SSHD (TCP port 22) for 30 |
|---|
| 25 |
# seconds from the IP also specified in the packet. This example probably |
|---|
| 26 |
# represents the best configuration for most needs: |
|---|
| 27 |
# |
|---|
| 28 |
# SOURCE: ANY; |
|---|
| 29 |
# OPEN_PORTS: tcp/22; |
|---|
| 30 |
# DATA_COLLECT_MODE: PCAP; |
|---|
| 31 |
# KEY: myencryptkey; |
|---|
| 32 |
# FW_ACCESS_TIMEOUT: 30; |
|---|
| 33 |
# |
|---|
| 34 |
# 2) If you would like the fwknop client to specify which port is opened by |
|---|
| 35 |
# fwknopd through the firewall, then replace the OPEN_PORTS variable with |
|---|
| 36 |
# PERMIT_CLIENT_PORTS as follows: |
|---|
| 37 |
# |
|---|
| 38 |
# SOURCE: ANY; |
|---|
| 39 |
# PERMIT_CLIENT_PORTS: Y; |
|---|
| 40 |
# DATA_COLLECT_MODE: PCAP; |
|---|
| 41 |
# KEY: myencryptkey; |
|---|
| 42 |
# FW_ACCESS_TIMEOUT: 30; |
|---|
| 43 |
# |
|---|
| 44 |
# 3) This example is identical to example 1) above, but now we add GPG keys |
|---|
| 45 |
# as an alternate encryption method. The original symmetric key will |
|---|
| 46 |
# still be accepted, but only if an attempted GPG decrypt does not |
|---|
| 47 |
# succeed. The GPG_REMOTE_ID is the key ID that the encrypted packet is |
|---|
| 48 |
# signed with by the fwknop client. Note that using GPG keys requires |
|---|
| 49 |
# that the client key has been imported (and signed) into the |
|---|
| 50 |
# GPG_HOME_DIR key ring on the server side, and the server key has been |
|---|
| 51 |
# imported (and signed) into the GPG key ring on the client side. Because |
|---|
| 52 |
# the GPG password for the server key is put within the access.conf, the |
|---|
| 53 |
# server key should be specifically generated and used only for fwknop |
|---|
| 54 |
# server functions; it should not a valuable GPG key that is used for |
|---|
| 55 |
# things like personal email encryption. See the fwknop man page for |
|---|
| 56 |
# examples of how to use the GPG encryption method from the fwknop |
|---|
| 57 |
# command line on the client side. |
|---|
| 58 |
# |
|---|
| 59 |
# SOURCE: ANY; |
|---|
| 60 |
# OPEN_PORTS: tcp/22; |
|---|
| 61 |
# DATA_COLLECT_MODE: PCAP; |
|---|
| 62 |
# KEY: myencryptkey; |
|---|
| 63 |
# GPG_HOME_DIR: /root/.gnupg; |
|---|
| 64 |
# GPG_DECRYPT_ID: ABCD1234; |
|---|
| 65 |
# GPG_DECRYPT_PW: myGpgPassword; |
|---|
| 66 |
# GPG_REMOTE_ID: 1234ABCD; |
|---|
| 67 |
# FW_ACCESS_TIMEOUT: 30; |
|---|
| 68 |
# |
|---|
| 69 |
# 4) This example is identical to example 1) above, but now we allow a |
|---|
| 70 |
# remote fwknop client to send a command to the fwknopd server (which it |
|---|
| 71 |
# will execute as root): |
|---|
| 72 |
# |
|---|
| 73 |
# SOURCE: ANY; |
|---|
| 74 |
# OPEN_PORTS: tcp/22; |
|---|
| 75 |
# DATA_COLLECT_MODE: PCAP; |
|---|
| 76 |
# ENABLE_CMD_EXEC; |
|---|
| 77 |
# KEY: myencryptkey; |
|---|
| 78 |
# FW_ACCESS_TIMEOUT: 30; |
|---|
| 79 |
# |
|---|
| 80 |
# 5) This example is identical to example 4) above, but now we specify a |
|---|
| 81 |
# regular expression which any remote command must match before being |
|---|
| 82 |
# executed: |
|---|
| 83 |
# |
|---|
| 84 |
# SOURCE: ANY; |
|---|
| 85 |
# OPEN_PORTS: tcp/22; |
|---|
| 86 |
# DATA_COLLECT_MODE: PCAP; |
|---|
| 87 |
# ENABLE_CMD_EXEC; |
|---|
| 88 |
# CMD_REGEX: /sbin/iptables.*ACCEPT; |
|---|
| 89 |
# KEY: myencryptkey; |
|---|
| 90 |
# FW_ACCESS_TIMEOUT: 30; |
|---|
| 91 |
# |
|---|
| 92 |
# 6) This example is similar to example 1) above, but this time instruct |
|---|
| 93 |
# fwknopd to read packets from a file that is written to by a sniffer |
|---|
| 94 |
# process or by something like the ulogd pcap writer (use ULOG_PCAP for |
|---|
| 95 |
# this). The specific file path is defined by the PCAP_FILE keyword in |
|---|
| 96 |
# /etc/fwknop/fwknop.conf). We also require that the username on the |
|---|
| 97 |
# system that generates the authorization packet is "mbr": |
|---|
| 98 |
# |
|---|
| 99 |
# SOURCE: ANY; |
|---|
| 100 |
# OPEN_PORTS: tcp/22; |
|---|
| 101 |
# DATA_COLLECT_MODE: FILE_PCAP; |
|---|
| 102 |
# KEY: myencryptkey; |
|---|
| 103 |
# FW_ACCESS_TIMEOUT: 30; |
|---|
| 104 |
# REQUIRE_USERNAME: mbr; |
|---|
| 105 |
# |
|---|
| 106 |
# 6) OLD STRATEGY: define parameters for accepting an encrypted knock |
|---|
| 107 |
# sequence from any source IP address. Note that the specific port that |
|---|
| 108 |
# will be opened is sent within the encrypted sequence (see the -p and -P |
|---|
| 109 |
# options when running fwknop in client mode) since the OPEN_PORTS |
|---|
| 110 |
# variable is not defined. |
|---|
| 111 |
# |
|---|
| 112 |
# SOURCE: ANY; |
|---|
| 113 |
# DATA_COLLECT_MODE: ENCRYPT_SEQUENCE; |
|---|
| 114 |
# KEY myencryptkey; |
|---|
| 115 |
# |
|---|
| 116 |
# 7) OLD STRATEGY: Define parameters for an encrypted sequence that requires |
|---|
| 117 |
# the operating system from which the encrypted sequence originates be |
|---|
| 118 |
# identified as a Linux system (any kernel version). In addition, define |
|---|
| 119 |
# the firewall access timeout to be 10 minutes instead of the default of |
|---|
| 120 |
# 5 minutes, and restrict access for only those source IP addresses that |
|---|
| 121 |
# are within a specific subnet: |
|---|
| 122 |
# |
|---|
| 123 |
# SOURCE: 192.168.10.0/24; |
|---|
| 124 |
# DATA_COLLECT_MODE: ENCRYPT_SEQUENCE; |
|---|
| 125 |
# KEY myencryptkey; |
|---|
| 126 |
# FW_ACCESS_TIMEOUT: 600; |
|---|
| 127 |
# REQUIRE_OS_REGEX: linux; |
|---|
| 128 |
# |
|---|
| 129 |
# 8) OLD STRATEGY: Define parameters for a shared knock sequence originating |
|---|
| 130 |
# from any source IP address, and use the tcp, udp, and icmp protocols in |
|---|
| 131 |
# the knock sequence. The sequence consists of a total of four ports: |
|---|
| 132 |
# |
|---|
| 133 |
# SOURCE: ANY; |
|---|
| 134 |
# SHARED_SEQUENCE: tcp/65531, udp/65533, tcp/65532, udp/65530; |
|---|
| 135 |
# |
|---|
| 136 |
# 9) OLD STRATEGY: Define parameters for a shared knock sequence identical |
|---|
| 137 |
# to 7) above, but require the operating system from which the sequence |
|---|
| 138 |
# originates to be exactly "OpenBSD:3.0-3.5::OpenBSD 3.0-3.5" (see the |
|---|
| 139 |
# file /etc/fwknop/pf.os): |
|---|
| 140 |
# |
|---|
| 141 |
# SOURCE: ANY; |
|---|
| 142 |
# SHARED_SEQUENCE: tcp/65531, udp/65533, tcp/65532, udp/65530; |
|---|
| 143 |
# REQUIRE_OS: OpenBSD:3.0-3.5::OpenBSD 3.0-3.5; |
|---|
| 144 |
# |
|---|
| 145 |
############################################################################## |
|---|
| 146 |
# |
|---|
| 147 |
# $Id$ |
|---|
| 148 |
# |
|---|
| 149 |
|
|---|
| 150 |
### default Single Packet Authorization (SPA) via libpcap: |
|---|
| 151 |
SOURCE: ANY; |
|---|
| 152 |
DATA_COLLECT_MODE: PCAP; |
|---|
| 153 |
KEY: _CHANGEME_; |
|---|
| 154 |
FW_ACCESS_TIMEOUT: 30; |
|---|
