# |
########################################################################### |
# |
# [+] fwknop - Firewall Knock Operator [+] |
# |
# This is the configuration file for fwknop, the Firewall Knock Operator. |
# Note there are no access control directives in this file (i.e. who can |
# send knock sequences to the fwknop server, and what those sequences |
# are). All access control directives are located in the file |
# /etc/fwknop/access.conf. |
# |
########################################################################### |
# |
# $Id$ |
# |
|
### Supports multiple email addresses (as a comma separated |
### list). |
EMAIL_ADDRESSES root@localhost; |
|
### This defines the general strategy fwknop uses to authenticate remote
### clients. Possible values are "KNOCK" (authenticate via traditional
### port knocking), "FILE_PCAP" (authenticate via a pcap file that is
### built by a sniffer), "ULOG_PCAP" (authenticate via the ulogd pcap writer),
### or "PCAP" (authenticate via regular pcap; this puts the interface in
### promiscuous mode unless ENABLE_PCAP_PROMISC is turned off).
AUTH_MODE PCAP; |
|
### Define the ethernet interface on which we will sniff packets. Note
### that this is only used if the AUTH_MODE keyword above is set to
### "PCAP".
PCAP_INTF eth0; |
|
### Define whether to put the pcap interface in promiscuous mode.
ENABLE_PCAP_PROMISC Y; |
|
### Define the filters used for PCAP and FILE_PCAP modes; we default |
### to udp port 62201. Note that either of these variables can be |
### set to NONE in order to look at all packets. |
PCAP_FILTER udp port 62201; |
|
### Track md5 sums associated with previous fwknop processes. This allows
### md5 sums to remain persistent across executions of fwknop.
ENABLE_MD5_PERSISTENCE Y; |
|
### Flush all existing rules in the fwknop chains at fwknop start time. |
FLUSH_IPT_AT_INIT Y; |
|
### Define the timeout for running a command.
PCAP_CMD_TIMEOUT 10; |
|
### If GPG keys are used instead of a Rijndael symmetric key, this is |
### the default GPG keys directory. Note that each access block in |
### /etc/fwknop/access.conf can specify its own GPG directory to override |
### this default. |
GPG_DEFAULT_HOME_DIR /root/.gnupg; |
|
### This gets used if AUTH_MODE is set to "FILE_PCAP". This file must |
### be created by a sniffer process (or something like the ulogd pcap |
### writer). |
PCAP_PKT_FILE /var/log/sniff.pcap; |
|
### Defines the interval fwknop will use to check for more iptables
### messages (this is only used in the legacy port knocking mode).
SLEEP_INTERVAL 2; ### seconds |
|
### Defines the rule number at which fwknop will insert rules within the
### running iptables policy. Usually this should be rule number 1, but it
### can be changed if you have rules that absolutely need to be examined
### first (e.g. jump rules to custom chains).
IPTABLES_AUTO_RULENUM 1; |
|
### TTL values are decremented depending on the number of hops the packet |
### has taken before it hits the firewall. We will assume packets will not |
### jump through more than 20 hops on average. |
MAX_HOPS 20; |
|
### Note that fwknopd still only gets its data via pcap, so if the TCP
### server is enabled the filter defined by PCAP_FILTER needs to be
### updated to include the TCPSERV_PORT defined below.
ENABLE_TCP_SERVER N; |
|
### Set the default port number that the fwknop_serv "dummy" TCP server |
### listens on. This server is only spawned when ENABLE_TCP_SERVER is set |
### to "Y". |
TCPSERV_PORT 62201; |
|
### Set the type of syslog daemon that is used. The SYSLOG_DAEMON variable |
### accepts three possible values: syslogd, syslog-ng, or metalog. |
SYSLOG_DAEMON syslogd; |
|
### Fwknop uses the IPTables::ChainMgr module to add allow rules to a |
### custom Netfilter chain "FWKNOP_INPUT". This chain is called from |
### the INPUT chain, and by default no other Netfilter chains are used. |
### However, additional chains can be added (say, if access needs to |
### be allowed through the local system via the FORWARD chain) by |
### altering the "IPT_AUTO_CHAIN" keywords below. For a discussion of |
### the format followed by these keywords, read on: |
### Specify chain names to which iptables rules will be |
### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the |
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number |
### to add an additional IPT_AUTO_CHAIN requirement. The format for this |
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<To_chain>. |
### "Target": can be any legitimate Netfilter target, but should usually
### be "ACCEPT" since fwknop adds allow rules (see the default below).
### "Direction": can be "src", "dst", or "both", which correspond to the
### INPUT, OUTPUT, and FORWARD chains respectively.
### "Table": can be any Netfilter table, but the default is "filter". |
### "From_chain": is the chain from which packets will be jumped.
### "To_chain": is the chain to which packets will be jumped.
### |
### The following default variable instructs fwknop to add allow rules |
### to the FWKNOP_INPUT chain, which gets called from the INPUT chain. |
IPT_AUTO_CHAIN1 ACCEPT, src, filter, INPUT, FWKNOP_INPUT; |
|
### Directories |
FWKNOP_DIR /var/log/fwknop; |
ERROR_DIR /var/log/fwknop/errs; |
FWKNOP_RUN_DIR /var/run/fwknop; |
FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode |
|
### Files |
FW_DATA_FILE /var/log/fwknop/fwdata; |
ACCESS_CONF /etc/fwknop/access.conf; |
CONNECT_CONF /etc/fwknop/connect.conf; |
P0F_FILE /etc/fwknop/pf.os; ### p0f-based fingerprints |
MD5_FILE /var/log/fwknop/md5sums; |
KNOPTM_TIMEOUT_FILE /var/log/fwknop/knoptm.cache; ### timeout cache |
FWKNOPD_PID_FILE /var/run/fwknop/fwknopd.pid; |
TCPSERV_PID_FILE /var/run/fwknop/fwknop_serv.pid; |
KNOPWATCHD_PID_FILE /var/run/fwknop/knopwatchd.pid; |
KNOPMD_PID_FILE /var/run/fwknop/knopmd.pid; |
KNOPTM_PID_FILE /var/run/fwknop/knoptm.pid; |
KNOPTM_IP_TIMEOUT_SOCK /var/run/fwknop/knoptm_ip_timeout.sock; |
CMDLINE_FILE /var/run/fwknop/fwknopd.cmd; |
|
### system binaries |
netstatCmd /bin/netstat; |
mailCmd /bin/mail; |
iptablesCmd /sbin/iptables; |
fwknopdCmd /usr/sbin/fwknopd; |
fwknop_servCmd /usr/sbin/fwknop_serv; |
knopmdCmd /usr/sbin/knopmd; |
knoptmCmd /usr/sbin/knoptm; |
knopwatchdCmd /usr/sbin/knopwatchd; |