fwknop.conf

Revision 745, 9.4 kB (checked in by mbr, 1 year ago)
Made syslog identity, facility, and priority configurable (applied code from the psad project).
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`

Line
1	#
2	#############################################################################
3	#
4	# [+] fwknop - Firewall Knock Operator [+]
5	#
6	# This is the configuration file for fwknop, the Firewall Knock Operator.
7	# The primary authentication and authorization mechanism offered by fwknop
8	# is known as Single Packet Authorization (SPA). More information about
9	# SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
10	#
11	# Note there are no access control directives in this file. All access
12	# control directives are located in the file
13	# /etc/fwknop/access.conf. You will need to edit the access.conf file in
14	# order for fwknop to function correctly.
15	#
16	#############################################################################
17	#
18	# $Id$
19	#
20
21	### Supports multiple email addresses (as a comma separated
22	### list).
23	EMAIL_ADDRESSES root@localhost;
24
25	### Machine hostname
26	HOSTNAME _CHANGEME_;
27
28	### Define the firewall type. The default is "iptables" for Linux systems,
29	### but this can be set to "ipfw" for *BSD systems.
30	FIREWALL_TYPE iptables;
31
32	### This defines the general strategy fwknop uses to authenticate remote
33	### clients. Possible values are "PCAP" (authenticate via regular pcap; this
34	### is the default and puts the interface in promiscuous mode unless
35	### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
36	### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
37	### writer).
38	AUTH_MODE PCAP;
39
40	### Define the ethernet interface on which we will sniff packets. Note
41	### that this is only used if the AUTH_MODE keyword above is set to
42	### "PCAP"
43	PCAP_INTF eth0;
44
45	### Define whether put the pcap interface in promiscuous mode.
46	ENABLE_PCAP_PROMISC Y;
47
48	### Define the filters used for PCAP and FILE_PCAP modes; we default
49	### to udp port 62201. Note that either of these variables can be
50	### set to NONE in order to look at all packets.
51	PCAP_FILTER udp port 62201;
52
53	### This instructs fwknopd to not honor SPA packets that have an old time
54	### stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
55	### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
56	### time stamp at all.
57	ENABLE_SPA_PACKET_AGING Y;
58
59	### Defines the maximum age (in seconds) that an SPA packet will be accepted.
60	### This requires that the client system is in relatively close time
61	### synchronization with the fwknopd server system (NTP is good). The default
62	### age is two minutes.
63	MAX_SPA_PACKET_AGE 120;
64
65	### Track md5 sums associated with previous fwknop process. This allows
66	### md5 sums to remain persistent across executions of fwknop.
67	ENABLE_MD5_PERSISTENCE Y;
68
69	### Force all SPA packets to contain a real IP address within the encrypted
70	### data. This makes it impossible to use the -s command line argument on
71	### the fwknop command line, so either -R has to be used to automatically
72	### resolve the external address (if the client behind a NAT) or the client
73	### must know the external IP.
74	REQUIRE_SOURCE_ADDRESS N;
75
76	### Flush all existing rules in the fwknop chains at fwknop start time.
77	FLUSH_IPT_AT_INIT Y;
78
79	### If running on ipfw firewalls, this variable defines the rule number
80	IPFW_RULE_NUM 1;
81
82	### Define the timeout for running a command
83	PCAP_CMD_TIMEOUT 10;
84
85	### If GPG keys are used instead of a Rijndael symmetric key, this is
86	### the default GPG keys directory. Note that each access block in
87	### /etc/fwknop/access.conf can specify its own GPG directory to override
88	### this default.
89	GPG_DEFAULT_HOME_DIR /root/.gnupg;
90
91	### This gets used if AUTH_MODE is set to "FILE_PCAP". This file must
92	### be created by a sniffer process (or something like the ulogd pcap
93	### writer).
94	PCAP_PKT_FILE /var/log/sniff.pcap;
95
96	### Defines interval fwknop will use to check for more iptables
97	### messages (this is only used in the legacy port knocking mode).
98	SLEEP_INTERVAL 2; ### seconds
99
100	### TTL values are decremented depending on the number of hops the packet
101	### has taken before it hits the firewall. We will assume packets will not
102	### jump through more than 20 hops on average.
103	MAX_HOPS 20;
104
105	### Note that fwknopd still only gets its data via pcap, so the filter
106	### defined by PCAP_FILTER needs to be updated to include this TCP port.
107	ENABLE_TCP_SERVER N;
108
109	### Set the default port number that the fwknop_serv "dummy" TCP server
110	### listens on. This server is only spawned when ENABLE_TCP_SERVER is set
111	### to "Y".
112	TCPSERV_PORT 62201;
113
114	### Set the type of syslog daemon that is used. The SYSLOG_DAEMON variable
115	### accepts three possible values: syslogd, syslog-ng, or metalog.
116	SYSLOG_DAEMON syslogd;
117
118	### syslog facility and priority (the defaults are usually ok)
119	### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
120	### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
121	### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
122	SYSLOG_IDENTITY fwknopd;
123	SYSLOG_FACILITY LOG_LOCAL7;
124	SYSLOG_PRIORITY LOG_INFO;
125
126	### Allow reporting methods to be enabled/restricted. This keyword can
127	### accept values of "nosyslog" (don't write any messages to syslog),
128	### "noemail" (don't send any email messages), or "ALL" (to generate both
129	### syslog and email messages). "ALL" is the default. Both "nosyslog"
130	### and "noemail" can be combined with a comma to disable all logging
131	### and alerting.
132	ALERTING_METHODS ALL;
133
134	### The following variables can be modified to look for logging messages
135	### that are specific to your firewall configuration (specified by the
136	### "--log-prefix" for iptables firewalls). For example, if your firewall
137	### uses the string "Audit" for packets that have been blocked, then you
138	### could set FW_MSG_SEARCH = "Audit";
139	FW_MSG_SEARCH DROP;
140
141	### For knopwatchd
142	KNOPWATCHD_CHECK_INTERVAL 5; ### seconds
143	KNOPWATCHD_MAX_RETRIES 10;
144
145	### Fwknop uses the IPTables::ChainMgr module to add allow rules to a
146	### custom iptables chain "FWKNOP_INPUT". This chain is called from
147	### the INPUT chain, and by default no other iptables chains are used.
148	### However, additional chains can be added (say, if access needs to
149	### be allowed through the local system via the FORWARD chain) by
150	### altering the "IPT_AUTO_CHAIN" keywords below. For a discussion of
151	### the format followed by these keywords, read on:
152	### Specify chain names to which iptables blocking rules will be
153	### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
154	### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
155	### to add an additional IPT_AUTO_CHAIN requirement. The format for this
156	### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
157	### <To_chain>,<Rule_position>.
158	### "Target": Can be any legitimate iptables target, but should usually
159	### just be "DROP".
160	### "Direction": Can be "src", "dst", or "both", which correspond to the
161	### INPUT, OUTPUT, and FORWARD chains.
162	### "Table": Can be any iptables table, but the default is "filter".
163	### "From_chain": Is the chain from which packets will be jumped.
164	### "Jump_rule_position": Defines the position within the From_chain where
165	### the jump rule is added.
166	### "To_chain": Is the chain to which packets will be jumped. This is the
167	### main chain where fwknop rules are added.
168	### "Rule_position": Defines the position where rule are added within the
169	### To_chain.
170	IPT_AUTO_CHAIN1 ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
171
172	### Directories
173	FWKNOP_DIR /var/log/fwknop;
174	FWKNOP_RUN_DIR /var/run/fwknop;
175	FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode
176	FWKNOP_MOD_DIR /usr/lib/fwknop;
177	FWKNOP_CONF_DIR /etc/fwknop;
178	FWKNOP_ERR_DIR $FWKNOP_DIR/errs;
179
180	### Files
181	FW_DATA_FILE $FWKNOP_DIR/fwdata; # legacy port knocking mode
182	ACCESS_CONF $FWKNOP_CONF_DIR/access.conf;
183	P0F_FILE $FWKNOP_CONF_DIR/pf.os; ### p0f-based fingerprints
184	MD5_FILE $FWKNOP_DIR/md5sums;
185	KNOPTM_TIMEOUT_FILE $FWKNOP_DIR/knoptm.cache; ### timeout cache
186	FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
187	FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd;
188	TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid;
189	KNOPWATCHD_PID_FILE $FWKNOP_RUN_DIR/knopwatchd.pid;
190	KNOPMD_PID_FILE $FWKNOP_RUN_DIR/knopmd.pid;
191	KNOPTM_PID_FILE $FWKNOP_RUN_DIR/knoptm.pid;
192	KNOPTM_IP_TIMEOUT_SOCK $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
193	KNOPMD_FIFO $FWKNOP_LIB_DIR/fwknopfifo;
194
195	### iptables command output and error collection files; these are
196	### used by IPTables::ChainMgr
197	IPT_OUTPUT_FILE $FWKNOP_DIR/fwknopd.iptout;
198	IPT_ERROR_FILE $FWKNOP_DIR/fwknopd.ipterr;
199	KNOPTM_IPT_OUTPUT_FILE $FWKNOP_DIR/knoptm.iptout;
200	KNOPTM_IPT_ERROR_FILE $FWKNOP_DIR/knoptm.ipterr;
201
202	### system binaries
203	mailCmd /bin/mail;
204	shCmd /bin/sh;
205	iptablesCmd /sbin/iptables;
206	ipfwCmd /sbin/ipfw; ### BSD and Mac OS X only
207	fwknopdCmd /usr/sbin/fwknopd;
208	fwknop_servCmd /usr/sbin/fwknop_serv;
209	knopmdCmd /usr/sbin/knopmd;
210	knoptmCmd /usr/sbin/knoptm;
211	knopwatchdCmd /usr/sbin/knopwatchd;

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format