root/fwknop/tags/fwknop-1.8.2-pre5/fwknop.conf

Revision 686, 9.0 kB (checked in by mbr, 2 years ago)

minor Netfilter -> iptables wording update

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
Line 
1 #
2 #############################################################################
3 #
4 #         [+] fwknop - Firewall Knock Operator [+]
5 #
6 # This is the configuration file for fwknop, the Firewall Knock Operator.
7 # The primary authentication and authorization mechanism offered by fwknop
8 # is known as Single Packet Authorization (SPA).  More information about
9 # SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
10 #
11 # Note there are no access control directives in this file.  All access
12 # control directives are located in the file
13 # /etc/fwknop/access.conf.  You will need to edit the access.conf file in
14 # order for fwknop to function correctly.
15 #
16 #############################################################################
17 #
18 # $Id$
19 #
20
21 ### Supports multiple email addresses (as a comma separated
22 ### list).
23 EMAIL_ADDRESSES             root@localhost;
24
25 ### Machine hostname
26 HOSTNAME                    _CHANGEME_;
27
28 ### Define the firewall type.  The default is "iptables" for Linux systems,
29 ### but this can be set to "ipfw" for *BSD systems.
30 FIREWALL_TYPE               iptables;
31
32 ### This defines the general strategy fwknop uses to authenticate remote
33 ### clients.  Possible values are "PCAP" (authenticate via regular pcap; this
34 ### is the default and puts the interface in promiscuous mode unless
35 ### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
36 ### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
37 ### writer).
38 AUTH_MODE                   PCAP;
39
40 ### Define the ethernet interface on which we will sniff packets.  Note
41 ### that this is only used if the AUTH_MODE keyword above is set to
42 ### "PCAP"
43 PCAP_INTF                   eth0;
44
45 ### Define whether put the pcap interface in promiscuous mode.
46 ENABLE_PCAP_PROMISC         Y;
47
48 ### Define the filters used for PCAP and FILE_PCAP modes; we default
49 ### to udp port 62201.  Note that either of these variables can be
50 ### set to NONE in order to look at all packets.
51 PCAP_FILTER                 udp port 62201;
52
53 ### This instructs fwknopd to not honor SPA packets that have an old time
54 ### stamp.  The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
55 ### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
56 ### time stamp at all.
57 ENABLE_SPA_PACKET_AGING     Y;
58
59 ### Defines the maximum age (in seconds) that an SPA packet will be accepted.
60 ### This requires that the client system is in relatively close time
61 ### synchronization with the fwknopd server system (NTP is good).  The default
62 ### age is two minutes.
63 MAX_SPA_PACKET_AGE          120;
64
65 ### Track md5 sums associated with previous fwknop process.  This allows
66 ### md5 sums to remain persistent across executions of fwknop.
67 ENABLE_MD5_PERSISTENCE      Y;
68
69 ### Force all SPA packets to contain a real IP address within the encrypted
70 ### data.  This makes it impossible to use the -s command line argument on
71 ### the fwknop command line, so either -R has to be used to automatically
72 ### resolve the external address (if the client behind a NAT) or the client
73 ### must know the external IP.
74 REQUIRE_SOURCE_ADDRESS      N;
75
76 ### Flush all existing rules in the fwknop chains at fwknop start time.
77 FLUSH_IPT_AT_INIT           Y;
78
79 ### If running on ipfw firewalls, this variable defines the rule number
80 IPFW_RULE_NUM               1;
81
82 ### Define the timeout for running a command
83 PCAP_CMD_TIMEOUT            10;
84
85 ### If GPG keys are used instead of a Rijndael symmetric key, this is
86 ### the default GPG keys directory.  Note that each access block in
87 ### /etc/fwknop/access.conf can specify its own GPG directory to override
88 ### this default.
89 GPG_DEFAULT_HOME_DIR        /root/.gnupg;
90
91 ### This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
92 ### be created by a sniffer process (or something like the ulogd pcap
93 ### writer).
94 PCAP_PKT_FILE               /var/log/sniff.pcap;
95
96 ### Defines interval fwknop will use to check for more iptables
97 ### messages (this is only used in the legacy port knocking mode).
98 SLEEP_INTERVAL              2;  ### seconds
99
100 ### TTL values are decremented depending on the number of hops the packet
101 ### has taken before it hits the firewall.  We will assume packets will not
102 ### jump through more than 20 hops on average.
103 MAX_HOPS                    20;
104
105 ### Note that fwknopd still only gets its data via pcap, so the filter
106 ### defined by PCAP_FILTER needs to be updated to include this TCP port.
107 ENABLE_TCP_SERVER           N;
108
109 ### Set the default port number that the fwknop_serv "dummy" TCP server
110 ### listens on. This server is only spawned when ENABLE_TCP_SERVER is set
111 ### to "Y".
112 TCPSERV_PORT                62201;
113
114 ### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON variable
115 ### accepts three possible values: syslogd, syslog-ng, or metalog.
116 SYSLOG_DAEMON               syslogd;
117
118 ### Allow reporting methods to be enabled/restricted.  This keyword can
119 ### accept values of "nosyslog" (don't write any messages to syslog),
120 ### "noemail" (don't send any email messages), or "ALL" (to generate both
121 ### syslog and email messages).  "ALL" is the default.  Both "nosyslog"
122 ### and "noemail" can be combined with a comma to disable all logging
123 ### and alerting.
124 ALERTING_METHODS            ALL;
125
126 ### The following variables can be modified to look for logging messages
127 ### that are specific to your firewall configuration (specified by the
128 ### "--log-prefix" for iptables firewalls).  For example, if your firewall
129 ### uses the string "Audit" for packets that have been blocked, then you
130 ### could set FW_MSG_SEARCH = "Audit";
131 FW_MSG_SEARCH               DROP;
132
133 ### For knopwatchd
134 KNOPWATCHD_CHECK_INTERVAL   5;  ### seconds
135 KNOPWATCHD_MAX_RETRIES      10;
136
137 ### Fwknop uses the IPTables::ChainMgr module to add allow rules to a
138 ### custom iptables chain "FWKNOP_INPUT".  This chain is called from
139 ### the INPUT chain, and by default no other iptables chains are used.
140 ### However, additional chains can be added (say, if access needs to
141 ### be allowed through the local system via the FORWARD chain) by
142 ### altering the "IPT_AUTO_CHAIN" keywords below.  For a discussion of
143 ### the format followed by these keywords, read on:
144 ###     Specify chain names to which iptables blocking rules will be
145 ### added with the IPT_AUTO_CHAIN{n} keyword.  There is no limit on the
146 ### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
147 ### to add an additional IPT_AUTO_CHAIN requirement. The format for this
148 ### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
149 ###              <To_chain>,<Rule_position>.
150 ### "Target": Can be any legitimate iptables target, but should usually
151 ###           just be "DROP".
152 ### "Direction": Can be "src", "dst", or "both", which correspond to the
153 ###              INPUT, OUTPUT, and FORWARD chains.
154 ### "Table": Can be any iptables table, but the default is "filter".
155 ### "From_chain": Is the chain from which packets will be jumped.
156 ### "Jump_rule_position": Defines the position within the From_chain where
157 ###                       the jump rule is added.
158 ### "To_chain": Is the chain to which packets will be jumped. This is the
159 ###             main chain where fwknop rules are added.
160 ### "Rule_position": Defines the position where rule are added within the
161 ###                  To_chain.
162 IPT_AUTO_CHAIN1             ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
163
164 ### Directories
165 FWKNOP_DIR                  /var/log/fwknop;
166 FWKNOP_RUN_DIR              /var/run/fwknop;
167 FWKNOP_LIB_DIR              /var/lib/fwknop; # for legacy port knocking mode
168 FWKNOP_MOD_DIR              /usr/lib/fwknop;
169 FWKNOP_CONF_DIR             /etc/fwknop;
170 FWKNOP_ERR_DIR              $FWKNOP_DIR/errs;
171
172 ### Files
173 FW_DATA_FILE                $FWKNOP_DIR/fwdata; # legacy port knocking mode
174 ACCESS_CONF                 $FWKNOP_CONF_DIR/access.conf;
175 P0F_FILE                    $FWKNOP_CONF_DIR/pf.os;   ### p0f-based fingerprints
176 MD5_FILE                    $FWKNOP_DIR/md5sums;
177 KNOPTM_TIMEOUT_FILE         $FWKNOP_DIR/knoptm.cache;  ### timeout cache
178 FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/fwknopd.pid;
179 FWKNOP_CMDLINE_FILE         $FWKNOP_RUN_DIR/fwknopd.cmd;
180 TCPSERV_PID_FILE            $FWKNOP_RUN_DIR/fwknop_serv.pid;
181 KNOPWATCHD_PID_FILE         $FWKNOP_RUN_DIR/knopwatchd.pid;
182 KNOPMD_PID_FILE             $FWKNOP_RUN_DIR/knopmd.pid;
183 KNOPTM_PID_FILE             $FWKNOP_RUN_DIR/knoptm.pid;
184 KNOPTM_IP_TIMEOUT_SOCK      $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
185 KNOPMD_FIFO                 $FWKNOP_LIB_DIR/fwknopfifo;
186
187 ### iptables command output and error collection files; these are
188 ### used by IPTables::ChainMgr
189 IPT_OUTPUT_FILE             $FWKNOP_DIR/fwknopd.iptout;
190 IPT_ERROR_FILE              $FWKNOP_DIR/fwknopd.ipterr;
191 KNOPTM_IPT_OUTPUT_FILE      $FWKNOP_DIR/knoptm.iptout;
192 KNOPTM_IPT_ERROR_FILE       $FWKNOP_DIR/knoptm.ipterr;
193
194 ### system binaries
195 mailCmd          /bin/mail;
196 shCmd            /bin/sh;
197 iptablesCmd      /sbin/iptables;
198 ipfwCmd          /sbin/ipfw;  ### BSD only
199 fwknopdCmd       /usr/sbin/fwknopd;
200 fwknop_servCmd   /usr/sbin/fwknop_serv;
201 knopmdCmd        /usr/sbin/knopmd;
202 knoptmCmd        /usr/sbin/knoptm;
203 knopwatchdCmd    /usr/sbin/knopwatchd;
Note: See TracBrowser for help on using the browser.