root/fwknop/tags/fwknop-1.8.2-pre7/access.conf

Revision 686, 4.7 kB (checked in by mbr, 2 years ago)

minor Netfilter -> iptables wording update

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
#
##############################################################################
#
# File: access.conf
#
# Purpose: This file defines how fwknop will modify iptables access controls
#          for specific IPs/networks.  It gets installed by default at
#          /etc/fwknop/access.conf and is consulted by fwknop when run in
#          "access control mode", which is the default (i.e. when fwknop is
#          run from the command line without any command line arguments).
#          The corresponding file ~/.fwknoprc defines how fwknop will
#          send the port knocking sequence for source machines in
#          access.conf.  Multiple access controls can be specified for
#          the same source machine.
#
# Note:    The KEY and GPG_DECRYPT_PW values below are stored in this file
#          in clear text, so /etc/fwknop/access.conf should be readable
#          only by root.
#
# See the fwknop man page for a comprehensive treatment of the various
# access control variables.  See below for a few examples of access control
# configurations.
#
# Access examples:
#
# 1) Define parameters for accepting single-packet authorization messages
#    from any source IP address via libpcap.  Fwknop will reconfigure the
#    local iptables policy to allow access to SSHD (TCP port 22) for 30
#    seconds from the IP also specified in the packet.  This example probably
#    represents the best configuration for most needs:
#
#   SOURCE: ANY;
#   OPEN_PORTS: tcp/22;
#   DATA_COLLECT_MODE: PCAP;
#   KEY: myencryptkey;
#   FW_ACCESS_TIMEOUT: 30;
#
# 2) If you would like the fwknop client to specify which port is opened by
#    fwknopd through the firewall, then replace the OPEN_PORTS variable with
#    PERMIT_CLIENT_PORTS as follows:
#
#   SOURCE: ANY;
#   PERMIT_CLIENT_PORTS: Y;
#   DATA_COLLECT_MODE: PCAP;
#   KEY: myencryptkey;
#   FW_ACCESS_TIMEOUT: 30;
#
# 3) This example is identical to example 1) above, but now we add GPG keys
#    as an alternate encryption method.  The original symmetric key will
#    still be accepted, but only if an attempted GPG decrypt does not
#    succeed.  The GPG_REMOTE_ID is the key ID that the encrypted packet is
#    signed with by the fwknop client.  Note that using GPG keys requires
#    that the client key has been imported (and signed) into the
#    GPG_HOME_DIR key ring on the server side, and the server key has been
#    imported (and signed) into the GPG key ring on the client side. Because
#    the GPG password for the server key is put within the access.conf, the
#    server key should be specifically generated and used only for fwknop
#    server functions; it should not be a valuable GPG key that is used for
#    things like personal email encryption. See the fwknop man page for
#    examples of how to use the GPG encryption method from the fwknop
#    command line on the client side. To match any GPG key, set
#    GPG_REMOTE_ID to ANY; pinning the specific client key ID is the safer
#    choice wherever the client keys are known.
#
#   SOURCE: ANY;
#   OPEN_PORTS: tcp/22;
#   DATA_COLLECT_MODE: PCAP;
#   KEY: myencryptkey;
#   GPG_HOME_DIR: /root/.gnupg;
#   GPG_DECRYPT_ID: ABCD1234;
#   GPG_DECRYPT_PW: myGpgPassword;
#   GPG_REMOTE_ID: 1234ABCD;
#   FW_ACCESS_TIMEOUT: 30;
#
# 4) This example is identical to example 1) above, but now we allow a
#    remote fwknop client to send a command to the fwknopd server (which it
#    will execute as root).  Since the command runs as root, enable this
#    only for fully trusted clients, and prefer constraining the allowed
#    commands with CMD_REGEX as in example 5):
#
#   SOURCE: ANY;
#   OPEN_PORTS: tcp/22;
#   DATA_COLLECT_MODE: PCAP;
#   ENABLE_CMD_EXEC;
#   KEY: myencryptkey;
#   FW_ACCESS_TIMEOUT: 30;
#
# 5) This example is identical to example 4) above, but now we specify a
#    regular expression which any remote command must match before being
#    executed:
#
#   SOURCE: ANY;
#   OPEN_PORTS: tcp/22;
#   DATA_COLLECT_MODE: PCAP;
#   ENABLE_CMD_EXEC;
#   CMD_REGEX: /sbin/iptables.*ACCEPT;
#   KEY: myencryptkey;
#   FW_ACCESS_TIMEOUT: 30;
#
#    Note that the pattern above is unanchored, so it is satisfied by any
#    command that merely contains "/sbin/iptables" followed somewhere by
#    "ACCEPT".  Anchor the expression (^...$) and make it as specific as
#    the intended command allows.
#
# 6) This example is similar to example 1) above, but this time instruct
#    fwknopd to read packets from a file that is written to by a sniffer
#    process or by something like the ulogd pcap writer (use ULOG_PCAP for
#    this).  The specific file path is defined by the PCAP_FILE keyword in
#    /etc/fwknop/fwknop.conf.  We also require that the username on the
#    system that generates the authorization packet is "mbr":
#
#   SOURCE: ANY;
#   OPEN_PORTS: tcp/22;
#   DATA_COLLECT_MODE: FILE_PCAP;
#   KEY: myencryptkey;
#   FW_ACCESS_TIMEOUT: 30;
#   REQUIRE_USERNAME: mbr;
#
##############################################################################
#
# $Id$
#

### default Single Packet Authorization (SPA) via libpcap:
### SOURCE: ANY accepts SPA packets from any source IP; narrow this to the
### specific IPs/networks of your clients wherever they are known.
SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
### _CHANGEME_ is a placeholder; replace it with a strong, unique key
### before starting fwknopd.
KEY: _CHANGEME_;
### seconds the access rule stays in place after a valid SPA packet
### (see example 1 above)
FW_ACCESS_TIMEOUT: 30;
### if you want to use GnuPG keys (recommended) then define the following
### variables
### GPG_REMOTE_ID pins the client signing key; ANY matches any key (see
### example 3), so prefer the specific key ID.
#GPG_HOME_DIR: /root/.gnupg;
#GPG_DECRYPT_ID: ABCD1234;
#GPG_DECRYPT_PW: myGpgPassword;
#GPG_REMOTE_ID: 1234ABCD;
#GPG_AGENT_INFO: /tmp/gpg-n7jEPC/S.gpg-agent:18333:1;  ### only for gpg-agent