root/fwknop/tags/fwknop-1.8.3/fwknop.conf

#
#############################################################################
#
#         [+] fwknop - Firewall Knock Operator [+]
#
# This is the configuration file for fwknop, the Firewall Knock Operator.
# The primary authentication and authorization mechanism offered by fwknop
# is known as Single Packet Authorization (SPA).  More information about
# SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
#
# Note there are no access control directives in this file.  All access
# control directives are located in the file
# /etc/fwknop/access.conf.  You will need to edit the access.conf file in
# order for fwknop to function correctly.
#
#############################################################################
#
# $Id$
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    _CHANGEME_;

### Define the firewall type.  The default is "iptables" for Linux systems,
### but this can be set to "ipfw" for *BSD systems.
FIREWALL_TYPE               iptables;

### This defines the general strategy fwknop uses to authenticate remote
### clients.  Possible values are "PCAP" (authenticate via regular pcap; this
### is the default and puts the interface in promiscuous mode unless
### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
### writer).
AUTH_MODE                   PCAP;

### Define the ethernet interface on which we will sniff packets.  Note
### that this is only used if the AUTH_MODE keyword above is set to
### "PCAP"
PCAP_INTF                   eth0;

### Define whether put the pcap interface in promiscuous mode.
ENABLE_PCAP_PROMISC         Y;

### Define the filters used for PCAP and FILE_PCAP modes; we default
### to udp port 62201.  Note that either of these variables can be
### set to NONE in order to look at all packets.
PCAP_FILTER                 udp port 62201;

### This instructs fwknopd to not honor SPA packets that have an old time
### stamp.  The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
### time stamp at all.
ENABLE_SPA_PACKET_AGING     Y;

### Defines the maximum age (in seconds) that an SPA packet will be accepted.
### This requires that the client system is in relatively close time
### synchronization with the fwknopd server system (NTP is good).  The default
### age is two minutes.
MAX_SPA_PACKET_AGE          120;

### Track md5 sums associated with previous fwknop process.  This allows
### md5 sums to remain persistent across executions of fwknop.
ENABLE_MD5_PERSISTENCE      Y;

### This variable controls whether fwknopd includes the source IP of each SPA
### packet in the MD5 store. If a replayed SPA message is detected, then
### having this information can provide information about which networks have
### people sniffing your SPA packets.
ENABLE_MD5_INCLUDE_SRC      Y;

### Force all SPA packets to contain a real IP address within the encrypted
### data.  This makes it impossible to use the -s command line argument on
### the fwknop command line, so either -R has to be used to automatically
### resolve the external address (if the client behind a NAT) or the client
### must know the external IP.
REQUIRE_SOURCE_ADDRESS      N;

### Flush all existing rules in the fwknop chains at fwknop start time.
FLUSH_IPT_AT_INIT           Y;

### If running on ipfw firewalls, this variable defines the rule number
IPFW_RULE_NUM               1;

### Define the timeout for running a command
PCAP_CMD_TIMEOUT            10;

### If GPG keys are used instead of a Rijndael symmetric key, this is
### the default GPG keys directory.  Note that each access block in
### /etc/fwknop/access.conf can specify its own GPG directory to override
### this default.
GPG_DEFAULT_HOME_DIR        /root/.gnupg;

### This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
### be created by a sniffer process (or something like the ulogd pcap
### writer).
PCAP_PKT_FILE               /var/log/sniff.pcap;

### Defines interval fwknop will use to check for more iptables
### messages (this is only used in the legacy port knocking mode).
SLEEP_INTERVAL              2;  ### seconds

### TTL values are decremented depending on the number of hops the packet
### has taken before it hits the firewall.  We will assume packets will not
### jump through more than 20 hops on average.
MAX_HOPS                    20;

### Note that fwknopd still only gets its data via pcap, so the filter
### defined by PCAP_FILTER needs to be updated to include this TCP port.
ENABLE_TCP_SERVER           N;

### Set the default port number that the fwknop_serv "dummy" TCP server
### listens on. This server is only spawned when ENABLE_TCP_SERVER is set
### to "Y".
TCPSERV_PORT                62201;

### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON variable
### accepts three possible values: syslogd, syslog-ng, or metalog.
SYSLOG_DAEMON               syslogd;

### syslog facility and priority (the defaults are usually ok)
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
SYSLOG_IDENTITY             fwknopd;
SYSLOG_FACILITY             LOG_LOCAL7;
SYSLOG_PRIORITY             LOG_INFO;

### Allow reporting methods to be enabled/restricted.  This keyword can
### accept values of "nosyslog" (don't write any messages to syslog),
### "noemail" (don't send any email messages), or "ALL" (to generate both
### syslog and email messages).  "ALL" is the default.  Both "nosyslog"
### and "noemail" can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS            ALL;

### The following variables can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### "--log-prefix" for iptables firewalls).  For example, if your firewall
### uses the string "Audit" for packets that have been blocked, then you
### could set FW_MSG_SEARCH = "Audit";
FW_MSG_SEARCH               DROP;

### For knopwatchd
KNOPWATCHD_CHECK_INTERVAL   5;  ### seconds
KNOPWATCHD_MAX_RETRIES      10;

### Default minimum message size SPA messages encrypted with GnuPG. The
### fwknopd daemon will not attempt to decrypt any packet with gpg that is not
### at least as large as this value.
MIN_GNUPG_MSG_SIZE          400;

### Fwknop uses the IPTables::ChainMgr module to add allow rules to a
### custom iptables chain "FWKNOP_INPUT".  This chain is called from
### the INPUT chain, and by default no other iptables chains are used.
### However, additional chains can be added (say, if access needs to
### be allowed through the local system via the FORWARD chain) by
### altering the "IPT_AUTO_CHAIN" keywords below.  For a discussion of
### the format followed by these keywords, read on:
###     Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword.  There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
###              <To_chain>,<Rule_position>.
### "Target": Can be any legitimate iptables target, but should usually
###           just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
###              INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any iptables table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
###                       the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
###             main chain where fwknop rules are added.
### "Rule_position": Defines the position where rule are added within the
###                  To_chain.
IPT_AUTO_CHAIN1             ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;

### Directories
FWKNOP_DIR                  /var/log/fwknop;
FWKNOP_RUN_DIR              /var/run/fwknop;
FWKNOP_LIB_DIR              /var/lib/fwknop; # for legacy port knocking mode
FWKNOP_MOD_DIR              /usr/lib/fwknop;
FWKNOP_CONF_DIR             /etc/fwknop;
FWKNOP_ERR_DIR              $FWKNOP_DIR/errs;

### Files
FW_DATA_FILE                $FWKNOP_DIR/fwdata; # legacy port knocking mode
ACCESS_CONF                 $FWKNOP_CONF_DIR/access.conf;
P0F_FILE                    $FWKNOP_CONF_DIR/pf.os;   ### p0f-based fingerprints
MD5_FILE                    $FWKNOP_DIR/md5sums;
KNOPTM_TIMEOUT_FILE         $FWKNOP_DIR/knoptm.cache;  ### timeout cache
FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/fwknopd.pid;
FWKNOP_CMDLINE_FILE         $FWKNOP_RUN_DIR/fwknopd.cmd;
TCPSERV_PID_FILE            $FWKNOP_RUN_DIR/fwknop_serv.pid;
KNOPWATCHD_PID_FILE         $FWKNOP_RUN_DIR/knopwatchd.pid;
KNOPMD_PID_FILE             $FWKNOP_RUN_DIR/knopmd.pid;
KNOPTM_PID_FILE             $FWKNOP_RUN_DIR/knoptm.pid;
KNOPTM_IP_TIMEOUT_SOCK      $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
KNOPMD_FIFO                 $FWKNOP_LIB_DIR/fwknopfifo;

### iptables command output and error collection files; these are
### used by IPTables::ChainMgr
IPT_OUTPUT_FILE             $FWKNOP_DIR/fwknopd.iptout;
IPT_ERROR_FILE              $FWKNOP_DIR/fwknopd.ipterr;
KNOPTM_IPT_OUTPUT_FILE      $FWKNOP_DIR/knoptm.iptout;
KNOPTM_IPT_ERROR_FILE       $FWKNOP_DIR/knoptm.ipterr;

### system binaries
mailCmd          /bin/mail;
shCmd            /bin/sh;
mknodCmd         /bin/mknod;
iptablesCmd      /sbin/iptables;
ipfwCmd          /sbin/ipfw;  ### BSD and Mac OS X only
fwknopdCmd       /usr/sbin/fwknopd;
fwknop_servCmd   /usr/sbin/fwknop_serv;
knopmdCmd        /usr/sbin/knopmd;
knoptmCmd        /usr/sbin/knoptm;
knopwatchdCmd    /usr/sbin/knopwatchd;