root/fwknop/tags/fwknop-1.8.4-pre1/access.conf

1 #
2 ##############################################################################
3 #
4 # File: access.conf
5 #
6 # Purpose: This file defines how fwknop will modify iptables access controls
7 #          for specific IPs/networks.  It gets installed by default at
8 #          /etc/fwknop/access.conf and is consulted by fwknop when run in
9 #          "access control mode", which is the default (i.e. when fwknop is
10 #          run from the command line without any command line arguments).
11 #          The corresponding file ~/.fwknoprc defines how fwknop will
12 #          send the port knocking sequence for source machines in
13 #          access.conf.  Multiple access controls can be specified for
14 #          the same source machine.
15 #
16 # See the fwknop man page for a comprehensive treatment of the various
17 # access control variables.  See below for a few examples of access control
18 # configurations.
19 #
20 # Access examples:
21 #
22 # 1) Define parameters for accepting single-packet authorization messages
23 #    from any source IP address via libpcap.  Fwknop will reconfigure the
24 #    local iptables policy to allow access to SSHD (TCP port 22) for 30
25 #    seconds from the IP also specified in the packet.  This example probably
26 #    represents the best configuration for most needs:
27 #
28 #   SOURCE: ANY;
29 #   OPEN_PORTS: tcp/22;
30 #   DATA_COLLECT_MODE: PCAP;
31 #   KEY: myencryptkey;
32 #   FW_ACCESS_TIMEOUT: 30;
33 #
34 # 2) If you would like the fwknop client to specify which port is opened by
35 #    fwknopd through the firewall, then replace the OPEN_PORTS variable with
36 #    PERMIT_CLIENT_PORTS as follows:
37 #
38 #   SOURCE: ANY;
39 #   PERMIT_CLIENT_PORTS: Y;
40 #   DATA_COLLECT_MODE: PCAP;
41 #   KEY: myencryptkey;
42 #   FW_ACCESS_TIMEOUT: 30;
43 #
# 3) This example is identical to example 1) above, but now we add GPG keys
#    as an alternate encryption method.  The original symmetric KEY will
#    still be accepted, but only if an attempted GPG decrypt does not
#    succeed; because that fallback remains valid, the stanza is only as
#    strong as the weaker of the two secrets, so the symmetric key must be
#    protected as carefully as the GPG key.  The GPG_REMOTE_ID is the key ID
#    that the encrypted packet is signed with by the fwknop client.  Note
#    that using GPG keys requires that the client key has been imported (and
#    signed) into the GPG_HOME_DIR key ring on the server side, and the
#    server key has been imported (and signed) into the GPG key ring on the
#    client side.  Because the GPG passphrase for the server key is stored
#    in cleartext within access.conf, the server key should be specifically
#    generated and used only for fwknop server functions; it should not be a
#    valuable GPG key that is used for things like personal email encryption.
#    See the fwknop man page for examples of how to use the GPG encryption
#    method from the fwknop command line on the client side.  To match any
#    GPG key, set GPG_REMOTE_ID to ANY (this removes the restriction on which
#    key must have signed the packet, so use it only if you trust every key
#    imported into GPG_HOME_DIR).  The GPG_AGENT_INFO variable is included
#    for reference if fwknopd is run in gpg-agent mode.
60 #
61 #   SOURCE: ANY;
62 #   OPEN_PORTS: tcp/22;
63 #   DATA_COLLECT_MODE: PCAP;
64 #   KEY: myencryptkey;
65 #   GPG_HOME_DIR: /root/.gnupg;
66 #   GPG_DECRYPT_ID: ABCD1234;
67 #   GPG_DECRYPT_PW: myGpgPassword;
68 #   GPG_REMOTE_ID: 1234ABCD;
69 #   GPG_AGENT_INFO: /tmp/gpg-n7jEPC/S.gpg-agent:18333:1;  ### only for gpg-agent
70 #   FW_ACCESS_TIMEOUT: 30;
71 #
# 4) This example is identical to example 1) above, but now we allow a
#    remote fwknop client to send a command to the fwknopd server (which it
#    will execute as root).  With no CMD_REGEX present, any command carried
#    in a validly encrypted packet is executed, so this stanza effectively
#    hands a root shell to anyone who holds KEY.  Enable it only when it is
#    really needed, restrict SOURCE to the specific hosts that should send
#    commands rather than ANY, and prefer example 5) so the command is
#    constrained:
75 #
76 #   SOURCE: ANY;
77 #   OPEN_PORTS: tcp/22;
78 #   DATA_COLLECT_MODE: PCAP;
79 #   ENABLE_CMD_EXEC;
80 #   KEY: myencryptkey;
81 #   FW_ACCESS_TIMEOUT: 30;
82 #
# 5) This example is identical to example 4) above, but now we specify a
#    regular expression which any remote command must match before being
#    executed.  Since the command still runs as root, this pattern is the
#    only control over what gets run.  As written it is unanchored, so
#    (assuming an ordinary regex match) any command that merely contains
#    "/sbin/iptables ... ACCEPT" somewhere in it would match; anchor the
#    pattern (^ ... $) and make it as specific as your use case allows:
86 #
87 #   SOURCE: ANY;
88 #   OPEN_PORTS: tcp/22;
89 #   DATA_COLLECT_MODE: PCAP;
90 #   ENABLE_CMD_EXEC;
91 #   CMD_REGEX: /sbin/iptables.*ACCEPT;
92 #   KEY: myencryptkey;
93 #   FW_ACCESS_TIMEOUT: 30;
94 #
# 6) This example is similar to example 1) above, but this time instruct
#    fwknopd to read packets from a file that is written to by a sniffer
#    process or by something like the ulogd pcap writer (use ULOG_PCAP for
#    this).  The specific file path is defined by the PCAP_FILE keyword in
#    /etc/fwknop/fwknop.conf.  We also require that the username on the
#    system that generates the authorization packet is "mbr".  Note that
#    this username is the one the client reports inside the SPA packet, so
#    it is an additional policy constraint layered on top of the encryption
#    key rather than an independent form of authentication:
101 #
102 #   SOURCE: ANY;
103 #   OPEN_PORTS: tcp/22;
104 #   DATA_COLLECT_MODE: FILE_PCAP;
105 #   KEY: myencryptkey;
106 #   FW_ACCESS_TIMEOUT: 30;
107 #   REQUIRE_USERNAME: mbr;
108 #
109 ##############################################################################
110 #
111 # $Id$
112 #
113
### Default Single Packet Authorization (SPA) stanza.  Packets are collected
### via libpcap from any source address, and a valid SPA packet opens the
### listed port(s) for FW_ACCESS_TIMEOUT seconds to the IP carried in the
### packet (see example 1 in the header; DATA_COLLECT_MODE is omitted here,
### presumably because PCAP is the default -- confirm against fwknop.conf).
### This file holds the shared secret (and, if enabled, the GPG passphrase)
### in cleartext, so it must be owned by root and not readable by others.
SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
### Symmetric key used to decrypt SPA packets.  fwknopd must not be run with
### the placeholder value; use a long, random value and configure the same
### key on the client side (the header points at ~/.fwknoprc for this).
KEY: __CHANGEME__;
FW_ACCESS_TIMEOUT: 30;   ### seconds the firewall rule stays open
### if you want to use GnuPG keys (recommended) then define the following
### variables.  Note that KEY above still remains a valid fallback when the
### GPG decrypt fails (see example 3 in the header), and GPG_DECRYPT_PW is
### stored here in cleartext, so use a key generated solely for fwknopd.
#GPG_HOME_DIR: /root/.gnupg;
#GPG_DECRYPT_ID: ABCD1234;
#GPG_DECRYPT_PW: myGpgPassword;
#GPG_REMOTE_ID: 1234ABCD;