root/fwknop/tags/fwknop-1.8.4-pre2/fwknop.conf

Revision 819, 11.0 kB (checked in by mbr, 1 year ago)

- Major update to start working on forwarding access through an iptables

policy in SPA mode.

- Updated SPA packet format for server_auth and forward_info elements; the

internal MD5 sum is now always the last field in an SPA packet. This makes
extensions of the SPA protocol much easier, and the generation of SPA
packets more elegant.

- Added FORWARD_ACCESS variable to the access.conf file, and added

ENABLE_IPT_FORWARDING to the fwknop.conf file.

- Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and

IPT_FORWARD_ACCESS in fwknop.conf.

- Added --Forward-access argument to the fwknop client.

1 #
2 #############################################################################
3 #
4 #         [+] fwknop - Firewall Knock Operator [+]
5 #
6 # This is the configuration file for fwknop, the Firewall Knock Operator.
7 # The primary authentication and authorization mechanism offered by fwknop
8 # is known as Single Packet Authorization (SPA).  More information about
9 # SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
10 #
11 # Note there are no access control directives in this file.  All access
12 # control directives are located in the file
13 # /etc/fwknop/access.conf.  You will need to edit the access.conf file in
14 # order for fwknop to function correctly.
15 #
16 #############################################################################
17 #
18 # $Id$
19 #
20
21 ### Supports multiple email addresses (as a comma separated
22 ### list).
23 EMAIL_ADDRESSES             root@localhost;
24
25 ### Machine hostname
26 HOSTNAME                    _CHANGEME_;
27
28 ### Define the firewall type.  The default is "iptables" for Linux systems,
29 ### but this can be set to "ipfw" for *BSD systems.
30 FIREWALL_TYPE               iptables;
31
32 ### This defines the general strategy fwknop uses to authenticate remote
33 ### clients.  Possible values are "PCAP" (authenticate via regular pcap; this
34 ### is the default and puts the interface in promiscuous mode unless
35 ### ENABLE_PCAP_PROMISC is turned off), FILE_PCAP (authenticate via a pcap file
36 ### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
37 ### writer).
38 AUTH_MODE                   PCAP;
39
40 ### Define the ethernet interface on which we will sniff packets.  Note
41 ### that this is only used if the AUTH_MODE keyword above is set to
42 ### "PCAP"
43 PCAP_INTF                   eth0;
44
45 ### Define whether to put the pcap interface in promiscuous mode.
46 ENABLE_PCAP_PROMISC         Y;
47
48 ### Define the filter used for PCAP and FILE_PCAP modes; the default is
49 ### udp port 62201.  Note that this variable can be set to NONE in order
50 ### to look at all packets.
51 PCAP_FILTER                 udp port 62201;
52
53 ### This instructs fwknopd to not honor SPA packets that have an old time
54 ### stamp.  The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
55 ### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
56 ### time stamp at all.
57 ENABLE_SPA_PACKET_AGING     Y;
58
59 ### Defines the maximum age (in seconds) at which an SPA packet will still be accepted.
60 ### This requires that the client system is in relatively close time
61 ### synchronization with the fwknopd server system (NTP is good).  The default
62 ### age is two minutes.
63 MAX_SPA_PACKET_AGE          120;
64
65 ### Track md5 sums associated with previous fwknop processes.  This allows
66 ### md5 sums to remain persistent across executions of fwknop, so that an SPA
66 ### packet already seen before a restart is still recognized as a replay.
67 ENABLE_MD5_PERSISTENCE      Y;
68
69 ### This variable controls whether fwknopd includes the source IP of each SPA
70 ### packet in the MD5 store.  If a replayed SPA message is detected, this
71 ### information can help identify which networks have people sniffing your
72 ### SPA packets.
73 ENABLE_MD5_INCLUDE_SRC      Y;
74
75 ### Allow SPA clients to request access to services through an iptables
76 ### firewall instead of just to it (i.e. access through the FORWARD chain
77 ### instead of the INPUT chain). This requires the FORWARD_ACCESS variable to
78 ### be set in the access.conf file.
79 ENABLE_IPT_FORWARDING       N;
80
81 ### Force all SPA packets to contain a real IP address within the encrypted
82 ### data.  This makes it impossible to use the -s command line argument on
83 ### the fwknop client command line, so either -R has to be used to
84 ### automatically resolve the external address (if the client is behind a NAT) or
85 ### the client must know the external IP.
86 REQUIRE_SOURCE_ADDRESS      N;
87
88 ### This pair of variables controls whether fwknopd voluntarily exits and over
89 ### what time interval. When fwknopd exits, knopwatchd will restart it.
90 ### Because fwknop controls the accessibility of services, this feature can be
91 ### used to make sure that the fwknop rules are flushed (see the
92 ### FLUSH_IPT_AT_INIT variable), and the effects of any potential logic (or
93 ### other) bugs are minimized since fwknopd will start "fresh" when knopwatchd
94 ### kicks it off. NOTE: This feature is almost never required since fwknopd is
95 ### generally quite stable, and is mostly offered for the extra paranoid.
96 ENABLE_VOLUNTARY_EXITS      N;
97 EXIT_INTERVAL               1440;  ### minutes
98
99 ### Flush all existing rules in the fwknop chains at fwknop start time.
100 FLUSH_IPT_AT_INIT           Y;
101
102 ### If running on ipfw firewalls, this variable defines the rule number that
103 ### fwknopd uses to insert an ipfw pass rule.
104 IPFW_RULE_NUM               1;
105
106 ### Define the timeout for running a command
107 PCAP_CMD_TIMEOUT            10;
108
109 ### If GPG keys are used instead of a Rijndael symmetric key, this is
110 ### the default GPG keys directory.  Note that each access block in
111 ### /etc/fwknop/access.conf can specify its own GPG directory to override
112 ### this default.
113 GPG_DEFAULT_HOME_DIR        /root/.gnupg;
114
115 ### This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
116 ### be created by a sniffer process (or something like the ulogd pcap
117 ### writer).
118 PCAP_PKT_FILE               /var/log/sniff.pcap;
119
120 ### Defines the interval (in seconds) that fwknop uses to check for more
121 ### iptables messages (this is only used in the legacy port knocking mode).
122 SLEEP_INTERVAL              2;  ### seconds
123
124 ### TTL values are decremented depending on the number of hops the packet
125 ### has taken before it hits the firewall.  We will assume packets will not
126 ### jump through more than 20 hops on average.
127 MAX_HOPS                    20;
128
129 ### Enable the fwknop_serv "dummy" TCP server (see TCPSERV_PORT below).
130 ### Note that fwknopd still only gets its data via pcap, so the filter
130 ### defined by PCAP_FILTER needs to be updated to include this TCP port.
131 ENABLE_TCP_SERVER           N;
132
133 ### Set the default port number that the fwknop_serv "dummy" TCP server
134 ### listens on. This server is only spawned when ENABLE_TCP_SERVER is set
135 ### to "Y".
136 TCPSERV_PORT                62201;
137
138 ### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON variable
139 ### accepts three possible values: syslogd, syslog-ng, or metalog.
140 SYSLOG_DAEMON               syslogd;
141
142 ### syslog facility and priority (the defaults are usually ok)
143 ### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
144 ### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
145 ### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
146 SYSLOG_IDENTITY             fwknopd;
147 SYSLOG_FACILITY             LOG_LOCAL7;
148 SYSLOG_PRIORITY             LOG_INFO;
149
150 ### syslog config for knoptm
151 KNOPTM_SYSLOG_IDENTITY      fwknop(knoptm);
152 KNOPTM_SYSLOG_FACILITY      LOG_LOCAL7;
153 KNOPTM_SYSLOG_PRIORITY      LOG_INFO;
154
155 ### Allow reporting methods to be enabled/restricted.  This keyword can
156 ### accept values of "nosyslog" (don't write any messages to syslog),
157 ### "noemail" (don't send any email messages), or "ALL" (to generate both
158 ### syslog and email messages).  "ALL" is the default.  Both "nosyslog"
159 ### and "noemail" can be combined with a comma to disable all logging
160 ### and alerting.
161 ALERTING_METHODS            ALL;
162
163 ### The following variables can be modified to look for logging messages
164 ### that are specific to your firewall configuration (specified by the
165 ### "--log-prefix" for iptables firewalls).  For example, if your firewall
166 ### uses the string "Audit" for packets that have been blocked, then you
167 ### could set FW_MSG_SEARCH = "Audit";
168 FW_MSG_SEARCH               DROP;
169
170 ### For knopwatchd
171 KNOPWATCHD_CHECK_INTERVAL   5;  ### seconds
172 KNOPWATCHD_MAX_RETRIES      10;
173
174 ### Default minimum message size for SPA messages encrypted with GnuPG.  The
175 ### fwknopd daemon will not attempt to decrypt any packet with gpg that is not
176 ### at least as large as this value.
177 MIN_GNUPG_MSG_SIZE          400;
178
179 ### fwknop uses the IPTables::ChainMgr module to add allow rules to a
180 ### custom iptables chain "FWKNOP_INPUT".  This chain is called from
181 ### the INPUT chain, and by default no other iptables chains are used.
182 ### However, additional chains can be added (say, if access needs to
183 ### be allowed through the local system via the FORWARD chain) by
184 ### altering the IPT_FORWARD_ACCESS variable below.  For a discussion of
185 ### the format followed by these keywords, read on:
186 ###     Specify chain names to which iptables access rules will be
187 ### added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keywords.
188 ### The format for these variables is:
189 ###     <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
190 ###              <To_chain>,<Rule_position>.
191 ### "Target": Can be any legitimate iptables target, but should usually
192 ###           just be "ACCEPT" (fwknop adds allow rules; see the defaults below).
193 ### "Direction": Can be "src", "dst", or "both", which correspond to the
194 ###              INPUT, OUTPUT, and FORWARD chains.
195 ### "Table": Can be any iptables table, but the default is "filter".
196 ### "From_chain": Is the chain from which packets will be jumped.
197 ### "Jump_rule_position": Defines the position within the From_chain where
198 ###                       the jump rule is added.
199 ### "To_chain": Is the chain to which packets will be jumped. This is the
200 ###             main chain where fwknop rules are added.
201 ### "Rule_position": Defines the position where rules are added within the
202 ###                  To_chain.
203 IPT_INPUT_ACCESS            ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
204 IPT_FORWARD_ACCESS          ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
205
206 ### Directories
207 FWKNOP_DIR                  /var/log/fwknop;
208 FWKNOP_RUN_DIR              /var/run/fwknop;
209 FWKNOP_LIB_DIR              /var/lib/fwknop; # for legacy port knocking mode
210 FWKNOP_MOD_DIR              /usr/lib/fwknop;
211 FWKNOP_CONF_DIR             /etc/fwknop;
212 FWKNOP_ERR_DIR              $FWKNOP_DIR/errs;
213
214 ### Files
215 FW_DATA_FILE                $FWKNOP_DIR/fwdata; # legacy port knocking mode
216 ACCESS_CONF                 $FWKNOP_CONF_DIR/access.conf;
217 P0F_FILE                    $FWKNOP_CONF_DIR/pf.os;   ### p0f-based fingerprints
218 MD5_FILE                    $FWKNOP_DIR/md5sums;
219 KNOPTM_TIMEOUT_FILE         $FWKNOP_DIR/knoptm.cache;  ### timeout cache
220 FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/fwknopd.pid;
221 FWKNOP_CMDLINE_FILE         $FWKNOP_RUN_DIR/fwknopd.cmd;
222 TCPSERV_PID_FILE            $FWKNOP_RUN_DIR/fwknop_serv.pid;
223 KNOPWATCHD_PID_FILE         $FWKNOP_RUN_DIR/knopwatchd.pid;
224 KNOPMD_PID_FILE             $FWKNOP_RUN_DIR/knopmd.pid;
225 KNOPTM_PID_FILE             $FWKNOP_RUN_DIR/knoptm.pid;
226 KNOPTM_IP_TIMEOUT_SOCK      $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
227 KNOPMD_FIFO                 $FWKNOP_LIB_DIR/fwknopfifo;
228
229 ### iptables command output and error collection files; these are
230 ### used by IPTables::ChainMgr
231 IPT_OUTPUT_FILE             $FWKNOP_DIR/fwknopd.iptout;
232 IPT_ERROR_FILE              $FWKNOP_DIR/fwknopd.ipterr;
233 KNOPTM_IPT_OUTPUT_FILE      $FWKNOP_DIR/knoptm.iptout;
234 KNOPTM_IPT_ERROR_FILE       $FWKNOP_DIR/knoptm.ipterr;
235
236 ### system binaries
237 mailCmd          /bin/mail;
238 shCmd            /bin/sh;
239 mknodCmd         /bin/mknod;
240 iptablesCmd      /sbin/iptables;
241 ipfwCmd          /sbin/ipfw;  ### BSD and Mac OS X only
242 fwknopdCmd       /usr/sbin/fwknopd;
243 fwknop_servCmd   /usr/sbin/fwknop_serv;
244 knopmdCmd        /usr/sbin/knopmd;
245 knoptmCmd        /usr/sbin/knoptm;
246 knopwatchdCmd    /usr/sbin/knopwatchd;