fwknop.conf

Revision 1027, 12.1 kB (checked in by mbr, 8 months ago)
- Added more granular source IP and allowed IP tests so that access to particular internal IP addresses can be excluded in --Forward-access mode. A new keyword "INTERNAL_NET_ACCESS" is now parsed from the access.conf file in order to implemented these restrictions. - (SPAPICT Group) Added BLACKLIST functionality to allow source IP addresses to easily be excluded from the authentication process.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`

Line
1	#
2	#############################################################################
3	#
4	# [+] fwknop - Firewall Knock Operator [+]
5	#
6	# This is the configuration file for fwknop, the Firewall Knock Operator.
7	# The primary authentication and authorization mechanism offered by fwknop
8	# is known as Single Packet Authorization (SPA). More information about
9	# SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
10	#
11	# Note there are no access control directives in this file. All access
12	# control directives are located in the file
13	# /etc/fwknop/access.conf. You will need to edit the access.conf file in
14	# order for fwknop to function correctly.
15	#
16	#############################################################################
17	#
18	# $Id$
19	#
20
21	### Supports multiple email addresses (as a comma separated
22	### list).
23	EMAIL_ADDRESSES root@localhost;
24
25	### Machine hostname
26	HOSTNAME _CHANGEME_;
27
28	### Define the firewall type. The default is "iptables" for Linux systems,
29	### but this can be set to "ipfw" for *BSD systems.
30	FIREWALL_TYPE iptables;
31
32	### This defines the general strategy fwknop uses to authenticate remote
33	### clients. Possible values are "PCAP" (authenticate via regular pcap; this
34	### is the default and puts the interface in promiscuous mode unless
35	### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
36	### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
37	### writer).
38	AUTH_MODE PCAP;
39
40	### Define the ethernet interface on which we will sniff packets. Note
41	### that this is only used if the AUTH_MODE keyword above is set to
42	### "PCAP"
43	PCAP_INTF eth0;
44
45	### Define whether put the pcap interface in promiscuous mode.
46	ENABLE_PCAP_PROMISC Y;
47
48	### Define the filters used for PCAP and FILE_PCAP modes; we default
49	### to udp port 62201. Note that either of these variables can be
50	### set to NONE in order to look at all packets.
51	PCAP_FILTER udp port 62201;
52
53	### This instructs fwknopd to not honor SPA packets that have an old time
54	### stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
55	### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
56	### time stamp at all.
57	ENABLE_SPA_PACKET_AGING Y;
58
59	### Defines the maximum age (in seconds) that an SPA packet will be accepted.
60	### This requires that the client system is in relatively close time
61	### synchronization with the fwknopd server system (NTP is good). The default
62	### age is two minutes.
63	MAX_SPA_PACKET_AGE 120;
64
65	### Track digest sums associated with previous fwknop process. This allows
66	### digest sums to remain persistent across executions of fwknop.
67	ENABLE_DIGEST_PERSISTENCE Y;
68
69	### Default to using all three of SHA256, SHA1, and MD5 for SPA replay attack
70	### detection. This overkill, but performance is not usually a concern.
71	### Further, the variable can also be set to "SHA1" or "MD5".
72	DIGEST_TYPE ALL;
73
74	### This variable controls whether fwknopd includes the source IP of each SPA
75	### packet in the DIGEST store. If a replayed SPA message is detected, then
76	### having this information can provide information about which networks have
77	### people sniffing your SPA packets.
78	ENABLE_DIGEST_INCLUDE_SRC Y;
79
80	### Allow SPA clients to request access to services through an iptables
81	### firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
82	### chain instead of the INPUT chain). This requires the ENABLE_FORWARD_ACCESS
83	### variable to be set in the access.conf file.
84	ENABLE_IPT_FORWARDING N;
85
86	### Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
87	### if there are no state tracking rules to allow connection responses out and
88	### the OUTPUT chain has a default-drop stance.
89	ENABLE_IPT_OUTPUT N;
90
91	### Force all SPA packets to contain a real IP address within the encrypted
92	### data. This makes it impossible to use the -s command line argument on
93	### the fwknop client command line, so either -R has to be used to
94	### automatically resolve the external address (if the client behind a NAT) or
95	### the client must know the external IP.
96	REQUIRE_SOURCE_ADDRESS N;
97
98	### This pair of variables controls whether fwknopd voluntarily exits and over
99	### what time interval. When fwknopd exits, knopwatchd will restart it.
100	### Because fwknop controls the accessibility of services, this feature can be
101	### used to make sure that the fwknop rules are flushed (see the
102	### FLUSH_IPT_AT_INIT variable), and the effects of any potential logic (or
103	### other) bugs are minimized since fwknopd will start "fresh" when knopwatchd
104	### kicks it off. NOTE: This feature is almost never required since fwknopd is
105	### generally quite stable, and is mostly offered for the the extra paranoid.
106	ENABLE_VOLUNTARY_EXITS N;
107	EXIT_INTERVAL 1440; ### minutes (1 day)
108
109	### Flush all existing rules in the fwknop chains at fwknop start time.
110	FLUSH_IPT_AT_INIT Y;
111
112	### If running on ipfw firewalls, this variable defines the rule number that
113	### fwknopd uses to insert an ipfw pass rule.
114	IPFW_RULE_NUM 1;
115
116	### Define the timeout for running a command
117	PCAP_CMD_TIMEOUT 10;
118
119	### If GPG keys are used instead of a Rijndael symmetric key, this is
120	### the default GPG keys directory. Note that each access block in
121	### /etc/fwknop/access.conf can specify its own GPG directory to override
122	### this default.
123	GPG_DEFAULT_HOME_DIR /root/.gnupg;
124
125	### This gets used if AUTH_MODE is set to "FILE_PCAP". This file must
126	### be created by a sniffer process (or something like the ulogd pcap
127	### writer).
128	PCAP_PKT_FILE /var/log/sniff.pcap;
129
130	### Define a comma-separated set of IP addresses and/or networks that should
131	### be globally blacklisted. That is, any SPA packet that is from a source
132	### IP (or has an internal --allow-ip) within a blacklisted network will be
133	### ignored.
134	BLACKLIST NONE;
135
136	### Defines interval fwknop will use to check for more iptables
137	### messages (this is only used in the legacy port knocking mode).
138	SLEEP_INTERVAL 2; ### seconds
139
140	### TTL values are decremented depending on the number of hops the packet
141	### has taken before it hits the firewall. We will assume packets will not
142	### jump through more than 20 hops on average.
143	MAX_HOPS 20;
144
145	### Note that fwknopd still only gets its data via pcap, so the filter
146	### defined by PCAP_FILTER needs to be updated to include this TCP port.
147	ENABLE_TCP_SERVER N;
148
149	### Set the default port number that the fwknop_serv "dummy" TCP server
150	### listens on. This server is only spawned when ENABLE_TCP_SERVER is set
151	### to "Y".
152	TCPSERV_PORT 62201;
153
154	### Set the type of syslog daemon that is used. The SYSLOG_DAEMON variable
155	### accepts three possible values: syslogd, syslog-ng, or metalog.
156	SYSLOG_DAEMON syslogd;
157
158	### syslog facility and priority (the defaults are usually ok)
159	### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
160	### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
161	### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
162	SYSLOG_IDENTITY fwknopd;
163	SYSLOG_FACILITY LOG_LOCAL7;
164	SYSLOG_PRIORITY LOG_INFO;
165
166	### syslog config for knoptm
167	KNOPTM_SYSLOG_IDENTITY fwknop(knoptm);
168	KNOPTM_SYSLOG_FACILITY LOG_LOCAL7;
169	KNOPTM_SYSLOG_PRIORITY LOG_INFO;
170
171	### Allow reporting methods to be enabled/restricted. This keyword can
172	### accept values of "nosyslog" (don't write any messages to syslog),
173	### "noemail" (don't send any email messages), or "ALL" (to generate both
174	### syslog and email messages). "ALL" is the default. Both "nosyslog"
175	### and "noemail" can be combined with a comma to disable all logging
176	### and alerting.
177	ALERTING_METHODS ALL;
178
179	### The following variables can be modified to look for logging messages
180	### that are specific to your firewall configuration (specified by the
181	### "--log-prefix" for iptables firewalls). For example, if your firewall
182	### uses the string "Audit" for packets that have been blocked, then you
183	### could set FW_MSG_SEARCH = "Audit";
184	FW_MSG_SEARCH DROP;
185
186	### For knopwatchd
187	KNOPWATCHD_CHECK_INTERVAL 5; ### seconds
188	KNOPWATCHD_MAX_RETRIES 10;
189
190	### Default minimum message size SPA messages encrypted with GnuPG. The
191	### fwknopd daemon will not attempt to decrypt any packet with gpg that is not
192	### at least as large as this value.
193	MIN_GNUPG_MSG_SIZE 400;
194
195	### fwknop uses the IPTables::ChainMgr module to add allow rules to a
196	### custom iptables chain "FWKNOP_INPUT". This chain is called from
197	### the INPUT chain, and by default no other iptables chains are used.
198	### However, additional chains can be added (say, if access needs to
199	### be allowed through the local system via the FORWARD chain) by
200	### altering the IPT_FORWARD_ACCESS variable below. For a discussion of
201	### the format followed by these keywords, read on:
202	### Specify chain names to which iptables blocking rules will be
203	### added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
204	### The format for these variables is:
205	### <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
206	### <To_chain>,<Rule_position>.
207	### "Target": Can be any legitimate iptables target, but should usually
208	### just be "DROP".
209	### "Direction": Can be "src", "dst", or "both", which correspond to the
210	### INPUT, OUTPUT, and FORWARD chains.
211	### "Table": Can be any iptables table, but the default is "filter".
212	### "From_chain": Is the chain from which packets will be jumped.
213	### "Jump_rule_position": Defines the position within the From_chain where
214	### the jump rule is added.
215	### "To_chain": Is the chain to which packets will be jumped. This is the
216	### main chain where fwknop rules are added.
217	### "Rule_position": Defines the position where rule are added within the
218	### To_chain.
219	IPT_INPUT_ACCESS ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
220	### The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
221	IPT_OUTPUT_ACCESS ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
222	### The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is enabled
223	IPT_FORWARD_ACCESS ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
224	IPT_DNAT_ACCESS DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
225
226	### Directories
227	FWKNOP_DIR /var/log/fwknop;
228	FWKNOP_RUN_DIR /var/run/fwknop;
229	FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode
230	FWKNOP_MOD_DIR /usr/lib/fwknop;
231	FWKNOP_CONF_DIR /etc/fwknop;
232	FWKNOP_ERR_DIR $FWKNOP_DIR/errs;
233
234	### Files
235	FW_DATA_FILE $FWKNOP_DIR/fwdata; # legacy port knocking mode
236	ACCESS_CONF $FWKNOP_CONF_DIR/access.conf;
237	P0F_FILE $FWKNOP_CONF_DIR/pf.os; ### p0f-based fingerprints
238	DIGEST_FILE $FWKNOP_DIR/digest.cache;
239	FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
240	FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd;
241	TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid;
242	KNOPWATCHD_PID_FILE $FWKNOP_RUN_DIR/knopwatchd.pid;
243	KNOPMD_PID_FILE $FWKNOP_RUN_DIR/knopmd.pid;
244	KNOPTM_PID_FILE $FWKNOP_RUN_DIR/knoptm.pid;
245	KNOPTM_IP_TIMEOUT_SOCK $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
246	KNOPMD_FIFO $FWKNOP_LIB_DIR/fwknopfifo;
247
248	### iptables command output and error collection files; these are
249	### used by IPTables::ChainMgr
250	IPT_OUTPUT_FILE $FWKNOP_DIR/fwknopd.iptout;
251	IPT_ERROR_FILE $FWKNOP_DIR/fwknopd.ipterr;
252	KNOPTM_IPT_OUTPUT_FILE $FWKNOP_DIR/knoptm.iptout;
253	KNOPTM_IPT_ERROR_FILE $FWKNOP_DIR/knoptm.ipterr;
254
255	### system binaries
256	mailCmd /bin/mail;
257	shCmd /bin/sh;
258	mknodCmd /bin/mknod;
259	iptablesCmd /sbin/iptables;
260	ipfwCmd /sbin/ipfw; ### BSD and Mac OS X only
261	fwknopdCmd /usr/sbin/fwknopd;
262	fwknop_servCmd /usr/sbin/fwknop_serv;
263	knopmdCmd /usr/sbin/knopmd;
264	knoptmCmd /usr/sbin/knoptm;
265	knopwatchdCmd /usr/sbin/knopwatchd;

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format