root/fwknop/tags/fwknop-1.9.3/fwknop.conf

#
#############################################################################
#
#         [+] fwknop - Firewall Knock Operator [+]
#
# This is the configuration file for fwknop, the Firewall Knock Operator.
# The primary authentication and authorization mechanism offered by fwknop
# is known as Single Packet Authorization (SPA).  More information about
# SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
#
# Note there are no access control directives in this file.  All access
# control directives are located in the file
# /etc/fwknop/access.conf.  You will need to edit the access.conf file in
# order for fwknop to function correctly.
#
#############################################################################
#
# $Id$
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    _CHANGEME_;

### Define the firewall type.  The default is "iptables" for Linux systems,
### but this can be set to "ipfw" for *BSD systems.
FIREWALL_TYPE               iptables;

### This defines the general strategy fwknop uses to authenticate remote
### clients.  Possible values are "PCAP" (authenticate via regular pcap; this
### is the default and puts the interface in promiscuous mode unless
### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
### writer).
AUTH_MODE                   PCAP;

### Define the ethernet interface on which we will sniff packets.  Note
### that this is only used if the AUTH_MODE keyword above is set to
### "PCAP"
PCAP_INTF                   eth0;

### Define whether put the pcap interface in promiscuous mode.
ENABLE_PCAP_PROMISC         Y;

### Define the filters used for PCAP and FILE_PCAP modes; we default
### to udp port 62201.  Note that either of these variables can be
### set to NONE in order to look at all packets.
PCAP_FILTER                 udp port 62201;

### This instructs fwknopd to not honor SPA packets that have an old time
### stamp.  The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
### time stamp at all.
ENABLE_SPA_PACKET_AGING     Y;

### Defines the maximum age (in seconds) that an SPA packet will be accepted.
### This requires that the client system is in relatively close time
### synchronization with the fwknopd server system (NTP is good).  The default
### age is two minutes.
MAX_SPA_PACKET_AGE          120;

### Track digest sums associated with previous fwknop process.  This allows
### digest sums to remain persistent across executions of fwknop.
ENABLE_DIGEST_PERSISTENCE   Y;

### Default to using all three of SHA256, SHA1, and MD5 for SPA replay attack
### detection.  This is overkill, but performance is not usually a concern.
### Further, the variable can also be set to "SHA1" or "MD5".
DIGEST_TYPE                 ALL;

### This variable controls whether fwknopd includes the source IP of each SPA
### packet in the DIGEST store. If a replayed SPA message is detected, then
### having this information can provide information about which networks have
### people sniffing your SPA packets.
ENABLE_DIGEST_INCLUDE_SRC   Y;

### Allow SPA clients to request access to services through an iptables
### firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
### chain instead of the INPUT chain). This also requires the
### ENABLE_FORWARD_ACCESS variable to be set in the access.conf file for the
### specific SOURCE stanzas that should be allowed for forwarding access.
ENABLE_IPT_FORWARDING       N;

### By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING
### variable above), then fwknop creates DNAT rules for incoming connections,
### but does not also complement these rules with SNAT rules at the same time.
### In some situations, internal systems may not have a route back out for the
### source address of the incoming connection, so it is necessary to also
### apply SNAT rules so that the internal systems see the IP of the internal
### interface where fwknopd is running.  This functionality is only enabled
### when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built
### with the MASQUERADE target (since then the internal IP does not have to be
### defined here in the fwknop.conf file), but if you want fwknopd to use the
### SNAT target then also defined an IP address with the SNAT_TRANSLATE_IP
### variable.
ENABLE_IPT_SNAT             N;
SNAT_TRANSLATE_IP           _CHANGEME_;

### If ENABLE_IPT_FORWARDING is enabled, but the /proc/sys/net/ipv4/ip_forward
### disables forwarding, then by default enable forwarding
ENABLE_PROC_IP_FORWARD      Y;

### Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
### if there are no state tracking rules to allow connection responses out and
### the OUTPUT chain has a default-drop stance.
ENABLE_IPT_OUTPUT           N;

### Force all SPA packets to contain a real IP address within the encrypted
### data.  This makes it impossible to use the -s command line argument on
### the fwknop client command line, so either -R has to be used to
### automatically resolve the external address (if the client behind a NAT) or
### the client must know the external IP.
REQUIRE_SOURCE_ADDRESS      N;

### This pair of variables controls whether fwknopd voluntarily exits and over
### what time interval. When fwknopd exits, knopwatchd will restart it.
### Because fwknop controls the accessibility of services, this feature can be
### used to make sure that the fwknop rules are flushed (see the
### FLUSH_IPT_AT_INIT variable), and the effects of any potential logic (or
### other) bugs are minimized since fwknopd will start "fresh" when knopwatchd
### kicks it off. NOTE: This feature is almost never required since fwknopd is
### generally quite stable, and is mostly offered for the the extra paranoid.
ENABLE_VOLUNTARY_EXITS      N;
EXIT_INTERVAL               1440;  ### minutes (1 day)

### Flush all existing rules in the fwknop chains at fwknop start time.
FLUSH_IPT_AT_INIT           Y;

### If running on ipfw firewalls, this variable defines the rule number that
### fwknopd uses to insert an ipfw pass rule.
IPFW_RULE_NUM               1;

### Define the timeout for running a command
PCAP_CMD_TIMEOUT            10;

### If GPG keys are used instead of a Rijndael symmetric key, this is
### the default GPG keys directory.  Note that each access block in
### /etc/fwknop/access.conf can specify its own GPG directory to override
### this default.
GPG_DEFAULT_HOME_DIR        /root/.gnupg;

### This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
### be created by a sniffer process (or something like the ulogd pcap
### writer).
PCAP_PKT_FILE               /var/log/sniff.pcap;

### Define a comma-separated set of IP addresses and/or networks that should
### be globally blacklisted.  That is, any SPA packet that is from a source
### IP (or has an internal --allow-ip) within a blacklisted network will be
### ignored.
BLACKLIST                   NONE;

### Defines interval fwknop will use to check for more iptables
### messages (this is only used in the legacy port knocking mode).
SLEEP_INTERVAL              2;  ### seconds

### TTL values are decremented depending on the number of hops the packet
### has taken before it hits the firewall.  We will assume packets will not
### jump through more than 20 hops on average.
MAX_HOPS                    20;

### Note that fwknopd still only gets its data via pcap, so the filter
### defined by PCAP_FILTER needs to be updated to include this TCP port.
ENABLE_TCP_SERVER           N;

### Set the default port number that the fwknop_serv "dummy" TCP server
### listens on. This server is only spawned when ENABLE_TCP_SERVER is set
### to "Y".
TCPSERV_PORT                62201;

### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON variable
### accepts three possible values: syslogd, syslog-ng, or metalog.
SYSLOG_DAEMON               syslogd;

### syslog facility and priority (the defaults are usually ok)
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
SYSLOG_IDENTITY             fwknopd;
SYSLOG_FACILITY             LOG_LOCAL7;
SYSLOG_PRIORITY             LOG_INFO;

### syslog config for knoptm
KNOPTM_SYSLOG_IDENTITY      fwknop(knoptm);
KNOPTM_SYSLOG_FACILITY      LOG_LOCAL7;
KNOPTM_SYSLOG_PRIORITY      LOG_INFO;

### Allow reporting methods to be enabled/restricted.  This keyword can
### accept values of "nosyslog" (don't write any messages to syslog),
### "noemail" (don't send any email messages), or "ALL" (to generate both
### syslog and email messages).  "ALL" is the default.  Both "nosyslog"
### and "noemail" can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS            ALL;

### The following variables can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### "--log-prefix" for iptables firewalls).  For example, if your firewall
### uses the string "Audit" for packets that have been blocked, then you
### could set FW_MSG_SEARCH = "Audit";
FW_MSG_SEARCH               DROP;

### For knopwatchd
KNOPWATCHD_CHECK_INTERVAL   5;  ### seconds
KNOPWATCHD_MAX_RETRIES      10;

### Default minimum message size SPA messages encrypted with GnuPG. The
### fwknopd daemon will not attempt to decrypt any packet with gpg that is not
### at least as large as this value.
MIN_GNUPG_MSG_SIZE          400;

### fwknop uses the IPTables::ChainMgr module to add allow rules to a
### custom iptables chain "FWKNOP_INPUT".  This chain is called from
### the INPUT chain, and by default no other iptables chains are used.
### However, additional chains can be added (say, if access needs to
### be allowed through the local system via the FORWARD chain) by
### altering the IPT_FORWARD_ACCESS variable below.  For a discussion of
### the format followed by these keywords, read on:
###     Specify chain names to which iptables blocking rules will be
### added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
### The format for these variables is:
###     <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
###              <To_chain>,<Rule_position>.
### "Target": Can be any legitimate iptables target, but should usually
###           just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
###              INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any iptables table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
###                       the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
###             main chain where fwknop rules are added.
### "Rule_position": Defines the position where rule are added within the
###                  To_chain.
IPT_INPUT_ACCESS            ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
### The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
IPT_OUTPUT_ACCESS           ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
### The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is enabled
IPT_FORWARD_ACCESS          ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
IPT_DNAT_ACCESS             DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
### The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
### ENABLE_IPT_FORWARDING are enabled.  Also, the external static IP must be
### set with the SNAT_TRANSLATE_IP variable.  The default is to use the
### IPT_MASQUERADE_ACCESS variable.
IPT_SNAT_ACCESS             SNAT, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
IPT_MASQUERADE_ACCESS       MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;

### Directories
FWKNOP_DIR                  /var/log/fwknop;
FWKNOP_RUN_DIR              /var/run/fwknop;
FWKNOP_LIB_DIR              /var/lib/fwknop; # for legacy port knocking mode
FWKNOP_MOD_DIR              /usr/lib/fwknop;
FWKNOP_CONF_DIR             /etc/fwknop;
FWKNOP_ERR_DIR              $FWKNOP_DIR/errs;

### Files
FW_DATA_FILE                $FWKNOP_DIR/fwdata; # legacy port knocking mode
ACCESS_CONF                 $FWKNOP_CONF_DIR/access.conf;
P0F_FILE                    $FWKNOP_CONF_DIR/pf.os;   ### p0f-based fingerprints
DIGEST_FILE                 $FWKNOP_DIR/digest.cache;
FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/fwknopd.pid;
FWKNOP_CMDLINE_FILE         $FWKNOP_RUN_DIR/fwknopd.cmd;
TCPSERV_PID_FILE            $FWKNOP_RUN_DIR/fwknop_serv.pid;
KNOPWATCHD_PID_FILE         $FWKNOP_RUN_DIR/knopwatchd.pid;
KNOPMD_PID_FILE             $FWKNOP_RUN_DIR/knopmd.pid;
KNOPTM_PID_FILE             $FWKNOP_RUN_DIR/knoptm.pid;
KNOPTM_IP_TIMEOUT_SOCK      $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
KNOPMD_FIFO                 $FWKNOP_LIB_DIR/fwknopfifo;
PROC_IP_FORWARD_FILE        /proc/sys/net/ipv4/ip_forward;

### iptables command output and error collection files; these are
### used by IPTables::ChainMgr
IPT_OUTPUT_FILE             $FWKNOP_DIR/fwknopd.iptout;
IPT_ERROR_FILE              $FWKNOP_DIR/fwknopd.ipterr;
KNOPTM_IPT_OUTPUT_FILE      $FWKNOP_DIR/knoptm.iptout;
KNOPTM_IPT_ERROR_FILE       $FWKNOP_DIR/knoptm.ipterr;

### system binaries
mailCmd          /bin/mail;
shCmd            /bin/sh;
mknodCmd         /bin/mknod;
iptablesCmd      /sbin/iptables;
ipfwCmd          /sbin/ipfw;  ### BSD and Mac OS X only
fwknopdCmd       /usr/sbin/fwknopd;
fwknop_servCmd   /usr/sbin/fwknop_serv;
knopmdCmd        /usr/sbin/knopmd;
knoptmCmd        /usr/sbin/knoptm;
knopwatchdCmd    /usr/sbin/knopwatchd;