Changeset 1068
- Timestamp:
- 05/24/08 11:47:58 (6 months ago)
- Files:
-
- fwknop/trunk/fwknop (modified) (1 diff)
- fwknop/trunk/fwknop.conf (modified) (1 diff)
- fwknop/trunk/fwknopd (modified) (3 diffs)
- fwknop/trunk/test/conf/blacklist_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/default_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/forward_chain_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/md5_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/no_promisc_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/output_chain_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/pcap_file_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/sha1_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/sha256_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/spa_aging_fwknop.conf (modified) (1 diff)
fwknop/trunk/fwknop
r1065 r1068 314 314 315 315 if ($verbose) { 316 print "[+] Command line: @args_cp\n";316 print "[+] fwknop Command line: @args_cp\n"; 317 317 } 318 318 fwknop/trunk/fwknop.conf
r1064 r1068 84 84 ### specific SOURCE stanzas that should be allowed for forwarding access. 85 85 ENABLE_IPT_FORWARDING N; 86 87 ### Allow SPA clients to request access to a local socket via NAT. This still 88 ### puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is 89 ### translated via DNAT rules to the real one. So, the user would do 90 ### "ssh -p <port>" to access the local service (see the --NAT-local and 91 ### --NAT-rand-port on the fwknop client command line). 92 ENABLE_IPT_LOCAL_NAT Y; 86 93 87 94 ### By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING fwknop/trunk/fwknopd
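Review bot: The new option ships enabled (`ENABLE_IPT_LOCAL_NAT Y;`) while the neighbouring `ENABLE_IPT_FORWARDING` ships as `N`, so a default install starts honouring client-requested DNAT to local sockets without the administrator opting in. I would ship it as `ENABLE_IPT_LOCAL_NAT N;` and let sites that want the feature turn it on. The comment should also say whether the service a client can reach this way is limited by the SOURCE stanza, as the forwarding comment above it does; that cannot be determined from this hunk.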
r1065 r1068 266 266 267 267 print STDERR localtime() . " [+] ** Starting fwknopd (debug mode) **\n", 268 " Command line: @args_cp\n" if $debug;268 " fwknopd Command line: @args_cp\n" if $debug; 269 269 270 270 ### setup to run … … 4388 4388 } 4389 4389 4390 if ($config{'ENABLE_IPT_FORWARDING'} eq 'Y' or $fw_list or $ipt_flush) { 4390 if ($config{'ENABLE_IPT_FORWARDING'} eq 'Y' 4391 or $config{'ENABLE_IPT_LOCAL_NAT'} eq 'Y' 4392 or $fw_list or $ipt_flush) { 4393 4391 4394 ### for the FWKNOP_FORWARD chain 4392 4395 if (&parse_ipt_var(\%ipt_forward, $config{'IPT_FORWARD_ACCESS'})) { … … 4777 4780 IPT_DNAT_ACCESS IPT_SNAT_ACCESS IPT_MASQUERADE_ACCESS BLACKLIST 4778 4781 SNAT_TRANSLATE_IP PROC_IP_FORWARD_FILE ENABLE_PROC_IP_FORWARD 4779 MIN_SPA_PKT_LEN 4782 MIN_SPA_PKT_LEN ENABLE_IPT_LOCAL_NAT 4780 4783 ) { 4781 4784 die "[*] Required variable $var is not defined in $config_file" fwknop/trunk/test/conf/blacklist_fwknop.conf
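Review bot: In the hunk at new lines 4390-4392, `ENABLE_IPT_LOCAL_NAT` set to `Y` now enters the block that parses `IPT_FORWARD_ACCESS` even when `ENABLE_IPT_FORWARDING` is `N`, and the existing comment `### for the FWKNOP_FORWARD chain` gives no reason for that. Because fwknop.conf ships the new variable as `Y`, this block now runs on default installs where it was skipped before. If local NAT only needs the DNAT settings, gate just that part on the new variable; otherwise add a comment such as `### local NAT (DNAT to a local socket) also needs these chains parsed`. The block continues past the hunk, so what else it sets up is not visible here. Separately, adding `ENABLE_IPT_LOCAL_NAT` to the required-variable list in the last hunk makes fwknopd `die` on an fwknop.conf written before this change, which is worth a line in the upgrade notes.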
r1064 r1068 26 26 DIGEST_TYPE ALL; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/default_fwknop.conf
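Review bot: Every test configuration touched by this changeset (this file and the nine that follow) sets `ENABLE_IPT_LOCAL_NAT Y;`, so none of them runs fwknopd with the new feature disabled. Combined with `ENABLE_IPT_FORWARDING N;`, the disabled setting is the case in which the forwarding/NAT setup block in fwknopd is skipped, which was the behaviour of these tests before the change. Setting `ENABLE_IPT_LOCAL_NAT N;` in at least one of them, for example this one, would keep that path covered.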
r1064 r1068 26 26 DIGEST_TYPE ALL; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/forward_chain_fwknop.conf
r1064 r1068 25 25 DIGEST_TYPE ALL; 26 26 ENABLE_IPT_FORWARDING Y; 27 ENABLE_IPT_LOCAL_NAT Y; 27 28 ENABLE_IPT_OUTPUT N; 28 29 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/md5_fwknop.conf
r1064 r1068 26 26 DIGEST_TYPE MD5; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/no_promisc_fwknop.conf
r1064 r1068 26 26 DIGEST_TYPE ALL; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/output_chain_fwknop.conf
r1064 r1068 26 26 DIGEST_TYPE ALL; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT Y; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/pcap_file_fwknop.conf
r1064 r1068 25 25 DIGEST_TYPE ALL; 26 26 ENABLE_IPT_FORWARDING N; 27 ENABLE_IPT_LOCAL_NAT Y; 27 28 ENABLE_IPT_OUTPUT N; 28 29 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/sha1_fwknop.conf
r1064 r1068 26 26 DIGEST_TYPE SHA1; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/sha256_fwknop.conf
r1064 r1068 26 26 DIGEST_TYPE SHA256; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N; fwknop/trunk/test/conf/spa_aging_fwknop.conf
r1064 r1068 26 26 DIGEST_TYPE ALL; 27 27 ENABLE_IPT_FORWARDING N; 28 ENABLE_IPT_LOCAL_NAT Y; 28 29 ENABLE_IPT_OUTPUT N; 29 30 ENABLE_IPT_SNAT N;
