# ############################################################################## # # [+] fwknopd - Firewall Knock Operator Daemon [+] # # This is the configuration file for fwknopd, the Firewall Knock Operator # daemon. The primary authentication and authorization mechanism offered # by fwknop is known as Single Packet Authorization (SPA). More information # about SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html # # There are no access control directives in this file. All access # control directives are located in the file "/etc/fwknop/access.conf". # You will need to edit the access.conf file in order for fwknop to function # correctly. # # Most of these can remain commented out unless you need to override the # default setting. # # It is also important to note that there are some subtle (and some not # so subtle) differences between this configuration file, its parameters # and valid values and the configuration file used by the legacy Perl # version of fwknopd. Please pay careful attention to the format and # values used in this file if you are migrating from the legacy Perl # version. # ############################################################################## # # # Define the default verbosity level the fwknop server should use. # A value of "0" is the default verbosity level. Setting it to "1" or # higher will allow debugging messages to be displayed. # #VERBOSE 0; # Define the ethernet interface on which we will sniff packets. # Default if not set is eth0. The '-i <intf>' command line option overrides # the PCAP_INTF setting. # #PCAP_INTF eth0; # By default fwknopd does not put the pcap interface into promiscuous mode. # Set this to 'Y' to enable promiscuous sniffing. # #ENABLE_PCAP_PROMISC N; # Define the filter used for PCAP modes; we default to udp port 62201. 
# However, if an fwknop client uses the --rand-port option to send the # SPA packet over a random port, then this variable should be updated to # something like "udp dst portrange 10000-65535;". # Default is "udp port 62201". # #PCAP_FILTER udp port 62201; ### Netfilter Queue (NFQ) Parameters ### # # These settings apply only if fwknopd was compiled with libnetfilter_queue # support (configure with --enable-libnetfilter_queue). If this was not # enabled, leave these commented out. # # Uncomment and set to "Y" to capture via libnetfilter_queue. This is the # only option that must be set in order for NFQ capture. The remaining # options have reasonable default values. # #ENABLE_NFQ_CAPTURE Y; # If you want to limit capture to a specific network interface, specify it # here. If NFQ is enabled and this is left commented out, SPA packets will # be captured on any/all network interfaces (which is the default). # #NFQ_INTERFACE eth0; # Specify the UDP port for incoming SPA packets (default is 62201). # #NFQ_PORT 62201; # Specify the iptables table for NFQ use (should stay the default of "mangle"). # #NFQ_TABLE mangle; # The name for the chain we will use for NFQ (default is "FWKNOP_NFQ"). # #NFQ_CHAIN FWKNOP_NFQ; # Specify the NFQ queue number. The default is "1". # #NFQ_QUEUE_NUMBER 1; # ### End of Netfilter Queue (NFQ) Options ### # This instructs fwknopd to not honor SPA packets that have an old time # stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable. # If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client # time stamp at all. # #ENABLE_SPA_PACKET_AGING Y; # Defines the maximum age (in seconds) that an SPA packet will be accepted. # This requires that the client system is in relatively close time # synchronization with the fwknopd server system (NTP is good). The default # age is two minutes. # #MAX_SPA_PACKET_AGE 120; # Track digest sums associated with a previous fwknop process. 
This allows # digest sums to remain persistent across executions of fwknop. # #ENABLE_DIGEST_PERSISTENCE Y; # Sets the number of packets that are processed when the pcap_dispatch() # call is made. The default is zero, since this allows fwknopd to process # as many packets as possible in the corresponding callback where the SPA # handling routine is called for packets that pass a set of prerequisite # checks. However, if fwknopd is running on a platform with an old # version of libpcap, it may be necessary to change this value to a positive # non-zero integer. More information can be found in the pcap_dispatch(3) # man page. # #PCAP_DISPATCH_COUNT 0; # Sets the number of microseconds to pass as an argument to usleep() in # the pcap loop. The default is 100000 microseconds, or 1/10th of a second. # #PCAP_LOOP_SLEEP 100000; # Specify the maximum number of bytes to sniff per frame - 1500 # is a good default. # #MAX_SNIFF_BYTES 1500; # If GPG keys are used instead of a Rijndael symmetric key, this is # the default GPG keys directory. Note that each access stanza in # fwknop access.conf can specify its own GPG directory to override # this default. # #GPG_HOME_DIR /root/.gnupg; # Set the default GPG path when GPG is used for SPA encryption and # authentication. # #GPG_EXE /usr/bin/gpg; # Allow fwknopd to acquire SPA data from HTTP requests (generated with the # fwknop client in --HTTP mode). Note that the PCAP_FILTER variable would # need to be updated when this is enabled to sniff traffic over TCP/80 # connections. # #ENABLE_SPA_OVER_HTTP N; # Allow fwknopd to resolve hostnames in NAT access messages. # #ENABLE_NAT_DNS Y; # Allows the use of the X-Forwarded-For header from a captured packet as the # source IP. This can happen when using SPA through an HTTP proxy. # #ENABLE_X_FORWARDED_FOR N; # Instead of appending new firewall rules to the bottom of the chain, this # option inserts rules at the top of the chain. 
This causes newly created # rules to have precedence over older ones. # #ENABLE_RULE_PREPEND N; # Enable the fwknopd TCP server. This is a "dummy" TCP server that will # accept TCP connection requests on the specified TCPSERV_PORT. # If set to "Y", fwknopd will fork off a child process to listen for and # accept incoming TCP requests. This server only accepts the # request. It does not otherwise communicate. It exists only to allow the # incoming SPA-over-TCP packet, which is detected via PCAP. The connection # is closed after 1 second regardless. # Note that fwknopd still only gets its data via pcap, so the filter # defined by PCAP_FILTER needs to be updated to include this TCP port. # #ENABLE_TCP_SERVER N; #TCPSERV_PORT 62201; # Set/override the locale (via the LC_ALL locale category). Leave this # entry commented out to have fwknopd honor the default system locale. # #LOCALE C; # Override syslog identity and facility (the defaults are usually ok). # The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7} # or LOG_DAEMON (the default). # #SYSLOG_IDENTITY fwknopd; #SYSLOG_FACILITY LOG_DAEMON; # Define this to have fwknopd read pcap data from a file instead of sniffing # a live interface. This is usually only used for debugging purposes, and is # equivalent to the '-r <pcap_file>' command line option. # #PCAP_FILE /some/path/to/file.pcap; # This variable controls whether fwknopd is permitted to sniff SPA packets # regardless of whether they are received on the sniffing interface or sent # from the sniffing interface. In the latter case, this can be useful to have # fwknopd sniff SPA packets that are forwarded through a system and destined # for a different network. If the sniffing interface is the egress interface # for such packets, then this variable will need to be set to "Y" in order for # fwknopd to see them. 
The default is "N" so that fwknopd only looks for SPA # packets that are received on the sniffing interface (note that this is # independent of promiscuous mode). # #ENABLE_PCAP_ANY_DIRECTION N; # Controls whether fwknopd will set the destination field on the firewall # rule to the destination address specified on the incoming SPA packet. # This is useful for interfaces with multiple IP addresses hosting separate # services. If ENABLE_IPT_OUTPUT is set to "Y", the source field of # the firewall rule is set. FORWARD and SNAT rules are not affected; however, # DNAT rules will also have their destination field set. The default is # "N", which sets the destination field to 0.0.0.0/0 (any). # #ENABLE_DESTINATION_RULE Y; ############################################################################## # NOTE: The following EXTERNAL_CMD functionality is not yet implemented. # This is a possible future feature of fwknopd. # # The following four variables control whether a global set of "open" and # "close" commands are executed after receiving a valid SPA packet. These # variables are used only if FIREWALL_TYPE is set to "external_cmd", but # the same variables can also exist within the access.conf file so that # mixed deployments are possible - that is, some SPA packets will operate # as usual and result in firewall commands being executed, but others will # result in the commands defined by these variables (in access.conf) being # executed. # The "open" and "close" commands might be manually supplied firewall # commands, and both support variable substitution of any of the variables # in the access.conf file with "$VAR". Also, three special variables are # supported: $SRC, $PORT, and $PROTO, which are derived from actual values # from within valid SPA packets (as opposed to $SOURCE from access.conf # which may contain a list of networks instead of a single IP address). 
# Here are some examples: # - Execute a specific iptables command on behalf of the source IP # in a valid SPA packet to add a new ACCEPT rule, and execute # another command (to delete the same rule after a timeout): # EXTERNAL_CMD_OPEN iptables -A INPUT -s $SRC -j ACCEPT # EXTERNAL_CMD_CLOSE iptables -D INPUT -s $SRC -j ACCEPT # - Execute a custom binary with the SOURCE and OPEN_PORTS variables # from the access.conf file as input on the command line, and after # a timeout execute a different program but use the real SPA source # IP: # EXTERNAL_CMD_OPEN /path/someprog $SOURCE $OPEN_PORTS # EXTERNAL_CMD_CLOSE /path/otherprog $SRC # #ENABLE_EXTERNAL_CMDS N; #EXTERNAL_CMD_OPEN __NONE__; #EXTERNAL_CMD_CLOSE __NONE__; #EXTERNAL_CMD_ALARM 30; # If EXTERNAL_CMD_OPEN is used above, then the following two variables can # be used to enforce a prefix on variable substitutions - useful if there # are any naming conflicts with the external script and command line # arguments that are named the same as the variables to be substituted. # #ENABLE_EXT_CMD_PREFIX N; #EXT_CMD_PREFIX FWKNOP_; ############################################################################## # Parameters specific to firewalld: # Flush all existing rules in the fwknop chains at fwknop start time and/or # exit time. Both default to Y, which is the recommended setting for both. # #FLUSH_FIREWD_AT_INIT Y; #FLUSH_FIREWD_AT_EXIT Y; # # Allow SPA clients to request access to services through a firewalld # firewall instead of just to it (i.e. access through the FWKNOP_FORWARD # chain instead of the INPUT chain). # #ENABLE_FIREWD_FORWARDING N; # Allow SPA clients to request access to a local socket via NAT. This still # puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is # translated via DNAT rules to the real one. So, the user would do # "ssh -p <port>" to access the local service (see the --NAT-local and # --NAT-rand-port on the fwknop client command line). 
# #ENABLE_FIREWD_LOCAL_NAT Y; # By default, if forwarding access is enabled (see the ENABLE_FIREWD_FORWARDING # variable above), then fwknop creates DNAT rules for incoming connections, # but does not also complement these rules with SNAT rules at the same time. # In some situations, internal systems may not have a route back out for the # source address of the incoming connection, so it is necessary to also # apply SNAT rules so that the internal systems see the IP of the internal # interface where fwknopd is running. This functionality is only enabled # when ENABLE_FIREWD_SNAT is set to "Y", and by default SNAT rules are built # with the MASQUERADE target (since then the internal IP does not have to be # defined here in the fwknop.conf file), but if you want fwknopd to use the # SNAT target then also define an IP address with the SNAT_TRANSLATE_IP # variable. # #ENABLE_FIREWD_SNAT N; #SNAT_TRANSLATE_IP __CHANGEME__; # Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful # if there are no state tracking rules to allow connection responses out and # the OUTPUT chain has a default-drop stance. # #ENABLE_FIREWD_OUTPUT N; # fwknopd adds allow rules to a custom firewalld chain "FWKNOP_INPUT". # This chain is called from the INPUT chain, and by default no other # firewalld chains are used. However, additional chains can be added # (say, if access needs to be allowed through the local system via the # FORWARD chain) by altering the FIREWD_FORWARD_ACCESS variable below. # For a discussion of the format followed by these keywords, read on: # # Specify chain names to which firewalld blocking rules will be # added with the FIREWD_INPUT_ACCESS and FIREWD_FORWARD_ACCESS keywords. # The format for these variables is: # # <Target>, <Table>, <From_chain>, <Jump_rule_position>, \ # <To_chain>, <Rule_position>. # # "Target": # Can be any legitimate firewalld target, but should usually just be "DROP". # # "Table": # Can be any firewalld table, but the default is "filter". # # "From_chain": # Is the chain from which packets will be jumped. 
# # "Jump_rule_position": # Defines the position within the From_chain where the jump rule is added. # # "To_chain": # Is the chain to which packets will be jumped. This is the main chain # where fwknop rules are added. # # "Rule_position": # Defines the position where rules are added within the To_chain. # #FIREWD_INPUT_ACCESS ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1; # The FIREWD_OUTPUT_ACCESS variable is only used if ENABLE_FIREWD_OUTPUT is enabled. # #FIREWD_OUTPUT_ACCESS ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1; # The FIREWD_FORWARD_ACCESS variable is only used if ENABLE_FIREWD_FORWARDING is # enabled. # #FIREWD_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1; #FIREWD_DNAT_ACCESS DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1; # The FIREWD_SNAT_ACCESS variable is not used unless both ENABLE_FIREWD_SNAT and # ENABLE_FIREWD_FORWARDING are enabled. Also, the external static IP must be # set with the SNAT_TRANSLATE_IP variable. The default is to use the # FIREWD_MASQUERADE_ACCESS variable. # #FIREWD_SNAT_ACCESS SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1; #FIREWD_MASQUERADE_ACCESS MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1; # The ENABLE_FIREWD_COMMENT_CHECK variable instructs fwknopd to check for the # firewalld 'comment' match at start up. If it's not found, then fwknopd will # exit and throw an error. This variable is enabled by default, but can be # disabled if you want fwknopd to run without being sure that the comment match # is available (not recommended, since the comment match enables new SPA rules # to be timed out). # #ENABLE_FIREWD_COMMENT_CHECK Y; ############################################################################## # Parameters specific to iptables: # Flush all existing rules in the fwknop chains at fwknop start time and/or # exit time. Both default to Y, which is the recommended setting for both. 
# #FLUSH_IPT_AT_INIT Y; #FLUSH_IPT_AT_EXIT Y; # # Allow SPA clients to request access to services through an iptables # firewall instead of just to it (i.e. access through the FWKNOP_FORWARD # chain instead of the INPUT chain). # #ENABLE_IPT_FORWARDING N; # Allow SPA clients to request access to a local socket via NAT. This still # puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is # translated via DNAT rules to the real one. So, the user would do # "ssh -p <port>" to access the local service (see the --NAT-local and # --NAT-rand-port on the fwknop client command line). # #ENABLE_IPT_LOCAL_NAT Y; # By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING # variable above), then fwknop creates DNAT rules for incoming connections, # but does not also complement these rules with SNAT rules at the same time. # In some situations, internal systems may not have a route back out for the # source address of the incoming connection, so it is necessary to also # apply SNAT rules so that the internal systems see the IP of the internal # interface where fwknopd is running. This functionality is only enabled # when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built # with the MASQUERADE target (since then the internal IP does not have to be # defined here in the fwknop.conf file), but if you want fwknopd to use the # SNAT target then also define an IP address with the SNAT_TRANSLATE_IP # variable. # #ENABLE_IPT_SNAT N; #SNAT_TRANSLATE_IP __CHANGEME__; # Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful # if there are no state tracking rules to allow connection responses out and # the OUTPUT chain has a default-drop stance. # #ENABLE_IPT_OUTPUT N; # fwknopd adds allow rules to a custom iptables chain "FWKNOP_INPUT". # This chain is called from the INPUT chain, and by default no other # iptables chains are used. 
However, additional chains can be added # (say, if access needs to be allowed through the local system via the # FORWARD chain) by altering the IPT_FORWARD_ACCESS variable below. # For a discussion of the format followed by these keywords, read on: # # Specify chain names to which iptables blocking rules will be # added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keywords. # The format for these variables is: # # <Target>,
<Table>, <From_chain>, <Jump_rule_position>, \ # <To_chain>, <Rule_position>. # # "Target": # Can be any legitimate iptables target, but should usually just be "DROP". # # "Table": # Can be any iptables table, but the default is "filter". # # "From_chain": # Is the chain from which packets will be jumped. # # "Jump_rule_position": # Defines the position within the From_chain where the jump rule is added. # # "To_chain": # Is the chain to which packets will be jumped. This is the main chain # where fwknop rules are added. # # "Rule_position": # Defines the position where rules are added within the To_chain. # #IPT_INPUT_ACCESS ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1; # The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled. # #IPT_OUTPUT_ACCESS ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1; # The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is # enabled. # #IPT_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1; #IPT_DNAT_ACCESS DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1; # The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and # ENABLE_IPT_FORWARDING are enabled. Also, the external static IP must be # set with the SNAT_TRANSLATE_IP variable. The default is to use the # IPT_MASQUERADE_ACCESS variable. # #IPT_SNAT_ACCESS SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1; #IPT_MASQUERADE_ACCESS MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1; # The ENABLE_IPT_COMMENT_CHECK variable instructs fwknopd to check for the # iptables 'comment' match at start up. If it's not found, then fwknopd will # exit and throw an error. This variable is enabled by default, but can be # disabled if you want fwknopd to run without being sure that the comment match # is available (not recommended, since the comment match enables new SPA rules # to be timed out). 
# #ENABLE_IPT_COMMENT_CHECK Y; ############################################################################## # Parameters specific to ipfw: # # # This variable defines the rule number that fwknopd uses to insert an ipfw # pass rule. You would most likely want to change this parameter to a # number that makes sense in your current ipfw firewall configuration. # #IPFW_START_RULE_NUM 10000; # This variable defines the maximum number of rules fwknopd will create at # a time. This also tells fwknopd where to stop when flushing all rules. # #IPFW_MAX_RULES 1000; # Flush all existing rules in the fwknop ipfw sets at fwknop start time and/or # exit time. Both default to Y, which is the recommended setting for both. # #FLUSH_IPFW_AT_INIT Y; #FLUSH_IPFW_AT_EXIT Y; # This variable defines the rule set fwknopd uses for active rules. By # default, it is set to 1 and fwknopd assumes that it has full control over this # set. That is, fwknopd routinely creates and deletes rules in this set, and # the entire set itself is also created/deleted during routine operations. # You have some measure of control over whether the entire set is deleted at # init/exit with the FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT variables, but in general # it is recommended to leave these variables set to the default "Y" setting. # #IPFW_ACTIVE_SET_NUM 1; # This variable defines the rule set that will be used to store expired rules # that still have a dynamic rule associated with them. That set will be disabled # by fwknop and should not be enabled while fwknop is running. Not used when # ipfw isn't using dynamic rules. By default, it is set to 2, but can be anything # in the range 1-31 except that it shouldn't be the same as # IPFW_ACTIVE_SET_NUM. Note that fwknopd disables this set through routine # operations according to the FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT # variables. 
# #IPFW_EXPIRE_SET_NUM 2; # Set the interval (in seconds) over which rules that are expired and # have no remaining dynamic rules associated with them will be removed. # #IPFW_EXPIRE_PURGE_INTERVAL 30; # Set this variable to "Y" if you want fwknopd to create its own "check-state" # rule as the first rule in the set. This would only be needed if there # was not already a check-state rule in the current firewall configuration. # #IPFW_ADD_CHECK_STATE N; ############################################################################## # Parameters specific to the pf firewall: # # # This variable defines the pf anchor name to which fwknopd will add and # delete rules. This anchor must be linked into the pf policy (typically # done by adding it into the /etc/pf.conf file), and fwknopd runs a check at # init time to ensure that the anchor exists. # #PF_ANCHOR_NAME fwknop; # Set the interval (in seconds) at which expired rules are removed. # #PF_EXPIRE_INTERVAL 30; ############################################################################## # Directories - These can override compile-time defaults. # #FWKNOP_RUN_DIR /var/run/fwknop; #FWKNOP_CONF_DIR /etc/fwknop; # Files # #ACCESS_FILE access.conf; #FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid; #DIGEST_FILE $FWKNOP_RUN_DIR/digest.cache; ### The DB version is only used if fwknopd was built with gdbm/ndbm ### support (not needed by default). #DIGEST_DB_FILE $FWKNOP_RUN_DIR/digest_db.cache; # System binaries (uncomment only the one matching the firewall in use) # #FIREWALL_EXE /bin/firewall-cmd; #FIREWALL_EXE /sbin/iptables; ###EOF###