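##############################################################################
#
# File: access.conf
#
# Purpose: This file defines how fwknopd will modify firewall access
#          controls for specific IPs/networks. It gets installed in
#          the fwknop config directory and is consulted by fwknopd on
#          startup or a reconfiguration signal.
#
# Note: This file supports multiple entries (stanzas) for different
#       levels of access based on the SOURCE of the incoming SPA packet.
#       If multiple stanzas are used, you should make sure they are
#       entered in order from the most specific to the more general SOURCE
#       specifications, as the first matching SOURCE wins.
#
#       For example, a SOURCE that is a specific IP address should come
#       before a SOURCE that specifies multiple IPs or a subnet. The
#       SOURCE "ANY" (if used) should be the last one.
#
#       At least one stanza MUST be defined.
#
#       This file holds secrets (encryption, HMAC and GPG passwords).
#       Keep it owned by root with mode 0600, and apply the same to any
#       file pulled in via %include or %include_keys.
#
##############################################################################
#
### Directives ###
#
# %include /etc/fwknop/myIncludeFile.conf
#
# This processes the access.conf stanzas from an additional file.
# Complete stanzas should be contained within each file.
#
# %include_folder /etc/fwknop/myFolder.d
#
# This processes all the *.conf files in the specified directory.
#
# %include_keys /home/user/fwknop_keys.conf
#
# This directive loads the encryption and HMAC keys from an external file.
# Any other commands in the stanza must come before the %include_keys
# directive.
#
### Commands ###
#
# SOURCE
#
# This defines the source address from which a SPA packet will be accepted.
# Every authorization stanza in this file must start with the SOURCE
# keyword. Networks should be specified in CIDR (e.g. "192.168.10.0/24")
# notation. Individual IP addresses can be specified as well.
#
# Also, multiple IPs and/or networks can be defined as a comma-separated
# list (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored from any source IP.
#
# DESTINATION
#
# This defines the destination address for which a SPA packet will be
# accepted. Networks should be specified in CIDR (e.g. "192.168.10.0/24")
# notation. Individual IP addresses can be specified as well.
#
# Also, multiple IPs and/or networks can be defined as a comma-separated
# list (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored to any destination IP.
#
# OPEN_PORTS <proto>/<port>, ..., <proto>/<port>, ...
#
# Define a set of ports and protocols (tcp or udp) that are allowed to be
# opened if a valid SPA packet is received and its access request matches
# one of the entries here.
#
# RESTRICT_PORTS <proto>/<port>, ..., <proto>/<port>, ...
#
# Define a set of ports and protocols (tcp or udp) that are *NOT* allowed
# to be opened even if a valid SPA packet is received.
#
# KEY
#
# Define the key used for decrypting an incoming SPA packet that is using
# its built-in encryption (e.g. not GPG). This variable is required for
# all non-GPG-encrypted SPA packets. KEY_BASE64 and HMAC_KEY_BASE64 (used
# in the stanza below) carry base64-encoded key material.
#
# FW_ACCESS_TIMEOUT
#
# Define the length of time access will be granted by fwknop through the
# firewall after a valid SPA packet is received from the source IP address
# that matches this stanza's SOURCE.
#
# If FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 30
# seconds will automatically be set.
#
# ENABLE_CMD_EXEC
#
# This specifies whether or not fwknopd will accept complete commands that
# are contained within a SPA packet. Any such command will be executed as
# the user specified using the CMD_EXEC_USER parameter by the fwknopd
# server. If not set here, the default is "N".
#
# Note that with this enabled, anyone holding this stanza's key can run
# commands on the server; leave it at "N" unless that is intended.
#
# CMD_EXEC_USER
#
# This specifies the user that will execute commands contained within a SPA
# packet. If not specified, fwknopd will execute it as the user it is
# running as (most likely root). Setting this to a non-root user is highly
# recommended.
#
# REQUIRE_USERNAME
#
# Require a specific username from the client system as encoded in the SPA
# data. This variable is optional and if not specified, the username data
# in the SPA data is ignored.
#
# REQUIRE_SOURCE_ADDRESS
#
# Force all SPA packets to contain a real IP address within the encrypted
# data. This makes it impossible to use the "-s" command line argument
# on the fwknop client command line, so either "-R" has to be used to
# automatically resolve the external address (if the client is behind a
# NAT) or the client must know the external IP. If not set here, the
# default is "N".
#
# GPG_HOME_DIR
#
# Define the path to the GnuPG directory to be used by fwknopd. If this
# keyword is not specified here, then fwknopd will default to using the
# "/root/.gnupg" directory for the server key(s).
#
# GPG_DECRYPT_ID
#
# Define a GnuPG key ID to use for decrypting SPA messages that have been
# encrypted by an fwknop client using GPG. This keyword is required for
# authentication that is based on gpg keys. The gpg key ring on the client
# must have imported and signed the fwknopd server key, and vice versa.
#
# It is ok to use a sensitive personal gpg key on the client, but each
# fwknopd server should have its own gpg key that is generated specifically
# for fwknop communications. The reason for this is that the key's
# decryption password is stored in clear text within this file (see
# GPG_DECRYPT_PW below).
#
# Note that you can use either the key ID or its corresponding email
# address.
#
# For more information on using fwknop with GnuPG keys, see the following
# link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
#
# GPG_DECRYPT_PW
#
# Specify the decryption password for the gpg key defined by the
# GPG_DECRYPT_ID above. This is a required field for gpg-based
# authentication.
#
# GPG_REQUIRE_SIG
#
# With this setting set to 'Y', fwknopd checks all GPG-encrypted SPA
# messages for a signature (signed by the sender's key). If the incoming
# message is not signed, the decryption process will fail. If not set, the
# default is 'N'.
#
# GPG_IGNORE_SIG_VERIFY_ERROR
#
# Setting this will allow fwknopd to accept incoming GPG-encrypted packets
# that are signed, but the signature did not pass verification (i.e. the
# signer key was expired, etc.). This setting only applies if
# GPG_REQUIRE_SIG is also set to 'Y'. Because it accepts signatures that
# failed verification, keep it at 'N' in normal deployments.
#
# GPG_REMOTE_ID
#
# Define a list of gpg key IDs that are required to have signed any
# incoming SPA messages that have been encrypted with the fwknopd server
# key. This ensures that the verification of the remote user is accomplished
# via a strong cryptographic mechanism. This setting only applies if
# GPG_REQUIRE_SIG is set to 'Y'.
#
### fwknopd access.conf stanzas ###
#
# Replace every __CHANGEME__ below with a freshly generated value before
# deploying (the fwknop client can generate both keys with "fwknop
# --key-gen"). The placeholders are not usable keys.
#
SOURCE ANY
KEY_BASE64 __CHANGEME__
HMAC_KEY_BASE64 __CHANGEME__

# If you want to use GnuPG keys then define the following variables
#
#GPG_HOME_DIR /homedir/path/.gnupg
#GPG_DECRYPT_ID ABCD1234
#GPG_DECRYPT_PW __CHANGEME__

# If you want to require GPG signatures:
#GPG_REQUIRE_SIG Y
#GPG_IGNORE_SIG_VERIFY_ERROR N
#GPG_REMOTE_ID 1234ABCD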