n0emis
/
delos_dlan-1200-ac
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
delos_dlan-1200-ac/etc/fwknop/access.conf

207 lines
7.4 KiB
Plaintext
Raw Permalink Blame History Unescape Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

##############################################################################
#
# File: access.conf
#
# Purpose: This file defines how fwknopd will modify firewall access
# controls for specific IPs/networks. It gets installed in
# the fwknop config directory and is consulted by fwknopd on
# startup or a reconfiguration signal.
#
# Note: This file supports multiple entries (stanzas) for different
# levels of access based on the SOURCE of the incoming SPA packet.
# If multiple stanzas are used, you should make sure they are
# entered in order from most specific to the more general SOURCE
# specifications as the first matching SOURCE wins.
#
# For example, a SOURCE that is a specific IP address should come
# before a SOURCE that specifies multiple IP's or a Subnet. The
# SOURCE: "ANY" (if used) should be the last one.
#
# At least one stanza MUST be defined.
#
##############################################################################
#
### Directives ###
# %include /etc/fwknop/myInlcudeFile.conf
#
# This processes the access.conf stanzas from an additional file.
# Complete stanzas should be contained within each file.
# %include_folder /etc/fwknop/myFolder.d
#
# This processes all the *.conf files in the specified directory.
# %include_keys /home/user/fwknop_keys.conf
#
# This directive loads the encryption and HMAC keys from an external file.
# Any other commands in the stanza must come before the %include_keys
# directive.
### Commands ###
# SOURCE <IP,..,IP/NET,..,NET/ANY>
#
# This defines the source address from which a SPA packet will be accepted.
# Every authorization stanza in this file must start with the SOURCE
# keyword. Networks should be specified in CIDR (e.g. "192.168.10.0/24")
# notation. Individual IP addresses can be specified as well.
#
# Also, multiple IPs and/or networks can be defined as a comma-separated
# list (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored from any source IP.
#
# DESTINATION <IP,..,IP/NET,..,NET/ANY>
#
# This defines the destination address for which a SPA packet will be accepted.
# Networks should be specified in CIDR (e.g. "192.168.10.0/24") notation.
# Individual IP addresses can be specified as well.
#
# Also, multiple IPs and/or networks can be defined as a comma-separated
# list (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored to any destination IP.
#
# OPEN_PORTS <proto/port>, ..., <proto/port
#
# Define a set of ports and protocols (tcp or udp) that are allowed to be
# opened if a valid SPA packet is received and its access request matches
# one of the entries here.
#
# If this entry is not set, then fwknopd will attempt to honor the request
# specified in the SPA data.
#
# RESTRICT_PORTS <proto/port>, ..., <proto/port>
#
# Define a set of ports and protocols (tcp or udp) that are *NOT* allowed
# to be opened even if a valid SPA packet is received.
#
# KEY <password>
#
# Define the key used for decrypting an incoming SPA packet that is using
# its built-in encryption (e.g. not GPG). This variable is required for
# all non-GPG-encrypted SPA packets.
#
# FW_ACCESS_TIMEOUT <seconds>
#
# Define the length of time access will be granted by fwknop through the
# firewall after a valid SPA packet is received from the source IP address
# that matches this stanza's SOURCE.
#
# If FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 30
# seconds will automatically be set.
#
# ENABLE_CMD_EXEC <Y/N>
#
# This specifies whether or not fwknopd will accept complete commands that
# are contained within a SPA packet. Any such command will be executed as
# user specified using the CMD_EXEC_USER parameter by the fwknopd server.
# If not set here, the default is "N".
#
# CMD_EXEC_USER <username>
#
# This specifies the user that will execute commands contained within a SPA
# packet. If not specified, fwknopd will execute it as the user it is
# running as (most likely root). Setting this to a non-root user is highly
# recommended.
#
# REQUIRE_USERNAME <username>
#
# Require a specific username from the client system as encoded in the SPA
# data. This variable is optional and if not specified, the username data
# in the SPA data is ignored.
#
# REQUIRE_SOURCE_ADDRESS <Y/N>
#
# Force all SPA packets to contain a real IP address within the encrypted
# data. This makes it impossible to use the "-s" command line argument
# on the fwknop client command line, so either "-R" has to be used to
# automatically resolve the external address (if the client is behind a
# NAT) or the client must know the external IP. If not set here, the
# default is "N".
#
# GPG_HOME_DIR <path>
#
# Define the path to the GnuPG directory to be used by fwknopd. If this
# keyword is not specified here, then fwknopd will default to using the
# "/root/.gnupg" directory for the server key(s).
#
# GPG_DECRYPT_ID <keyID>
#
# Define a GnuPG key ID to use for decrypting SPA messages that have been
# encrypted by an fwknop client using GPG. This keyword is required for
# authentication that is based on gpg keys. The gpg key ring on the client
# must have imported and signed the fwknopd server key, and vice versa.
#
# It is ok to use a sensitive personal gpg key on the client, but each
# fwknopd server should have its own gpg key that is generated specifically
# for fwknop communications. The reason for this is that this decryption
# password within this file.
#
# Note that you can use either keyID or its corresponding email address.
#
# For more information on using fwknop with GnuPG keys, see the following
# link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
#
# GPG DECRYPT_PW <decrypt password>
#
# Specify the decryption password for the gpg key defined by the
# GPG_DECRYPT_ID above. This is a required field for gpg-based
# authentication.
#
# GPG_REQUIRE_SIG <Y/N>
#
# With this setting set to 'Y', fwknopd check all GPG-encrypted SPA
# messages for a signature (signed by the sender's key). If the incoming
# message is not signed, the decryption process will fail. If not set, the
# default is 'N'.
# GPG_IGNORE_SIG_VERIFY_ERROR <Y/N>
#
# Setting this will allow fwknopd to accept incoming GPG-encrypted packets
# that are signed, but the signature did not pass verification (i.e. the
# signer key was expired, etc.). This setting only applies if the
# GPG_REQUIRE_SIG is also set to 'Y'.
# GPG_REMOTE_ID <keyID,...,keyID>
#
# Define a list of gpg key IDs that are required to have signed any
# incoming SPA messages that have been encrypted with the fwknopd server
# key. This ensures that the verification of the remote user is accomplished
# via a strong cryptographic mechanism. This setting only applies if the
# GPG_REQUIRE_SIG is set to 'Y'.
#
#### fwknopd access.conf stanzas ###
SOURCE ANY
KEY_BASE64 __CHANGEME__
HMAC_KEY_BASE64 __CHANGEME__
# If you want to use GnuPG keys then define the following variables
#
#GPG_HOME_DIR /homedir/path/.gnupg
#GPG_DECRYPT_ID ABCD1234
#GPG_DECRYPT_PW __CHANGEME__
# If you want to require GPG signatures:
#GPG_REQUIRE_SIG Y
#GPG_IGNORE_SIG_VERIFY_ERROR N
#GPG_REMOTE_ID 1234ABCD
Reference in New Issue View Git Blame Copy Permalink