You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
564 lines
23 KiB
Plaintext
564 lines
23 KiB
Plaintext
#
|
|
##############################################################################
|
|
#
|
|
# [+] fwknopd - Firewall Knock Operator Daemon [+]
|
|
#
|
|
# This is the configuration file for fwknopd, the Firewall Knock Operator
|
|
# daemon. The primary authentication and authorization mechanism offered
|
|
# by fwknop is known as Single Packet Authorization (SPA). More information
|
|
# about SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
|
|
#
|
|
# There are no access control directives in this file. All access
|
|
# control directives are located in the file "/etc/fwknop/access.conf".
|
|
# You will need to edit the access.conf file in order for fwknop to function
|
|
# correctly.
|
|
#
|
|
# Most of these can remain commented out unless you need to override the
|
|
# default setting.
|
|
#
|
|
# It is also important to note that there are some subtle (and some not
|
|
# so subtle) differences between this configuration file, its parameters
|
|
# and valid values and the configuration file used by the legacy Perl
|
|
# version of fwknopd. Please pay careful attention to the format and
|
|
# values used in this file if you are migrating from the legacy Perl
|
|
# version.
|
|
#
|
|
##############################################################################
|
|
#
|
|
|
|
#
|
|
# Define the default verbosity level the fwknop server should use.
|
|
# A value of "0" is the default verbosity level. Setting it up to "1" or
|
|
# higher will allow debugging messages to be displayed.
|
|
#
|
|
#VERBOSE 0;
|
|
|
|
# Define the ethernet interface on which we will sniff packets.
|
|
# Default if not set is eth0. The '-i <intf>' command line option overrides
|
|
# the PCAP_INTF setting.
|
|
#
|
|
#PCAP_INTF eth0;
|
|
|
|
# By default fwknopd does not put the pcap interface into promiscuous mode.
|
|
# Set this to 'Y' to enable promiscuous sniffing.
|
|
#
|
|
#ENABLE_PCAP_PROMISC N;
|
|
|
|
# Define the filter used for PCAP modes; we default to udp port 62201.
|
|
# However, if an fwknop client uses the --rand-port option to send the
|
|
# SPA packet over a random port, then this variable should be updated to
|
|
# something like "udp dst portrange 10000-65535;".
|
|
# Default is "udp port 62201".
|
|
#
|
|
#PCAP_FILTER udp port 62201;
|
|
|
|
### Netfilter Queue (NFQ) Parameters ###
|
|
#
|
|
# These settings apply only if fwknopd was compiled with libnetfilter_queue
|
|
# support (configure with --enable-libnetfilter_queue). If this was not
|
|
# enabled, leave these commented out.
|
|
#
|
|
# Uncomment and set to "Y" to capture via libnetfilter_queue. This is the
|
|
# only option that must be set in order for NFQ capture. The remaining
|
|
# options have reasonable default values.
|
|
#
|
|
#ENABLE_NFQ_CAPTURE Y;
|
|
|
|
# If you want to limit capture to a specific network interface, specify it
|
|
# here. If NFQ is enabled and this is left commented out, SPA packets will
|
|
# be captured on any/all network interfaces (which is the default).
|
|
#
|
|
#NFQ_INTERFACE eth0;
|
|
|
|
# Specify the UDP port for incoming SPA packets (default is 62201).
|
|
#
|
|
#NFQ_PORT 62201;
|
|
|
|
# Specify the iptable table for NFQ use (should stay the default of "mangle").
|
|
#
|
|
#NFQ_TABLE mangle;
|
|
|
|
# The name for the chain we will use for NFQ (default is "FWKNOP_NFQ").
|
|
#NFQ_CHAIN
|
|
|
|
# Specify the NFQ queue number. The default is "1".
|
|
#
|
|
#NFQ_QUEUE_NUMBER 1;
|
|
#
|
|
### End of Netfilter Queue (NFQ) Options ###
|
|
|
|
# This instructs fwknopd to not honor SPA packets that have an old time
|
|
# stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
|
|
# If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
|
|
# time stamp at all.
|
|
#
|
|
#ENABLE_SPA_PACKET_AGING Y;
|
|
|
|
# Defines the maximum age (in seconds) that an SPA packet will be accepted.
|
|
# This requires that the client system is in relatively close time
|
|
# synchronization with the fwknopd server system (NTP is good). The default
|
|
# age is two minutes.
|
|
#
|
|
#MAX_SPA_PACKET_AGE 120;
|
|
|
|
# Track digest sums associated with previous fwknop process. This allows
|
|
# digest sums to remain persistent across executions of fwknop.
|
|
#
|
|
#ENABLE_DIGEST_PERSISTENCE Y;
|
|
|
|
# Sets the number of packets that are processed when the pcap_dispatch()
|
|
# call is made. The default is zero, since this allows fwknopd to process
|
|
# as many packets as possible in the corresponding callback where the SPA
|
|
# handling routine is called for packets that pass a set of prerequisite
|
|
# checks. However, if fwknopd is running on a platform with an old
|
|
# version of libpcap, it may be necessary to change this value to a positive
|
|
# non-zero integer. More information can be found in the pcap_dispatch(3)
|
|
# man page.
|
|
#PCAP_DISPATCH_COUNT 0;
|
|
|
|
# Sets the number of microseconds to pass as an argument to usleep() in
|
|
# the pcap loop. The default is 100000 microseconds, or 1/10th of a second.
|
|
#PCAP_LOOP_SLEEP 100000;
|
|
|
|
# Specify the the maximum number of bytes to sniff per frame - 1500
|
|
# is a good default
|
|
#
|
|
#MAX_SNIFF_BYTES 1500;
|
|
|
|
# If GPG keys are used instead of a Rijndael symmetric key, this is
|
|
# the default GPG keys directory. Note that each access stanza in
|
|
# fwknop access.conf can specify its own GPG directory to override
|
|
# this default.
|
|
#
|
|
#GPG_HOME_DIR /root/.gnupg;
|
|
|
|
# Set the default GPG path when GPG is used for SPA encryption and
|
|
# authentication.
|
|
#
|
|
#GPG_EXE /usr/bin/gpg;
|
|
|
|
# Allow fwknopd to acquire SPA data from HTTP requests (generated with the
|
|
# fwknop client in --HTTP mode). Note that the PCAP_FILTER variable would
|
|
# need to be updated when this is enabled to sniff traffic over TCP/80
|
|
# connections.
|
|
#
|
|
#ENABLE_SPA_OVER_HTTP N;
|
|
|
|
# Allow fwknopd to resolve hostnames in NAT access messages.
|
|
#ENABLE_NAT_DNS Y;
|
|
|
|
# Allows the use of the X-Forwarded-for header from a captured packet as the
|
|
# Source IP. This can happen when using SPA through an HTTP proxy.
|
|
#
|
|
#ENABLE_X_FORWARDED_FOR N;
|
|
|
|
# Instead of appending new firewall rules to the bottom of the chain, this
|
|
# option inserts rules at the top of the chain. This causes newly created
|
|
# rules to have precedence over older ones.
|
|
#
|
|
#ENABLE_RULE_PREPEND N;
|
|
|
|
# Enable the fwknopd TCP server. This is a "dummy" TCP server that will
|
|
# accept TCP connection requests on the specified TCPSERV_PORT.
|
|
# If set to "Y", fwknopd will fork off a child process to listen for and
|
|
# accept incoming TCP requests. This server only accepts the
|
|
# request. It does not otherwise communicate. This is only to allow the
|
|
# incoming SPA over TCP packet which is detected via PCAP. The connection
|
|
# is closed after 1 second regardless.
|
|
# Note that fwknopd still only gets its data via pcap, so the filter
|
|
# defined by PCAP_FILTER needs to be updated to include this TCP port.
|
|
#
|
|
#ENABLE_TCP_SERVER N;
|
|
#TCPSERV_PORT 62201;
|
|
|
|
# Set/override the locale (via the LC_ALL locale category). Leave this
|
|
# entry commented out to have fwknopd honor the default system locale.
|
|
#
|
|
#LOCALE C;
|
|
|
|
# Override syslog identity and facility (the defaults are usually ok).
|
|
# The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}
|
|
# or LOG_DAEMON (the default).
|
|
#
|
|
#SYSLOG_IDENTITY fwknopd;
|
|
#SYSLOG_FACILITY LOG_DAEMON;
|
|
|
|
# Define this to have fwknopd read pcap data from a file instead of sniffing
|
|
# a live interface. This is usually only used for debugging purposes, and is
|
|
# equivalent to the '-r <pcap file>' command line option.
|
|
#
|
|
#PCAP_FILE /some/path/to/file.pcap;
|
|
|
|
# This variable controls whether fwknopd is permitted to sniff SPA packets
|
|
# regardless of whether they are received on the sniffing interface or sent
|
|
# from the sniffing interface. In the latter case, this can be useful to have
|
|
# fwknopd sniff SPA packets that are forwarded through a system and destined
|
|
# for a different network. If the sniffing interface is the egress interface
|
|
# for such packets, then this variable will need to be set to "Y" in order for
|
|
# fwknopd to see them. The default is "N" so that fwknopd only looks for SPA
|
|
# packets that are received on the sniffing interface (note that this is
|
|
# independent of promiscuous mode).
|
|
#
|
|
# ENABLE_PCAP_ANY_DIRECTION N;
|
|
|
|
# Controls whether fwknopd will set the destination field on the firewall
|
|
# rule to the destination address specified on the incoming SPA packet.
|
|
# This is useful for interfaces with multiple IP addresses hosting separate
|
|
# services. If ENABLE_IPT_OUTPUT is set to "Y", the source field of
|
|
# the firewall rule is set. FORWARD and SNAT rules are not affected however,
|
|
# DNAT rules will also have their destination field set. The default is
|
|
# "N", which sets the destination field to 0.0.0.0/0 (any).
|
|
#
|
|
# ENABLE_DESTINATION_RULE Y;
|
|
|
|
##############################################################################
|
|
# NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
|
|
# This is a possible future feature of fwknopd.
|
|
#
|
|
# The following four variables control whether a global set of "open" and
|
|
# "close" commands are executed after receiving a valid SPA packet. These
|
|
# variables are used only if FIREWALL_TYPE is set to "external_cmd", but
|
|
# the same variables can also exist within the access.conf file so that
|
|
# mixed deployments are possible - that is, some SPA packets will operate
|
|
# as usual and result in firewall commands being executed, but others will
|
|
# result in the commands defined by these variables (in access.conf) being
|
|
# executed.
|
|
# The "open" and "close" commands might be manually supplied firewall
|
|
# commands, and both support variable substitution of any of the variables
|
|
# in the access.conf file with "$VAR". Also, three special variables are
|
|
# supported: $SRC, $PORT, and $PROTO, which are derived from actual values
|
|
# from within valid SPA packets (as opposed to $SOURCE from access.conf
|
|
# which may contain a list of networks instead of a single IP address).
|
|
# Here are some examples:
|
|
# - Execute a specific iptables command on behalf of the source IP
|
|
# in a valid SPA packet to add a new ACCEPT rule, and execute
|
|
# another command (to delete the same rule after a timeout):
|
|
# EXTERNAL_CMD_OPEN iptables -A INPUT -s $SRC -j ACCEPT
|
|
# EXTERNAL_CMD_CLOSE iptables -D INPUT -s $SRC -j ACCEPT
|
|
# - Execute a custom binary with the SOURCE and OPEN_PORTS variables
|
|
# from the access.conf file as input on the command line, and after
|
|
# a timeout execute a different program but use the real SPA source
|
|
# IP:
|
|
# EXTERNAL_CMD_OPEN /path/someprog $SOURCE $OPEN_PORTS
|
|
# EXTERNAL_CMD_OPEN /path/otherprog $SRC
|
|
#
|
|
#ENABLE_EXTERNAL_CMDS N;
|
|
#EXTERNAL_CMD_OPEN __NONE__;
|
|
#EXTERNAL_CMD_CLOSE __NONE__;
|
|
#EXTERNAL_CMD_ALARM 30;
|
|
|
|
# if EXTERNAL_CMD_OPEN is used above, then the following two variables can
|
|
# be used to enforce a prefix on variable substitutions - useful if there
|
|
# are any naming conflicts with the external script and command line
|
|
# arguments that are named the same as the variables to be substituted.
|
|
#
|
|
#ENABLE_EXT_CMD_PREFIX N;
|
|
#EXT_CMD_PREFIX FWKNOP_;
|
|
|
|
##############################################################################
|
|
# Parameters specific to firewalld:
|
|
|
|
# Flush all existing rules in the fwknop chains at fwknop start time and/or
|
|
# exit time. They default to Y and it is a recommended setting for both.
|
|
#
|
|
#FLUSH_FIREWD_AT_INIT Y;
|
|
#FLUSH_FIREWD_AT_EXIT Y;
|
|
#
|
|
|
|
# Allow SPA clients to request access to services through a firewalld
|
|
# firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
|
|
# chain instead of the INPUT chain).
|
|
#
|
|
#ENABLE_FIREWD_FORWARDING N;
|
|
|
|
# Allow SPA clients to request access to a local socket via NAT. This still
|
|
# puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is
|
|
# translated via DNAT rules to the real one. So, the user would do
|
|
# "ssh -p <port>" to access the local service (see the --NAT-local and
|
|
# --NAT-rand-port on the fwknop client command line).
|
|
#
|
|
#ENABLE_FIREWD_LOCAL_NAT Y;
|
|
|
|
# By default, if forwarding access is enabled (see the ENABLE_FIREWD_FORWARDING
|
|
# variable above), then fwknop creates DNAT rules for incoming connections,
|
|
# but does not also complement these rules with SNAT rules at the same time.
|
|
# In some situations, internal systems may not have a route back out for the
|
|
# source address of the incoming connection, so it is necessary to also
|
|
# apply SNAT rules so that the internal systems see the IP of the internal
|
|
# interface where fwknopd is running. This functionality is only enabled
|
|
# when ENABLE_FIREWD_SNAT is set to "Y", and by default SNAT rules are built
|
|
# with the MASQUERADE target (since then the internal IP does not have to be
|
|
# defined here in the fwknop.conf file), but if you want fwknopd to use the
|
|
# SNAT target then also define an IP address with the SNAT_TRANSLATE_IP
|
|
# variable.
|
|
#
|
|
#ENABLE_FIREWD_SNAT N;
|
|
#SNAT_TRANSLATE_IP __CHANGEME__;
|
|
|
|
# Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
|
|
# if there are no state tracking rules to allow connection responses out and
|
|
# the OUTPUT chain has a default-drop stance.
|
|
#
|
|
#ENABLE_FIREWD_OUTPUT N;
|
|
|
|
# fwknopd adds allow rules to a custom firewalld chain "FWKNOP_INPUT".
|
|
# This chain is called from the INPUT chain, and by default no other
|
|
# firewalld chains are used. However, additional chains can be added
|
|
# (say, if access needs to be allowed through the local system via the
|
|
# FORWARD chain) by altering the FIREWD_FORWARD_ACCESS variable below.
|
|
# For a discussion of the format followed by these keywords, read on:
|
|
#
|
|
# Specify chain names to which firewalld blocking rules will be
|
|
# added with the FIREWD_INPUT_ACCESS and FIREWD_FORWARD_ACCESS keyword.
|
|
# The format for these variables is:
|
|
#
|
|
# <Target>,<Table>,<From_chain>,<Jump_rule_position>,\
|
|
# <To_chain>,<Rule_position>.
|
|
#
|
|
# "Target":
|
|
# Can be any legitimate firewalld target, but should usually just be "DROP".
|
|
#
|
|
# "Table":
|
|
# Can be any firewalld table, but the default is "filter".
|
|
#
|
|
# "From_chain":
|
|
# Is the chain from which packets will be jumped.
|
|
#
|
|
# "Jump_rule_position":
|
|
# Defines the position within the From_chain where the jump rule is added.
|
|
#
|
|
# "To_chain":
|
|
# Is the chain to which packets will be jumped. This is the main chain
|
|
# where fwknop rules are added.
|
|
#
|
|
# "Rule_position":
|
|
# Defines the position where rules are added within the To_chain.
|
|
#
|
|
#FIREWD_INPUT_ACCESS ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1;
|
|
|
|
# The FIREWD_OUTPUT_ACCESS variable is only used if ENABLE_FIREWD_OUTPUT is enabled
|
|
#
|
|
#FIREWD_OUTPUT_ACCESS ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
|
|
|
|
# The FIREWD_FORWARD_ACCESS variable is only used if ENABLE_FIREWD_FORWARDING is
|
|
# enabled.
|
|
#
|
|
#FIREWD_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
|
|
#FIREWD_DNAT_ACCESS DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
|
|
|
|
# The FIREWD_SNAT_ACCESS variable is not used unless both ENABLE_FIREWD_SNAT and
|
|
# ENABLE_FIREWD_FORWARDING are enabled. Also, the external static IP must be
|
|
# set with the SNAT_TRANSLATE_IP variable. The default is to use the
|
|
# FIREWD_MASQUERADE_ACCESS variable.
|
|
#
|
|
#FIREWD_SNAT_ACCESS SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
|
|
#FIREWD_MASQUERADE_ACCESS MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1;
|
|
|
|
# The ENABLE_COMMENT_MATCH_CHECK variable instructs fwknopd to check for the
|
|
# firewalld 'comment' match at start up. If it's not found, then fwknopd will
|
|
# exit and throw an error. This variable is enabled by default, but can be
|
|
# disabled if you want fwknopd to run without being sure that the comment match
|
|
# is available (not recommended, since the comment match enables new SPA rules
|
|
# to be timed out).
|
|
#
|
|
#ENABLE_FIREWD_COMMENT_CHECK Y;
|
|
|
|
##############################################################################
|
|
# Parameters specific to iptables:
|
|
|
|
# Flush all existing rules in the fwknop chains at fwknop start time and/or
|
|
# exit time. They default to Y and it is a recommended setting for both.
|
|
#
|
|
#FLUSH_IPT_AT_INIT Y;
|
|
#FLUSH_IPT_AT_EXIT Y;
|
|
#
|
|
|
|
# Allow SPA clients to request access to services through an iptables
|
|
# firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
|
|
# chain instead of the INPUT chain).
|
|
#
|
|
#ENABLE_IPT_FORWARDING N;
|
|
|
|
# Allow SPA clients to request access to a local socket via NAT. This still
|
|
# puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is
|
|
# translated via DNAT rules to the real one. So, the user would do
|
|
# "ssh -p <port>" to access the local service (see the --NAT-local and
|
|
# --NAT-rand-port on the fwknop client command line).
|
|
#
|
|
#ENABLE_IPT_LOCAL_NAT Y;
|
|
|
|
# By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING
|
|
# variable above), then fwknop creates DNAT rules for incoming connections,
|
|
# but does not also complement these rules with SNAT rules at the same time.
|
|
# In some situations, internal systems may not have a route back out for the
|
|
# source address of the incoming connection, so it is necessary to also
|
|
# apply SNAT rules so that the internal systems see the IP of the internal
|
|
# interface where fwknopd is running. This functionality is only enabled
|
|
# when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built
|
|
# with the MASQUERADE target (since then the internal IP does not have to be
|
|
# defined here in the fwknop.conf file), but if you want fwknopd to use the
|
|
# SNAT target then also define an IP address with the SNAT_TRANSLATE_IP
|
|
# variable.
|
|
#
|
|
#ENABLE_IPT_SNAT N;
|
|
#SNAT_TRANSLATE_IP __CHANGEME__;
|
|
|
|
# Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
|
|
# if there are no state tracking rules to allow connection responses out and
|
|
# the OUTPUT chain has a default-drop stance.
|
|
#
|
|
#ENABLE_IPT_OUTPUT N;
|
|
|
|
# fwknopd adds allow rules to a custom iptables chain "FWKNOP_INPUT".
|
|
# This chain is called from the INPUT chain, and by default no other
|
|
# iptables chains are used. However, additional chains can be added
|
|
# (say, if access needs to be allowed through the local system via the
|
|
# FORWARD chain) by altering the IPT_FORWARD_ACCESS variable below.
|
|
# For a discussion of the format followed by these keywords, read on:
|
|
#
|
|
# Specify chain names to which iptables blocking rules will be
|
|
# added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
|
|
# The format for these variables is:
|
|
#
|
|
# <Target>,<Table>,<From_chain>,<Jump_rule_position>,\
|
|
# <To_chain>,<Rule_position>.
|
|
#
|
|
# "Target":
|
|
# Can be any legitimate iptables target, but should usually just be "DROP".
|
|
#
|
|
# "Table":
|
|
# Can be any iptables table, but the default is "filter".
|
|
#
|
|
# "From_chain":
|
|
# Is the chain from which packets will be jumped.
|
|
#
|
|
# "Jump_rule_position":
|
|
# Defines the position within the From_chain where the jump rule is added.
|
|
#
|
|
# "To_chain":
|
|
# Is the chain to which packets will be jumped. This is the main chain
|
|
# where fwknop rules are added.
|
|
#
|
|
# "Rule_position":
|
|
# Defines the position where rule are added within the To_chain.
|
|
#
|
|
#IPT_INPUT_ACCESS ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1;
|
|
|
|
# The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
|
|
#
|
|
#IPT_OUTPUT_ACCESS ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
|
|
|
|
# The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is
|
|
# enabled.
|
|
#
|
|
#IPT_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
|
|
#IPT_DNAT_ACCESS DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
|
|
|
|
# The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
|
|
# ENABLE_IPT_FORWARDING are enabled. Also, the external static IP must be
|
|
# set with the SNAT_TRANSLATE_IP variable. The default is to use the
|
|
# IPT_MASQUERADE_ACCESS variable.
|
|
#
|
|
#IPT_SNAT_ACCESS SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
|
|
#IPT_MASQUERADE_ACCESS MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1;
|
|
|
|
# The ENABLE_COMMENT_MATCH_CHECK variable instructs fwknopd to check for the
|
|
# iptables 'comment' match at start up. If it's not found, then fwknopd will
|
|
# exit and throw an error. This variable is enabled by default, but can be
|
|
# disabled if you want fwknopd to run without being sure that the comment match
|
|
# is available (not recommended, since the comment match enables new SPA rules
|
|
# to be timed out).
|
|
#
|
|
#ENABLE_IPT_COMMENT_CHECK Y;
|
|
|
|
##############################################################################
|
|
# Parameters specific to ipfw:
|
|
#
|
|
#
|
|
# This variable defines the rule number that fwknopd uses to insert an ipfw
|
|
# pass rule. You would most likely want to change this parameter to a
|
|
# number that makes sense in your current ipfw firewall configuration.
|
|
#
|
|
#IPFW_START_RULE_NUM 10000;
|
|
|
|
# This variable defines the maximum number of rules fwknopd will create at
|
|
# a time. This also tells fwknopd where to stop when flushing all rules.
|
|
#
|
|
#IPFW_MAX_RULES 1000;
|
|
|
|
# Flush all existing rules in the fwknop ipfw sets at fwknop start time and/or
|
|
# exit time. They default to Y and it is a recommended setting for both.
|
|
#
|
|
#FLUSH_IPFW_AT_INIT Y;
|
|
#FLUSH_IPFW_AT_EXIT Y;
|
|
|
|
# This variable defines the rule set fwknopd uses for active rules. By
|
|
# default, it is set 1 and fwknopd assumes that it has full control over this
|
|
# set. That is, fwknopd routinely creates and deletes rules in this set, and
|
|
# the entire set itself is also created/deleted during routine operations.
|
|
# You have some measure of control over whether the entire set is deleted at
|
|
# init/exit with the FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT, but in general
|
|
# it is recommended to leave these variables set to the default "Y" setting.
|
|
#
|
|
#IPFW_ACTIVE_SET_NUM 1;
|
|
|
|
# This variable defines the rule set that will be used to store expired rules
|
|
# that still have a dynamic rule associated to them. That set will be disabled
|
|
# by fwknop and should not be enabled while fwknop is running. Not used when
|
|
# ipfw isn't using dynamic rules. By default, it is set 2, but can be anything
|
|
# in the range 1-31 except that it shouldn't be the same as
|
|
# IPFW_ACTIVE_SET_NUM. Note that fwknopd disables this set through routine
|
|
# operations according to the FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT
|
|
# variables.
|
|
#
|
|
#IPFW_EXPIRE_SET_NUM 2;
|
|
|
|
# Set the interval (in seconds) over which rules that are expired and
|
|
# have no remaining dynamic rules associated with them will be removed.
|
|
#
|
|
#IPFW_EXPIRE_PURGE_INTERVAL 30;
|
|
|
|
# Set this variable to "Y" if you want fwknopd to create its own "check-state"
|
|
# rule as the first rule in the set. This would only be needed if there
|
|
# was not already a check-state rule in the current firewall configuration.
|
|
#
|
|
# IPFW_ADD_CHECK_STATE N;
|
|
|
|
##############################################################################
|
|
# Parameters specific to the pf firewall:
|
|
#
|
|
#
|
|
# This variable defines the pf anchor name to which fwknopd will add and
|
|
# delete rules. This anchor must be linked into the pf policy (typically
|
|
# done by adding it into the /etc/pf.conf file), and fwknopd runs a check at
|
|
# init time to ensure that the anchor exists.
|
|
#
|
|
#PF_ANCHOR_NAME fwknop;
|
|
|
|
# Set the interval (in seconds) over which rules that are expired
|
|
#
|
|
#PF_EXPIRE_INTERVAL 30;
|
|
|
|
##############################################################################
|
|
|
|
# Directories - These can override compile-time defaults.
|
|
#
|
|
#FWKNOP_RUN_DIR /var/run/fwknop;
|
|
#FWKNOP_CONF_DIR /etc/fwknop;
|
|
|
|
# Files
|
|
#
|
|
#ACCESS_FILE access.conf;
|
|
#FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
|
|
#DIGEST_FILE $FWKNOP_RUN_DIR/digest.cache;
|
|
### The DB version is only used if fwknopd was built with gdbm/ndbm
|
|
### support (not needed by default).
|
|
#DIGEST_DB_FILE $FWKNOP_RUN_DIR/digest_db.cache;
|
|
|
|
# System binaries
|
|
#
|
|
#FIREWALL_EXE /bin/firewall-cmd;
|
|
#FIREWALL_EXE /sbin/iptables;
|
|
|
|
###EOF###
|