# ############################################################################# # # [+] fwknop - Firewall Knock Operator [+] # # This is the configuration file for fwknop, the Firewall Knock Operator. # The primary authentication and authorization mechanism offered by fwknop # is known as Single Packet Authorization (SPA). More information about # SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html # # Note there are no access control directives in this file. All access # control directives are located in the file # /etc/fwknop/access.conf. You will need to edit the access.conf file in # order for fwknop to function correctly. # ############################################################################# # # $Id: fwknop.conf 1517 2009-08-10 04:09:06Z mbr $ # ### Supports multiple email addresses (as a comma separated ### list). EMAIL_ADDRESSES root@localhost; ### Machine hostname HOSTNAME _CHANGEME_; ### Define the firewall type. The default is "iptables" for Linux systems, ### but this can be set to "ipfw" for *BSD systems. Also supported is ### "external_cmd" to allow fwknop to invoke an external command instead of ### interfacing with the firewall at all FIREWALL_TYPE iptables; ### This defines the general strategy fwknop uses to authenticate remote ### clients. Possible values are "PCAP" (authenticate via regular pcap; this ### is the default and puts the interface in promiscuous mode unless ### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file ### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap ### writer). This variable can also be set to "KNOCK" if you really want to ### use the legacy port knocking mode. AUTH_MODE PCAP; ### Define the ethernet interface on which we will sniff packets. Note ### that this is only used if the AUTH_MODE keyword above is set to ### "PCAP" PCAP_INTF eth0; ### Define whether put the pcap interface in promiscuous mode. ENABLE_PCAP_PROMISC Y; ### Define the filter used for PCAP modes; we default to udp port 62201. ### However, if an fwknop client uses the --rand-port option to send the ### SPA packet over a random port, then this variable should be updated to ### something like "udp dst portrange 10000-65535"; PCAP_FILTER udp port 62201; ### This instructs fwknopd to not honor SPA packets that have an old time ### stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable. ### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client ### time stamp at all. ENABLE_SPA_PACKET_AGING Y; ### Defines the maximum age (in seconds) that an SPA packet will be accepted. ### This requires that the client system is in relatively close time ### synchronization with the fwknopd server system (NTP is good). The default ### age is two minutes. MAX_SPA_PACKET_AGE 120; ### Track digest sums associated with previous fwknop process. This allows ### digest sums to remain persistent across executions of fwknop. ENABLE_DIGEST_PERSISTENCE Y; ### Default to using all three of SHA256, SHA1, and MD5 for SPA replay attack ### detection. This is overkill, but performance is not usually a concern. ### Further, the variable can also be set to "SHA1" or "MD5". DIGEST_TYPE ALL; ### This variable controls whether fwknopd includes the source IP of each SPA ### packet in the DIGEST store. If a replayed SPA message is detected, then ### having this information can provide information about which networks have ### people sniffing your SPA packets. ENABLE_DIGEST_INCLUDE_SRC Y; ### Allow SPA clients to request access to services through an iptables ### firewall instead of just to it (i.e. access through the FWKNOP_FORWARD ### chain instead of the INPUT chain). This also requires the ### ENABLE_FORWARD_ACCESS variable to be set in the access.conf file for the ### specific SOURCE stanzas that should be allowed for forwarding access. ENABLE_IPT_FORWARDING N; ### Allow SPA clients to request access to a local socket via NAT. This still ### puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is ### translated via DNAT rules to the real one. So, the user would do ### "ssh -p " to access the local service (see the --NAT-local and ### --NAT-rand-port on the fwknop client command line). ENABLE_IPT_LOCAL_NAT Y; ### By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING ### variable above), then fwknop creates DNAT rules for incoming connections, ### but does not also complement these rules with SNAT rules at the same time. ### In some situations, internal systems may not have a route back out for the ### source address of the incoming connection, so it is necessary to also ### apply SNAT rules so that the internal systems see the IP of the internal ### interface where fwknopd is running. This functionality is only enabled ### when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built ### with the MASQUERADE target (since then the internal IP does not have to be ### defined here in the fwknop.conf file), but if you want fwknopd to use the ### SNAT target then also defined an IP address with the SNAT_TRANSLATE_IP ### variable. ENABLE_IPT_SNAT N; SNAT_TRANSLATE_IP _CHANGEME_; ### If ENABLE_IPT_FORWARDING is enabled, but the /proc/sys/net/ipv4/ip_forward ### disables forwarding, then by default enable forwarding ENABLE_PROC_IP_FORWARD Y; ### Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful ### if there are no state tracking rules to allow connection responses out and ### the OUTPUT chain has a default-drop stance. ENABLE_IPT_OUTPUT N; ### Force all SPA packets to contain a real IP address within the encrypted ### data. This makes it impossible to use the -s command line argument on ### the fwknop client command line, so either -R has to be used to ### automatically resolve the external address (if the client behind a NAT) or ### the client must know the external IP. REQUIRE_SOURCE_ADDRESS N; ### Config variable to force fwknopd to always treat the sniffing interface as ### the "cooked" interface type on Linux. ENABLE_COOKED_INTF N; ### This pair of variables controls whether fwknopd voluntarily exits and over ### what time interval. When fwknopd exits, knopwatchd will restart it. ### Because fwknop controls the accessibility of services, this feature can be ### used to make sure that the fwknop rules are flushed (see the ### FLUSH_IPT_AT_INIT variable), and the effects of any potential logic (or ### other) bugs are minimized since fwknopd will start "fresh" when knopwatchd ### kicks it off. NOTE: This feature is almost never required since fwknopd is ### generally quite stable, and is mostly offered for the extra paranoid. ENABLE_VOLUNTARY_EXITS N; EXIT_INTERVAL 1440; ### minutes (1 day) ### These variables control whether special checks are run against the ### interface that fwknopd sniffs to acquire SPA packets. The basic strategy ### is for the knoptm daemon to make sure that the sniffing interface exists ### is in the "RUNNING" state, and always has increasing numbers of received ### and transmitted bytes (Linux only). If not then knoptm stops fwknopd once ### the error condition has been cleared (and not before, since fwknopd cannot ### receive packets anyway until then). Then, knopwatchd will restart fwknopd ### so that it can once again receive SPA packets from the interface. The ### typical example for where this become important is when fwknopd has been ### deployed against a ppp interface that is shut down and then restarted. ### Note that usually the RUNNING check is not needed because fwknopd can once ### again receive packet data if the interface is brought back into the RUNNING ### state, but there is little harm in enabling it by default. Another check ### that is enabled by default is to ensure that the number of bytes received ### and transmitted does not decrease. ENABLE_INTF_CHECKS Y; INTF_CHECKS_INTERVAL 20; ### seconds ENABLE_INTF_EXISTS_CHECK Y; ENABLE_INTF_RUNNING_CHECK Y; ### looks for the string "RUNNING" ENABLE_INTF_BYTES_CHECK Y; ### checks for resets in bytes RX/TX counters ### If this feature is enabled, then knoptm will not time out any rules added ### by fwknopd if any connection is in the ESTBALISHED state involving the IP ### that was granted access and a destination port that is specified by the ### CONNTRACK_ESTAB_PORTS variable (which supports comma-separated lists of ### ports). ENABLE_CONNTRACK_PERSIST N; CONNTRACK_ESTAB_PORTS 0; ### can be "80, 6997, 22", etc. IPT_CONNTRACK_FILE /proc/net/ip_conntrack; ### Specify the the maximum number of bytes to sniff per frame - 1500 ### is a good default MAX_SNIFF_BYTES 1500; ### Flush all existing rules in the fwknop chains at fwknop start time. FLUSH_IPT_AT_INIT Y; ### If running on ipfw firewalls, this variable defines the rule number that ### fwknopd uses to insert an ipfw pass rule. IPFW_RULE_NUM 1; ### If running on ipfw firewalls, this variable defines the rule set that will ### be used to store expired rules that still have a dynamic rule associated ### to them. That set will be disabled by fwknop and should not be enabled ### while fwknop is running. Not used when ipfw isn't using dynamic rules. IPFW_SET_NUM 1; ### For ipfw firewalls set the interval (in seconds) over which rules that ### have no remaining dynamic rules associated with them will be removed. IPFW_DYNAMIC_INTERVAL 60; ### seconds ### Define the timeout for running a command PCAP_CMD_TIMEOUT 10; ### If GPG keys are used instead of a Rijndael symmetric key, this is ### the default GPG keys directory. Note that each access block in ### /etc/fwknop/access.conf can specify its own GPG directory to override ### this default. GPG_DEFAULT_HOME_DIR /root/.gnupg; ### This gets used if AUTH_MODE is set to "FILE_PCAP". This file must ### be created by a sniffer process (or something like the ulogd pcap ### writer). PCAP_PKT_FILE /var/log/sniff.pcap; ### By default fwknopd tests to see if the FKO module has been installed, and ### if so all SPA operations are performed via FKO functions. If this ### variable is set to "N", then fwknopd will fall back to the original perl ### SPA implementation. It is recommended to leave this as "Y" and install ### the libfko library and associated FKO perl module. ENABLE_FKO_MODULE Y; ### Define a comma-separated set of IP addresses and/or networks that should ### be globally blacklisted. That is, any SPA packet that is from a source ### IP (or has an internal --allow-ip) within a blacklisted network will be ### ignored. BLACKLIST NONE; ### Defines interval fwknop will use to check for more iptables ### messages (this is only used in the legacy port knocking mode). SLEEP_INTERVAL 2; ### seconds ### TTL values are decremented depending on the number of hops the packet ### has taken before it hits the firewall. We will assume packets will not ### jump through more than 20 hops on average. MAX_HOPS 20; ### Allow fwknopd to acquire SPA data from HTTP requests (generated with the ### fwknop client in --HTTP mode). Note that the PCAP_FILTER variable would ### need to be updated when this is enabled to sniff traffic over TCP/80 ### connections ENABLE_SPA_OVER_HTTP N; ### Note that fwknopd still only gets its data via pcap (unless AUTH_MODE is ### set to 'SOCKET'), so the filter defined by PCAP_FILTER needs to be updated ### to include the tcp or udp port if either of these variables are enabled. ENABLE_TCP_SERVER N; ENABLE_UDP_SERVER N; ### Set the default port number for a "dummy" tcp or udp server (udp is ### best to use since nothing will be sent back to the client, so as far as a ### scanner can tell the port is 'filtered'). The server is only spawned when ### ENABLE_TCP_SERVER or ENABLE_UDP_SERVER is set to "Y". TCPSERV_PORT 62201; UDPSERV_PORT 62201; ### Set the locale (via the LC_ALL variable). This can be set to NONE to ### have fwknopd honor the default system locale. LOCALE C; ### Set the type of syslog daemon that is used. The SYSLOG_DAEMON variable ### accepts three possible values: syslogd, syslog-ng, or metalog. SYSLOG_DAEMON syslogd; ### syslog facility and priority (the defaults are usually ok) ### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and ### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE, ### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG SYSLOG_IDENTITY fwknopd; SYSLOG_FACILITY LOG_LOCAL7; SYSLOG_PRIORITY LOG_INFO; ### syslog config for knoptm KNOPTM_SYSLOG_IDENTITY fwknop(knoptm); KNOPTM_SYSLOG_FACILITY LOG_LOCAL7; KNOPTM_SYSLOG_PRIORITY LOG_INFO; ### syslog config for fwknop_serv FWSERV_SYSLOG_IDENTITY fwknop(fwknop_serv); FWSERV_SYSLOG_FACILITY LOG_LOCAL7; FWSERV_SYSLOG_PRIORITY LOG_INFO; ### Allow reporting methods to be enabled/restricted. This keyword can ### accept values of "nosyslog" (don't write any messages to syslog), ### "noemail" (don't send any email messages), or "ALL" (to generate both ### syslog and email messages). "ALL" is the default. Both "nosyslog" ### and "noemail" can be combined with a comma to disable all logging ### and alerting. ALERTING_METHODS ALL; ### (Legacy port knocking mode) ### The following variable can be modified to look for logging messages ### that are specific to your firewall configuration (specified by the ### "--log-prefix" for iptables firewalls). For example, if your firewall ### uses the string "Audit" for packets that have been blocked, then you ### could set FW_MSG_SEARCH = "Audit"; FW_MSG_SEARCH DROP; ### (Legacy port knocking mode) ### This variable controls whether fwknopd parses the /var/log/messages ### file for port knock sequences, or if it assumes that the local syslog ### daemon has been configured to write iptables log messages to the ### fwknopfifo named pipe ENABLE_SYSLOG_FILE Y; IPT_SYSLOG_FILE /var/log/messages; ### This variable defines the number of seconds that the IPTables::ChainMgr ### module should wait for running iptables commands. Normally iptables ### runs extremely fast from the command line (at least for the commands ### that fwknopd executes), so the default of 30 seconds is plenty. IPT_CMD_ALARM 30; ### Set the strategy that the IPTables::ChainMgr module will use for executing ### iptables commands. The default of "waitpid" means that IPTables::ChainMgr ### will use fork(), exec(), and waitpid(), whereas "system" means that ### "system()" will used, and finally "popen" means that iptables will be ### executed via popen(). IPT_EXEC_STYLE waitpid; ### Define the number of seconds that the IPTables::ChainMgr policy uses to ### sleep between successive iptables commands. Zero is the default. IPT_EXEC_SLEEP 0; ### Define the number of times that fwknopd or knoptm will run certain ### critical iptables commands (such as adding a new access rule) if any ### problems are encountered. IPT_EXEC_TRIES 1; ### The following four variables control whether a global set of "open" and ### "close" commands are executed after receving a valid SPA packet. These ### variables are used only if FIREWALL_TYPE is set to "external_cmd", but ### the same variables can also exist within the access.conf file so that ### mixed deployments are possible - that is, some SPA packets will operate ### as usual and result in firewall commands being executed, but others will ### result in the commands defined by these variables (in access.conf) being ### executed. ### The "open" and "close" commands might be manually supplied firewall ### commands, and both support variable substitution of any of the variables ### in the access.conf file with "$VAR". Also, three special variables are ### supported: $SRC, $PORT, and $PROTO, which are derived from actual values ### from within valid SPA packets (as opposed to $SOURCE from access.conf ### which may contain a list of networks instead of a single IP address). ### Here are some examples: ### - Execute a specific iptables command on behalf of the source IP ### in a valid SPA packet to add a new ACCEPT rule, and execute ### another command (to delete the same rule after a timeout): ### EXTERNAL_CMD_OPEN iptables -A INPUT -s $SRC -j ACCEPT ### EXTERNAL_CMD_CLOSE iptables -D INPUT -s $SRC -j ACCEPT ### - Execute a custom binary with the SOURCE and OPEN_PORTS variables ### from the access.conf file as input on the command line, and after ### a timeout execute a different program but use the real SPA source ### IP: ### EXTERNAL_CMD_OPEN /path/someprog $SOURCE $OPEN_PORTS ### EXTERNAL_CMD_OPEN /path/otherprog $SRC ENABLE_EXTERNAL_CMDS N; EXTERNAL_CMD_OPEN __NONE__; EXTERNAL_CMD_CLOSE __NONE__; EXTERNAL_CMD_ALARM 30; ### if EXTERNAL_CMD_OPEN is used above, then the following two variables can ### be used to enforce a prefix on variable substitutions - useful if there ### are any naming conflicts with the external script and command line ### arguments that are named the same as the variables to be substituted. ENABLE_EXT_CMD_PREFIX N; EXT_CMD_PREFIX FWKNOP_; ### For knopwatchd KNOPWATCHD_CHECK_INTERVAL 5; ### seconds KNOPWATCHD_MAX_RETRIES 10; ### Default minimum for any SPA packet (including both the data link, ### network, and transport layer headers) MIN_SPA_PKT_LEN 150; ### Default minimum message size SPA messages encrypted with GnuPG. The ### fwknopd daemon will not attempt to decrypt any packet with gpg that is not ### at least as large as this value. MIN_GNUPG_MSG_SIZE 400; ### fwknop uses the IPTables::ChainMgr module to add allow rules to a ### custom iptables chain "FWKNOP_INPUT". This chain is called from ### the INPUT chain, and by default no other iptables chains are used. ### However, additional chains can be added (say, if access needs to ### be allowed through the local system via the FORWARD chain) by ### altering the IPT_FORWARD_ACCESS variable below. For a discussion of ### the format followed by these keywords, read on: ### Specify chain names to which iptables blocking rules will be ### added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword. ### The format for these variables is: ### ,,,,, \ ### ,. ### "Target": Can be any legitimate iptables target, but should usually ### just be "DROP". ### "Direction": Can be "src", "dst", or "both", which correspond to the ### INPUT, OUTPUT, and FORWARD chains. ### "Table": Can be any iptables table, but the default is "filter". ### "From_chain": Is the chain from which packets will be jumped. ### "Jump_rule_position": Defines the position within the From_chain where ### the jump rule is added. ### "To_chain": Is the chain to which packets will be jumped. This is the ### main chain where fwknop rules are added. ### "Rule_position": Defines the position where rule are added within the ### To_chain. IPT_INPUT_ACCESS ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1; ### The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled IPT_OUTPUT_ACCESS ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1; ### The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is enabled IPT_FORWARD_ACCESS ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1; IPT_DNAT_ACCESS DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1; ### The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and ### ENABLE_IPT_FORWARDING are enabled. Also, the external static IP must be ### set with the SNAT_TRANSLATE_IP variable. The default is to use the ### IPT_MASQUERADE_ACCESS variable. IPT_SNAT_ACCESS SNAT, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1; IPT_MASQUERADE_ACCESS MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1; ### Directories FWKNOP_DIR /var/log/fwknop; FWKNOP_RUN_DIR /var/run/fwknop; FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode FWKNOP_MOD_DIR /usr/lib/fwknop; FWKNOP_CONF_DIR /etc/fwknop; FWKNOP_ERR_DIR $FWKNOP_DIR/errs; ### Files FW_DATA_FILE $FWKNOP_DIR/fwdata; # legacy port knocking mode ACCESS_CONF $FWKNOP_CONF_DIR/access.conf; P0F_FILE $FWKNOP_CONF_DIR/pf.os; ### p0f-based fingerprints DIGEST_FILE $FWKNOP_DIR/digest.cache; FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid; FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd; TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid; KNOPWATCHD_PID_FILE $FWKNOP_RUN_DIR/knopwatchd.pid; KNOPMD_PID_FILE $FWKNOP_RUN_DIR/knopmd.pid; KNOPTM_PID_FILE $FWKNOP_RUN_DIR/knoptm.pid; KNOPTM_IP_TIMEOUT_SOCK $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock; FWKNOP_SERV_SOCK $FWKNOP_RUN_DIR/fwknop_serv.sock; KNOPMD_FIFO $FWKNOP_LIB_DIR/fwknopfifo; PROC_IP_FORWARD_FILE /proc/sys/net/ipv4/ip_forward; ### iptables command output and error collection files; these are ### used by IPTables::ChainMgr IPT_OUTPUT_FILE $FWKNOP_DIR/fwknopd.iptout; IPT_ERROR_FILE $FWKNOP_DIR/fwknopd.ipterr; KNOPTM_IPT_OUTPUT_FILE $FWKNOP_DIR/knoptm.iptout; KNOPTM_IPT_ERROR_FILE $FWKNOP_DIR/knoptm.ipterr; ### system binaries gpgCmd /usr/bin/gpg; mailCmd /bin/mail; sendmailCmd /usr/sbin/sendmail; shCmd /bin/sh; ifconfigCmd /sbin/ifconfig; mknodCmd /bin/mknod; iptablesCmd /sbin/iptables; ipfwCmd /sbin/ipfw; ### BSD and Mac OS X only fwknopdCmd /usr/sbin/fwknopd; fwknop_servCmd /usr/sbin/fwknop_serv; knopmdCmd /usr/sbin/knopmd; knoptmCmd /usr/sbin/knoptm; knopwatchdCmd /usr/sbin/knopwatchd;