Linux Firewalls - Michael Rash [142]
/usr/sbin/knopmd
This is a daemon used to parse iptables log messages out of the /var/lib/fwknop/fwknopfifo named pipe. This daemon is only used if fwknop is being run in the legacy port-knocking mode.
/usr/sbin/knoptm
This is a daemon that removes rule entries from the iptables chains to which fwknop has added access rules for legitimate SPA clients. This daemon is necessary because the main fwknopd daemon is sniffing from a live interface and the OS does not schedule it to run until a packet is received by the interface. The knoptm daemon is not used if fwknopd is reading packet data from a PCAP file that is being updated either by a separate sniffer process or by ulogd. In this case, fwknopd is periodically scheduled to run, regardless of whether a packet is received on an interface; hence, fwknopd can enforce timeouts against iptables rules on its own.
/usr/sbin/knopwatchd
This is a monitoring daemon that restarts a daemon if it dies. However, fwknop is generally quite stable, so knopwatchd does not usually have very much work to do; it exists merely as a precautionary measure, since running SPA implies that nothing can access a protected service unless fwknopd is also running.
/etc/init.d/fwknop
This is the initialization script for fwknop. It allows the user to start fwknop in a manner that is consistent with most Linux distributions—by executing /etc/init.d/fwknop start. Using the init script only makes sense in the context of starting fwknop in server mode.
* * *
1. As mentioned in Chapter 5, my GnuPG key is available from http://www.cipherdyne.org/public_key. It is necessary to import this key with gpg --import in order to verify the GnuPG signature for each software distribution file at http://www.cipherdyne.org.
fwknop Configuration
In server mode, fwknop references two main configuration files, fwknop.conf and access.conf, for configuration directives. Like the psad configuration files (see Chapter 5), within these files each line follows the simple key-value convention for defining configuration variables. As usual, comment lines begin with a hash mark (#). I'll present a selection of the more important configuration variables from these files in the following sections.
/etc/fwknop/fwknop.conf
The fwknop.conf file defines critical configuration variables such as the authentication mode, the firewall type, the interface to sniff packets from, whether packets should be sniffed promiscuously (i.e., whether or not fwknop processes Ethernet frames that are not destined for the MAC address of the local interface), and the email address(es) to which alerts are sent.
AUTH_MODE
The AUTH_MODE variable tells the fwknop daemon how to collect packet data. Several collection modes are supported, including sniffing packets from a live interface via the Net::Pcap Perl module, reading PCAP-formatted packets from a file in the filesystem that is written by ulogd (see http://www.netfilter.org), using a separate Ethernet sniffer such as tcpdump, or parsing iptables log messages from the file /var/log/fwknop/fwdata. Possible values for the AUTH_MODE variable are PCAP, FILE_PCAP, ULOG_PCAP, and KNOCK; PCAP is the default.
AUTH_MODE PCAP;
PCAP_INTF
The PCAP_INTF variable defines the live interface the fwknop daemon uses to monitor packets. This is only used if AUTH_MODE is set to PCAP; the default setting is the eth0 interface.
PCAP_INTF eth0;
PCAP_FILTER
A live interface may transmit or receive lots of packet data that is completely unrelated to SPA traffic, and there is no need to force the fwknop daemon to process it. The PCAP_FILTER variable allows you to restrict the types of packets libpcap passes into fwknop based upon criteria such as network layer addresses or transport layer port numbers. Because, by default, fwknop transfers SPA packets over UDP port 62201, this variable is set as follows (this can be modified to acquire SPA packets over different ports and/or protocols).
PCAP_FILTER udp port 62201;
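The fwknop.conf directives above all follow the one-line "KEY value;" convention the chapter describes, with # marking comment lines. The following is an added example, not fwknop's own configuration parser: a small Python reader for that format plus a sanity check that a defender might run before deploying the daemon. The directive names, the AUTH_MODE values (PCAP, FILE_PCAP, ULOG_PCAP, KNOCK) and the defaults come from the chapter; the validation rules in check_conf() and the sample configuration are this example's own assumptions.

```python
"""Parser and sanity checker for fwknop.conf-style key-value directives.

Added example, not fwknop's own code. Assumes the format described in the
chapter: one directive per line, written as "KEY value;", with comment
lines beginning with '#'. The validation rules below are this example's
own, derived from the chapter's description of each variable.
"""
import re

# AUTH_MODE values listed in the chapter.
VALID_AUTH_MODES = {"PCAP", "FILE_PCAP", "ULOG_PCAP", "KNOCK"}

# Constructed sample configuration mirroring the directives shown above.
SAMPLE_CONF = """\
# fwknop.conf (constructed sample for this example)
AUTH_MODE            PCAP;
PCAP_INTF            eth0;
PCAP_FILTER          udp port 62201;
ENABLE_PCAP_PROMISC  N;
"""

# KEY, whitespace, value (may contain spaces), optional whitespace, ';'
DIRECTIVE_RE = re.compile(r"^([A-Z0-9_]+)\s+(.*?)\s*;\s*$")


def parse_conf(text):
    """Return {KEY: value} for every 'KEY value;' line.

    Blank lines and '#' comments are skipped. A line that does not follow
    the convention, or a directive that appears twice, raises ValueError so
    a typo in the config is caught rather than silently ignored.
    """
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed directive: {raw!r}")
        key, value = m.group(1), m.group(2)
        if key in conf:
            raise ValueError(f"line {lineno}: duplicate directive {key}")
        conf[key] = value
    return conf


def check_conf(conf):
    """Return a list of problems found; an empty list means the config passes.

    Rules (this example's own, based on the chapter):
      - AUTH_MODE must be one of the documented modes (default PCAP).
      - PCAP mode sniffs a live interface, so PCAP_INTF must be set.
      - PCAP_FILTER should narrow capture to a port, as the chapter
        recommends, so fwknopd does not process unrelated traffic.
    """
    problems = []
    mode = conf.get("AUTH_MODE", "PCAP")  # chapter: PCAP is the default
    if mode not in VALID_AUTH_MODES:
        problems.append(
            f"AUTH_MODE {mode!r} is not one of {sorted(VALID_AUTH_MODES)}")
    if mode == "PCAP" and not conf.get("PCAP_INTF"):
        problems.append("AUTH_MODE PCAP requires PCAP_INTF to be set")
    filt = conf.get("PCAP_FILTER", "")
    if not re.search(r"\bport\s+\d+\b", filt):
        problems.append("PCAP_FILTER does not restrict capture to a port")
    return problems


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for key, value in parsed.items():
        print(f"{key} = {value}")
    issues = check_conf(parsed)
    print("OK" if not issues else "\n".join(issues))
```

Running the script on the constructed sample prints the four parsed directives followed by OK; feeding it a configuration with a misspelled AUTH_MODE or an empty PCAP_FILTER lists the corresponding problems instead.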
ENABLE_PCAP_PROMISC
When set to Y, this variable instructs the