Linux Firewalls - Michael Rash [144]
REQUIRE_SOURCE_ADDRESS Y;
EMAIL_ADDRESSES
The fwknop server sends email alerts under various circumstances, such as when SPA packets are accepted and access to a service is granted, when access is removed, and when a replay attack has been thwarted. Multiple email addresses are supported as a comma-separated list, like so:
EMAIL_ADDRESSES root@localhost, mbr@cipherdyne.org;
GPG_DEFAULT_HOME_DIR
The GPG_DEFAULT_HOME_DIR variable specifies the path to the directory where GnuPG keys are kept for digital signature verification and decryption of SPA packets. The default is to use the .gnupg directory in root's home directory.
GPG_DEFAULT_HOME_DIR /root/.gnupg;
ENABLE_TCP_SERVER
The ENABLE_TCP_SERVER variable controls whether or not fwknop binds a TCP server to a port to accept SPA packet data. If you want to route SPA packets over the Tor network, which only uses TCP for data transport, you must enable this feature. (You'll find more on this topic in "SPA over Tor" on page 254.) This feature is disabled by default.
ENABLE_TCP_SERVER N;
TCPSERV_PORT
The TCPSERV_PORT variable specifies the port on which the fwknop_serv daemon listens for TCP connections. This is only used by fwknop if ENABLE_TCP_SERVER is enabled. The default is the following:
TCPSERV_PORT 62201;
/etc/fwknop/access.conf
The section on the fwknop.conf file gave lots of information about macro-level configuration options for fwknop, but it left out a discussion of important topics such as decryption passwords and authorization rights assigned to users. I'll rectify this by presenting the fwknop access.conf file, which defines all usernames, authorization rights, decryption keys, iptables rule time-outs, and command channels that the fwknop server uses.
SOURCE
Authorization of multiple users from arbitrary IP addresses is supported by fwknop; each user may use different encryption keys (and associated encryption algorithms). SOURCE is the main partitioning variable that allows fwknop to determine the access level of a valid SPA packet, and each group of configuration variables within the access.conf file defines a complete SOURCE access definition. The access.conf file supports multiple SOURCE access definitions. The default value for the SOURCE variable instructs fwknop to validate an SPA packet from any source IP address, as shown below, but individual IP addresses and CIDR networks are also supported. Note that with SOURCE set to ANY the decryption key is the only thing that limits who can be authorized under that definition, so narrow the SOURCE wherever the set of legitimate client addresses is known.
SOURCE: ANY;
OPEN_PORTS
The OPEN_PORTS variable instructs fwknop to grant access to the specified ports by reconfiguring the local iptables policy. Unless the PERMIT_CLIENT_PORTS variable (see below) is set to Y, the client cannot gain access to any services other than those listed by OPEN_PORTS. The following definition allows a valid SPA packet to reconfigure iptables to allow access to TCP port 22 (SSHD).
OPEN_PORTS: tcp/22;
PERMIT_CLIENT_PORTS
When set to Y, this variable allows the fwknop client to dictate to the fwknop server the set of traffic (i.e., ports and protocols) that will be allowed through the iptables policy, instead of the fwknop server only reconfiguring iptables to allow the traffic defined by the OPEN_PORTS variable. An SPA packet may contain several ports that the client wishes to access (see "fwknop SPA Packet Format" on page 241 for more information).
PERMIT_CLIENT_PORTS: Y;
ENABLE_CMD_EXEC
When enabled, this variable allows authorized SPA clients to have the fwknop server execute a command on their behalf. This feature is controversial because fwknop (as of the 1.0 release) executes these commands as root, although the ability to run commands as less privileged users is in development. The ENABLE_CMD_EXEC feature must be explicitly and deliberately enabled if you want to use it.
ENABLE_CMD_EXEC: Y;
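To make the interplay of SOURCE, OPEN_PORTS, PERMIT_CLIENT_PORTS, ENABLE_CMD_EXEC and the CMD_REGEX variable introduced next concrete, here is an added Python model of the authorization decision; it is example code written for this discussion, not fwknop's own implementation. It parses a constructed access.conf in the `KEY: value;` syntax shown above and decides what a (already decrypted and validated) SPA packet may do. Its assumptions, which the text does not spell out, are: the first SOURCE definition that matches the packet's source address is the one applied; when PERMIT_CLIENT_PORTS is not Y the server opens exactly OPEN_PORTS and refuses a request that names any other port; and a command runs only if ENABLE_CMD_EXEC is Y and, when CMD_REGEX is present, the command matches it. The sample configuration and the requests are made up for the example.

```python
import ipaddress
import re

# Constructed sample access.conf (not from the book) in the "KEY: value;" syntax.
# Two SOURCE access definitions: a fixed port set for one network, and a
# client-chosen port set with restricted command execution for everyone else.
SAMPLE_ACCESS_CONF = """
# office network: SSH only, server decides the ports
SOURCE: 10.0.0.0/24;
OPEN_PORTS: tcp/22;

# any other source: client dictates ports, may run matching commands
SOURCE: ANY;
PERMIT_CLIENT_PORTS: Y;
ENABLE_CMD_EXEC: Y;
CMD_REGEX: ^/sbin/iptables -A INPUT;
"""


def parse_access_conf(text):
    """Split access.conf into stanza dicts; every SOURCE line opens a new stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith(";"):
            raise ValueError("missing ';' terminator: %r" % line)
        key, sep, value = line[:-1].partition(":")  # split on the first ':' only
        if not sep:
            raise ValueError("expected 'KEY: value;': %r" % line)
        key, value = key.strip(), value.strip()
        if key == "SOURCE":
            current = {"SOURCE": value}
            stanzas.append(current)
        elif current is None:
            raise ValueError("%s appears before any SOURCE line" % key)
        else:
            current[key] = value
    return stanzas


def source_matches(spec, src_ip):
    """SOURCE is ANY, a single IP address, or a CIDR network."""
    if spec.upper() == "ANY":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)


def parse_ports(spec):
    """'tcp/22, udp/53' -> {('tcp', 22), ('udp', 53)}"""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        proto, sep, port = item.partition("/")
        if not sep or proto.lower() not in ("tcp", "udp") or not port.isdigit():
            raise ValueError("bad port spec %r" % item)
        ports.add((proto.lower(), int(port)))
    return ports


def _deny(reason):
    return {"granted": False, "reason": reason, "ports": set(), "run_command": False}


def authorize(stanzas, src_ip, requested, command=None):
    """Decide what a valid SPA packet from src_ip may do.

    requested is the set of (proto, port) pairs the client asked for.
    Assumption of this example: the first stanza whose SOURCE matches wins.
    """
    for stanza in stanzas:
        if not source_matches(stanza["SOURCE"], src_ip):
            continue
        if stanza.get("PERMIT_CLIENT_PORTS", "N").upper() == "Y":
            ports = set(requested)                      # client dictates the ports
        else:
            ports = parse_ports(stanza.get("OPEN_PORTS", ""))
            if not set(requested) <= ports:             # anything beyond OPEN_PORTS is refused
                return _deny("requested ports outside OPEN_PORTS")
        run_command = False
        if command is not None:
            if stanza.get("ENABLE_CMD_EXEC", "N").upper() != "Y":
                return _deny("ENABLE_CMD_EXEC is not Y")
            regex = stanza.get("CMD_REGEX")
            if regex and not re.search(regex, command):
                return _deny("command does not match CMD_REGEX")
            run_command = True
        return {"granted": True, "reason": "matched SOURCE %s" % stanza["SOURCE"],
                "ports": ports, "run_command": run_command}
    return _deny("no SOURCE definition matches")


if __name__ == "__main__":
    stanzas = parse_access_conf(SAMPLE_ACCESS_CONF)
    print(authorize(stanzas, "10.0.0.7", {("tcp", 22)}))
    print(authorize(stanzas, "10.0.0.7", {("tcp", 22), ("tcp", 80)}))
    print(authorize(stanzas, "203.0.113.5", {("tcp", 80)},
                    "/sbin/iptables -A INPUT -s 203.0.113.9 -j DROP"))
    print(authorize(stanzas, "203.0.113.5", {("tcp", 80)}, "/bin/sh -c id"))
```

Running it shows the two failure modes worth remembering: a host in 10.0.0.0/24 asking for tcp/80 is refused outright rather than silently given tcp/22, because its stanza has no PERMIT_CLIENT_PORTS, and a command that does not match CMD_REGEX is refused even though ENABLE_CMD_EXEC is Y for that SOURCE. A stanza without ENABLE_CMD_EXEC never executes anything regardless of CMD_REGEX.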
CMD_REGEX
The CMD_REGEX variable allows you to provide a regular expression that must match a command supplied by an fwknop client before the fwknop server will execute it. It only makes sense to use this variable in the context of setting ENABLE_CMD_EXEC to Y. For