From 74ddbf63b2177f77bb3e68491cb2ce6b77836aed Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Fri, 27 May 2016 23:15:39 -0700 Subject: [PATCH] minor documentation updates --- client/config_init.c | 2 ++ doc/fwknopd.man.asciidoc | 17 ++++++++++++++++- server/fwknopd.conf | 12 ++++++------ 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/client/config_init.c b/client/config_init.c index e4748810..78998664 100644 --- a/client/config_init.c +++ b/client/config_init.c @@ -2619,6 +2619,8 @@ usage(void) " --gpg-encryption Use GPG encryption (default is Rijndael).\n" " --gpg-recipient-key Specify the recipient GPG key name or ID.\n" " --gpg-signer-key Specify the signer's GPG key name or ID.\n" + " --gpg-no-signing-pw Allow no signing password if none associated\n" + " with GPG key.\n" " --gpg-home-dir Specify the GPG home directory.\n" " --gpg-agent Use GPG agent if available.\n" " --gpg-exe Set path to GPG binary.\n" diff --git a/doc/fwknopd.man.asciidoc b/doc/fwknopd.man.asciidoc index 6a165a0b..466efbcc 100644 --- a/doc/fwknopd.man.asciidoc +++ b/doc/fwknopd.man.asciidoc @@ -81,7 +81,8 @@ COMMAND-LINE OPTIONS *-D, --dump-config*:: Dump the configuration values that *fwknopd* derives from the - '@sysconfdir@/fwknop/fwknopd.conf' (or override files) and '@sysconfdir@/fwknop/access.conf' on stderr. + '@sysconfdir@/fwknop/fwknopd.conf' (or override files) and + '@sysconfdir@/fwknop/access.conf' on stderr. *--dump-serv-err-codes*:: Dump all possible *fwknopd* error codes to stdout and exit. This option is 
@@ -358,6 +359,15 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details. ``EXIT_AT_INTF_DOWN'' variable. If disabled, fwknopd will try to recover when a downed interface comes back up. +*ENABLE_RULE_PREPEND* '':: + For systems running iptables or firewalld, have *fwknopd* insert new SPA + rules at the beginning of the relevant chain (such as ``FWKNOP_INPUT'') instead + of appending them to the end of the chain. This causes newly created rules to + have precedence over older ones. + +*ENABLE_NAT_DNS* '':: + Allow fwknopd to resolve hostnames in NAT access messages. + *GPG_HOME_DIR* '':: If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory. Note that each access stanza in @@ -380,6 +390,11 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details. over TCP/80 connections and a web server should be running on the same server as *fwknopd*. +*ENABLE_X_FORWARDED_FOR* '':: + Allows *fwknopd* to use the X-Forwarded-for header from a captured SPA + packet over HTTP as the source IP. This can happen when using SPA through + an HTTP proxy. + *ENABLE_TCP_SERVER* '':: Enable the fwknopd TCP server. This is a "dummy" TCP server that will accept TCP connection requests on the specified TCPSERV_PORT. diff --git a/server/fwknopd.conf b/server/fwknopd.conf index cecb03fb..647ecf05 100644 --- a/server/fwknopd.conf +++ b/server/fwknopd.conf 
@@ -140,21 +140,21 @@ # Allow fwknopd to acquire SPA data from HTTP requests (generated with the # fwknop client in --HTTP mode). Note that the PCAP_FILTER variable would # need to be updated when this is enabled to sniff traffic over TCP/80 -# connections +# connections. # #ENABLE_SPA_OVER_HTTP N; -# Allow fwknopd to resolve hostnames in NAT access messages +# Allow fwknopd to resolve hostnames in NAT access messages. #ENABLE_NAT_DNS Y; -# Allows using the X-Forwarded-for header from a captured packet as the -# Source IP. +# Allows the use of the X-Forwarded-for header from a captured packet as the +# Source IP. This can happen when using SPA through an HTTP proxy. # #ENABLE_X_FORWARDED_FOR N; # Instead of appending new firewall rules to the bottom of the chain, this -# option inserts rules at the top of the chain. This causes later rules -# to have precedence over earlier rules. +# option inserts rules at the top of the chain. This causes newly created +# rules to have precedence over older ones. # #ENABLE_RULE_PREPEND N;
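Review bot: The new usage line in client/config_init.c, `" --gpg-no-signing-pw Allow no signing password if none associated\n"` / `" with GPG key.\n"`, reads awkwardly and leaves the option documented only in --help: the diffstat lists no client man page among the three touched files. Suggest rewording to something like "Allow an empty signing passphrase when the GPG signer key has none" and adding the matching entry to the client man page in the same commit so the two option lists stay in sync.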
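Review bot: The *ENABLE_RULE_PREPEND* entry added in the @@ -358 hunk of doc/fwknopd.man.asciidoc scopes the option to "systems running iptables or firewalld", but the corresponding comment in server/fwknopd.conf (same patch, @@ -140 hunk) carries no such restriction. Either add the firewall scope to the fwknopd.conf comment or drop it from the man page so the two descriptions of the same variable agree.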
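Review bot: The *ENABLE_X_FORWARDED_FOR* entry added in the @@ -380 hunk of doc/fwknopd.man.asciidoc omits the caveat a reader needs before enabling it: the X-Forwarded-For header is written by whoever sends the HTTP request, so once fwknopd takes it as the source IP the address that ends up in the access rule is chosen by the sender unless SPA traffic can only reach fwknopd through a trusted proxy that overwrites the header. Suggest adding a sentence to that effect next to "This can happen when using SPA through an HTTP proxy.", and spelling the header with its conventional casing, X-Forwarded-For.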
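Review bot: Two style points in the server/fwknopd.conf hunk: the rewritten comment `# Allows the use of the X-Forwarded-for header from a captured packet as the` / `# Source IP. This can happen when using SPA through an HTTP proxy.` keeps "Source IP" capitalised mid-sentence and the lowercase "for" in the header name; "source IP" and "X-Forwarded-For" would match the rest of the file's comments and the header's conventional spelling. Since the rest of this hunk is already polishing these comments, it is the natural place to fix both.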