Added check for libpcap. More stubbing in on the server code side.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@137 510a4753-2344-4c79-9c09-4d669213fbeb
Damien Stuart 2009-09-04 21:14:44 +00:00
parent f0fa45cec2
commit 791eb4055b
9 changed files with 617 additions and 34 deletions


@ -389,10 +389,13 @@ The following examples illustrate the command line arguments that could be suppl
.sp
Packet contents printed to stdout at the fwknop client when creating an \(lqaccess mode\(rq SPA packet:
.sp
.if n \{\
.RS 4
.\}
.\" .if n \{\
.\" .RS 4
.\" .\}
.\" .nf
.ft CW
.nf
.ne 1
Random data: 6565240948266426
Username: mbr
Timestamp: 1203863233
@ -400,10 +403,12 @@ Packet contents printed to stdout at the fwknop client when creating an \(lqacce
Type: 1 (access mode)
Access: 127\&.0\&.0\&.2,tcp/22
SHA256 sum: gngquSL8AuM7r27XsR4qPmJhuBo9pG2PYwII06AaJHw
.ft R
.fi
.if n \{\
.RE
.\}
.\" .fi
.\" .if n \{\
.\" .RE
.\" .\}
.sp
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10\&.0\&.0\&.123 from the IP 192\&.168\&.10\&.4:
.sp


@ -65,8 +65,8 @@ typedef struct fko_cli_options
char config_file[MAX_PATH_LEN];
char access_str[MAX_PATH_LEN];
char server_command[MAX_LINE_LEN];
char get_key_file[MAX_LINE_LEN];
char save_packet_file[MAX_LINE_LEN];
char get_key_file[MAX_PATH_LEN];
char save_packet_file[MAX_PATH_LEN];
int save_packet_file_append;
int show_last_command;
int no_save_args;
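Review bot: Growing `get_key_file` and `save_packet_file` from MAX_LINE_LEN to MAX_PATH_LEN only helps if every writer of these two fields uses the same bound; any `strlcpy(..., MAX_LINE_LEN)` or `snprintf(..., MAX_LINE_LEN, ...)` that fills them is now either truncating early or, if MAX_LINE_LEN is the larger constant, overrunning the field. Those writers are outside this diff, so please confirm they were updated, or switch them to `sizeof(options->get_key_file)` so the bound follows the declaration. The enclosing `fko_cli_options` struct starts and ends outside the hunk.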


@ -189,6 +189,16 @@ AC_ARG_ENABLE([server],
[])
AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes])
dnl Check for libpcap if we are building the server component
dnl
have_pcap=yes
AS_IF([test "$want_server" = yes],
AC_CHECK_LIB([pcap],[pcap_open_live],
AC_DEFINE([HAVE_LIBPCAP], [1], [Define if you have libpcap]), [have_pcap=no]
)
)
AM_CONDITIONAL([HAVE_LIBPCAP],[test "$have_pcap" = yes])
AC_CONFIG_FILES([Makefile
lib/Makefile
client/Makefile
@ -203,5 +213,6 @@ echo "
============================================
Client build: $want_client
Server build: $want_server
- with libpcap: $have_pcap
GPG encryption support: $have_gpgme
"


@ -4,4 +4,9 @@ fwknopd_SOURCES = fwknopd.c fwknopd.h config_init.c config_init.h \
fwknopd_common.h utils.c utils.h
fwknopd_LDADD = $(top_builddir)/lib/libfko.la
if HAVE_LIBPCAP
fwknopd_LDADD += -lpcap
endif
fwknopd_CPPFLAGS = -I $(top_srcdir)/lib -I $(top_srcdir)/common


@ -164,21 +164,73 @@ config_init(fko_srv_options_t *options, int argc, char **argv)
*/
while ((cmd_arg = getopt_long(argc, argv,
"hvV", cmd_opts, &index)) != -1) {
"c:Dhi:KO:RSvV", cmd_opts, &index)) != -1) {
switch(cmd_arg) {
case 'c':
strlcpy(options->config_file, optarg, MAX_PATH_LEN);
break;
case 'D':
fprintf(stderr, "*NOT IMPLEMENTED YET*\n");
// TODO: Add this...
//dump_config();
exit(EXIT_SUCCESS);
break;
case FIREWALL_LIST:
fprintf(stderr, "*NOT IMPLEMENTED YET*\n");
// TODO: Add this...
//list_firewall_rules();
exit(EXIT_SUCCESS);
break;
case FIREWALL_FLUSH:
fprintf(stderr, "*NOT IMPLEMENTED YET*\n");
// TODO: Add this...
//flush_firewall_rules();
exit(EXIT_SUCCESS);
break;
case FIREWALL_LOG:
strlcpy(options->firewall_log, optarg, MAX_PATH_LEN);
break;
case GPG_HOME_DIR:
strlcpy(options->gpg_home_dir, optarg, MAX_PATH_LEN);
break;
case GPG_KEY:
strlcpy(options->gpg_key, optarg, MAX_GPG_KEY_ID);
break;
case 'h':
usage();
exit(EXIT_SUCCESS);
break;
case 'i':
strlcpy(options->net_interface, optarg, MAX_PATH_LEN);
break;
case 'K':
fprintf(stderr, "*NOT IMPLEMENTED YET*\n");
// TODO: Add this...
//kill_fwknopd();
exit(EXIT_SUCCESS);
break;
case 'O':
strlcpy(options->override_config, optarg, MAX_PATH_LEN);
break;
case 'R':
fprintf(stderr, "*NOT IMPLEMENTED YET*\n");
// TODO: Add this...
//restart_fwknopd();
exit(EXIT_SUCCESS);
break;
case 'S':
fprintf(stderr, "*NOT IMPLEMENTED YET*\n");
// TODO: Add this...
//fwkop_status();
exit(EXIT_SUCCESS);
break;
case 'v':
options->verbose = 1;
break;
case 'V':
options->version = 1;
break;
case GPG_HOME_DIR:
strlcpy(options->gpg_home_dir, optarg, MAX_PATH_LEN);
fprintf(stdout, "fwknopd server %s\n", MY_VERSION);
exit(EXIT_SUCCESS);
break;
default:
usage();
@ -189,7 +241,6 @@ config_init(fko_srv_options_t *options, int argc, char **argv)
/* Parse configuration file to populate any params not already specified
* via command-line options
*/
//--DSS XXX: We will use this when we have a config file to use.
//parse_config_file(options, &ot);
/* Now that we have all of our options set, we can validate them.
@ -209,9 +260,21 @@ usage(void)
"Usage: fwknopd [options]\n\n"
" -h, --help - Print this usage message and exit.\n"
" -c, --config-file - Specify an alternate configuration file.\n"
" -D, --dump-config - Dump the current fwknop configuration values.\n"
" --fw-list - List all active rules in the FWKNOP Netfilter chain.\n"
" --fw-flush - Flush all rules in the FWKNOP Netfilter chain.\n"
" --fw-log - Specify the path to the Netfilter log file that is\n"
" parsed when running in 'os-mode'.\n"
" -i, --interface - Specify interface to listen for incoming SPA\n"
" packets.\n"
" -K, --kill - Kill the currently running fwknopd.\n"
" --gpg-home-dir - Specify the GPG home directory.\n"
" --gpg-key - Specify the GPG key ID used for decryption.\n"
" -O, --override-config - \n"
" -R, --restart - Force the currently running fwknopd to restart.\n"
" -S, --status - Display the status of any running fwknopd process.\n"
" -v, --verbose - Set verbose mode.\n"
" -V, --version - Print version number.\n"
" --gpg-home-dir - Specify the GPG home directory.\n"
"\n"
);
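Review bot: The `case 'i'` copy `strlcpy(options->net_interface, optarg, MAX_PATH_LEN);` uses the wrong bound: the same commit declares `net_interface` as `char net_interface[MAX_IFNAME_LEN]` with `MAX_IFNAME_LEN` defined as 128 in fwknopd_common.h, so if MAX_PATH_LEN is larger than 128 a long `-i` argument is written past the end of the field. Change it to `strlcpy(options->net_interface, optarg, MAX_IFNAME_LEN);` (or `sizeof(options->net_interface)`), and give the `gpg_key` copy the same treatment if MAX_GPG_KEY_ID does not match the field's declared size. The usage text for `-O, --override-config` has an empty description; `" -O, --override-config - Specify one or more override config files.\n"` would match the field comment in fwknopd_common.h. The not-implemented stubs exit with `EXIT_SUCCESS`, which a wrapper script cannot distinguish from a completed action; `EXIT_FAILURE` (or at least a distinct code) seems more honest for a no-op. `config_init` starts and ends outside these hunks.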


@ -29,10 +29,14 @@
#include <getopt.h>
#include <sys/stat.h>
/* Long options values (for those without a short option).
/* Long options values (for those that may not have a short option).
*/
enum {
GPG_HOME_DIR = 0x200,
GPG_KEY,
FIREWALL_LIST,
FIREWALL_FLUSH,
FIREWALL_LOG,
NOOP /* Just to be a marker for the end */
};
@ -40,8 +44,19 @@ enum {
*/
static struct option cmd_opts[] =
{
{"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
{"config-file", 1, NULL, 'c'},
{"dump-config", 0, NULL, 'D'},
{"fw-list", 0, NULL, FIREWALL_LIST },
{"fw-flush", 0, NULL, FIREWALL_FLUSH },
{"fw-log", 1, NULL, FIREWALL_LOG },
{"help", 0, NULL, 'h'},
{"interface", 1, NULL, 'i'},
{"kill", 0, NULL, 'K'},
{"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
{"gpg-key", 1, NULL, GPG_KEY },
{"override-config", 1, NULL, 'O' },
{"restart", 0, NULL, 'R'},
{"status", 0, NULL, 'S'},
{"verbose", 0, NULL, 'v'},
{"version", 0, NULL, 'V'},
{0, 0, 0, 0}
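Review bot: The `has_arg` column of `cmd_opts` is written as bare `0`/`1`; since `<getopt.h>` is already included, the named constants read more clearly and make a mismatch with the short-option string obvious at a glance, e.g. `{"config-file", required_argument, NULL, 'c'},` and `{"fw-list", no_argument, NULL, FIREWALL_LIST },`. The `NOOP` sentinel comment could also state that it is not a valid option value, since nothing in the switch handles it. The array's closing line is outside the hunk.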


@ -46,15 +46,16 @@ main(int argc, char **argv)
*/
config_init(&options, argc, argv);
/* Display version info and exit.
/* TODO: add fwknop server code below :)
*/
if (options.version) {
fko_get_version(ctx, &version);
printf("\nThis is fwknopd. It would do something if it was coded"
" to do something:\n\n");
fprintf(stdout, "[+] fwknopd server %s\n", MY_VERSION);
return(0);
}
#if HAVE_LIBPCAP
printf(" - fwknopd would be using libpcap version %s\n\n", pcap_lib_version());
#else
printf(" - fwknopd is not using libpcap\n\n");
#endif
return(0);
}
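Review bot: In the `options.version` branch the result of `fko_get_version(ctx, &version)` is neither checked nor printed — the line that follows prints `MY_VERSION`, so `version` is populated and then discarded, and `ctx` is declared and (presumably) initialised outside the hunk. Either drop the call or use its result, e.g. `fprintf(stdout, "[+] fwknopd server %s (libfko %s)\n", MY_VERSION, version);` after checking its return code. If the `-V` case in `config_init` now prints the version and exits on its own, this branch appears unreachable and the two messages will drift apart; keep one place that reports the version. `main` starts outside the hunk.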

463
server/fwknopd.conf Normal file

@ -0,0 +1,463 @@
# $Id$
##############################################################################
#
# [+] fwknopd - Firewall Knock Operator Daemon [+]
#
# This is the configuration file for fwknopd, the Firewall Knock Operator
# daemon. The primary authentication and authorization mechanism offered
# by fwknop is known as Single Packet Authorization (SPA). More information
# about SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
#
# Note there are no access control directives in this file. All access
# control directives are located in the file "/etc/fwknop/access.conf".
# You will need to edit the access.conf file in order for fwknop to function
# correctly.
#
##############################################################################
#
# Supports multiple email addresses (as a comma separated list).
#
EMAIL_ADDRESSES root@localhost;
# Machine hostname.
#
HOSTNAME _CHANGEME_;
# Define the firewall type. The default is "iptables" for Linux systems,
# but this can be set to "ipfw" for *BSD systems. Also supported is
# "external_cmd" to allow fwknop to invoke an external command instead of
# interfacing with the firewall at all.
#
FIREWALL_TYPE iptables;
# This defines the general strategy fwknop uses to authenticate remote
# clients. Possible values are "PCAP" (authenticate via regular pcap; this
# is the default and puts the interface in promiscuous mode unless
# ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
# that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
# writer).
#
AUTH_MODE PCAP;
# Define the ethernet interface on which we will sniff packets. Note
# that this is only used if the AUTH_MODE keyword above is set to
# "PCAP".
#
PCAP_INTF eth0;
# Define whether put the pcap interface in promiscuous mode.
#
ENABLE_PCAP_PROMISC Y;
# Define the filter used for PCAP modes; we default to udp port 62201.
# However, if an fwknop client uses the --rand-port option to send the
# SPA packet over a random port, then this variable should be updated to
# something like "udp dst portrange 10000-65535;".
#
PCAP_FILTER udp port 62201;
# This instructs fwknopd to not honor SPA packets that have an old time
# stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
# If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
# time stamp at all.
#
ENABLE_SPA_PACKET_AGING Y;
# Defines the maximum age (in seconds) that an SPA packet will be accepted.
# This requires that the client system is in relatively close time
# synchronization with the fwknopd server system (NTP is good). The default
# age is two minutes.
#
MAX_SPA_PACKET_AGE 120;
# Track digest sums associated with previous fwknop process. This allows
# digest sums to remain persistent across executions of fwknop.
#
ENABLE_DIGEST_PERSISTENCE Y;
# Default to using all of SHA1/256/384/512, and MD5 for SPA replay attack
# detection. This is overkill, but performance is not usually a concern.
# Further, the variable can also be set to "SHA1" or "MD5".
#
DIGEST_TYPE ALL;
# This variable controls whether fwknopd includes the source IP of each SPA
# packet in the DIGEST store. If a replayed SPA message is detected, then
# having this information can provide information about which networks have
# people sniffing your SPA packets.
#
ENABLE_DIGEST_INCLUDE_SRC Y;
# Allow SPA clients to request access to services through an iptables
# firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
# chain instead of the INPUT chain). This also requires the
# ENABLE_FORWARD_ACCESS variable to be set in the access.conf file for the
# specific SOURCE stanzas that should be allowed for forwarding access.
#
ENABLE_IPT_FORWARDING N;
# Allow SPA clients to request access to a local socket via NAT. This still
# puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is
# translated via DNAT rules to the real one. So, the user would do
# "ssh -p <port>" to access the local service (see the --NAT-local and
# --NAT-rand-port on the fwknop client command line).
#
ENABLE_IPT_LOCAL_NAT Y;
# By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING
# variable above), then fwknop creates DNAT rules for incoming connections,
# but does not also complement these rules with SNAT rules at the same time.
# In some situations, internal systems may not have a route back out for the
# source address of the incoming connection, so it is necessary to also
# apply SNAT rules so that the internal systems see the IP of the internal
# interface where fwknopd is running. This functionality is only enabled
# when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built
# with the MASQUERADE target (since then the internal IP does not have to be
# defined here in the fwknop.conf file), but if you want fwknopd to use the
# SNAT target then also defined an IP address with the SNAT_TRANSLATE_IP
# variable.
#
ENABLE_IPT_SNAT N;
SNAT_TRANSLATE_IP _CHANGEME_;
# If ENABLE_IPT_FORWARDING is enabled, but the /proc/sys/net/ipv4/ip_forward
# disables forwarding, then by default enable forwarding
#
ENABLE_PROC_IP_FORWARD Y;
# Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
# if there are no state tracking rules to allow connection responses out and
# the OUTPUT chain has a default-drop stance.
#
ENABLE_IPT_OUTPUT N;
# Force all SPA packets to contain a real IP address within the encrypted
# data. This makes it impossible to use the -s command line argument on
# the fwknop client command line, so either -R has to be used to
# automatically resolve the external address (if the client behind a NAT) or
# the client must know the external IP.
#
REQUIRE_SOURCE_ADDRESS N;
# Config variable to force fwknopd to always treat the sniffing interface as
# the "cooked" interface type on Linux.
#
ENABLE_COOKED_INTF N;
# This pair of variables controls whether fwknopd voluntarily exits and over
# what time interval. When fwknopd exits, knopwatchd will restart it.
# Because fwknop controls the accessibility of services, this feature can be
# used to make sure that the fwknop rules are flushed (see the
# FLUSH_IPT_AT_INIT variable), and the effects of any potential logic (or
# other) bugs are minimized since fwknopd will start "fresh" when knopwatchd
# kicks it off. NOTE: This feature is almost never required since fwknopd is
# generally quite stable, and is mostly offered for the the extra paranoid.
#
ENABLE_VOLUNTARY_EXITS N;
EXIT_INTERVAL 1440; ### minutes (1 day)
# Specify the the maximum number of bytes to sniff per frame - 1500
# is a good default
#
MAX_SNIFF_BYTES 1500;
# Flush all existing rules in the fwknop chains at fwknop start time.
#
FLUSH_IPT_AT_INIT Y;
# If running on ipfw firewalls, this variable defines the rule number that
# fwknopd uses to insert an ipfw pass rule.
#
IPFW_RULE_NUM 1;
# If running on ipfw firewalls, this variable defines the rule set that will
# be used to store expired rules that still have a dynamic rule associated
# to them. That set will be disabled by fwknop and should not be enabled
# while fwknop is running. Not used when ipfw isn't using dynamic rules.
#
IPFW_SET_NUM 1;
# For ipfw firewalls set the interval (in seconds) over which rules that
# have no remaining dynamic rules associated with them will be removed.
#
IPFW_DYNAMIC_INTERVAL 60; ### seconds
# Define the timeout for running a command
#
PCAP_CMD_TIMEOUT 10;
# If GPG keys are used instead of a Rijndael symmetric key, this is
# the default GPG keys directory. Note that each access block in
# /etc/fwknop/access.conf can specify its own GPG directory to override
# this default.
#
GPG_DEFAULT_HOME_DIR /root/.gnupg;
# This gets used if AUTH_MODE is set to "FILE_PCAP". This file must
# be created by a sniffer process (or something like the ulogd pcap
# writer).
#
PCAP_PKT_FILE /var/log/sniff.pcap;
# Define a comma-separated set of IP addresses and/or networks that should
# be globally blacklisted. That is, any SPA packet that is from a source
# IP (or has an internal --allow-ip) within a blacklisted network will be
# ignored.
#
BLACKLIST NONE;
# Defines interval fwknop will use to check for more iptables
# messages (this is only used in the legacy port knocking mode).
#
SLEEP_INTERVAL 2; ### seconds
# TTL values are decremented depending on the number of hops the packet
# has taken before it hits the firewall. We will assume packets will not
# jump through more than 20 hops on average.
#
MAX_HOPS 20;
# Allow fwknopd to acquire SPA data from HTTP requests (generated with the
# fwknop client in --HTTP mode). Note that the PCAP_FILTER variable would
# need to be updated when this is enabled to sniff traffic over TCP/80
# connections
#
ENABLE_SPA_OVER_HTTP N;
# Note that fwknopd still only gets its data via pcap, so the filter
# defined by PCAP_FILTER needs to be updated to include this TCP port.
#
ENABLE_TCP_SERVER N;
# Set the default port number that the fwknop_serv "dummy" TCP server
# listens on. This server is only spawned when ENABLE_TCP_SERVER is set
# to "Y".
#
TCPSERV_PORT 62201;
# Set the locale (via the LC_ALL variable). This can be set to NONE to
# have fwknopd honor the default system locale.
#
LOCALE C;
# Set the type of syslog daemon that is used. The SYSLOG_DAEMON variable
# accepts three possible values: syslogd, syslog-ng, or metalog.
#
SYSLOG_DAEMON syslogd;
# syslog facility and priority (the defaults are usually ok)
# The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
# SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
# LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
#
SYSLOG_IDENTITY fwknopd;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
# syslog config for knoptm
#
KNOPTM_SYSLOG_IDENTITY fwknop(knoptm);
KNOPTM_SYSLOG_FACILITY LOG_LOCAL7;
KNOPTM_SYSLOG_PRIORITY LOG_INFO;
# Allow reporting methods to be enabled/restricted. This keyword can
# accept values of "nosyslog" (don't write any messages to syslog),
# "noemail" (don't send any email messages), or "ALL" (to generate both
# syslog and email messages). "ALL" is the default. Both "nosyslog"
# and "noemail" can be combined with a comma to disable all logging
# and alerting.
#
ALERTING_METHODS ALL;
# (Legacy port knocking mode)
# The following variable can be modified to look for logging messages
# that are specific to your firewall configuration (specified by the
# "--log-prefix" for iptables firewalls). For example, if your firewall
# uses the string "Audit" for packets that have been blocked, then you
# could set FW_MSG_SEARCH = "Audit";
#
FW_MSG_SEARCH DROP;
# (Legacy port knocking mode)
# This variable controls whether fwknopd parses the /var/log/messages
# file for port knock sequences, or if it assumes that the local syslog
# daemon has been configured to write iptables log messages to the
# fwknopfifo named pipe
#
ENABLE_SYSLOG_FILE Y;
IPT_SYSLOG_FILE /var/log/messages;
# This variable defines the number of seconds that the IPTables::ChainMgr
# module should wait for running iptables commands. Normally iptables
# runs extremely fast from the command line (at least for the commands
# that fwknopd executes), so the default of 30 seconds is plenty.
#
IPT_CMD_ALARM 30;
# Set the strategy that the IPTables::ChainMgr module will use for executing
# iptables commands. The default of "waitpid" means that IPTables::ChainMgr
# will use fork(), exec(), and waitpid(), whereas "system" means that
# "system()" will used, and finally "popen" means that iptables will be
# executed via popen().
#
IPT_EXEC_STYLE waitpid;
# Define the number of seconds that the IPTables::ChainMgr policy uses to
# sleep between successive iptables commands. Zero is the default.
#
IPT_EXEC_SLEEP 0;
# Define the number of times that fwknopd or knoptm will run certain
# critical iptables commands (such as adding a new access rule) if any
# problems are encountered.
#
IPT_EXEC_TRIES 1;
# The following four variables control whether a global set of "open" and
# "close" commands are executed after receving a valid SPA packet. These
# variables are used only if FIREWALL_TYPE is set to "external_cmd", but
# the same variables can also exist within the access.conf file so that
# mixed deployments are possible - that is, some SPA packets will operate
# as usual and result in firewall commands being executed, but others will
# result in the commands defined by these variables (in access.conf) being
# executed.
# The "open" and "close" commands might be manually supplied firewall
# commands, and both support variable substitution of any of the variables
# in the access.conf file with "$VAR". Also, three special variables are
# supported: $SRC, $PORT, and $PROTO, which are derived from actual values
# from within valid SPA packets (as opposed to $SOURCE from access.conf
# which may contain a list of networks instead of a single IP address).
# Here are some examples:
# - Execute a specific iptables command on behalf of the source IP
# in a valid SPA packet to add a new ACCEPT rule, and execute
# another command (to delete the same rule after a timeout):
# EXTERNAL_CMD_OPEN iptables -A INPUT -s $SRC -j ACCEPT
# EXTERNAL_CMD_CLOSE iptables -D INPUT -s $SRC -j ACCEPT
# - Execute a custom binary with the SOURCE and OPEN_PORTS variables
# from the access.conf file as input on the command line, and after
# a timeout execute a different program but use the real SPA source
# IP:
# EXTERNAL_CMD_OPEN /path/someprog $SOURCE $OPEN_PORTS
# EXTERNAL_CMD_OPEN /path/otherprog $SRC
#
ENABLE_EXTERNAL_CMDS N;
EXTERNAL_CMD_OPEN __NONE__;
EXTERNAL_CMD_CLOSE __NONE__;
EXTERNAL_CMD_ALARM 30;
# if EXTERNAL_CMD_OPEN is used above, then the following two variables can
# be used to enforce a prefix on variable substitutions - useful if there
# are any naming conflicts with the external script and command line
# arguments that are named the same as the variables to be substituted.
#
ENABLE_EXT_CMD_PREFIX N;
EXT_CMD_PREFIX FWKNOP_;
# For knopwatchd
#
KNOPWATCHD_CHECK_INTERVAL 5; ### seconds
KNOPWATCHD_MAX_RETRIES 10;
# Default minimum for any SPA packet (including both the data link,
# network, and transport layer headers)
#
MIN_SPA_PKT_LEN 150;
# Default minimum message size SPA messages encrypted with GnuPG. The
# fwknopd daemon will not attempt to decrypt any packet with gpg that is not
# at least as large as this value.
#
MIN_GNUPG_MSG_SIZE 400;
# fwknop uses the IPTables::ChainMgr module to add allow rules to a
# custom iptables chain "FWKNOP_INPUT". This chain is called from
# the INPUT chain, and by default no other iptables chains are used.
# However, additional chains can be added (say, if access needs to
# be allowed through the local system via the FORWARD chain) by
# altering the IPT_FORWARD_ACCESS variable below. For a discussion of
# the format followed by these keywords, read on:
# Specify chain names to which iptables blocking rules will be
# added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
# The format for these variables is:
# <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
# <To_chain>,<Rule_position>.
# "Target": Can be any legitimate iptables target, but should usually
# just be "DROP".
# "Direction": Can be "src", "dst", or "both", which correspond to the
# INPUT, OUTPUT, and FORWARD chains.
# "Table": Can be any iptables table, but the default is "filter".
# "From_chain": Is the chain from which packets will be jumped.
# "Jump_rule_position": Defines the position within the From_chain where
# the jump rule is added.
# "To_chain": Is the chain to which packets will be jumped. This is the
# main chain where fwknop rules are added.
# "Rule_position": Defines the position where rule are added within the
# To_chain.
#
IPT_INPUT_ACCESS ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
# The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
#
IPT_OUTPUT_ACCESS ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
# The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is
# enabled.
#
IPT_FORWARD_ACCESS ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
IPT_DNAT_ACCESS DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
# The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
# ENABLE_IPT_FORWARDING are enabled. Also, the external static IP must be
# set with the SNAT_TRANSLATE_IP variable. The default is to use the
# IPT_MASQUERADE_ACCESS variable.
#
IPT_SNAT_ACCESS SNAT, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
IPT_MASQUERADE_ACCESS MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
# Directories
#
FWKNOP_DIR /var/log/fwknop;
FWKNOP_RUN_DIR /var/run/fwknop;
FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode
FWKNOP_MOD_DIR /usr/lib/fwknop;
FWKNOP_CONF_DIR /etc/fwknop;
FWKNOP_ERR_DIR $FWKNOP_DIR/errs;
# Files
#
FW_DATA_FILE $FWKNOP_DIR/fwdata; # legacy port knocking mode
ACCESS_CONF $FWKNOP_CONF_DIR/access.conf;
P0F_FILE $FWKNOP_CONF_DIR/pf.os; ### p0f-based fingerprints
DIGEST_FILE $FWKNOP_DIR/digest.cache;
FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd;
TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid;
KNOPWATCHD_PID_FILE $FWKNOP_RUN_DIR/knopwatchd.pid;
KNOPMD_PID_FILE $FWKNOP_RUN_DIR/knopmd.pid;
KNOPTM_PID_FILE $FWKNOP_RUN_DIR/knoptm.pid;
KNOPTM_IP_TIMEOUT_SOCK $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
KNOPMD_FIFO $FWKNOP_LIB_DIR/fwknopfifo;
PROC_IP_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
# iptables command output and error collection files; these are
# used by IPTables::ChainMgr
#
IPT_OUTPUT_FILE $FWKNOP_DIR/fwknopd.iptout;
IPT_ERROR_FILE $FWKNOP_DIR/fwknopd.ipterr;
KNOPTM_IPT_OUTPUT_FILE $FWKNOP_DIR/knoptm.iptout;
KNOPTM_IPT_ERROR_FILE $FWKNOP_DIR/knoptm.ipterr;
# system binaries
#
gpgCmd /usr/bin/gpg;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
shCmd /bin/sh;
mknodCmd /bin/mknod;
iptablesCmd /sbin/iptables;
ipfwCmd /sbin/ipfw; ### BSD and Mac OS X only
fwknopdCmd /usr/sbin/fwknopd;
fwknop_servCmd /usr/sbin/fwknop_serv;
knopmdCmd /usr/sbin/knopmd;
knoptmCmd /usr/sbin/knoptm;
knopwatchdCmd /usr/sbin/knopwatchd;
###EOF###
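Review bot: The EXTERNAL_CMD_OPEN / EXTERNAL_CMD_CLOSE commentary explains that $SRC, $PORT and $PROTO are taken from the contents of a valid SPA packet and substituted into a command that is then run (with `shCmd /bin/sh` listed under system binaries), but it does not say what form those values are guaranteed to have when substituted. Add a sentence such as `# $SRC, $PORT and $PROTO are substituted only after fwknopd has checked that they are a plain IP address, port number and protocol name; do not pass them through a shell unquoted.` so an administrator writing a command knows what to rely on. A few wording fixes while this file is new: "Define whether put the pcap interface" → "Define whether to put the pcap interface", "the the extra paranoid" / "the the maximum number" → "the extra paranoid" / "the maximum number", "receving" → "receiving", and "also defined an IP address" → "also define an IP address".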


@ -28,6 +28,10 @@
#include "common.h"
#if HAVE_LIBPCAP
#include <pcap.h>
#endif
/* My Name and Version
*/
#define MY_NAME "fwknopd"
@ -37,24 +41,40 @@
*/
#define MY_VERSION VERSION
/* Default config path, can override with -c
/* Some program defaults.
*/
#define DEF_CONFIG_FILE MY_NAME".conf"
#ifndef DEF_CONF_DIR
#define DEF_CONF_DIR "/etc/fwknop"
#endif
#define DEF_CONFIG_FILE DEF_CONF_DIR"/"MY_NAME".conf"
#define DEF_INTERFACE "eth0"
/* fwknopd-specific limits
*/
#define MAX_PCAP_FILTER_LEN 1024
#define MAX_IFNAME_LEN 128
/* fwknopd server configuration parameters and values
*/
typedef struct fko_srv_options
{
char config_file[MAX_PATH_LEN];
char gpg_home_dir[MAX_PATH_LEN];
/* Various command-line options and flags
*/
char config_file[MAX_PATH_LEN]; /* The main fwknopd config file */
char firewall_log[MAX_PATH_LEN]; /* The firewall log file */
char gpg_home_dir[MAX_PATH_LEN]; /* GPG Home directory */
char gpg_key[MAX_GPG_KEY_ID]; /* The gpg key id for decrypting */
char net_interface[MAX_IFNAME_LEN]; /* Network interface to sniff */
char override_config[MAX_PATH_LEN]; /* One of more overried config files */
/* Various command-line flags */
unsigned char verbose; /* --verbose mode */
unsigned char version; /* --version */
unsigned char test;
int fw_timeout;
unsigned char dump_config; /* Dump current configuration flag */
unsigned char restart; /* Restart fwknopd flag*/
unsigned char verbose; /* Verbose mode flag */
unsigned char test; /* Test mode flag */
/* Options from the config file only.
*/
//char config_file[MAX_PATH_LEN];
} fko_srv_options_t;
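Review bot: The field comment `/* One of more overried config files */` on `override_config` should read `/* One or more override config files */`. The new `dump_config` and `restart` flags are declared but, within this commit, the `-D` and `-R` cases in config_init.c print a not-implemented message and exit without setting them; if nothing else in the file sets them, a comment such as `/* Not yet set by config_init(); reserved for -D */` would keep the next reader from looking for a consumer. The size of `net_interface` (`MAX_IFNAME_LEN`) also has to agree with the bound used when it is filled in config_init.c; that mismatch is raised in the config_init.c review. The leftover `//char config_file[MAX_PATH_LEN];` under "Options from the config file only" is commented-out code and can be dropped.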