fwknop/server/access.conf
##############################################################################
#
# File: access.conf
#
# Purpose: This file defines how fwknopd will modify firewall access
# controls for specific IPs/networks. It gets installed in
# the fwknop config directory and is consulted by fwknopd on
# startup or a reconfiguration signal.
#
# Note: This file supports multiple entries (stanzas) for different
# levels of access based on the SOURCE of the incoming SPA packet.
# If multiple stanzas are used, you should make sure they are
# entered in order from most specific to the more general SOURCE
# specifications as the first matching SOURCE wins.
#
# For example, a SOURCE that is a specific IP address should come
# before a SOURCE that specifies multiple IPs or a subnet. The
# SOURCE: "ANY" stanza should be the last one.
#
# At least one stanza MUST be defined.
#
##############################################################################
#
# SOURCE: <IP,..,IP/NET,..,NET/ANY>;
#
# This defines the source address from which a SPA packet will be accepted.
# Every authorization stanza in this file must start with the SOURCE
# keyword. Networks should be specified in CIDR (e.g. "192.168.10.0/24")
# notation. Individual IP addresses can be specified as well.
#
# Also, multiple IPs and/or networks can be defined as a comma-separated
# list (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored from any source IP.
#
# OPEN_PORTS: <proto/port>, ..., <proto/port>;
#
# Define a set of ports and protocols (tcp or udp) that are allowed to be
# opened if a valid SPA packet is received and its access request matches
# one of the entries here.
#
# If this entry is not set, then fwknopd will attempt to honor the request
# specified in the SPA data.
#
# RESTRICT_PORTS: <proto/port>, ..., <proto/port>;
#
# Define a set of ports and protocols (tcp or udp) that are *NOT* allowed
# to be opened even if a valid SPA packet is received.
#
# KEY: <8 or more chars>;
#
# Define the key used for decrypting an incoming SPA packet that is using
# its built-in encryption (e.g. not GPG). This variable is required for
# all non-GPG-encrypted SPA packets.
#
# FW_ACCESS_TIMEOUT: <seconds>;
#
# Define the length of time access will be granted by fwknop through the
# firewall after a valid SPA packet is received from the source IP address
# that matches this stanza's SOURCE.
#
# If FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 60
# seconds will automatically be set.
#
# ENABLE_CMD_EXEC: <Y/N>;
#
# This specifies whether or not fwknopd will accept complete commands that
# are contained within a SPA packet. Any such command will be executed as
# root by the fwknopd server. If not set here, the default is "N".
#
# CMD_REGEX: <regex>; **NOT YET SUPPORTED**
#
# If ENABLE_CMD_EXEC is set to "Y" (allowed), and this CMD_REGEX keyword is
# set, it instructs fwknopd to restrict command execution to only commands
# that match the given regular expression.
#
# REQUIRE_USERNAME: <username>;
#
# Require a specific username from the client system as encoded in the SPA
# data. This variable is optional and if not specified, the username data
# in the SPA data is ignored.
#
# REQUIRE_SOURCE_ADDRESS: <Y/N>;
#
# Force all SPA packets to contain a real IP address within the encrypted
# data. This makes it impossible to use the "-s" command line argument
# on the fwknop client command line, so either "-R" has to be used to
# automatically resolve the external address (if the client is behind a
# NAT) or the client must know the external IP. If not set here, the
# default is "N".
#
# GPG_HOME_DIR: <path>;
#
# Define the path to the GnuPG directory to be used by fwknopd. If this
# keyword is not specified here, then fwknopd will default to using the
# "/root/.gnupg" directory for the server key(s).
#
# GPG_DECRYPT_ID: <keyID>;
#
# Define a GnuPG key ID to use for decrypting SPA messages that have been
# encrypted by an fwknop client using GPG. This keyword is required for
# authentication that is based on gpg keys. The gpg key ring on the client
# must have imported and signed the fwknopd server key, and vice versa.
#
# It is ok to use a sensitive personal gpg key on the client, but each
# fwknopd server should have its own gpg key that is generated specifically
# for fwknop communications. The reason for this is that this key's
# decryption password is stored within this file.
#
# Note that you can use either keyID or its corresponding email address.
#
# For more information on using fwknop with GnuPG keys, see the following
# link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
#
# GPG_DECRYPT_PW: <decrypt password>;
#
# Specify the decryption password for the gpg key defined by the
# GPG_DECRYPT_ID above. This is a required field for gpg-based
# authentication.
#
# GPG_REMOTE_ID: <keyID,...,keyID>;
#
# Define a list of gpg key IDs that are required to have signed any
# incoming SPA messages that have been encrypted with the fwknopd server
# key.
#
# This ensures that the verification of the remote user is accomplished
# via a strong cryptographic mechanism.
#
# Note that you can use either keyIDs or their corresponding email addresses.
#
#### fwknopd access.conf stanzas ###
SOURCE: ANY;
KEY: __CHANGEME__;
FW_ACCESS_TIMEOUT: 30;
## If you want to use GnuPG keys (recommended) then define the following
## variables
#
#GPG_HOME_DIR: /root/.gnupg;
#GPG_DECRYPT_ID: ABCD1234;
#GPG_DECRYPT_PW: __CHANGEME__;
#GPG_REMOTE_ID: 1234ABCD;
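As an added illustration (not part of fwknop or of this file; fwknopd's own parser is written in C), a small Python model of the stanza rules the header describes: the first SOURCE that matches the packet's source IP wins, OPEN_PORTS acts as an allow-list and RESTRICT_PORTS as a deny-list for the requested proto/port, and a check flags stanzas that an earlier, more general SOURCE makes unreachable. The sample config and all function names are constructed for this example.

```python
import ipaddress
# Constructed sample (not the page's stanza): the specific host comes before ANY.
SAMPLE = """\
SOURCE: 10.1.1.123;
KEY: __CHANGEME__;
OPEN_PORTS: tcp/22, tcp/443;
SOURCE: ANY;
RESTRICT_PORTS: tcp/22;
"""
def parse_stanzas(text):  # each SOURCE line opens a stanza; later lines belong to it
    stanzas = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.rstrip(";").partition(":")
        if key.strip() == "SOURCE":
            stanzas.append({})
        if not stanzas:
            raise ValueError("every stanza must start with SOURCE")
        stanzas[-1][key.strip()] = value.strip()
    return stanzas

def source_networks(source):  # ANY covers both address families
    if source.upper() == "ANY":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(n.strip(), strict=False) for n in source.split(",")]

def match_stanza(stanzas, ip):  # first SOURCE containing ip wins, so order matters
    addr = ipaddress.ip_address(ip)
    for s in stanzas:
        if any(addr in n for n in source_networks(s["SOURCE"]) if n.version == addr.version):
            return s
    return None

def access_allowed(stanza, proto_port):
    """OPEN_PORTS is an allow-list when present; RESTRICT_PORTS always denies."""
    def ports(key):
        return {p.strip().lower() for p in stanza.get(key, "").split(",") if p.strip()}
    req = proto_port.lower()
    open_ok = "OPEN_PORTS" not in stanza or req in ports("OPEN_PORTS")
    return open_ok and req not in ports("RESTRICT_PORTS")

def shadowed_stanzas(stanzas):
    """Indexes of stanzas that an earlier, more general SOURCE makes unreachable."""
    seen, shadowed = [], []
    for i, s in enumerate(stanzas):
        nets = source_networks(s["SOURCE"])
        if all(any(n.subnet_of(e) for e in seen if e.version == n.version) for n in nets):
            shadowed.append(i)
        seen.extend(nets)
    return shadowed
```

Running shadowed_stanzas over a real access.conf before deploying it catches the ordering mistake the header warns about (an ANY or broad subnet stanza placed before a more specific one).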