The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a lightweight daemon that spares the user from having to run the fwknop client manually when connecting to a service that is protected by Single Packet Authorization via fwknopd. It works by checking the output of lsof for pending connections in the SYN_SENT state, which (usually) indicate that a remote firewall is dropping the connection attempt. At that point the launcher executes the fwknop client with the --get-key argument (so the user must place the key in the local filesystem) to generate an SPA packet for the attempted connection. The remote fwknopd daemon then reconfigures the firewall to allow temporary access, and this usually happens fast enough that the original connection attempt succeeds. The idea originated with a pcap-based connection watcher written by Sebastien Jeanquier.
#
# This file defines various settings for the fwknop-launcher.pl script. By
# using the fwknop-launcher, the user does not have to manually run the fwknop
# client before trying to access a remote service - the launcher will execute
# the client on behalf of the user when a connection is attempted (as seen
# currently through lsof).
#

### The main variable in this file is the SPA_ACCESS variable below (at least
### one definition of SPA_ACCESS is required). It can be
### specified multiple times - one on each line. The format for this variable
### is as follows:
#
# SPA_ACCESS <command>:<proto>:<dst_ip>:<dst_port>;
#
# Example: SPA_ACCESS ssh:tcp:1.2.3.4:22;
#
# The string "any" can be used as a wildcard (see below). Note that it is
# usually a good idea to restrict the launcher to sending SPA access requests
# that the remote fwknopd daemon is allowing - such as port 22 for SSH access.
#
# SPA_ACCESS any:any:any:any;

SPA_ACCESS ssh:tcp:any:22;

KEY_FILE ~/.fwknop.key;

#FWKNOP_ARGS_APPEND "--server-port 50003";

#FWKNOP_ARGS_OVERRIDE "-A tcp/22 -s -D 127.0.0.1 --get-key /some/file";