Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

175 lines (156 sloc) 6.379 kb
##############################################################################
#
# File: access.conf
#
# Purpose: This file defines how fwknopd will modify firewall access
# controls for specific IPs/networks. It gets installed in
# the fwknop config directory and is consulted by fwknopd on
# startup or a reconfiguration signal.
#
# Note: This file supports multiple entries (stanzas) for different
# levels of access based on the SOURCE of the incoming SPA packet.
# If multiple stanzas are used, you should make sure they are
# entered in order from most specific to the more general SOURCE
# specifications as the first matching SOURCE wins.
#
# For example, a SOURCE that is a specific IP address should come
# before a SOURCE that specifies multiple IP's or a Subnet. The
# SOURCE: "ANY" (if used) should be the last one.
#
# At least one stanza MUST be defined.
#
##############################################################################
#
# SOURCE: <IP,..,IP/NET,..,NET/ANY>;
#
# This defines the source address from which a SPA packet will be accepted.
# Every authorization stanza in this file must start with the SOURCE
# keyword. Networks should be specified in CIDR (e.g. "192.168.10.0/24")
# notation. Individual IP addresses can be specified as well.
#
# Also, multiple IP’s and/or networks can be defined as a comma-separated
# list (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored from any source IP.
#
# OPEN_PORTS: <proto/port>, ..., <proto/port>;
#
# Define a set of ports and protocols (tcp or udp) that are allowed to be
# opened if a valid SPA packet is received and its access request matches
# one of the entries here.
#
# If this entry is not set, then fwknopd will attempt to honor the request
# specified in the SPA data.
#
# RESTRICT_PORTS: <proto/port>, ..., <proto/port>;
#
# Define a set of ports and protocols (tcp or udp) that are *NOT* allowed
# to be opened even if a valid SPA packet is received.
#
# KEY: <password>;
#
# Define the key used for decrypting an incoming SPA packet that is using
# its built-in encryption (e.g. not GPG). This variable is required for
# all non-GPG-encrypted SPA packets.
#
# FW_ACCESS_TIMEOUT: <seconds>;
#
# Define the length of time access will be granted by fwknop through the
# firewall after a valid SPA packet is received from the source IP address
# that matches this stanza's SOURCE.
#
# If FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 30
# seconds will automatically be set.
#
# ENABLE_CMD_EXEC: <Y/N>;
#
# This specifies whether or not fwknopd will accept complete commands that
# are contained within a SPA packet. Any such command will be executed as
# user specified using the CMD_EXEC_USER parameter by the fwknopd server.
# If not set here, the default is "N".
#
# CMD_EXEC_USER: <username>;
#
# This specifies the user that will execute commands contained within a SPA
# packet. If not specified, fwknopd will execute it as the user it is
# running as (most likely root). Setting this to a non-root user is highly
# recommended.
#
# REQUIRE_USERNAME: <username>;
#
# Require a specific username from the client system as encoded in the SPA
# data. This variable is optional and if not specified, the username data
# in the SPA data is ignored.
#
# REQUIRE_SOURCE_ADDRESS: <Y/N>;
#
# Force all SPA packets to contain a real IP address within the encrypted
# data. This makes it impossible to use the "-s" command line argument
# on the fwknop client command line, so either "-R" has to be used to
# automatically resolve the external address (if the client is behind a
# NAT) or the client must know the external IP. If not set here, the
# default is "N".
#
# GPG_HOME_DIR: <path>;
#
# Define the path to the GnuPG directory to be used by fwknopd. If this
# keyword is not specified here, then fwknopd will default to using the
# "/root/.gnupg" directory for the server key(s).
#
# GPG_DECRYPT_ID: <keyID>;
#
# Define a GnuPG key ID to use for decrypting SPA messages that have been
# encrypted by an fwknop client using GPG. This keyword is required for
# authentication that is based on gpg keys. The gpg key ring on the client
# must have imported and signed the fwknopd server key, and vice versa.
#
# It is ok to use a sensitive personal gpg key on the client, but each
# fwknopd server should have its own gpg key that is generated specifically
# for fwknop communications. The reason for this is that this decryption
# password within this file.
#
# Note that you can use either keyID or its corresponding email address.
#
# For more information on using fwknop with GnuPG keys, see the following
# link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
#
# GPG DECRYPT_PW: <decrypt password>;
#
# Specify the decryption password for the gpg key defined by the
# GPG_DECRYPT_ID above. This is a required field for gpg-based
# authentication.
#
# GPG_REQUIRE_SIG: <Y/N>;
#
# With this setting set to 'Y', fwknopd check all GPG-encrypted SPA
# messages for a signature (signed by the sender's key). If the incoming
# message is not signed, the decryption process will fail. If not set, the
# default is 'N'.
# GPG_IGNORE_SIG_VERIFY_ERROR: <Y/N>;
#
# Setting this will allow fwknopd to accept incoming GPG-encrypted packets
# that are signed, but the signature did not pass verification (i.e. the
# signer key was expired, etc.). This setting only applies if the
# GPG_REQUIRE_SIG is also set to 'Y'.
# GPG_REMOTE_ID: <keyID,...,keyID>;
#
# Define a list of gpg key ID’s that are required to have signed any
# incoming SPA messages that have been encrypted with the fwknopd server
# key. This ensures that the verification of the remote user is accomplished
# via a strong cryptographic mechanism. This setting only applies if the
# GPG_REQUIRE_SIG is set to 'Y'.
#
#### fwknopd access.conf stanzas ###
SOURCE: ANY;
KEY: __CHANGEME__;
# If you want to use GnuPG keys (recommended) then define the following
# variables
#
#GPG_HOME_DIR: /root/.gnupg;
#GPG_DECRYPT_ID: ABCD1234;
#GPG_DECRYPT_PW: __CHANGEME__;
# If you want to require GPG signatures:
#GPG_REQUIRE_SIG: N;
#GPG_IGNORE_SIG_VERIFY_ERROR: N;
#GPG_REMOTE_ID: 1234ABCD;
Jump to Line
Something went wrong with that request. Please try again.