On Tue, Mar 2, 2010 at 11:17 PM, Michael Rash <[email protected]> wrote:
> On Mar 02, 2010, Steve D wrote:
>
> > How do I know what variables are available to me with external commands?
> > All of the examples use $SRC, but a few of the config files claim there are
> > many more. How would I find what these are?
> >
> > Specifically, I'd like to use the source IP address where the packet
> > originated (not the one specified in the message) and I'd like the
> > username. Is this possible?
>
> The variable substitutions take place for any variable in the access.conf
> file. Most of these are documented in the fwknopd man page, but a few
> aren't yet. If you want to substitute the user, then the 'REQUIRE_USERNAME'
> variable will do the trick.
>
> For the source IP, the variable substitution is done for the source IP that
> is contained within the encrypted SPA packet, and this may or may not be
> the source IP in the IP header when the packet is sniffed by the fwknopd
> daemon. Using the source IP in the IP header instead is not currently
> supported. In general, fwknop tries to be careful about untrusted data,
> and the source IP in the header is much less trustworthy than the IP within
> the SPA packet. Perhaps I'm missing a compelling use case though - is
> there a good reason to use the IP in the header?
>
> Thanks,
>
> --Mike
>
This reason isn't very compelling, but it seemed like Morpheus failed to
acquire an acceptable external IP, so I was just going to ignore the message
and use the sender's IP. REQUIRE_USERNAME substitution is closer to what I
was looking for, but if I have a handful of users and my external command
takes different actions depending on the user, if I'm not mistaken, I'd have
to make a fwknopd access rule for each user.
I had a very basic system of ruby scripts in place to track user histories
and enforce limits on open ports, such that knockd's only role was to verify
a proper knock sequence. Managing iptables took place through external
scripts. I have things in place now with fwknop to do something similar,
but initially it may have been nice to have more of the associated variables
available for substitution in external commands. IP of origin, username,
and maybe the raw message and leave the parsing up to the server admin.
What I'm describing may not fit what fwknopd does. I'm more looking for it
to authenticate, then parse all of the relevant items, then fire a one-off
(not open/timeout/close) external command '/path/to/foo.rb <username>
<originating ip> <maybe the raw text of the message to be parsed by me>'.
Rather than have it also be the one to manage firewall rules.
- Steve
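The one-off command sketched above, as an added example in Ruby (not fwknop's code and not Steve's scripts): a hypothetical '/path/to/foo.rb' that is handed a username, the originating IP and a port, treats both substituted values as untrusted input, keeps a per-user history and enforces a limit on open ports. The state-file path and the limit of three ports are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example, not fwknop's own code: a one-off external command of the shape
# '/path/to/foo.rb <username> <originating ip> <port>' described in the thread.
# Both values are treated as untrusted input, each user's requests are recorded,
# and no further port is opened once the user's limit is reached.
require 'json'
require 'ipaddr'

MAX_OPEN_PORTS = 3                          # assumed per-user policy
STATE_FILE = '/tmp/fwknop_user_state.json'  # assumed location of the history file

def valid_username?(name)   # plain account name only, no shell metacharacters
  !!(name =~ /\A[a-z_][a-z0-9_-]{0,31}\z/)
end

def valid_ipv4?(ip)         # syntactically valid IPv4 address only
  IPAddr.new(ip).ipv4?
rescue ArgumentError        # IPAddr::InvalidAddressError is a subclass
  false
end

# Decide whether `user` (seen from `ip`) may open `port`, updating `state`,
# which maps usernames to {'open_ports' => [...], 'history' => [...]}.
def authorize(state, user, ip, port, now = Time.now.to_i)
  return [:reject, 'bad username'] unless valid_username?(user)
  return [:reject, 'bad source ip'] unless valid_ipv4?(ip)
  return [:reject, 'bad port'] unless port.is_a?(Integer) && port.between?(1, 65535)
  entry = state[user] ||= { 'open_ports' => [], 'history' => [] }
  entry['history'] << { 'ip' => ip, 'port' => port, 'at' => now }
  if entry['open_ports'].size >= MAX_OPEN_PORTS && !entry['open_ports'].include?(port)
    return [:reject, "limit of #{MAX_OPEN_PORTS} open ports reached"]
  end
  entry['open_ports'] << port unless entry['open_ports'].include?(port)
  [:allow, "open #{port} for #{user} from #{ip}"]
end

# Entry point when run by fwknopd with three arguments; skipped otherwise.
if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  state = File.exist?(STATE_FILE) ? JSON.parse(File.read(STATE_FILE)) : {}
  verdict, reason = authorize(state, ARGV[0], ARGV[1], ARGV[2].to_i)
  File.write(STATE_FILE, JSON.generate(state))
  puts "#{verdict}: #{reason}"   # the firewall change itself would follow here
  exit(verdict == :allow ? 0 : 1)
end
```

Re-requesting a port that is already open for the user is allowed even at the limit, so a repeated knock does not lock the user out.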
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss