[Fwknop-discuss] fwknopd and FORWARD chain / OpenVZ
From: Suno A. <sun...@su...> - 2009-06-08 19:44:28
I am using OpenVZ (http://en.wikipedia.org/wiki/Openvz) and thus I have a bunch of VEs (Virtual Environments) running atop the HN (Hardware Node); each VE then appears/feels like a stand-alone Linux. The systems are Debian, HN and VEs. Note: with OpenVZ there is always just one HN and usually one or more VEs. Of course, there might be no VE at all, but ...

I do all the firewalling on the HN, i.e. the VEs are protected by iptables rules within the FORWARD chain of the filter table on the HN. There is no need to do additional firewalling within the VEs themselves.

Now that this is working excellently, I want to plug fwknop into that setup of mine. Of course, I do not want to start firewalling within the VEs; rather, it must be possible to only run fwknopd on the HN and protect all VEs with this one instance of fwknopd on the HN.

I already installed fwknop-server (the Debian package containing fwknopd) on the HN. I also started reading the man pages and the documentation on http://www.cipherdyne.org/fwknop/ as well as the config files that come with fwknop-{server,client}. So far so good ... I figure it is possible to only run fwknopd on the HN and enable the setup to use FORWARD. /etc/fwknop/fwknop.conf says:

    ### Allow SPA clients to request access to services through an
    ### iptables firewall instead of just to it (i.e. access through the
    ### FWKNOP_FORWARD chain instead of the INPUT chain). This also
    ### requires the ENABLE_FORWARD_ACCESS variable to be set in the
    ### access.conf file for the specific SOURCE stanzas that should be
    ### allowed for forwarding access.
    ENABLE_IPT_FORWARDING N;

So I set ENABLE_IPT_FORWARDING N; to ENABLE_IPT_FORWARDING Y; and then ... well, that is where I am not sure anymore how to proceed. My current understanding is to put ENABLE_FORWARD_ACCESS into /etc/fwknop/access.conf. However, looking at the examples in /usr/share/doc/fwknop-server/README.ACCESS I could not find an example that would cover my use case.

Can anyone help me to reach my goal, i.e. integrate fwknopd into my forwarding setup? Also, I would like to protect the sshd running on the HN, not just the sshds running within the VEs. Is that possible with just one fwknopd running on the HN?
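The configuration the post is working toward, as an added example that is not part of the original post and not taken from the fwknop project's own files: the fwknop.conf switch the post quotes, shown with the default beside the changed value, and one access.conf stanza on the HN carrying ENABLE_FORWARD_ACCESS so that SPA packets matching it may request access through the FORWARD chain (to a VE) as well as to the HN's own INPUT chain. The stanza keys other than SOURCE and ENABLE_FORWARD_ACCESS, the `: Y;` value syntax, the timeout and the key placeholder are assumptions about the installed fwknop version and should be checked against /usr/share/doc/fwknop-server/README.ACCESS.

```conf
# /etc/fwknop/fwknop.conf on the HN (only the line that changes)
#
# Default: fwknopd only ever adds accept rules for the HN's own INPUT
# chain, so a VE behind the HN cannot be reached via SPA at all.
#ENABLE_IPT_FORWARDING      N;
#
# Changed: fwknopd may also add accept rules to its FWKNOP_FORWARD chain,
# which is jumped to from FORWARD, i.e. where traffic to the VEs is filtered.
ENABLE_IPT_FORWARDING       Y;

# /etc/fwknop/access.conf on the HN (one hypothetical stanza)
#
# ASSUMPTION: SOURCE, OPEN_PORTS, FW_ACCESS_TIMEOUT and KEY are the
# standard access.conf keys of this fwknop version; verify in README.ACCESS.
SOURCE: ANY;
OPEN_PORTS: tcp/22;
# Seconds the accept rule stays in place after a valid SPA packet;
# 30 is an assumed value, pick what your SSH clients need to connect.
FW_ACCESS_TIMEOUT: 30;
# Lets SPA packets matching this stanza ask for access *through* the HN
# (to a VE's sshd via FWKNOP_FORWARD) in addition to access *to* the HN's
# own sshd via INPUT. Without it, forward requests from this source are
# refused even though ENABLE_IPT_FORWARDING is Y in fwknop.conf.
ENABLE_FORWARD_ACCESS: Y;
# Placeholder only; use a long random shared key, never a guessable string.
KEY: <replace-with-shared-key>;
```

With this in place a single fwknopd on the HN serves both goals in the post: a plain SPA packet for tcp/22 opens the HN's own sshd in INPUT, and a packet that additionally requests forward access for a VE's address opens tcp/22 to that VE in FWKNOP_FORWARD (the client option that requests forward access is documented in the fwknop client man page for the installed version). After the first successful knock, `iptables -L FWKNOP_FORWARD -n` on the HN should show the temporary accept rule for the VE, and `iptables -L FORWARD -n` should show the jump into that chain ahead of the HN's static rules; if the jump is missing, the VE rules are never consulted.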