On Tue, Mar 2, 2010 at 11:17 PM, Michael Rash <mbr@cipherdyne.org> wrote:
On Mar 02, 2010, Steve D wrote:

> How do I know what variables are available to me with external commands?
> All of the examples use $SRC, but a few of the config files claim there are
> many more.  How would I find what these are?
> Specifically, I'd like to use the source IP address where the packet
> originated (not the one specified in the message) and I'd like the
> username.  Is this possible?

The variable substitutions take place for any variable in the access.conf
file.  Most of these are documented in the fwknopd man page, but a few
aren't yet.  If you want to substitute the user, then the 'REQUIRE_USERNAME'
variable will do the trick.

For the source IP, the variable substitution is done for the source IP that
is contained within the encrypted SPA packet, and this may or may not be
the source IP in the IP header when the packet is sniffed by the fwknopd
daemon.  Using the source IP in the IP header instead is not currently
supported.  In general, fwknop tries to be careful about untrusted data,
and the source IP in the header is much less trustworthy than the IP within
the SPA packet.  Perhaps I'm missing a compelling use case though - is
there a good reason to use the IP in the header?

This reason isn't very compelling, but it seemed like Morpheus failed to acquire an acceptable external IP, so I was just going to ignore the message and use the sender's IP.  REQUIRE_USERNAME substitution is closer to what I was looking for, but if I have a handful of users and my external command takes different actions depending on the user, if I'm not mistaken, I'd have to make a fwknopd access rule for each user.

I had a very basic system of ruby scripts in place to track user histories and enforce limits on open ports, such that knockd's only role was to verify a proper knock sequence.  Managing iptables took place through external scripts.  I have things in place now with fwknop to do something similar, but initially it may have been nice to have more of the associated variables available for substitution in external commands.  IP of origin, username, and maybe the raw message and leave the parsing up to the server admin.

What I'm describing may not fit what fwknopd does.  I'm more looking for it to authenticate, then parse all of the relevant items, then fire a one-off (not open/timeout/close) external command '/path/to/foo.rb <username> <originating ip> <maybe the raw text of the message to be parsed by me>'.  Rather than have it also be the one to manage firewall rules.

- Steve
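An added example, not part of this thread and not fwknop's own code, of what the one-off handler Steve sketches ('/path/to/foo.rb <username> <originating ip> ...') could look like in Ruby. It takes Michael's point about untrusted data seriously: every argument is validated strictly before use (so a substituted value can never reach a shell or iptables as-is), and it keeps Steve's per-user history to enforce a limit on concurrently open ports with a timeout. The argument list (username, originating IP, requested port), the policy table, the state-file layout and the 30-second timeout are all assumptions made for this example.

```ruby
#!/usr/bin/env ruby
# Hypothetical handler in the shape Steve describes (added example, not fwknop code):
#   foo.rb <username> <originating ip> <port>
# Validates the untrusted arguments strictly, then enforces a per-user limit on
# concurrently open ports using a small JSON state file. Assumed interface.
require 'ipaddr'
require 'json'
require 'time'

# POSIX-style account names only: no spaces, quotes or shell metacharacters.
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/.freeze

# Constructed sample policy: which ports each user may open and how many at once.
POLICY = {
  'alice' => { ports: [22, 443], max_open: 2 },
  'bob'   => { ports: [22],      max_open: 1 },
}.freeze

ACCESS_TIMEOUT = 30 # seconds a granted port stays open (assumed value)

# Returns the canonical IPv4 string, or raises ArgumentError on anything else.
def validate_ip(str)
  ip = IPAddr.new(str) # raises IPAddr::InvalidAddressError on junk
  raise ArgumentError, 'only IPv4 is accepted' unless ip.ipv4?
  ip.to_s
rescue IPAddr::InvalidAddressError
  raise ArgumentError, "invalid IP address: #{str.inspect}"
end

# Returns the username if it is well-formed and known to the policy.
def validate_user(str)
  raise ArgumentError, "invalid username: #{str.inspect}" unless str =~ USERNAME_RE
  raise ArgumentError, "unknown user: #{str}" unless POLICY.key?(str)
  str
end

# Returns the port as an Integer in 1..65535, else raises ArgumentError.
def validate_port(str)
  port = Integer(str, 10)
  raise ArgumentError, "port out of range: #{port}" unless (1..65535).cover?(port)
  port
end

# State layout: { username => [ { 'ip' => .., 'port' => .., 'expires' => iso8601 }, ... ] }
def load_state(path)
  File.exist?(path) ? JSON.parse(File.read(path)) : {}
end

def save_state(path, state)
  File.write(path, JSON.generate(state))
end

# Drop entries whose access timeout has elapsed.
def prune!(entries, now)
  entries.reject! { |e| Time.parse(e['expires']) <= now }
end

# Pure decision function (no filesystem access, so it is easy to test):
# returns [:granted, rule] and records the rule in state, or [:denied, reason].
def decide(state, user, ip, port, now = Time.now)
  pol = POLICY[user]
  return [:denied, "port #{port} not permitted for #{user}"] unless pol[:ports].include?(port)
  entries = (state[user] ||= [])
  prune!(entries, now)
  return [:denied, "#{user} already has #{entries.size} open port(s)"] if entries.size >= pol[:max_open]
  rule = { 'ip' => ip, 'port' => port, 'expires' => (now + ACCESS_TIMEOUT).iso8601 }
  entries << rule
  [:granted, rule]
end

# Entry point: validate argv, apply the decision, persist the history.
def handle(argv, state_path)
  raise ArgumentError, 'usage: foo.rb <username> <originating ip> <port>' unless argv.size == 3
  user = validate_user(argv[0])
  ip   = validate_ip(argv[1])
  port = validate_port(argv[2])
  state = load_state(state_path)
  verdict, detail = decide(state, user, ip, port)
  save_state(state_path, state)
  [verdict, detail]
end

# Only run as a command when arguments are supplied; the firewall change itself
# would be made here by a separate, fixed-argument helper, never via a shell string.
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  verdict, detail = handle(ARGV, ENV.fetch('FOO_STATE', '/tmp/foo_state.json'))
  puts "#{verdict}: #{detail}"
  exit(verdict == :granted ? 0 : 1)
end
```

The firewall action is deliberately left out of the script: the design point is that the handler decides and records, and whatever applies the rule receives only the validated values as separate arguments rather than a string that could carry whatever arrived in the packet.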