having set up fwknop on a server and blocking port 22 I am really scared
what happens, if fwknopd crashes somehow. Then I would not be able to
log in over ssh, wouldn’t I?
What are you people doing? Knowing fwknop can not crash? Leaving a ssh
connection open?
Could one set up a cronjob, that when no running fwknopd is found, port
22 is unblocked or something like this?
PS: I know that such a measure will probably weaken the security concept
From: Michael Rash <mbr@ci...> - 2008-08-31 17:21:26
On Aug 31, 2008, Franck Joncourt wrote:
> Paul Menzel wrote:
> > Dear list,
> > having set up fwknop on a server and blocking port 22 I am really scared
> > what happens, if fwknopd crashes somehow. Then I would not be able to
> > log in over ssh, wouldn’t I?
> > What are you people doing? Knowing fwknop can not crash? Leaving a ssh
> > connection open?
> > Could one set up a cronjob, that when no running fwknopd is found, port
> > 22 is unblocked or something like this?
> However knopwatchd is able to restart fwknopd if it is found not
> running. I mean try to kill fwknopd and take a look at the processes.
In addition to knopwatchd, there is also the ENABLE_VOLUNTARY_EXITS
feature. This forces fwknopd to stop on a regular interval defined by
the EXIT_INTERVAL variable. So, if you want fwknopd to restart every
hour (instead of the default of once per day), in /etc/fwknop/fwknop.conf
you could set:
EXIT_INTERVAL 60; ### minutes
Once fwknopd exits (actually it is killed by the knoptm daemon since
it doesn't have to deal with things like blocking on the receipt of
packet data), then knopwatchd will restart it. This strategy adds an
additional protection against any potential problems where fwknopd might
not process packet data after a period of time. There are no problems
that would cause this in any recent fwknop release as far as I know, and
I have had fwknopd up for weeks with no issues. But, systems exhibit
lots of variability, and libpcap is a dependency, etc. The
ENABLE_VOLUNTARY_EXITS feature was added as an additional measure to
make absolutely certain that fwknopd is available to receive SPA
packets just in case there are any unforeseen problems.
> Hope it helps,
> Franck Joncourt
> http://debian.org - http://smhteam.info/wiki/
> Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
> Fwknop-discuss mailing list
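The approach the replies describe (a watchdog that restarts fwknopd rather than opening port 22), as an added example that is not fwknop's own code nor posted by anyone in this thread. It reads EXIT_INTERVAL from the `KEY value; ### comment` syntax shown above; the pid-file and init-script paths and the Y/N values for ENABLE_VOLUNTARY_EXITS are assumptions.

```shell
#!/bin/sh
# Added example, not part of fwknop: a cron-driven liveness check in the spirit
# of knopwatchd; it restarts fwknopd when it is gone instead of opening port 22.
# Assumptions: the paths below, and Y/N values for ENABLE_VOLUNTARY_EXITS.
FWKNOPD_PIDFILE="${FWKNOPD_PIDFILE:-/var/run/fwknop/fwknopd.pid}"
FWKNOPD_INIT="${FWKNOPD_INIT:-/etc/init.d/fwknop}"
FWKNOP_CONF="${FWKNOP_CONF:-/etc/fwknop/fwknop.conf}"

# pid_alive PID: succeeds if a process with that pid exists (signal 0 is a probe)
pid_alive() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# fwknopd_alive PIDFILE: succeeds if the pid file is readable and its pid is live
fwknopd_alive() {
    [ -r "$1" ] || return 1
    pid_alive "$(cat "$1")"
}

# conf_value CONF KEY: prints KEY's value from "KEY value; ### comment" lines
conf_value() {
    awk -v key="$2" '$1 == key { sub(/;.*$/, "", $2); print $2; exit }' "$1"
}

# voluntary_exit_minutes CONF: prints EXIT_INTERVAL if voluntary exits are
# enabled, else 0, so the operator knows how often fwknopd is expected to exit
voluntary_exit_minutes() {
    if [ "$(conf_value "$1" ENABLE_VOLUNTARY_EXITS)" = "Y" ]; then
        conf_value "$1" EXIT_INTERVAL
    else
        echo 0
    fi
}

# ensure_fwknopd PIDFILE INITSCRIPT: returns 0 if fwknopd is alive, otherwise
# logs, restarts via the init script and returns 2 so cron mail shows the event
ensure_fwknopd() {
    if fwknopd_alive "$1"; then
        return 0
    fi
    logger -t fwknop-watchdog "fwknopd not running, restarting"
    "$2" restart
    return 2
}

# Cron entry that runs the check every 5 minutes (path is an assumption):
#   */5 * * * * /usr/local/sbin/fwknop-watchdog.sh check
if [ "$1" = "check" ]; then
    ensure_fwknopd "$FWKNOPD_PIDFILE" "$FWKNOPD_INIT"
fi
```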