Re: [Fwknop-discuss] ENABLE_IPT_OUTPUT
From: Michael R. <mb...@ci...> - 2009-01-26 03:41:03
On Jan 23, 2009, Nataraj wrote:
> This is under the latest version of fwknop, fwknop-1.9.10-1.
>
> Nataraj
>
> On Fri, 2009-01-23 at 15:05 -0800, Nataraj wrote:
> > Hi,

Hi Nataraj -

> > On my server, I have the following line in my fwknop.conf file:
> >
> > ENABLE_IPT_OUTPUT Y;
> >
> > fwknop does not create an FWKNOP_OUTPUT rule. Is this known to work?
> > Is there something else that I have to do to get it to do this?
> >
> > The following line is also in fwknop.conf
> > IPT_OUTPUT_ACCESS ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;

Can you also add the following line to the /etc/fwknop/access.conf file for
the specific source that should have this access?:

ENABLE_OUTPUT_ACCESS: Y;

If you already have this line as well, then this would be a bug. Perhaps
fwknopd should not also require the line in access.conf - I'll think about
that one for a bit in the context of other options.

The fwknop test suite does have the ability to test the OUTPUT functionality
as well, so I do think that it works. Here is an example of the test suite in
action for this feature:

# ./fwknop_test.pl --include OUTPUT
[+] ==> Running fwknop test suite; firewall: iptables <==

(OUTPUT chain) Stopping all running fwknopd processes...............pass (0)
(OUTPUT chain) Generating OUTPUT chain access packet................pass (1)
(OUTPUT chain) OUTPUT access rules..................................pass (2)
(OUTPUT chain) Verifying OUTPUT access packet format................pass (3)
    (Sleeping for 5 (+3) seconds for firewall rule timeout)
    8 7 6 5 4 3 2 1 0
(OUTPUT chain) Making sure firewall rules are removed...............pass (4)

[+] ==> Passed 5/5 tests against fwknop. <==
[+] This console output has been stored in: test.log

Here is the output from the test/output/2.test file that shows the new ACCEPT
rule:

Sun Jan 25 22:24:20 2009 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid()) /sbin/iptables -t filter -I FWKNOP_OUTPUT 1 -p tcp -s 0.0.0.0/0 --sport 22 -d 127.0.0.2 -j ACCEPT
Sun Jan 25 22:24:20 2009 [+] IPTables::ChainMgr: Setting SIGCHLD handler to: CODE(0x99f940)
Sun Jan 25 22:24:20 2009 iptables command stdout:
Sun Jan 25 22:24:20 2009 iptables command stderr:
Sun Jan 25 22:24:20 2009 [+] add_ip_rule() returned 1
[+] Dumping FWKNOP_OUTPUT to see newly added rule:
Sun Jan 25 22:24:20 2009 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid()) /sbin/iptables -t filter -v -n -L FWKNOP_OUTPUT
Sun Jan 25 22:24:20 2009 [+] IPTables::ChainMgr: Setting SIGCHLD handler to: CODE(0x99f940)
Sun Jan 25 22:24:20 2009 iptables command stdout:
Chain FWKNOP_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.2           tcp spt:22
Sun Jan 25 22:24:20 2009 iptables command stderr:
Sun Jan 25 22:24:20 2009 [+] Writing fw time cache entry to: output/knoptm_ip_timeout.sock
1232940260 5 0.0.0.0/0 22 127.0.0.2 0 tcp filter FWKNOP_OUTPUT ACCEPT dst 0.0.0.0/0 0 TkE= 0

Please let me know if the access.conf ENABLE_OUTPUT_ACCESS variable addition
works.

Thanks,

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271

> > Thanks,
> > Nataraj
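The point of the exchange above is that the FWKNOP_OUTPUT ACCEPT rule only appears when both files agree: fwknop.conf must carry "ENABLE_IPT_OUTPUT Y;" and the access.conf stanza for the knocking source must carry "ENABLE_OUTPUT_ACCESS: Y;". The script below is an added example (not code from the fwknop project or from the thread) that parses both files and reports, per source stanza, which of the two settings is missing. The "KEY value;" syntax for fwknop.conf and the "KEY: value;" syntax for access.conf are taken from the lines quoted in the thread; that access.conf is split into stanzas starting at each SOURCE: line, and that "#" begins a comment, are assumptions. The two sample files are constructed for the example.

```python
"""Consistency check for the fwknop OUTPUT-chain settings discussed above.

Added example, not part of fwknop.  An FWKNOP_OUTPUT rule is only created when
  - fwknop.conf has   ENABLE_IPT_OUTPUT Y;          ("KEY value;" syntax, from the thread)
  - access.conf has   ENABLE_OUTPUT_ACCESS: Y;      ("KEY: value;" syntax, from the thread)
    in the stanza of the source that sends the SPA packet.
Assumptions: each access.conf stanza begins with a SOURCE: line, and '#'
starts a comment in both files.
"""
import re


def parse_fwknop_conf(text):
    """Parse 'KEY value;' lines into a dict; comments and blank lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s+(.*?);?\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_access_conf(text):
    """Parse 'KEY: value;' lines into a list of stanzas, one per SOURCE: line (assumed layout)."""
    stanzas = []
    cur = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+):\s*(.*?);?\s*$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "SOURCE":          # a new stanza starts here
            cur = {}
            stanzas.append(cur)
        if cur is None:              # key appearing before any SOURCE: line is ignored
            continue
        cur[key] = val
    return stanzas


def output_access_report(fwknop_conf_text, access_conf_text):
    """Return {source: status}: whether an FWKNOP_OUTPUT rule will be added for that source."""
    conf = parse_fwknop_conf(fwknop_conf_text)
    daemon_on = conf.get("ENABLE_IPT_OUTPUT", "N").upper() == "Y"
    report = {}
    for stanza in parse_access_conf(access_conf_text):
        src = stanza.get("SOURCE", "?")
        stanza_on = stanza.get("ENABLE_OUTPUT_ACCESS", "N").upper() == "Y"
        if daemon_on and stanza_on:
            report[src] = "ok: OUTPUT rule will be created"
        elif daemon_on:
            report[src] = "missing ENABLE_OUTPUT_ACCESS: Y; in access.conf stanza"
        elif stanza_on:
            report[src] = "missing ENABLE_IPT_OUTPUT Y; in fwknop.conf"
        else:
            report[src] = "OUTPUT access disabled in both files"
    return report


# Constructed sample files for the example; the fwknop.conf lines mirror the thread.
SAMPLE_FWKNOP_CONF = """\
# fwknop.conf excerpt (constructed)
ENABLE_IPT_OUTPUT      Y;
IPT_OUTPUT_ACCESS      ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
"""

SAMPLE_ACCESS_CONF = """\
# access.conf excerpt (constructed); the second stanza lacks the OUTPUT line
SOURCE: 192.0.2.10;
OPEN_PORTS: tcp/22;
ENABLE_OUTPUT_ACCESS: Y;

SOURCE: ANY;
OPEN_PORTS: tcp/22;
"""

if __name__ == "__main__":
    for src, status in output_access_report(SAMPLE_FWKNOP_CONF, SAMPLE_ACCESS_CONF).items():
        print(f"{src}: {status}")
```

Run against the real /etc/fwknop/fwknop.conf and /etc/fwknop/access.conf by reading the two files into the report function; a source reported as "missing ENABLE_OUTPUT_ACCESS" is exactly the situation Michael's reply describes, and no FWKNOP_OUTPUT rule should be expected for it until the stanza is fixed.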