This file is indexed.

/etc/fwknop/access.conf is in fwknop-server 2.6.9-2.

This file is owned by root:root, with mode 0o600.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
##############################################################################
#
# File:    access.conf
#
# Purpose: This file defines how fwknopd will modify firewall access
#          controls for specific IPs/networks.  It gets installed in
#          the fwknop config directory and is consulted by fwknopd on
#          startup or a reconfiguration signal.
#
# Note:    This file supports multiple entries (stanzas) for different
#          levels of access based on the SOURCE of the incoming SPA packet.
#          If multiple stanzas are used, you should make sure they are
#          entered in order from most specific to the more general SOURCE
#          specifications as the first matching SOURCE wins.
#
#          For example, a SOURCE that is a specific IP address should come
#          before a SOURCE that specifies multiple IP's or a Subnet.  The
#          SOURCE: "ANY" (if used) should be the last one.
#
#          At least one stanza MUST be defined.
#
##############################################################################
#
### Directives ###

# %include /etc/fwknop/myInlcudeFile.conf
#
# This processes the access.conf stanzas from an additional file.
# Complete stanzas should be contained within each file.

# %include_folder /etc/fwknop/myFolder.d
#
# This processes all the *.conf files in the specified directory.

# %include_keys /home/user/fwknop_keys.conf
#
# This directive loads the encryption and HMAC keys from an external file.
# Any other commands in the stanza must come before the %include_keys
# directive.

### Commands ###

# SOURCE                <IP,..,IP/NET,..,NET/ANY>
#
# This defines the source address from which a SPA packet will be accepted.
# Every  authorization stanza in this file must start  with  the  SOURCE
# keyword. Networks should be specified in CIDR  (e.g. "192.168.10.0/24")
# notation. Individual IP addresses can be specified as well.
#
# Also, multiple IP’s and/or networks can be defined as a comma-separated
# list  (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored from any source IP.
#

# DESTINATION                <IP,..,IP/NET,..,NET/ANY>
#
# This defines the destination address for which a SPA packet will be accepted.
# Networks should be specified in CIDR  (e.g. "192.168.10.0/24") notation. 
# Individual IP addresses can be specified as well.
#
# Also, multiple IP’s and/or networks can be defined as a comma-separated
# list  (e.g. "192.168.10.0/24,10.1.1.123").
#
# The string "ANY" is also accepted if a valid authorization packet should
# be honored to any destination IP.
#

# OPEN_PORTS            <proto/port>, ..., <proto/port
#
# Define a set of ports and protocols (tcp or udp) that are allowed to be
# opened if a valid SPA packet is received and its access request matches
# one of the entries here.
#
# If this entry is not set, then fwknopd will attempt to honor the request
# specified in the SPA data.
#

# RESTRICT_PORTS        <proto/port>, ..., <proto/port>
#
# Define a set of ports and protocols (tcp or udp) that are *NOT* allowed
# to be opened even if a valid SPA packet is received.
#

# KEY                   <password>
#
# Define the key used for decrypting an incoming SPA packet that is using
# its built-in encryption (e.g. not GPG).  This variable is required for
# all non-GPG-encrypted SPA packets.
#

# FW_ACCESS_TIMEOUT     <seconds>
#
# Define the length of time access will be granted by fwknop through the
# firewall after a valid SPA packet is received from the source IP address
# that matches this stanza's SOURCE.
#
# If  FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 30
# seconds will automatically be set.
#

# ENABLE_CMD_EXEC       <Y/N>
#
# This specifies whether or not fwknopd will accept complete commands that
# are contained within a SPA packet.  Any such command will be executed as
# user specified using the CMD_EXEC_USER parameter by the fwknopd server.
# If not set here, the default is "N".
#

# CMD_EXEC_USER         <username>
#
# This specifies the user that will execute commands contained within a SPA
# packet.  If not specified, fwknopd will execute it as the user it is
# running as (most likely root). Setting this to a non-root user is highly
# recommended.
#

# REQUIRE_USERNAME      <username>
#
# Require a specific username from the client system as encoded in the SPA
# data.  This variable is optional and if not specified, the username data
# in the SPA data is ignored.
#

# REQUIRE_SOURCE_ADDRESS    <Y/N>
#
# Force all SPA packets to contain a real IP address within the encrypted
# data.  This makes it impossible to use the "-s" command line argument
# on the fwknop client command line, so either "-R" has to be used to
# automatically resolve the external address (if the client is behind a
# NAT) or the client must know the external IP.  If not set here, the
# default is "N".
#

# GPG_HOME_DIR          <path>
#
# Define the path to the GnuPG directory to be used by fwknopd.  If this
# keyword is not specified here, then fwknopd will default to using the
# "/root/.gnupg" directory for the server key(s).
#

# GPG_DECRYPT_ID        <keyID>
#
# Define a GnuPG key ID to use for decrypting SPA messages that have been
# encrypted by an fwknop client using GPG.  This keyword is required for
# authentication that is based on gpg keys.  The gpg key ring on the client
# must have imported and signed the fwknopd server key, and vice versa.
#
# It is ok to use a sensitive personal gpg key on the client, but each
# fwknopd server should have its own gpg key that is generated specifically
# for fwknop communications.  The reason for this is that this decryption
# password within this file.
#
# Note that you can use either keyID or its corresponding email address.
#
# For more information on using fwknop with GnuPG keys, see the following
# link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
#

# GPG DECRYPT_PW        <decrypt password>
#
# Specify the decryption password for the gpg key defined by the
# GPG_DECRYPT_ID above.  This is a required field for gpg-based
# authentication.
#

# GPG_REQUIRE_SIG       <Y/N>
#
# With this setting set to 'Y',  fwknopd check all GPG-encrypted SPA
# messages for a signature (signed by the sender's key).  If the incoming
# message is not signed, the decryption process will fail.  If not set, the
# default is 'N'.

# GPG_IGNORE_SIG_VERIFY_ERROR   <Y/N>
#
# Setting this will allow fwknopd to accept incoming GPG-encrypted packets
# that are signed, but the signature did not pass verification (i.e. the
# signer key was expired, etc.).  This setting only applies if the
# GPG_REQUIRE_SIG is also set to 'Y'.

# GPG_REMOTE_ID         <keyID,...,keyID>
#
# Define a list of gpg key ID’s that are required to have signed any
# incoming SPA messages that have been encrypted with the fwknopd server
# key.  This ensures that the verification of the remote user is accomplished
# via a strong cryptographic mechanism. This setting only applies if the
# GPG_REQUIRE_SIG is set to 'Y'.
#

#### fwknopd access.conf stanzas ###

SOURCE              ANY
KEY_BASE64          __CHANGEME__
HMAC_KEY_BASE64     __CHANGEME__

# If you want to use GnuPG keys then define the following variables
#
#GPG_HOME_DIR           /homedir/path/.gnupg
#GPG_DECRYPT_ID         ABCD1234
#GPG_DECRYPT_PW         __CHANGEME__

# If you want to require GPG signatures:
#GPG_REQUIRE_SIG                    Y
#GPG_IGNORE_SIG_VERIFY_ERROR        N
#GPG_REMOTE_ID                      1234ABCD