Re: Minimize sshd log clutter/spam from unauthenticated connections

On 10.06.23 11:19, Carsten Andrich wrote:
For the time being, I've deployed a quasi-knocking KISS solution that sends an unencrypted secret via a single UDP packet. Server side is
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
realized entirely with nftables

... frankly, for that reason, I like fwknop (in my case, straight from OS repos) better ... I'd still have to see fwknopd exit unexpectedly, which is where a host-firewall-only mechanism on the server side would have an advantage ...

http://www.cipherdyne.org/fwknop/

~# cd /etc/fwknop

fwknop# diff access.conf.orig access.conf | sed -e '/> .*KEY/s/\t.*/\t.../'
204,206c204,211
< SOURCE              ANY
< KEY_BASE64          __CHANGEME__
< HMAC_KEY_BASE64     __CHANGEME__
---
SOURCE                        ANY
KEY_BASE64    ...
HMAC_KEY_BASE64       ...
REQUIRE_SOURCE_ADDRESS        Y
# fwknopd fiddles with iptables, we need to have nftables modified.
CMD_CYCLE_OPEN                /usr/local/sbin/fwknop2nftables $IP $PORT
CMD_CYCLE_CLOSE               NONE
CMD_CYCLE_TIMER               30s
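Review bot: with CMD_CYCLE_CLOSE set to NONE nothing on the fwknopd side ever revokes access; the only thing that closes the hole is the 30s element timeout of the nft set created by fwknop2nftables, and CMD_CYCLE_TIMER 30s has to be kept in step with that value by hand. The comment above CMD_CYCLE_OPEN only explains why iptables is bypassed; it should also state where the closing actually happens, e.g. "# closing is done by the nft set timeout (30s), not by fwknopd".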

fwknop# diff fwknopd.conf.orig fwknopd.conf
40a41
PCAP_INTF     enp0s25

fwknop# cat /usr/local/sbin/fwknop2nftables
#!/bin/sh

# Syntax: $0 SRC_IP PORT
# Run by fwknopd via CMD_CYCLE_OPEN; admits SRC_IP to TCP PORT for the
# lifetime of the timed nftables set (30s here, matching CMD_CYCLE_TIMER).
set -eu

NFT="/usr/sbin/nft"
SET="fwkn"
# Note that we are ignoring everything from the accepted fwknop
# requests except the src IP and tgt port to be allowed ...

[ $# -eq 2 ] || { echo "usage: $0 SRC_IP PORT" >&2; exit 2; }
SRC="$1"
PORT="$2"

# Does the firewalld "allow" chain already reference this port's set?
# The trailing space keeps "@fwkn_2" from matching "@fwkn_22"; "|| true"
# because grep -c exits 1 on zero matches, which set -e would treat as fatal.
PREP=$("$NFT" list chain inet firewalld filter_IN_public_allow | grep -c "@${SET}_${PORT} " || true)

if [ "$PREP" -eq 0 ]; then
        # 'add set' is idempotent, 'add rule' is not, hence the check above
        # (two first requests for the same port arriving at once can still add the rule twice).
        "$NFT" add set inet firewalld "${SET}_${PORT}" '{ type ipv4_addr ; timeout 30s ; size 32 ; }'
        "$NFT" add rule inet firewalld filter_IN_public_allow ip saddr "@${SET}_${PORT}" tcp dport "$PORT" accept
fi

"$NFT" add element inet firewalld "${SET}_${PORT}" "{ $SRC }"

~$ tail -8 .fwknoprc | sed -e '/^[SKH]/s/\t.*/\t.../' -e '/^\[/s/[a-z][a-z]*/.../g'
[...]
ACCESS                  tcp/22
SPA_SERVER      ...
#ALLOW_IP               TBD
KEY_BASE64      ...
HMAC_KEY_BASE64 ...
USE_HMAC                Y
RESOLVE_IP_HTTPS        N

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
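The fwknop2nftables bridge above is the interesting part of the setup: fwknopd hands the script a source address and a port, and whatever the script interpolates ends up in nft's parser. The following is an added example (not code from Jochen's post and not part of the fwknop project) showing the two things a practitioner would want on top of it: both arguments are validated before they are used, and instead of one set plus one rule per port there is one shared timed set keyed on (source address . port) with a single accept rule, so the per-request hook only ever adds an element and the "is the rule there yet?" check, and its race, disappear. It assumes firewalld's nftables backend exactly as in the post (table inet firewalld, chain filter_IN_public_allow) and an nftables release that supports concatenated set types; the set name fwkn, the SPA_TTL variable, the function names and the "setup" subcommand are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the post above or from the fwknop project:
# a variant of the fwknopd -> nftables bridge that validates both arguments
# and keys one shared timed set on (source address . port), so the per-request
# hook only ever adds elements. Table and chain names are the firewalld ones
# from the post; the set name, SPA_TTL and the "setup" subcommand are this
# example's own conventions.
set -eu

NFT="${NFT:-/usr/sbin/nft}"
FAMILY="inet"
TABLE="firewalld"
CHAIN="filter_IN_public_allow"
SET="fwkn"
TTL="${SPA_TTL:-30s}"      # element lifetime; the only thing that closes access

# is_ipv4 A.B.C.D: succeeds only for a dotted quad with octets 0..255.
# Anything else (spaces, '}', ';', ...) never reaches the nft parser.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# is_port N: succeeds only for a decimal port 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# setup_cmds HAVE_RULE: nft commands creating the shared set and, unless
# HAVE_RULE is 1, the single accept rule. 'add set' is a no-op when the set
# already exists; 'add rule' always appends, hence the flag.
setup_cmds() {
    printf 'add set %s %s %s { type ipv4_addr . inet_service; flags timeout; timeout %s; size 256; }\n' \
        "$FAMILY" "$TABLE" "$SET" "$TTL"
    [ "${1:-0}" -eq 1 ] ||
        printf 'add rule %s %s %s ip saddr . tcp dport @%s accept\n' "$FAMILY" "$TABLE" "$CHAIN" "$SET"
}

# open_batch SRC_IP PORT: nft command admitting SRC_IP to TCP PORT for TTL,
# or a non-zero status (and nothing on stdout) if either argument is malformed.
open_batch() {
    is_ipv4 "$1" || { echo "fwknop2nftables: bad source address" >&2; return 2; }
    is_port "$2" || { echo "fwknop2nftables: bad port" >&2; return 2; }
    printf 'add element %s %s %s { %s . %s timeout %s }\n' \
        "$FAMILY" "$TABLE" "$SET" "$1" "$2" "$TTL"
}

# access.conf:  CMD_CYCLE_OPEN  /usr/local/sbin/fwknop2nftables $IP $PORT
# Run "fwknop2nftables setup" once at boot (and again if firewalld rebuilds
# its table on reload); afterwards each accepted SPA packet adds one element.
case "${1:-}" in
    "")    ;;   # no arguments: only define the functions (sourced / self-test)
    setup)
        if "$NFT" list chain "$FAMILY" "$TABLE" "$CHAIN" | grep -q "@$SET "; then have=1; else have=0; fi
        setup_cmds "$have" | "$NFT" -f - ;;
    *)
        batch=$(open_batch "$1" "${2:?port}") && printf '%s\n' "$batch" | "$NFT" -f - ;;
esac
```

The hook builds the nft command as text and only pipes it into nft -f after validation succeeded, so a malformed argument makes the script fail loudly instead of feeding an empty batch to nft. The per-element timeout does all the closing, as in the post; whatever value is chosen should match CMD_CYCLE_TIMER in access.conf only for the sake of readers of that file, since with CMD_CYCLE_CLOSE NONE fwknopd itself never revokes anything.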
