Manual Reference Pages  -  DOORMAND.CF (5)

NAME

doormand.cf - The doormand configuration file

CONTENTS

Description
Keywords
Example Files
See Also
Acknowledgement
Copyright

DESCRIPTION

This is the main configuration file for the doormand daemon. It consists of simple keyword-value pairs, one pair per line; keywords are not case-sensitive. Any part of a line following a '#' character is ignored, and may be used as a comment. Blank lines are permitted. Unrecognized keywords are ignored without warning messages.

KEYWORDS

connection-delay-1 - the maximum number of microseconds to wait for a complete 3-way handshake between the client and the requested service, after seeing the initial 'SYN' from the client.
  Default value is 500000 usecs (one half second)
connection-delay-2 - the number of seconds delay between checks on an established connection, waiting for it to be broken. When the doorman finds the connection has been broken, it removes the firewall rule which permitted that connection. Default is 5 seconds.
firewall-add - the full pathname of the script to be used to add firewall rules. No default.
firewall-del - the full pathname of the script to be used to delete firewall rules. No default.
guestlist - the full pathname of the doorman’s "guest list". No default.
link-header-length - the number of bytes in the data-link header of the interface that the doorman is listening on. You only need to specify this if 'pcap' guesses this value incorrectly; this is rare, but has been reported, usually on PPPoE interfaces. The doorman uses the 'pcap' package ("Packet Capture"; the Berkeley packet filter package) to watch for packets. If pcap gets the data-link header length wrong, the doorman will not recognize knock packets, and will do and log absolutely nothing.

To determine the correct value to use, dump received packets to standard output by using the doormand "-D" and "-X" command-line options. Send a few 'knock' packets, and look for "45 00" in the dump. These are usually the first 2 bytes of the IP header; count the number of bytes before them, and you have the length of the data-link header.
interface - the device name of the interface at which the doorman should listen. No default.
logfile - the full pathname of the file to which events are logged; this may be the system messages logfile if desired. Default is "/var/log/doorman".
loglevel - the name of the severity level at which logging should occur. The names are not case-sensitive. Valid level names, in order of severity, are:

    DEBUG  INFO  NOTICE  WARNING
    ERROR  CRIT  ALERT   EMERG

For normal usage, INFO or NOTICE will probably be the preferred level. Default level is DEBUG.
pidfile - the full pathname of the process-ID file created by doormand. Default is "/var/run/doorman.pid". Doormand removes this file just before it stops running, except in the case of a program crash, after which it must be removed manually.
port - the UDP port number at which the doorman should listen for "knocks". Default is 1001.
hash-archive - the name of the file in which information about old "knock" packets is stored. The doorman uses this file to make sure that a successful knock cannot be re-used by someone sniffing traffic to your firewall.
hash-archive-size - the number of old knocks which are to be remembered. This must be at least 1000, but should be 50000 or more, to make replay attacks difficult. The hash archive consumes 20 bytes of disk space per knock. In the current implementation, some knocks may be lost when the doorman is restarted after this value is reduced, causing the archive to be re-created as a smaller file. Default is 100000 knocks.
waitfor - the number of seconds that may elapse after a valid "knock", during which a connection may be made to the requested service. Default is 10 seconds.
 

EXAMPLE FILES

for a production environment:

   interface         eth0
   port              1001
   waitfor           10
   pidfile           /var/run/doormand.pid
   logfile           /var/log/messages
   loglevel          NOTICE
   guestlist         /usr/local/etc/doormand/guestlist
   firewall-add      /usr/local/etc/doormand/firewall_add
   firewall-del      /usr/local/etc/doormand/firewall_delete
   hash-archive-size 50000
   hash-archive      /var/doormand.hash-archive

for testing:

   interface           lo
   port                1033
   waitfor             10
   pidfile             /tmp/doormand.pid
   logfile             /dev/tty
   loglevel            DEBUG
   guestlist           test_guestlist
   firewall-add        test_add_script
   firewall-del        test_del_script
   hash-archive-size   50000
   hash-archive        /tmp/doormand.hash-archive
   link-header-length  16  # if doorman is ignoring knocks,
                           # you can experiment by using
                           # different values for this.

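The following is an added example, not part of doormand: a small parser and sanity checker for the doormand.cf format described above (case-insensitive keywords, '#' comments, blank lines, no-default keywords, the hash-archive-size minimum and the valid loglevel names). Because the daemon drops unrecognized keywords silently, the checker reports them, which catches typos such as an underscore in place of a hyphen. The sample configs embedded below are the page's production example and a constructed misconfigured file.

```python
# Added example (not doormand's own code): parse and lint a doormand.cf file.
# Defaults, required keywords and limits are taken from the doormand.cf(5) text.
DEFAULTS = {
    "connection-delay-1": 500000, "connection-delay-2": 5, "port": 1001,
    "waitfor": 10, "hash-archive-size": 100000, "loglevel": "DEBUG",
    "logfile": "/var/log/doorman", "pidfile": "/var/run/doorman.pid",
}
REQUIRED = ("interface", "guestlist", "firewall-add", "firewall-del", "hash-archive")
INT_KEYS = {"connection-delay-1", "connection-delay-2", "port", "waitfor",
            "hash-archive-size", "link-header-length"}
KNOWN = set(DEFAULTS) | set(REQUIRED) | {"link-header-length"}
LOG_LEVELS = ("DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRIT", "ALERT", "EMERG")

def parse_doormand_cf(text):
    """Return (config, unknown_keywords). Keywords are case-insensitive,
    '#' starts a comment, blank lines are skipped, later lines override."""
    cfg, unknown = dict(DEFAULTS), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)               # keyword, then the rest as value
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key not in KNOWN:
            unknown.append(key)                   # the daemon would ignore this silently
            continue
        if key in INT_KEYS:
            value = int(value)                    # non-numeric value raises ValueError
        elif key == "loglevel":
            value = value.upper()                 # level names are not case-sensitive
        cfg[key] = value
    return cfg, unknown

def check_doormand_cf(text):
    """Lint a config: missing no-default keywords, bad values, ignored keywords."""
    cfg, unknown = parse_doormand_cf(text)
    problems = [f"{k}: required keyword with no default is missing" for k in REQUIRED if k not in cfg]
    problems += [f"{k}: unrecognized keyword, the daemon would ignore it" for k in unknown]
    if cfg["loglevel"] not in LOG_LEVELS:
        problems.append(f"loglevel: {cfg['loglevel']} is not a valid level")
    size = cfg["hash-archive-size"]
    if size < 1000:
        problems.append("hash-archive-size: must be at least 1000")
    elif size < 50000:
        problems.append("hash-archive-size: below 50000, replay protection weaker than recommended")
    if not 1 <= cfg["port"] <= 65535:
        problems.append("port: not a valid UDP port")
    return problems

PRODUCTION_CF = """interface eth0\nport 1001\nwaitfor 10\nloglevel NOTICE
guestlist /usr/local/etc/doormand/guestlist\nfirewall-add /usr/local/etc/doormand/firewall_add
firewall-del /usr/local/etc/doormand/firewall_delete\nhash-archive-size 50000
hash-archive /var/doormand.hash-archive\n"""        # the man page's production example
BAD_CF = """INTERFACE eth0          # keywords are case-insensitive
hash_archive_size 500   # constructed typo: underscore instead of hyphen
hash-archive-size 500   # below the documented minimum of 1000
loglevel verbose        # not one of the documented level names\n"""
```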

SEE ALSO

knock(1), knockcf(5), doormand(8), guestlist(5)

ACKNOWLEDGEMENT

doormand and knock are an implementation of an original idea by Martin Krzywinski. See his site at http://www.portknocking.org

COPYRIGHT

Copyright (c) 2003-2005, J.B.Ward
<bward2@users.sourceforge.net>



Doorman, V0.81 DOORMAND.CF (5) Aug 14, 2005
