connection-delay-1 - the maximum number of microseconds to wait for a complete 3-way handshake between the client and the requested service, after seeing the initial SYN from the client.
Default value is 500000 usecs (one half second).
connection-delay-2 - the number of seconds to wait between checks on an established connection,
waiting for it to be broken. When the doorman
finds the connection has been broken, it removes the firewall rule which
permitted that connection. Default is 5 seconds.
firewall-add - the full pathname of the script to be used to add firewall rules. No default.
firewall-del - the full pathname of the script to be used to delete firewall rules. No default.
guestlist - the full pathname of the doorman's "guest list". No default.
link-header-length - the number of bytes in the data-link header of the interface that the doorman is listening on. You only need to specify this if pcap guesses this value incorrectly; this is rare, but -has- been reported, usually on PPPoE interfaces. The doorman uses the pcap package ("Packet Capture"; the Berkeley packet filter package) to watch for packets. If pcap gets the data-link header length wrong, the doorman will not recognize knock packets, and will do and log absolutely nothing.
To determine the correct value to use, dump received packets to standard output
by using the doormand "-D" and "-X" command-line options.
Send a few knock packets, and look for "45 00" in the dump.
These are usually the first 2 bytes of the IP header; count the number of bytes
before them, and you have the length of the data-link header.
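The same check can be scripted rather than done by eye. The following is an added example (not part of doormand or its pcap handling) that scans a captured frame for the first offset at which a complete IPv4 header with a valid checksum and consistent lengths begins; that offset is the value to put in link-header-length. The three sample frames are constructed here with documentation addresses, one behind a plain Ethernet header, one behind a PPPoE session header, and one behind the 16-byte Linux "cooked" header used for the loopback interface.

```python
# Added example, not part of doormand: find the data-link header length of a
# captured frame programmatically, the same way the man page tells you to do
# by eye in a "-D -X" dump (count the bytes before the "45 00" that starts the
# IPv4 header). Instead of trusting the "45 00" pattern alone, a candidate
# offset is accepted only if a full IPv4 header with a valid checksum and
# consistent lengths starts there.
import struct


def ipv4_header_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_ipv4(frame: bytes, off: int) -> bool:
    """True if a plausible IPv4 header starts at byte offset `off` of `frame`."""
    if len(frame) - off < 20:
        return False
    ver_ihl = frame[off]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) - off < ihl:
        return False
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if total_len < ihl or total_len > len(frame) - off:
        return False
    # A header that carries a correct checksum sums to zero.
    return ipv4_header_checksum(frame[off:off + ihl]) == 0


def link_header_length(frame: bytes) -> int:
    """Offset of the first plausible IPv4 header, i.e. the value for
    link-header-length; -1 if the frame holds no recognisable IPv4 packet."""
    for off in range(len(frame) - 19):
        if looks_like_ipv4(frame, off):
            return off
    return -1


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/UDP datagram (UDP checksum left at 0 = none)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return hdr + udp


# Constructed sample frames (documentation addresses, not real captures): the same
# UDP "knock" to port 1001 behind three different data-link headers.
KNOCK = build_ipv4_udp("192.0.2.10", "198.51.100.1", 40000, 1001, b"constructed-knock")
ETHER_HDR = bytes.fromhex("00112233445566778899aabb0800")       # Ethernet II, 14 bytes
PPPOE_HDR = (ETHER_HDR[:12] + b"\x88\x64"                         # EtherType: PPPoE session
             + b"\x11\x00\x00\x01" + struct.pack("!H", len(KNOCK) + 2)
             + b"\x00\x21")                                        # PPP protocol IPv4; 22 bytes total
SLL_HDR = b"\x00\x00\x03\x04\x00\x06" + b"\x00" * 8 + b"\x08\x00"  # Linux "cooked" header, 16 bytes

FRAMES = {
    "ethernet": ETHER_HDR + KNOCK,
    "pppoe": PPPOE_HDR + KNOCK,
    "linux-cooked": SLL_HDR + KNOCK,
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:13s} link-header-length {link_header_length(frame)}")
```

Feed `link_header_length` the raw bytes of one knock frame taken from a "-D -X" dump and use the returned offset as the link-header-length value; a return of -1 means the dump did not contain an intact IPv4 packet at all, which points to a capture problem rather than a header-length one.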
loglevel - one of DEBUG, INFO, NOTICE, WARNING, ERROR, CRIT, ALERT or EMERG. For normal usage, INFO or NOTICE will probably be the preferred level. Default level is DEBUG.
pidfile - the full pathname of the process-ID file created by doormand. Default is "/var/run/doorman.pid". Doormand removes this file just before it stops running, except in the case of a program crash, after which it must be removed manually.
port - the UDP port number at which the doorman should listen for "knocks". Default is 1001.
hash-archive - the name of the file in which information about old "knock" packets is stored. The doorman uses this file to make sure that a successful knock cannot be re-used by someone sniffing traffic to your firewall.
hash-archive-size - the number of old knocks which are to be remembered. This must be at least 1000, but should be 50000 or more, to make replay attacks difficult. The hash archive consumes 20 bytes of disk space per knock. In the current implementation, some knocks may be lost when the doorman is restarted after this value is reduced, causing the archive to be re-created as a smaller file. Default is 100000 knocks.
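To make the replay-protection trade-off concrete, here is an added example (not doormand's own code, and not its on-disk archive format) of a fixed-size knock archive built from the description above: each remembered knock costs one 20-byte SHA-1 digest, the size must be at least 1000, and when the archive is full or shrunk the oldest knocks are forgotten. The demo shows why the recommended size is 50000 or more: once enough fresh knocks have pushed an old one out of the window, a replay of that old knock is accepted again.

```python
# Added example, not doormand's own code or on-disk format: a fixed-size archive
# of knock hashes that detects replays, modelled on the man page's description
# (20 bytes remembered per knock, at least 1000 entries, and the oldest knocks
# are forgotten when the archive is full or is shrunk).
import hashlib
from collections import OrderedDict

HASH_LEN = 20           # SHA-1 digest size; matches the "20 bytes per knock" figure
MIN_ARCHIVE_SIZE = 1000


class HashArchive:
    def __init__(self, size: int):
        if size < MIN_ARCHIVE_SIZE:
            raise ValueError(f"hash-archive-size must be at least {MIN_ARCHIVE_SIZE}, got {size}")
        self.size = size
        self._seen = OrderedDict()      # insertion-ordered: oldest digest first

    @staticmethod
    def digest(knock: bytes) -> bytes:
        return hashlib.sha1(knock).digest()

    def check_and_record(self, knock: bytes) -> bool:
        """True if the knock has not been seen (it is recorded); False if it is a replay."""
        d = self.digest(knock)
        if d in self._seen:
            return False
        self._seen[d] = None
        while len(self._seen) > self.size:
            self._seen.popitem(last=False)   # forget the oldest knock
        return True

    def resize(self, new_size: int) -> int:
        """Shrink or grow the archive; returns how many old knocks were dropped."""
        if new_size < MIN_ARCHIVE_SIZE:
            raise ValueError(f"hash-archive-size must be at least {MIN_ARCHIVE_SIZE}")
        self.size = new_size
        dropped = 0
        while len(self._seen) > self.size:
            self._seen.popitem(last=False)
            dropped += 1
        return dropped

    def disk_bytes(self) -> int:
        """Space the archive occupies at 20 bytes per remembered knock."""
        return self.size * HASH_LEN


def replay_window_demo(size: int, fresh_knocks: int) -> tuple:
    """Record one knock, replay it, push `fresh_knocks` new knocks through, then
    replay the first knock again.
    Returns (first_accepted, replay_rejected, replay_accepted_after_overflow)."""
    archive = HashArchive(size)
    first = b"constructed-knock-0"
    first_accepted = archive.check_and_record(first)
    replay_rejected = not archive.check_and_record(first)
    for i in range(fresh_knocks):
        archive.check_and_record(b"constructed-knock-%d" % (i + 1))
    replay_after_overflow = archive.check_and_record(first)
    return first_accepted, replay_rejected, replay_after_overflow


if __name__ == "__main__":
    # With 1000 fresh knocks the first knock is pushed out of a 1000-entry
    # archive and its replay is accepted again; a larger archive still rejects it.
    print(replay_window_demo(1000, 1000))   # (True, True, True)
    print(replay_window_demo(5000, 1000))   # (True, True, False)
```

The archive size therefore bounds how many later knocks an observer must wait through before a captured knock becomes usable again; the man page's default of 100000 costs about 2 MB of disk at 20 bytes per entry, which is cheap compared with the exposure of a small window.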
waitfor - the number of seconds that may elapse after a valid "knock", during which a connection may be made to the requested service. Default is 10 seconds.
for a production environment:

    interface eth0
    port 1001
    waitfor 10
    pidfile /var/run/doormand.pid
    logfile /var/log/messages
    loglevel NOTICE
    guestlist /usr/local/etc/doormand/guestlist
    firewall-add /usr/local/etc/doormand/firewall_add
    firewall-del /usr/local/etc/doormand/firewall_delete
    hash-archive-size 50000
    hash-archive /var/doormand.hash-archive
for testing:

    interface lo
    port 1033
    waitfor 10
    pidfile /tmp/doormand.pid
    logfile /dev/tty
    loglevel DEBUG
    guestlist test_guestlist
    firewall-add test_add_script
    firewall-del test_del_script
    hash-archive-size 50000
    hash-archive /tmp/doormand.hash-archive
    link-header-length 16    # if doorman is ignoring knocks,
                             # you can experiment by using
                             # different values for this.
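A small checker for files in this format is a useful thing to run before starting the daemon, since the keywords that have no default (firewall-add, firewall-del, guestlist) are easy to forget and a too-small hash archive weakens replay protection silently. The following is an added example, not doormand's own configuration parser: it reads "keyword value" lines with '#' comments, applies the defaults stated in this man page, and reports the constraints the page states. The production example above is embedded as the test input.

```python
# Added example, not doormand's own configuration parser: read a doormand.cf-style
# file (one "keyword value" per line, '#' starts a comment), fill in the defaults
# stated in this man page, and report violations of the constraints it states.
DEFAULTS = {
    "connection-delay-1": 500000,   # microseconds
    "connection-delay-2": 5,        # seconds
    "loglevel": "DEBUG",
    "pidfile": "/var/run/doorman.pid",
    "port": 1001,
    "hash-archive-size": 100000,
    "waitfor": 10,                  # seconds
}
REQUIRED = ("firewall-add", "firewall-del", "guestlist")   # documented as having no default
INT_KEYS = ("connection-delay-1", "connection-delay-2", "port",
            "hash-archive-size", "waitfor", "link-header-length")
LOGLEVELS = ("DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRIT", "ALERT", "EMERG")


def parse_config(text: str) -> dict:
    """Parse the file text into a dict, starting from the documented defaults."""
    cfg = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'keyword value', got {raw!r}")
        key, value = parts
        if key in INT_KEYS:
            try:
                value = int(value)
            except ValueError:
                raise ValueError(f"line {lineno}: {key} must be an integer") from None
        cfg[key] = value
    return cfg


def validate(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    for key in REQUIRED:
        if key not in cfg:
            problems.append(f"{key} has no default and must be set")
    if cfg["loglevel"] not in LOGLEVELS:
        problems.append(f"loglevel {cfg['loglevel']!r} is not one of {' '.join(LOGLEVELS)}")
    if not 1 <= cfg["port"] <= 65535:
        problems.append(f"port {cfg['port']} is not a valid UDP port")
    size = cfg["hash-archive-size"]
    if size < 1000:
        problems.append(f"hash-archive-size {size} is below the minimum of 1000")
    elif size < 50000:
        problems.append(f"hash-archive-size {size} is below the recommended 50000; replays are easier")
    if cfg["waitfor"] <= 0:
        problems.append("waitfor must be a positive number of seconds")
    return problems


# The production example from this man page, embedded as a constructed test input.
PRODUCTION_CF = """\
interface eth0
port 1001
waitfor 10
pidfile /var/run/doormand.pid
logfile /var/log/messages
loglevel NOTICE
guestlist /usr/local/etc/doormand/guestlist
firewall-add /usr/local/etc/doormand/firewall_add
firewall-del /usr/local/etc/doormand/firewall_delete
hash-archive-size 50000          # a comment after the value is ignored
hash-archive /var/doormand.hash-archive
"""

if __name__ == "__main__":
    cfg = parse_config(PRODUCTION_CF)
    print(cfg["connection-delay-1"], cfg["loglevel"], validate(cfg))
```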
doormand and knock are an implementation of an original idea by Martin Krzywinski. See his site at http://www.portknocking.org
Copyright (c) 2003-2005, J.B.Ward
Doorman, V0.81                    DOORMAND.CF (5)                    Aug 14, 2005