Doorman & Knocker

NAME - The doormand configuration file

       This  is  the main configuration file for the doormand daemon.  It con-
       sists of simple keyword-value pairs, one pair per  line;  keywords  are
       not  case-sensitive.   Any  part of a line following a '#' character is
       ignored, and may be used as a  comment.   Blank  lines  are  permitted.
       Unrecognized keywords are ignored without warning messages.

       connection-delay-1  -  the maximum number of microseconds to wait for a
           complete 3-way handshake between the client and the requested  ser-
           vice, after seeing the initial 'SYN' from the client.
           Default value is 500000 usecs (one half second).

       connection-delay-2  -  the number of seconds delay between checks on an
           established connection, waiting for it  to  be  broken.   When  the
           doorman  finds the connection has been broken, it removes the fire-
           wall rule which permitted that connection.   Default is 5  seconds.

       firewall-add  - the full pathname of the script to be used to add fire-
           wall rules.  No default.

       firewall-del - the full pathname of the script to  be  used  to  delete
           firewall rules.  No default.

       guestlist  -  the  full  pathname  of  the  doorman's "guest list".  No

       link-header-length - the number of bytes in the data-link header of the
           interface that the doorman is listening on.  You only need to spec-
           ify this if 'pcap' guesses this value incorrectly;  this  is  rare,
           but  -has- been reported, usually on PPPoE interfaces.  The doorman
           uses the 'pcap' package ("Packet Capture"; the Berkeley packet fil-
           ter  package)  to  watch  for  packets.  If pcap gets the data-link
           header length wrong, the doorman will not recognize knock  packets,
           and will do and log absolutely nothing.

           To  determine  the  correct  value to use, dump received packets to
           standard output by using the doormand "-D"  and  "-X"  command-line
           options.   Send  a few 'knock' packets, and look for "45 00" in the
           dump.  These are usually the first 2 bytes of the IP header;  count
           the  number  of bytes before them, and you have the length of the
           data-link header.
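       The same measurement, done in code as an added example (not doormand's
       own): a plain search for "45 00" is taken as the starting point, but a
       candidate is accepted only if it is an IPv4 header carrying UDP to the
       configured knock port, because "45 00" can also occur inside the link
       header.  Assumes an IPv4 header without options (IHL = 5, which "45"
       already implies); the sample frames and link headers are constructed.

```python
# Added example, not doormand's own code: automate the page's "count the bytes
# before 45 00" step on a captured frame, but accept a candidate only if it is
# an IPv4 header carrying UDP to the knock port (knocks are UDP, per 'port').
# Assumes an IPv4 header without options (IHL = 5), which "45 00" already implies.
import socket
import struct

def find_link_header_length(frame, knock_port):
    """Return the offset of the IPv4 header in `frame`, i.e. the value for
    link-header-length, or None when no plausible knock packet is present."""
    off = frame.find(b"\x45\x00")
    while off != -1:
        ip = frame[off:]
        if len(ip) >= 28 and ip[9] == 17:            # room for IP+UDP, proto UDP
            total_len = struct.unpack("!H", ip[2:4])[0]
            dport = struct.unpack("!H", ip[22:24])[0]   # UDP dst port at IHL=5
            if 28 <= total_len <= len(ip) and dport == knock_port:
                return off
        off = frame.find(b"\x45\x00", off + 1)      # "45 00" can occur elsewhere
    return None

def build_knock_frame(link_header, payload, dport, src="10.0.0.2", dst="10.0.0.1"):
    """Constructed sample frame: link header + minimal IPv4 header + UDP.
    Checksums are left 0; they do not affect the offset being measured."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return link_header + ip + udp

# Constructed 16-byte link header (the page's test value) that happens to
# contain a decoy "45 00" at offset 2, which a plain byte search would pick.
DECOY_LINK_HDR = bytes.fromhex("1188450000aabbccddeeff0001020321")
ETHERNET_HDR = bytes.fromhex("ffffffffffff001122334455" "0800")   # 14 bytes
```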

       interface - the device name of the interface at which the doorman should
           listen.  No default.

       logfile  -  the  full  pathname of the file to which events are logged;
           this may be the system messages logfile  if  desired.   Default  is

       loglevel  -  the  name  of  the  severity level at which logging should
           occur.  The names are not case-sensitive.  Valid  level  names,  in
           order of severity, are:
               ERROR  CRIT  ALERT   EMERG
           For  normal  usage,  INFO  or NOTICE will probably be the preferred
           level.  Default level is DEBUG.

       pidfile - the full pathname of the process-ID file created by doormand.
           Default is "/var/run/".  Doormand removes this file just
           before it stops running, except in the case  of  a  program  crash,
           after which it must be removed manually.

       port  -  the  UDP  port  number  at which the doorman should listen for
           "knocks".  Default is 1001.

       hash-archive - the name of the file  in  which  information  about  old
           "knock" packets is stored.  The doorman uses this file to make sure
           that a successful knock cannot be re-used by someone sniffing traf-
           fic to your firewall.

       hash-archive-size  -  the  number  of old knocks which are to be remem-
           bered.  This must be at least 1000, but should be 50000 or more, to
           make  replay attacks difficult.  The hash archive consumes 20 bytes
           of disk space per  knock.   In  the  current  implementation,  some
           knocks  may  be lost when the doorman is restarted after this value
           is reduced, causing the archive to be re-created as a smaller file.
           Default is 100000 knocks.

       waitfor  - the number of seconds that may elapse after a valid "knock",
           during which a connection may be made  to  the  requested  service.
           Default is 10 seconds.
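       As an added example (not doormand's own code), a parser that applies the
       format rules given at the top of this page and the defaults documented
       for each keyword, followed by a lint pass for the settings the page says
       have no default or a minimum.  The keyword set, defaults and limits are
       taken from the descriptions above; the sample configuration is
       constructed.

```python
# Added example, not doormand's own code: parse a doormand.cf-style file by
# the rules this page gives, apply its documented defaults, and lint it.
import io
DEFAULTS = {"connection-delay-1": 500000, "connection-delay-2": 5,  # usec, sec
            "loglevel": "DEBUG", "port": 1001,
            "hash-archive-size": 100000, "waitfor": 10}
REQUIRED = ("interface", "firewall-add", "firewall-del", "guestlist")  # no default
KNOWN = set(DEFAULTS) | set(REQUIRED) | {"link-header-length", "logfile",
                                         "pidfile", "hash-archive"}
INT_KEYS = {"connection-delay-1", "connection-delay-2", "port",
            "hash-archive-size", "waitfor", "link-header-length"}

def parse_doormand_cf(text):
    """'#' starts a comment, blank lines are skipped, keywords are not
    case-sensitive, unrecognized keywords are dropped without a warning."""
    conf = dict(DEFAULTS)
    for raw in io.StringIO(text):
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:          # blank, comment-only or value-less line
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in KNOWN:
            conf[key] = int(value) if key in INT_KEYS else value
    return conf

def lint(conf):
    """Checks from the page: keys with no default, the hash-archive-size
    floor (1000) and recommendation (50000+), and the DEBUG default level."""
    problems = [k + ": no default, must be set" for k in REQUIRED if k not in conf]
    size = conf["hash-archive-size"]
    if size < 1000:
        problems.append("hash-archive-size: must be at least 1000")
    elif size < 50000:
        problems.append("hash-archive-size: 50000 or more makes replay harder")
    if conf["loglevel"].upper() == "DEBUG":
        problems.append("loglevel: INFO or NOTICE is preferred for normal use")
    return problems

def archive_bytes(conf):
    """Disk the hash archive will use: 20 bytes per remembered knock."""
    return 20 * conf["hash-archive-size"]
SAMPLE = """# constructed sample in the style of the page's test config
INTERFACE           lo        # keyword case is ignored
port                1033
hash-archive-size   50000
link-header-length  16        # experiment if knocks are ignored
guestlist           test_guestlist
no-such-keyword     42        # ignored silently
"""
```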

       for a production environment:
          interface         eth0
          port              1001
          waitfor           10
          pidfile           /var/run/
          logfile           /var/log/messages
          loglevel          NOTICE
          guestlist         /usr/local/etc/doormand/guestlist
          firewall-add      /usr/local/etc/doormand/firewall_add
          firewall-del      /usr/local/etc/doormand/firewall_delete
          hash-archive-size 50000
          hash-archive      /var/doormand.hash-archive

       for testing:
          interface           lo
          port                1033
          waitfor             10
          pidfile             /tmp/
          logfile             /dev/tty
          loglevel            DEBUG
          guestlist           test_guestlist
          firewall-add        test_add_script
          firewall-del        test_del_script
          hash-archive-size   50000
          hash-archive        /tmp/doormand.hash-archive
          link-header-length  16  # if doorman is ignoring knocks,
                                  # you can experiment by using
                                  # different values for this.

       knock(1), knockcf(5), doormand(8), guestlist(5)

       doormand  and knock are an implementation of an original idea by Martin
       Krzywinski.  See his site at

       Copyright (c) 2003-2005, J.B.Ward

Doorman, V0.81                   Aug 14, 2005