doormand.cf(5)                 Doorman & Knocker                 doormand.cf(5)

NAME
       doormand.cf - the doormand configuration file

DESCRIPTION
       This is the main configuration file for the doormand daemon.  It
       consists of simple keyword-value pairs, one pair per line; keywords
       are not case-sensitive.  Any part of a line following a '#'
       character is ignored and may be used as a comment.  Blank lines are
       permitted.  Unrecognized keywords are ignored without any warning
       message, so a misspelled keyword silently has no effect and the
       setting it was meant to change keeps its default.

KEYWORDS
       connection-delay-1
              The maximum number of microseconds to wait for a complete
              3-way handshake between the client and the requested
              service, after seeing the initial 'SYN' from the client.
              Default is 500000 usecs (one half second).

       connection-delay-2
              The number of seconds between checks on an established
              connection, waiting for it to be broken.  When the doorman
              finds that the connection has been broken, it removes the
              firewall rule which permitted that connection.  Default is
              5 seconds.

       firewall-add
              The full pathname of the script to be used to add firewall
              rules.  No default.

       firewall-del
              The full pathname of the script to be used to delete
              firewall rules.  No default.

       guestlist
              The full pathname of the doorman's "guest list".  No
              default.

       link-header-length
              The number of bytes in the data-link header of the
              interface on which the doorman is listening.  You only need
              to specify this if 'pcap' guesses this value incorrectly;
              this is rare, but -has- been reported, usually on PPPoE
              interfaces.  The doorman uses the 'pcap' package ("Packet
              Capture", the Berkeley packet filter package) to watch for
              packets.  If pcap gets the data-link header length wrong,
              the doorman will not recognize knock packets, and will do
              and log absolutely nothing.

              To determine the correct value to use, dump received
              packets to standard output by using the doormand "-D" and
              "-X" command-line options.  Send a few 'knock' packets and
              look for "45 00" in the dump.  These are usually the first
              two bytes of the IP header (0x45 is IP version 4 with a
              20-byte header; 0x00 is a zero type-of-service byte, which
              is why the pattern is "usually" and not "always" present).
              Count the number of bytes before them, and you have the
              length of the data-link header.

       interface
              The device name of the interface on which the doorman
              should listen.  No default.

       logfile
              The full pathname of the file to which events are logged;
              this may be the system messages logfile if desired.
              Default is "/var/log/doorman".

       loglevel
              The name of the severity level at which logging should
              occur.  The names are not case-sensitive.  Valid level
              names, in order of severity, are:

                     DEBUG INFO NOTICE WARNING ERROR CRIT ALERT EMERG

              For normal usage, INFO or NOTICE will probably be the
              preferred level.  Default level is DEBUG.

       pidfile
              The full pathname of the process-ID file created by
              doormand.  Default is "/var/run/doorman.pid".  Doormand
              removes this file just before it stops running, except in
              the case of a program crash, after which it must be removed
              manually.

       port   The UDP port number on which the doorman should listen for
              "knocks".  Default is 1001.

       hash-archive
              The name of the file in which information about old "knock"
              packets is stored.  The doorman uses this file to make sure
              that a successful knock cannot be re-used by someone
              sniffing traffic to your firewall.

       hash-archive-size
              The number of old knocks which are to be remembered.  This
              must be at least 1000, but should be 50000 or more, to make
              replay attacks difficult.  The hash archive consumes 20
              bytes of disk space per knock.  In the current
              implementation, some knocks may be lost when the doorman is
              restarted after this value is reduced, causing the archive
              to be re-created as a smaller file.  Default is 100000
              knocks.

       waitfor
              The number of seconds that may elapse after a valid
              "knock", during which a connection may be made to the
              requested service.  Default is 10 seconds.
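       The following is an added example for the link-header-length
       procedure above; it is not part of the Doorman distribution and
       does not read doormand's own "-D -X" dump format.  Instead of
       trusting the first "45 00" in a dump, it tries every offset that
       could start an IPv4 header and keeps only one whose header
       checksum verifies, whose total length fits the frame, and which
       carries UDP to the knock port.  The two link headers it is run
       against are constructed here, and the 14-byte Ethernet one
       deliberately contains a decoy "45 00" inside the destination MAC
       to show why the naive rule of thumb can mislead.

```python
"""Find the data-link header length of a captured knock frame.

Added example for the link-header-length keyword; not Doorman code.
The sample link headers and the frame builder are constructed for this
example; nothing here is captured traffic.
"""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over an IPv4 header.

    Returns 0 when run over a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_knock(frame: bytes, off: int, knock_port: int) -> bool:
    """True if frame[off:] is a valid IPv4/UDP datagram addressed to knock_port."""
    if len(frame) < off + 20:
        return False
    ver_ihl = frame[off]
    if ver_ihl >> 4 != 4:                     # IP version 4
        return False
    ihl = (ver_ihl & 0x0F) * 4                # header length in bytes
    if ihl < 20 or len(frame) < off + ihl + 8:
        return False
    if ipv4_checksum(frame[off:off + ihl]) != 0:
        return False                          # header checksum does not verify
    (total_len,) = struct.unpack("!H", frame[off + 2:off + 4])
    if frame[off + 9] != 17 or off + total_len > len(frame):
        return False                          # not UDP, or length exceeds frame
    (dst_port,) = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])
    return dst_port == knock_port


def link_header_length(frame: bytes, knock_port: int = 1001):
    """Bytes of link-layer header before a validated IPv4/UDP knock, or None."""
    for off in range(len(frame) - 28 + 1):   # 20-byte IP + 8-byte UDP minimum
        if looks_like_knock(frame, off, knock_port):
            return off
    return None


def first_45_00(frame: bytes):
    """The man page's rule of thumb: offset of the first '45 00' in the dump."""
    i = frame.find(b"\x45\x00")
    return i if i >= 0 else None


def parse_hexdump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump ('45 00 00 21 ...') into bytes."""
    return bytes.fromhex("".join(text.split()))


def build_knock_frame(link_header: bytes, knock_port: int, payload: bytes) -> bytes:
    """Constructed frame: link header + IPv4 (valid checksum) + UDP (checksum 0)."""
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", 40000, knock_port, udp_len, 0) + payload
    return link_header + ip + udp


# Constructed sample link headers (not captured traffic):
# 14-byte Ethernet header whose destination MAC contains a decoy "45 00".
ETH_HDR = parse_hexdump("00 45 00 aa bb cc  00 11 22 33 44 55  08 00")
# 22 bytes: Ethernet (type 0x8864) + 6-byte PPPoE session header + PPP 0x0021 (IP).
PPPOE_HDR = parse_hexdump("00 11 22 33 44 55  66 77 88 99 aa bb  88 64"
                          "  11 00 00 01 00 23  00 21")

if __name__ == "__main__":
    for name, hdr in (("ethernet", ETH_HDR), ("pppoe", PPPOE_HDR)):
        frame = build_knock_frame(hdr, 1001, b"knock")
        print(name, "first '45 00' at", first_45_00(frame),
              "validated link-header-length", link_header_length(frame, 1001))
```

       On the Ethernet sample the rule of thumb reports 1 (the decoy in
       the MAC address) while the validated search reports 14; on the
       PPPoE-style sample both agree on 22.  Feed the function the bytes
       of a real dump and a few captured knocks, and use the value it
       returns for link-header-length only if it is stable across all of
       them.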
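       Because doormand ignores unknown keywords without a warning, a
       typo in a keyword name (or a hash-archive-size below the
       documented minimum) is invisible until a knock fails or a replay
       succeeds.  The linter below is an added example, not part of the
       Doorman distribution: it parses a file using the rules in the
       DESCRIPTION section ('#' comments, blank lines, case-insensitive
       keywords) and checks it against the keyword table above.  The
       severity attached to each finding, the "full pathname" check, and
       the duplicate-keyword warning are this script's own choices; the
       keyword names, the required (no-default) keywords, the loglevel
       names and the hash-archive-size limits are taken from this page.
       The sample configuration inside it is constructed for the example.

```python
"""Lint a doormand.cf file against the rules in doormand.cf(5).

Added example for this page; it is not part of the Doorman distribution.
Keyword names, required keywords, loglevel names and hash-archive-size
limits come from the man page; the severities are this script's choice.
"""
import sys

LOG_LEVELS = ("DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRIT", "ALERT", "EMERG")

# keyword -> (value kind, required because the page lists "No default")
KEYWORDS = {
    "connection-delay-1": ("int", False),
    "connection-delay-2": ("int", False),
    "firewall-add":       ("path", True),
    "firewall-del":       ("path", True),
    "guestlist":          ("path", True),
    "link-header-length": ("int", False),
    "interface":          ("str", True),
    "logfile":            ("path", False),
    "loglevel":           ("level", False),
    "pidfile":            ("path", False),
    "port":               ("int", False),
    "hash-archive":       ("path", False),
    "hash-archive-size":  ("int", False),
    "waitfor":            ("int", False),
}


def parse(text):
    """Return (entries, problems); entries are (lineno, keyword, value) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' to end of line is a comment
        if not line:
            continue                              # blank lines are permitted
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append((lineno, "error", "keyword without a value: %r" % line))
            continue
        entries.append((lineno, parts[0].lower(), parts[1].strip()))
    return entries, problems


def lint(text):
    """Return a sorted list of (lineno, severity, message); empty means clean."""
    entries, problems = parse(text)
    seen = {}
    for lineno, key, value in entries:
        if key not in KEYWORDS:
            # doormand ignores such lines silently, so this is the important check
            problems.append((lineno, "error",
                             "unrecognized keyword %r (doormand would silently ignore it)" % key))
            continue
        if key in seen:
            problems.append((lineno, "warning",
                             "%s already set on line %d; which value wins is not documented"
                             % (key, seen[key])))
        seen[key] = lineno
        kind, _ = KEYWORDS[key]
        if kind == "int":
            if not value.isdigit():
                problems.append((lineno, "error",
                                 "%s must be a non-negative integer, got %r" % (key, value)))
                continue
            n = int(value)
            if key == "port" and not 1 <= n <= 65535:
                problems.append((lineno, "error", "port %d is not a valid UDP port" % n))
            elif key == "hash-archive-size" and n < 1000:
                problems.append((lineno, "error",
                                 "hash-archive-size must be at least 1000, got %d" % n))
            elif key == "hash-archive-size" and n < 50000:
                problems.append((lineno, "warning",
                                 "hash-archive-size %d is below the recommended 50000" % n))
        elif kind == "path" and not value.startswith("/"):
            problems.append((lineno, "warning",
                             "%s should be a full pathname, got %r" % (key, value)))
        elif kind == "level" and value.upper() not in LOG_LEVELS:
            problems.append((lineno, "error",
                             "loglevel %r is not one of %s" % (value, " ".join(LOG_LEVELS))))
    for key, (_, required) in KEYWORDS.items():
        if required and key not in seen:
            problems.append((0, "error", "%s has no default and is not set" % key))
    return sorted(problems)


# Constructed sample, not a real deployment: one typo, one relative path,
# and an archive size below the documented minimum.
SAMPLE_CF = """\
# constructed sample doormand.cf
interface eth0
Port 1001            # keywords are not case-sensitive
waitfor 10
loglevel notice
guestlist /usr/local/etc/doormand/guestlist
firewall-add /usr/local/etc/doormand/firewall_add
firewall-del firewall_delete
hash-archive-sise 500      # typo: doormand would ignore this line
hash-archive-size 900
hash-archive /var/doormand.hash-archive
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CF
    for lineno, severity, msg in lint(text):
        print("%s: line %d: %s" % (severity, lineno, msg))
```

       Run with a file argument to lint a real configuration, or with no
       argument to see the three findings in the constructed sample
       (relative firewall-del path, the hash-archive-sise typo, and a
       hash-archive-size of 900).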
EXAMPLE FILES
       For a production environment:

              interface          eth0
              port               1001
              waitfor            10
              pidfile            /var/run/doormand.pid
              logfile            /var/log/messages
              loglevel           NOTICE
              guestlist          /usr/local/etc/doormand/guestlist
              firewall-add       /usr/local/etc/doormand/firewall_add
              firewall-del       /usr/local/etc/doormand/firewall_delete
              hash-archive-size  50000
              hash-archive       /var/doormand.hash-archive

       For testing:

              interface          lo
              port               1033
              waitfor            10
              pidfile            /tmp/doormand.pid
              logfile            /dev/tty
              loglevel           DEBUG
              guestlist          test_guestlist
              firewall-add       test_add_script
              firewall-del       test_del_script
              hash-archive-size  50000
              hash-archive       /tmp/doormand.hash-archive
              link-header-length 16    # if doorman is ignoring knocks,
                                       # you can experiment by using
                                       # different values for this.

SEE ALSO
       knock(1), knockcf(5), doormand(8), guestlist(5)

ACKNOWLEDGEMENT
       doormand and knock are an implementation of an original idea by
       Martin Krzywinski.  See his site at http://www.portknocking.org

COPYRIGHT
       Copyright (c) 2003-2005, J.B.Ward <bward2@users.sourceforge.net>

Doorman, V0.81                    Aug 14, 2005                   doormand.cf(5)