On Apr 22, 2012, Richard Thornton wrote:

> Michael,
>
> Thanks for the info, much appreciated.
>
> Is there a way for me to knock once and open up all 8 servers in the one go?
With a single SPA packet you can have multiple services opened on a single IP, but opening multiple services across multiple internal IPs is not currently supported. For multiple services on a single IP, you can put:

OPEN_PORTS: tcp/22,tcp/1234;

in the access.conf file, and then on the fwknop client command line use:

$ fwknop tcp/22,tcp/1234 ...

You would need to explicitly state each service on the client command line. If you only state, say, "tcp/22", then fwknopd will open just that service even if OPEN_PORTS contains multiple services.

> With accessing the servers using HTTPS, should I just adjust the rule
> timeout to x minutes, if I understand it the only real downside is
> people that are behind the same NAT IP as my client will also get
> access, each of the servers requires authentication so I'm not too
> worried about that.

In general, yes, adjusting the timeout is a way to handle HTTP/HTTPS if you don't want to have to keep sending the SPA packet. That is correct about client systems that are behind the same NAT IP. Two things to note on this though:

- Some HTTP/HTTPS services are using persistent connections these days, so it is possible that you might not even need the longer timeout.

- In the fwknop-2.0 sources in the extras/fwknop-launcher/ directory, the fwknop-launcher-lsof.pl script can be used to automatically send an SPA packet to a remote fwknopd server when certain connections are attempted. This requires putting your key in a file that the launcher script can read, but the advantage is that you wouldn't have to keep manually sending SPA packets for requested services.

> Wouldn't I need the SNAT for consistency:
>
> User accesses server on public IP x.x.x.x
> Server replies with the same public IP x.x.x.x
>
> Otherwise wouldn't the server reply with the hide NAT address of the
> external firewall interface, no doubt that would work but the DNAT
> would be nicer, no?

Can your internal servers reach the internet through your gateway currently?
If so, then you already have the SNAT + routing configured to work. So, fwknopd wouldn't need to set this up. The DNAT rules are what it will build to reach the internal systems.

--Mike

> Cheers
> Richard
>
> On 22 April 2012 04:12, Michael Rash <[email protected]> wrote:
>
> > On Apr 21, 2012, Richard Thornton wrote:
> >
> >> Hi,
> >>
> >> I am not sure if this is possible and would be grateful for the advice. I
> >> want to avoid using VPNs as the resources are not super sensitive.
> >>
> >> I have an Ubuntu box with multiple interfaces including pppoe adsl2 and I
> >> am going to use it as a firewall.
> >>
> >> I have 8 servers with private IPs that I need access to and I have 9 public
> >> IPs (one IP is firewall external interface).
> >>
> >> I would like fwknop to give me access to the servers (and also to control
> >> ssh access to the firewall).
> >>
> >> The servers will mostly have ssh and https but there is also rdp and esxi
> >> mgmt ports on some. I am happy with the security implications of extending
> >> the rule duration to make http work better.
> >>
> >> So can fwknop handle creating the 8 DNATs and corresponding 8 SNATs so each
> >> server can be accessed 1:1 with the public IPs?
> >
> > Yes, I believe that either the regular DNAT mode or the FORCE_NAT mode
> > will support this. A corresponding SNAT rule can be created too, but is
> > usually only necessary if the internal systems don't have a route back out.
> >
> > On the client side, here is an example invocation for SSH access:
> >
> > $ fwknop -A tcp/22 -a <clientIP> -D <serverExternalIP> -N <internalIP>:22
> >
> > If you use the FORCE_NAT mode on the server, you don't need the "-N ..." stuff
> > on the client side - the incoming connection to the requested service will
> > be NAT'd transparently by the server and the client will never know it.
> >
> > On the server side, make sure to set:
> >
> > ENABLE_IPT_FORWARDING Y;
> >
> > If you need SNAT support at the same time (not likely in most situations)
> > then set:
> >
> > ENABLE_IPT_SNAT Y;
> >
> > Now, if you are using the FORCE_NAT mode, then for each internal service
> > create a different stanza in the access.conf file and use the FORCE_NAT
> > directive. Here is an example where "192.168.1.123" is an IP of one of the
> > internal systems:
> >
> > SOURCE: ANY;
> > KEY: somefwknopkey;
> > FW_ACCESS_TIMEOUT: 30;
> > FORCE_NAT: 192.168.1.123 22;
> >
> > Thanks,
> >
> > --Mike
> >
> >> Any tips, tricks or advice would be much appreciated.
> >>
> >> Thanks for looking.
> >>
> >> Cheers
> >> Richard
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
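Added example, not part of the thread and not code from the fwknop project: a small Python lint that reads an access.conf and a fwknopd.conf fragment written in the "NAME: value;" / "NAME value;" style shown above and flags the mistakes the thread talks about: FORCE_NAT stanzas with ENABLE_IPT_FORWARDING left at N, malformed OPEN_PORTS or FORCE_NAT values, stanzas that share SOURCE and KEY (nothing in the SPA packet could then pick the second one), and long FW_ACCESS_TIMEOUT values, which widen the window for anyone behind the same NAT IP as the client. The sample configs are constructed for the example. Assumptions, labelled in the code: a stanza without OPEN_PORTS does not restrict ports, stanza selection goes by SOURCE match plus decryption with KEY so the first such stanza wins, the 300-second "long timeout" threshold is arbitrary, and a missing ENABLE_IPT_FORWARDING is treated as N.

```python
"""Lint fwknop-2.0 style access.conf / fwknopd.conf fragments for the pitfalls
discussed in the thread.  Example code with constructed input; not the
project's own code."""
import re

# Constructed sample: two FORCE_NAT stanzas that share SOURCE and KEY, plus an
# OPEN_PORTS stanza with a long timeout.  Not taken from the thread.
SAMPLE_ACCESS_CONF = """\
SOURCE: ANY;
KEY: somefwknopkey;
FW_ACCESS_TIMEOUT: 30;
FORCE_NAT: 192.168.1.123 22;

SOURCE: ANY;
KEY: somefwknopkey;
FW_ACCESS_TIMEOUT: 30;
FORCE_NAT: 192.168.1.124 22;

SOURCE: 203.0.113.0/24;
KEY: anotherkey;
OPEN_PORTS: tcp/22,tcp/1234;
FW_ACCESS_TIMEOUT: 900;
"""

# Constructed fwknopd.conf fragment with forwarding left off.
SAMPLE_FWKNOPD_CONF = """\
ENABLE_IPT_FORWARDING   N;
ENABLE_IPT_SNAT         N;
"""

# access.conf uses "NAME: value;", fwknopd.conf uses "NAME value;"; accept both.
DIRECTIVE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*:?\s*(.*?)\s*;\s*$')
PORT_RE = re.compile(r'^(tcp|udp)/(\d{1,5})$')
LONG_TIMEOUT = 300  # seconds; arbitrary threshold for the warning (assumption)


def parse_conf(text):
    """Return a list of stanzas (dicts).  A new stanza starts at each SOURCE
    directive, as in access.conf; a fwknopd.conf fragment yields one dict."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]
        if not line.strip():
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError('unparseable line: %r' % raw)
        name, value = m.groups()
        if name == 'SOURCE' or not stanzas:
            stanzas.append({})
        stanzas[-1][name] = value
    return stanzas


def parse_ports(spec):
    """'tcp/22,tcp/1234' -> [('tcp', 22), ('tcp', 1234)]; rejects malformed items."""
    ports = []
    for item in spec.split(','):
        m = PORT_RE.match(item.strip())
        if not m or not 0 < int(m.group(2)) < 65536:
            raise ValueError('bad port spec: %r' % item)
        ports.append((m.group(1), int(m.group(2))))
    return ports


def request_allowed(stanza, requested):
    """True if every service in the client's -A argument is in the stanza's
    OPEN_PORTS.  The client still has to name each service; OPEN_PORTS only
    bounds what may be asked for.  Assumption: no OPEN_PORTS, no restriction."""
    if 'OPEN_PORTS' not in stanza:
        return True
    return set(parse_ports(requested)) <= set(parse_ports(stanza['OPEN_PORTS']))


def lint(access_text, fwknopd_text):
    """Return a list of findings (empty list means nothing was flagged)."""
    findings = []
    stanzas = parse_conf(access_text)
    daemon = parse_conf(fwknopd_text)[0] if fwknopd_text.strip() else {}
    seen = {}
    uses_force_nat = False
    for i, st in enumerate(stanzas, 1):
        if 'KEY' not in st:
            findings.append('stanza %d: no KEY' % i)
        if 'FORCE_NAT' in st:
            uses_force_nat = True
            parts = st['FORCE_NAT'].split()
            if len(parts) != 2 or not parts[1].isdigit():
                findings.append("stanza %d: FORCE_NAT must be '<ip> <port>'" % i)
        if 'OPEN_PORTS' in st:
            try:
                parse_ports(st['OPEN_PORTS'])
            except ValueError as e:
                findings.append('stanza %d: %s' % (i, e))
        try:
            if int(st.get('FW_ACCESS_TIMEOUT', '0')) > LONG_TIMEOUT:
                findings.append('stanza %d: FW_ACCESS_TIMEOUT %s s is long; hosts behind '
                                'the same NAT IP as the client share the open window'
                                % (i, st['FW_ACCESS_TIMEOUT']))
        except ValueError:
            findings.append('stanza %d: FW_ACCESS_TIMEOUT is not an integer' % i)
        # Assumption: a stanza is chosen by SOURCE match plus decryption with
        # its KEY, so two stanzas with the same pair cannot be told apart and
        # the first one always wins.
        ident = (st.get('SOURCE'), st.get('KEY'))
        if ident in seen:
            findings.append('stanza %d: same SOURCE and KEY as stanza %d; it can never '
                            'be selected, so its target is unreachable' % (i, seen[ident]))
        else:
            seen[ident] = i
    # Assumption: a missing ENABLE_IPT_FORWARDING behaves like N.
    if uses_force_nat and daemon.get('ENABLE_IPT_FORWARDING', 'N').upper() != 'Y':
        findings.append('fwknopd.conf: FORCE_NAT stanzas need ENABLE_IPT_FORWARDING Y;')
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_ACCESS_CONF, SAMPLE_FWKNOPD_CONF):
        print(finding)
```

Run against the constructed sample it reports the shadowed second stanza, the 900-second timeout, and the missing ENABLE_IPT_FORWARDING Y; giving each of the eight FORCE_NAT stanzas its own KEY (or a distinct SOURCE) makes the first finding go away, and the lint is what you would run before restarting fwknopd after editing access.conf by hand.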
