On Tue, Jul 19, 2016 at 4:10 PM, Jeremiah Rothschild <jerem...@franz.com>
wrote:
> Hey Michael (and others),
>
Hello Jeremiah,
>
> It seems that fwknop clients are able to override the server
> FW_ACCESS_TIMEOUT setting by providing their own --fw-timeout value. This is
> true for both command line versions and fwknop-gui.
>
> Is this intentional? To me, it is a security issue that users can extend
> the firewall rules beyond what I'm trying to enforce.
>
Good catch, yes, users can currently provide their own --fw-timeout value.
For other things like the port itself, the access.conf file can enforce
restrictions, so I suppose we should do this for the timeout value as well.
A new variable MAX_FW_TIMEOUT could be added to make this configurable. The
absolute maximum that fwknopd currently allows is 4194304, but much lower
maximums should be supported too.
I've opened GitHub issue 226 to track this for the next release.
Thanks,
--Mike
>
> Thanks in advance for the feedback!
>
> j
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
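
A sketch of the server-side enforcement proposed in the reply above, as an added example that is not fwknopd's code and not part of the original thread. The struct, the function name, and the rule that an unset cap leaves only the absolute ceiling in force are assumptions; the variable names and the 4194304 limit come from the messages.

```c
#include <stdio.h>

/* Absolute ceiling quoted in the thread for fwknopd. */
#define ABS_MAX_FW_TIMEOUT 4194304L

/* Hypothetical per-stanza policy. Field names mirror the variables
 * discussed in the thread; the struct itself is not fwknopd's. */
struct stanza_policy {
    long fw_access_timeout; /* server default, in seconds */
    long max_fw_timeout;    /* proposed cap; <= 0 means "not set" */
};

/* Return how many seconds a firewall rule may live, or -1 if the stanza
 * is misconfigured. client_timeout <= 0 means the client supplied none. */
long effective_fw_timeout(const struct stanza_policy *p, long client_timeout)
{
    long cap, want;

    if (p == NULL || p->fw_access_timeout <= 0
            || p->fw_access_timeout > ABS_MAX_FW_TIMEOUT)
        return -1;

    /* With no cap configured only the absolute ceiling applies, which is
     * the behaviour reported in the thread. */
    cap = (p->max_fw_timeout > 0) ? p->max_fw_timeout : ABS_MAX_FW_TIMEOUT;
    if (cap > ABS_MAX_FW_TIMEOUT)
        cap = ABS_MAX_FW_TIMEOUT;

    /* The client value is a request, never an override: it is clamped to
     * the cap, and so is the server default if it exceeds the cap. */
    want = (client_timeout > 0) ? client_timeout : p->fw_access_timeout;
    return (want > cap) ? cap : want;
}

int main(void)
{
    struct stanza_policy capped = { 30, 120 };  /* constructed sample values */
    struct stanza_policy uncapped = { 30, 0 };

    printf("capped, client asks 86400   -> %ld\n",
           effective_fw_timeout(&capped, 86400));
    printf("uncapped, client asks 86400 -> %ld\n",
           effective_fw_timeout(&uncapped, 86400));
    return 0;
}
```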