On Wed, Jul 25, 2018 at 5:32 PM Stephen Isard <xkyr47r...@snkmail.com>
wrote:

> I think that the -C,--server-cmd option may be what you want.  You
> would first use that to run your shell script, then ssh in with a normal
> fwknop command.
>

Another option that would probably be more robust is to use the command
cycle feature to execute a shell script. A comprehensive example of using
fwknopd to interface with ipset can be found here:

http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-with-ipset

If you replace the 'ipset' command in the CMD_CYCLE_OPEN variable with the
path to a script then I think it would accomplish the goal. The
script would add port 22 to the firewall and start the ssh service. The
corresponding CMD_CYCLE_CLOSE script could stop ssh after the timeout (if
that is required).

Thanks,

--Mike



>
> Stephen Isard
>
> On Wed, 25 Jul 2018, Davis Roman davis.roman84-at-gmail.com |fwknop|
> wrote:
>
> > hello,
> >
> > I'm currently using fwknop to punch a hole in the firewall when the
> > client uses the correct knock packet.
> >
> > We're now required to disable our systemd service by disabled which means
> > I'll have to resort to the following:
> >
> > When client sends knock packet:
> >
> > 1. add port 22 to our firewall
> > 2. start systemd ssh service.
> >
> > So essentially I would need to be able to tell fwknopd to execute a shell
> > script when the knock packet arrives.
> >
> > I've read all the fwknopd documentation and I don't see a way to do this.
> >
> > Any ideas would be extremely appreciated.
> >
> > Thank you,
> >
> > Davis
> >
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
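
The command-cycle approach described in the reply above, as an added example that is not part of the original thread and not fwknop's own code: one script for CMD_CYCLE_OPEN and CMD_CYCLE_CLOSE to call. The script path, the ssh.service unit name, the per-source iptables rule and the 30 second timer are assumptions; the script validates the address fwknopd substitutes for $IP before it reaches iptables.

```shell
#!/bin/sh
# Hypothetical helper for fwknopd's command cycle (added example).
# Assumed access.conf lines (path and timer value are assumptions):
#   CMD_CYCLE_OPEN   /usr/local/sbin/spa-ssh.sh open $IP
#   CMD_CYCLE_CLOSE  /usr/local/sbin/spa-ssh.sh close $IP
#   CMD_CYCLE_TIMER  30
# Set DRY_RUN=1 to print the commands instead of executing them.

SSH_UNIT="${SSH_UNIT:-ssh.service}"   # assumption: sshd.service on some distros

# Accept only a dotted-quad IPv4 address; reject everything else.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# spa_cycle open|close <ip>: open port 22 for one source and start sshd,
# or stop sshd and remove the same rule when the timer expires.
spa_cycle() {
    action=$1; ip=$2
    valid_ipv4 "$ip" || { echo "rejecting source '$ip'" >&2; return 2; }
    case "$action" in
        open)
            run iptables -I INPUT -p tcp -s "$ip" --dport 22 -j ACCEPT &&
            run systemctl start "$SSH_UNIT" ;;
        close)
            run systemctl stop "$SSH_UNIT"
            run iptables -D INPUT -p tcp -s "$ip" --dport 22 -j ACCEPT ;;
        *)
            echo "usage: $0 open|close <ip>" >&2; return 64 ;;
    esac
}

if [ $# -gt 0 ]; then spa_cycle "$@"; fi
```

Running it by hand with DRY_RUN=1 shows the exact firewall and systemctl commands before the script is wired into access.conf.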