Hello fwknop-list
I have started using fwknop and have grown quite enthusiastic about its
capabilities. Thanks a lot to the developers for making this great piece
of software available! I am a bit uncertain whether my understanding of the
concepts is correct, so please bear with me while I lay out my thoughts!
fwknop runs on my router. I do not want to open access from the outside
to the SSH-server on the router itself but I want to allow direct access
to an internal SSH-server. In addition to that, I want to open certain
port forwardings (defined on the router just as they would be without fwknop) on demand.
The first part successfully works by having NAT/IPT_FORWARDING set in
fwknopd.conf. This is truly great! However, I do not see any way of
restricting NAT access on a per-user basis. It seems that it can only be
globally allowed or disallowed. Is this correct?
To be more specific, say there were three users defined in access.conf.
One of them should be allowed to use IPT_FORWARDING at will ("free
NAT"). The second user should be allowed to use IPT_FORWARDING only to
select hosts/ports ("restricted NAT"). The third user should be
forwarded to a single port on a single host ("no NAT", fixed port
forwarding).
The way it is set up now, the whole of the LAN is available to all
users. The option OPEN_PORTS does not seem to matter at all as the users
can define their own forwarding rules anyway. (It can be set to tcp/22
for all users the same by the above reasoning.) Is it correct to say so?
I have read most of the documentation on cipherdyne.org and have
searched the mailing list archives for the keyword IPT_FORWARDING
combined with user but have been unable to extract anything pertaining
to this case. So I would be grateful for comments or hints.
Sincerely,
Stefan Mueller
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
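As an added illustration of the per-user distinction the post asks about (not part of the original message, and not an official fwknop example), the following access.conf fragment shows how two of the three cases can be expressed with access.conf variables that exist in fwknop 2.x: a stanza with no FORCE_NAT line leaves the client free to request any NAT target ("free NAT", given ENABLE_IPT_FORWARDING is set in fwknopd.conf), while a stanza with FORCE_NAT pins that user to one internal host and port regardless of what the SPA packet requests ("no NAT", fixed forwarding). The SOURCE addresses, key material and internal host 192.168.10.5 are constructed placeholders. The "restricted NAT" middle case (a per-user allow list of hosts/ports) is not covered here, since this fragment only uses variables whose semantics are documented.

```ini
# Constructed example access.conf (fwknop 2.x syntax); keys and addresses are placeholders.
# Requires ENABLE_IPT_FORWARDING Y in fwknopd.conf for any NAT access at all.

# User 1: "free NAT". No FORCE_NAT, so fwknopd honours whatever NAT target
# the client requests (-N host:port). OPEN_PORTS still bounds the access
# request types this stanza accepts.
SOURCE                  ANY
OPEN_PORTS              tcp/22
REQUIRE_SOURCE_ADDRESS  Y
KEY_BASE64              REPLACE_WITH_BASE64_RIJNDAEL_KEY_USER1
HMAC_KEY_BASE64         REPLACE_WITH_BASE64_HMAC_KEY_USER1
FW_ACCESS_TIMEOUT       30

# User 3: "no NAT" / fixed forwarding. FORCE_NAT overrides any NAT target
# the client asks for: every valid SPA packet from this stanza is DNATed
# to the internal SSH server only, never to the router's own sshd.
SOURCE                  203.0.113.0/24
OPEN_PORTS              tcp/22
REQUIRE_SOURCE_ADDRESS  Y
KEY_BASE64              REPLACE_WITH_BASE64_RIJNDAEL_KEY_USER3
HMAC_KEY_BASE64         REPLACE_WITH_BASE64_HMAC_KEY_USER3
FORCE_NAT               192.168.10.5 22
FW_ACCESS_TIMEOUT       30
```

The security-relevant point is the one the post makes: without FORCE_NAT, OPEN_PORTS alone does not constrain where a NAT-enabled user may land inside the LAN, so a stanza for any user who should not roam the internal network should carry a FORCE_NAT line. Whether a given fwknop version supports FORCE_NAT should be checked against that version's access.conf documentation.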