On Tue, Oct 23, 2018 at 4:42 PM Stefan Mueller via Fwknop-discuss <fwknop-discuss@lists.sourceforge.net> wrote:

> Hello fwknop-list
>
> I have started using fwknop and have grown quite enthusiastic about its
> capabilities. Thanks a lot to the developers for making this great piece
> of software available! I am a bit uncertain if my understanding of the
> concepts is correct, so please bear with me while I lay out my thoughts!
>

Hello Stefan,

These are good suggestions, and something that can likely be implemented in the next release of fwknop. I'll respond in-depth by tomorrow.

Thanks,

--Mike

> fwknop runs on my router. I do not want to open access from the outside
> to the SSH-server on the router itself but I want to allow direct access
> to an internal SSH-server. In addition to that, I want to open certain
> port forwardings (defined on the router as without fwknop) on demand.
>
> The first part successfully works by having NAT/IPT_FORWARDING set in
> fwknopd.conf. This is truly great! However, I do not see any way of
> restricting NAT-access on a per-user basis. It seems that it can only be
> globally allowed or disallowed. Is this correct?
>
> To be more specific, say there were three users defined in access.conf.
> One of them should be allowed to use IPT_FORWARDING at will ("free
> NAT"). The second user should be allowed to use IPT_FORWARDING only to
> select hosts/ports ("restricted NAT"). The third user should be
> forwarded to a single port on a single host ("no NAT", fixed port
> forwarding).
>
> The way it is set up now, the whole of the LAN is available to all
> users. The option OPEN_PORTS does not seem to matter at all as the users
> can define their own forwarding rules anyway. (It can be set to tcp/22
> for all users the same by the above reasoning.) Is it correct to say so?
>
> I have read most of the documentation on cipherdyne.org and have
> searched the mailing list archives for the keyword IPT_FORWARDING
> combined with user but have been unable to extract anything pertaining
> to this case. So I would be grateful for comments or hints.
>
> Sincerely,
> Stefan Mueller

-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
_______________________________________________ Fwknop-discuss mailing list Fwknop-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
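The three access levels Stefan describes (free NAT, restricted NAT, fixed forwarding) can be modelled as a per-user policy that a gateway consults before it writes any forwarding rule, so that a client's requested destination is validated rather than trusted. The following is an added example written for this thread; it is not fwknop code, does not read fwknop's access.conf, and all user names, networks and ports in it are constructed samples.

```python
"""Per-user NAT policy model for an SPA-style gateway (added example, not fwknop code).

A client asks for a forward as "host,proto/port".  The policy for the
authenticated user decides what rule, if any, is written:
  - "free":       any well-formed destination is accepted as requested
  - "restricted": only destinations on an explicit (network, proto, port) allowlist
  - "fixed":      the request is ignored; the user always lands on one fixed host:port
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatPolicy:
    mode: str                                    # "free", "restricted" or "fixed"
    allowed: list = field(default_factory=list)  # restricted: [(cidr, proto, port), ...]
    fixed: Optional[tuple] = None                # fixed: (host, proto, port)


@dataclass
class Decision:
    allowed: bool
    host: Optional[str]
    proto: Optional[str]
    port: Optional[int]
    reason: str


def parse_request(req: str):
    """Parse "host,proto/port"; reject anything that is not a literal IP,
    a known protocol and a valid port (constructed format for this example)."""
    host, _, proto_port = req.partition(",")
    proto, _, port = proto_port.partition("/")
    if not host or proto not in ("tcp", "udp") or not port.isdigit():
        raise ValueError(f"malformed forward request: {req!r}")
    ip_address(host)  # raises ValueError on a non-IP host
    port_n = int(port)
    if not 1 <= port_n <= 65535:
        raise ValueError(f"port out of range: {port_n}")
    return host, proto, port_n


def resolve_forward(policy: NatPolicy, req: str) -> Decision:
    """Apply one user's policy to a requested forward."""
    if policy.mode == "fixed":
        # The client cannot steer the forward at all; the request is not consulted.
        host, proto, port = policy.fixed
        return Decision(True, host, proto, port, "fixed forwarding")

    host, proto, port = parse_request(req)
    if policy.mode == "free":
        return Decision(True, host, proto, port, "free NAT")
    if policy.mode == "restricted":
        for cidr, a_proto, a_port in policy.allowed:
            if ip_address(host) in ip_network(cidr) and a_proto == proto and a_port == port:
                return Decision(True, host, proto, port, f"matched {cidr} {a_proto}/{a_port}")
        return Decision(False, None, None, None, "destination not on user's allowlist")
    raise ValueError(f"unknown policy mode: {policy.mode!r}")


# Constructed sample users mirroring the three cases in the thread.
USERS = {
    "alice": NatPolicy("free"),
    "bob": NatPolicy("restricted", allowed=[
        ("192.168.1.0/24", "tcp", 22),     # SSH to any LAN host
        ("192.168.1.50/32", "tcp", 443),   # HTTPS to one host only
    ]),
    "carol": NatPolicy("fixed", fixed=("192.168.1.10", "tcp", 22)),
}


def check(user: str, req: str) -> Decision:
    """Look up the user and resolve the request; unknown users are denied."""
    policy = USERS.get(user)
    if policy is None:
        return Decision(False, None, None, None, "unknown user")
    return resolve_forward(policy, req)


if __name__ == "__main__":
    for user, req in [("alice", "192.168.1.77,tcp/3389"),
                      ("bob", "192.168.1.20,tcp/22"),
                      ("bob", "192.168.1.20,tcp/3389"),
                      ("carol", "192.168.1.99,tcp/3389")]:
        print(user, req, "->", check(user, req))
```

The point of the "fixed" branch is that the requested destination is never parsed into the rule, so a user in that class cannot reach anything but the one configured host and port, whatever their client sends; the "restricted" branch matches network, protocol and port together rather than any one of them.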