2. CLI Client - fwknop

Last updated: 2024-07-09


Install

apt-get install fwknop-client

REQUIRED ARGUMENTS

-A, --access=<proto/port>[,proto/port]

Provide a list of ports and protocols to access on a remote computer running fwknopd.

-D, --destination=<hostname/IP-address>

Authenticate with the fwknopd daemon running at "<hostname/IP-address>".

-R|-a|-s

One of these three options tells the remote fwknopd daemon which IP address should be allowed through the firewall.

-a, --allow-ip=<IP-address>
(this IP is encrypted within the SPA packet itself)

-R, --resolve-ip-https
(obtains the external IP address via https://www.cipherdyne.org/cgi-bin/myip)
See also --resolve-url <url>

-s, --source-ip
Use the source IP address from which the SPA packet originates.
(usage of this option is not recommended)

Usage

fwknop -k                               #-k, --key-gen

fwknop --stanza-list                # list the stanzas in ~/.fwknoprc

fwknop -n stanza                    # -n, --named-config=<stanza name>

fwknop -A 'proto/ports' -D 'host' -R|-a|-s [Opts]

--------------------------------------------------------------------------------

--stanza-list

Dump a list of the stanzas found in “$HOME/.fwknoprc”.

 - ollama
 - ollama2

-n, --named-config=<stanza name>

Specify the name of the configuration stanza in the “$HOME/.fwknoprc” file from which to pull configuration and command directives.

-A, --access=<port list>

Provide a list of ports and protocols to access on a remote computer running fwknopd.

e.g. "tcp/22,udp/53"

--server-X

-p, --server-port=<port>

Specify the port number where fwknopd accepts packets. Default: 62201/UDP

-P, --server-proto=<protocol>

udpraw, tcpraw, and icmp

The tcp mode expects to establish a TCP connection to the server before sending the SPA packet.

Key options

--use-hmac

Set HMAC mode for authenticated encryption of SPA communications.

--hmac-digest-type=SHA256    # SHA256, SHA384, SHA512, SHA3_256, and SHA3_512

-M, --encryption-mode=CBC     # CBC, AES

-G, --get-key=<file>

Load an encryption key from the specified file.

n.n.n.n:KEY

--get-hmac-key=<file>

Load an HMAC key from the specified file.

n.n.n.n:HMAC_KEY

SPA Opts

-C, --server-cmd=<command to execute>

NAT Opts

Other Opts

--save-rc-stanza

Save the command line arguments to the “$HOME/.fwknoprc” file.

--resolve-url <url>

Override the default URL used for resolving the source IP address.

The URL must return just an IP address in the body of the HTTP response.

-v, --verbose

Run the fwknop client in verbose mode.

-f, --fw-timeout=<seconds>    # Default: 30

Number of seconds the remote firewall rule that grants access to a service is to remain active.


.fwknoprc file


Permission

chmod 600 ~/.fwknoprc

.fwknoprc format

The first stanza should always be `[default]', as it defines the global default settings for the user.

[default]
FW_TIMEOUT                  30
SPA_SERVER_PORT             62201
SPA_SERVER_PROTO            udp
VERBOSE                     N
RESOLVE_IP_HTTPS            Y
ALLOW_IP                    resolve

[MyServer]
SPA_SERVER                  n.n.n.n
# Rules
ACCESS                      tcp/3389
# Key Settings
USE_HMAC                    Y
KEY_BASE64                  ?
HMAC_KEY_BASE64             ?
DIGEST_TYPE                 SHA512

Notes

USE_HMAC

Set HMAC mode for authenticated encryption of SPA packets.

DIGEST_TYPE

SHA256(default), SHA384, SHA512, SHA3_256, SHA3_512

HMAC_DIGEST_TYPE

SHA256(default), SHA384, SHA512, SHA3_256, SHA3_512

ALLOW_IP

Specify the address to allow within the SPA data.

RESOLVE_IP_HTTPS

Set to Y to automatically resolve the externally routable IP address.
This is done over SSL via wget in --secure-protocol mode, using the URL below:

https://www.cipherdyne.org/cgi-bin/myip
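The checks implied by the Permission and .fwknoprc format sections above, as an added example that is not part of fwknop itself: a POSIX shell script that reads an rc file in the format shown (stanzas in square brackets, `DIRECTIVE value` lines, `#` comments), confirms the file mode is 0600, that `[default]` comes first, and that the chosen stanza has a server, an access list, USE_HMAC Y and keys that are no longer the `?` placeholder. The function names and the sample rc file it writes are constructed for this example.

```shell
#!/bin/sh
# Added example for this page (not part of the fwknop project): sanity-check an
# fwknop client rc file before running "fwknop -n <stanza>".
# Assumptions: the file uses the format shown above (stanzas in [brackets],
# "DIRECTIVE value" lines, '#' comments); the checker itself is hypothetical.

# first_stanza FILE: print the name of the first stanza in FILE
first_stanza() {
    awk '/^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); print; exit }' "$1"
}

# stanza_value FILE STANZA DIRECTIVE: print the directive's value inside [STANZA]
# (empty output if it is not set there); comment lines are skipped
stanza_value() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); cur = s; next }
        cur == want && $1 == key { print $2; exit }
    ' "$1"
}

# check_fwknoprc FILE STANZA: return 0 if FILE is ready for use with [STANZA],
# 1 otherwise; every problem found is reported on stderr
check_fwknoprc() {
    rc=0
    # the file holds the encryption and HMAC keys, so only the owner may read it
    if [ -z "$(find "$1" -maxdepth 0 -perm 600 -print 2>/dev/null)" ]; then
        echo "$1: mode is not 0600 (run: chmod 600 $1)" >&2; rc=1
    fi
    # [default] must come first because it supplies the global defaults
    if [ "$(first_stanza "$1")" != "default" ]; then
        echo "$1: first stanza must be [default]" >&2; rc=1
    fi
    # the named stanza needs a server, an access list and real key material
    for d in SPA_SERVER ACCESS KEY_BASE64 HMAC_KEY_BASE64; do
        case "$(stanza_value "$1" "$2" "$d")" in
            ''|'?') echo "[$2] $d is unset or still the '?' placeholder" >&2; rc=1 ;;
        esac
    done
    # USE_HMAC Y turns on authenticated encryption of the SPA packet
    if [ "$(stanza_value "$1" "$2" USE_HMAC)" != "Y" ]; then
        echo "[$2] USE_HMAC should be Y" >&2; rc=1
    fi
    return $rc
}

# write_sample_rc FILE: constructed copy of the rc file shown on this page,
# with the '?' placeholders left in so the checker has something to flag
write_sample_rc() {
    cat > "$1" <<'EOF'
[default]
FW_TIMEOUT                  30
SPA_SERVER_PORT             62201
SPA_SERVER_PROTO            udp
VERBOSE                     N
RESOLVE_IP_HTTPS            Y
ALLOW_IP                    resolve

[MyServer]
SPA_SERVER                  n.n.n.n
# Rules
ACCESS                      tcp/3389
# Key Settings
USE_HMAC                    Y
KEY_BASE64                  ?
HMAC_KEY_BASE64             ?
DIGEST_TYPE                 SHA512
EOF
}

# stand-alone demo: the sample is rejected until the keys are filled in
sample=$(mktemp)
write_sample_rc "$sample"
chmod 600 "$sample"
if check_fwknoprc "$sample" MyServer; then
    echo "rc file looks usable: fwknop -n MyServer"
else
    echo "fix the problems above before running fwknop -n MyServer"
fi
rm -f "$sample"
```

To check the real file, call `check_fwknoprc "$HOME/.fwknoprc" MyServer` and only run `fwknop -n MyServer` once it returns 0; the checker only reads the file and never prints key material.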

VERBOSE # sample output with the default settings

[+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: S.S.S.S
SPA Field Values:
=================
   Random Value: 1910449834563123
       Username: root
      Timestamp: 1720582630
    FKO Version: 3.0.0
   Message Type: 3 (Client timeout access msg)
 Message String: S.S.S.S,tcp/22
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 10
    Digest Type: 5 (SHA512)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: ...
SPA Data Digest: ...
           HMAC: ...
 Final SPA Data: ...

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 12345
             IP/host: R.R.R.R
send_spa_packet: bytes sent: 289
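The verbose block above is what `--test` (see the Usage Example section) lets you inspect without sending anything. As an added example that is not part of fwknop, the script below parses such a "SPA Field Values" block from a file and checks that the message string names the allow IP and access you intended, that an HMAC type is present rather than `<NULL>`, and that the encryption mode is CBC. The sample block it reads is the output shown above with its S.S.S.S placeholder; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example for this page (not part of the fwknop project): read the
# "SPA Field Values" block printed by "fwknop -v --test ..." and confirm the
# packet says what you intend before sending it for real. The sample text
# below is the output shown on this page (S.S.S.S is a placeholder address);
# the check function itself is hypothetical.

# spa_field FILE "Field Name": print the value printed after "Field Name:"
spa_field() {
    awk -v name="$2" -F': ' '{ k = $1; sub(/^[ \t]+/, "", k); if (k == name) { print $2; exit } }' "$1"
}

# check_spa_preview FILE ALLOW_IP ACCESS: return 0 when the preview carries
# "ALLOW_IP,ACCESS" as its message string, is HMAC-protected and uses CBC mode;
# each mismatch is reported on stderr
check_spa_preview() {
    rc=0
    msg=$(spa_field "$1" "Message String")
    if [ "$msg" != "$2,$3" ]; then
        echo "message string is '$msg', expected '$2,$3'" >&2; rc=1
    fi
    case "$(spa_field "$1" "HMAC Type")" in
        ''|'<NULL>') echo "packet carries no HMAC (enable --use-hmac)" >&2; rc=1 ;;
    esac
    case "$(spa_field "$1" "Encryption Mode")" in
        *CBC*) ;;
        *) echo "encryption mode is not CBC" >&2; rc=1 ;;
    esac
    return $rc
}

# write_sample_preview FILE: the verbose output shown above, used as constructed input
write_sample_preview() {
    cat > "$1" <<'EOF'
SPA Field Values:
=================
   Random Value: 1910449834563123
       Username: root
      Timestamp: 1720582630
    FKO Version: 3.0.0
   Message Type: 3 (Client timeout access msg)
 Message String: S.S.S.S,tcp/22
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 10
    Digest Type: 5 (SHA512)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
EOF
}

# stand-alone demo against the constructed preview
preview=$(mktemp)
write_sample_preview "$preview"
if check_spa_preview "$preview" S.S.S.S tcp/22; then
    echo "preview matches: safe to rerun the same command without --test"
fi
rm -f "$preview"
```

Capture a real preview to a file (both stdout and stderr of `fwknop -v --test -n MyServer`), run `check_spa_preview` on it with the IP and access you expect, and only drop `--test` when it returns 0.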
Usage Example


1) Use the '[MyServer]' stanza from .fwknoprc

fwknop -n MyServer

Note: the port to open is set in .fwknoprc with "ACCESS tcp/22"

2) Test

--test    # use together with -v; only previews the SPA packet and does not send it

e.g.

fwknop -v --test -n MyServer

3) Ignore "ACCESS tcp/22" and open a different port from the command line

fwknop -n ollama -A tcp/2222


NAT Opts


--nat-local

Port N can be translated to port M on the local system.

Here N is set with --nat-port or --nat-rand-port.

--nat-port N

e.g.

# 22001 -> 22

fwknop -v -n ollama -A tcp/22 --nat-local --nat-port 22001

-r, --rand-port

Tell the fwknop client to send the SPA packet to a random destination port (10000-65535).

When using this option, fwknopd must be configured with:

PCAP_FILTER "udp dst portrange 10000-65535"

e.g.

# rand-port -> 22

fwknop -v -n ollama -A tcp/22 --nat-local --nat-rand-port

Output

fwknop -v -n ollama -A tcp/22 --nat-local --nat-port 2201

   Message Type: 5 (Local NAT access msg)
 Message String: S.S.S.S,tcp/2201             # --nat-port
     Nat Access: R.R.R.R,22

fwknop -v -n ollama -A tcp/22 --nat-local --nat-rand-port

   Message Type: 5 (Local NAT access msg)
 Message String: S.S.S.S,tcp/24855            # --nat-rand-port
     Nat Access: R.R.R.R,22

-N, --nat-access=<internalIP:forwardPort>

e.g.

# Client --> (2201)FW --> 192.168.123.11:22

 ... -A tcp/22 -N 192.168.123.11:2201