jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0
552 stars 114 forks

Use multiple interfaces #21

Open Lem opened 9 years ago

Lem commented 9 years ago

Hi,

I would like to use knockd on multiple interfaces within one instance. For example interface=eth0,wlan0 would be nice.

airwoflgh commented 8 years ago

Will take a look at this. Am trying to get the codebase to have the issues fixed so I can add some cool functionality.

airwoflgh commented 8 years ago

Will need some more time playing with this - am working on the 0.8.0 release which will support dynamic port knocking using cryptographically strong mechanisms. Once complete, will take a look at this unless someone else has time?

debuti commented 7 years ago

This would be awesome

o-jasper commented 5 years ago

Maybe interface_cmd so this solution can be done in the configuration file instead of a systemd service. (Also I see a .service file in the knockd arch repo, maybe add a @.service so multiple configs can be provided.)

TDFKAOlli commented 5 years ago

I guess it can be done by a fork() before opening the pcap interface. So read in multiple interfaces, let the parent process handle the first and fork children to handle subsequent interfaces. As such we would have multiple threads/processes, one for each interface. As a plus this would be relatively easy to implement: allow multiple interfaces and iterate, fork at the right place, restructure the code a bit + check for other impacts. As a drawback, each individual process would read in the config file and build up the memory and pcap filters, and as such for n interfaces it would require n times the memory compared to one.

zenonp commented 2 years ago

This was quite easy to solve with the existing 0.8-1 version (instructions for redhattish systems):

# One option file per interface; each becomes one knockd instance
mkdir /etc/sysconfig/knockd.d
echo 'OPTIONS=" -i eth0"' > /etc/sysconfig/knockd.d/eth0
echo 'OPTIONS=" -i wlan0"' > /etc/sysconfig/knockd.d/wlan0

# Template unit: %i is the instance name (the interface) and selects the option file.
# The heredoc delimiter is quoted so that $OPTIONS is written literally into the
# unit instead of being expanded (to nothing) by the shell running this command.
cat <<'EOF' > /usr/lib/systemd/system/knockd@.service
[Unit]
Description=A port-knocking server
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/knockd.d/%i
ExecStart=/usr/sbin/knockd -d $OPTIONS

[Install]
WantedBy=multi-user.target
EOF

# Enable and start one instance per interface
systemctl --now enable knockd@eth0
systemctl --now enable knockd@wlan0

This way you can have as many knock daemons as you have interfaces. The rpm-owned files /etc/sysconfig/knockd and /usr/lib/systemd/system/knockd.service are left alone, while /usr/lib/systemd/system/knockd@.service and the files in /etc/sysconfig/knockd.d will be left alone by rpm updates. With less than 10 minutes of work, this could be integrated in the knock-server .spec and .deb, and be pushed out to most major distributions.

porridge commented 7 months ago

An even simpler (though less flexible) solution if you don't need to customize the options per interface would be to have just the following line in the unit template's Service section:

ExecStart=/usr/sbin/knockd -i %i

This removes the need for the environment files.

Kudos to @zenonp for the inspiration!
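As an added example, not code from knock itself or from any comment in this thread: a POSIX shell script that stages both template variants discussed above (the EnvironmentFile form with `-d $OPTIONS` and the simpler `-i %i` form), validates interface names before they are used as file names and systemd instance names, and only writes to the system paths from the thread when run as root with `--install`. The knockd flags `-i` and `-d` and the paths are those used in the thread; the function names, the staging-directory parameters and the name checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not knock's code, not from the thread): stage the knockd@.service
# template and per-interface option files so they can be inspected unprivileged,
# then optionally install them.  Assumes knockd accepts -i <iface> and -d as in
# the thread and that all instances share the default /etc/knockd.conf.
set -eu

# Linux interface names are 1..15 bytes with no '/' and no whitespace.  Rejecting
# anything else keeps /etc/sysconfig/knockd.d/<iface> inside the directory and
# keeps the systemd instance name (%i) free of characters that need escaping.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Variant 1: options per instance come from an EnvironmentFile.
#   $1 = knockd binary, $2 = directory holding the per-interface option files
# $1 and $2 expand now; \$OPTIONS is escaped so it reaches the unit literally.
gen_unit_envfile() {
    cat <<EOF
[Unit]
Description=A port-knocking server on %i
After=network.target

[Service]
Type=forking
EnvironmentFile=-$2/%i
ExecStart=$1 -d \$OPTIONS

[Install]
WantedBy=multi-user.target
EOF
}

# Variant 2: no option files; the instance name is the interface.  No -d and no
# Type=forking: with the default service type systemd expects knockd to stay in
# the foreground, which is what knockd does when -d is absent.
gen_unit_direct() {
    cat <<EOF
[Unit]
Description=A port-knocking server on %i
After=network.target

[Service]
ExecStart=$1 -i %i

[Install]
WantedBy=multi-user.target
EOF
}

# Write OPTIONS=" -i <iface>" into $1/<iface> for every interface given.
write_env_files() {
    dir=$1; shift
    mkdir -p "$dir"
    for iface in "$@"; do
        valid_iface "$iface" || { echo "rejecting interface name: $iface" >&2; return 1; }
        printf 'OPTIONS=" -i %s"\n' "$iface" > "$dir/$iface"
    done
}

# Root-only deployment using the thread's paths: refuse interfaces that do not
# exist on this host, write the files, then enable one instance per interface.
install_instances() {
    for iface in "$@"; do
        [ -d "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    done
    write_env_files /etc/sysconfig/knockd.d "$@"
    gen_unit_envfile /usr/sbin/knockd /etc/sysconfig/knockd.d \
        > /usr/lib/systemd/system/knockd@.service
    systemctl daemon-reload
    for iface in "$@"; do
        systemctl --now enable "knockd@$iface"
    done
}

# Usage (as root): sh knockd-instances.sh --install eth0 wlan0
if [ "${1:-}" = "--install" ]; then
    shift
    install_instances "$@"
fi
```

Every instance started this way reads the same /etc/knockd.conf, so the knock sequences and the commands they trigger are identical on every interface; if one interface should use a different sequence, point that instance at its own file by adding knockd's `-c <file>` to the OPTIONS line of its option file.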