search

jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0
563 stars 115 forks source link

Consider default route interface #44

Open linutsdc opened 8 years ago

linutsdc commented 8 years ago

I have a script that starts knockd which pulls the interface associated with the default route on the host. It's something along these lines:

ip route show | awk '$1=="default" && $2=="via" && $4=="dev" { print $5 }'

It pulls out he p5p1 from:

$ ip route show
default via 192.168.10.18 dev p5p1  proto static  metric 1024 
192.168.10.0/24 dev p5p1  proto kernel  scope link  src 192.168.10.13 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 
205.203.130.5 via 192.168.10.18 dev p5p1  proto static  metric 1

Is that something that could be baked into knockd?

o-jasper commented 6 years ago

In practice, automatically detects the interface? Came here to ask the same thing. Maybe like eth0|wlan0 as input and it does whichever applicable.

o-jasper commented 6 years ago

On my computer, added /etc/systemd/system/knockd-alt.service;

[Unit]
Description=Port-Knocking Daemon
After=network.target

[Service]
ExecStart=/usr/bin/knockd -i $(ip route show |grep default | cut -f 5 -d ' ')

[Install]
WantedBy=multi-user.target

-i overrides the config. But i'd rather the configuration file itself somehow supports it? It could support the @ notation, but would make more sense to make it refer to configuration files.