mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0
1.09k stars 228 forks

nftables: configuring fails if no firewall program specified #320

Open NicholasFahey opened 4 years ago

NicholasFahey commented 4 years ago

How should I be configuring fwknop if my system's only firewall binary is nft? I'm using CMD_CYCLE_OPEN and CMD_CYCLE_CLOSE with nft, so I shouldn't have to specify a firewall binary but configure fails with

checking for firewall-cmd... no
checking for firewalld... no
checking for iptables... no
checking for ipfw... no
checking for pfctl... no
checking for ipf... no
configure: error: No firewall program was found or specified.

There's no way to tell configure I am using custom commands and to not check for a firewall binary. Seems like an oversight. I can work around it with something like --with-firewall-cmd=/usr/bin/nft as a configure option but seems a bit hacky and misleading. Think there needs to be a configure option indicating that we are using custom scripts and not one of the supported firewalls.

damienstuart commented 4 years ago

Though it is a bit hacky, using --with-firewall-cmd= should work. In a similar situation, I used --with-firewall-cmd=/bin/true. Ideally, a configure option to specify cmd_cycle only or a --disable-firewall-cmd option would be the way to go so configure would not look for a firewall command.

-Damien

On Wed, Sep 2, 2020 at 11:09 AM Nicholas Fahey notifications@github.com wrote:
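The two ideas in this thread (pointing --with-firewall-cmd at a binary that is not the real firewall so configure stops complaining, then driving nft from CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE) worked into one wrapper script, as an added example; this is not code from the fwknop project or from either commenter. It assumes fwknopd substitutes $IP, $PORT and $PROTO into CMD_CYCLE commands (the variable names fwknop's access.conf documentation uses; check the man page for your version), an nftables ruleset with an inet filter table and a spa_open set as sketched in the comments, and the script path /usr/local/sbin/fwknop-nft-cycle. All of those are assumptions, not something the thread states.

```shell
#!/bin/sh
# fwknop-nft-cycle: hypothetical wrapper for fwknopd CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE
# that drives nftables directly. Added example; not part of the fwknop project.
#
# Build-time workaround from the thread, so configure does not demand iptables:
#   ./configure --with-firewall-cmd=/bin/true
#
# access.conf stanza (assumed $IP/$PORT/$PROTO substitution; verify for your version):
#   CMD_CYCLE_OPEN   /usr/local/sbin/fwknop-nft-cycle open $IP $PORT $PROTO
#   CMD_CYCLE_CLOSE  /usr/local/sbin/fwknop-nft-cycle close $IP $PORT $PROTO
#   CMD_CYCLE_TIMER  30
#
# Ruleset this wrapper expects (assumed; load once at boot, needs a recent nftables):
#   nft add table inet filter
#   nft add set inet filter spa_open \
#       '{ type ipv4_addr . inet_proto . inet_service; flags timeout; }'
#   nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
#   nft add rule inet filter input ip saddr . meta l4proto . th dport @spa_open accept

NFT=${NFT:-/usr/sbin/nft}          # nft binary (override via environment)
TABLE=${TABLE:-inet filter}
SET=${SET:-spa_open}
# Kernel-side safety net: the element expires even if fwknopd never runs CLOSE.
ELEMENT_TIMEOUT=${ELEMENT_TIMEOUT:-60s}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Return 0 if $1 is a port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a protocol fwknop hands us (tcp or udp only).
valid_proto() {
    case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# Print the nft command line for "open" or "close" of IP PORT PROTO.
# Fails (status 2) without printing anything if any field is malformed, so the
# root-privileged nft invocation never sees unvalidated input.
nft_cycle_cmd() {
    action=$1; ip=$2; port=$3; proto=$4
    valid_ipv4 "$ip" && valid_port "$port" && valid_proto "$proto" || return 2
    case "$action" in
        open)  printf '%s add element %s %s { %s . %s . %s timeout %s }\n' \
                   "$NFT" "$TABLE" "$SET" "$ip" "$proto" "$port" "$ELEMENT_TIMEOUT" ;;
        close) printf '%s delete element %s %s { %s . %s . %s }\n' \
                   "$NFT" "$TABLE" "$SET" "$ip" "$proto" "$port" ;;
        *)     return 2 ;;
    esac
}

# Entry point when fwknopd invokes the script; no-op when loaded without arguments.
case "${1:-}" in
    open|close)
        cmd=$(nft_cycle_cmd "$1" "$2" "$3" "$4") || {
            echo "fwknop-nft-cycle: rejected input" >&2; exit 2; }
        # Fields were validated above, so word-splitting $cmd is intentional;
        # nft joins its argv back into one statement.
        exec $cmd ;;
esac
```

A concatenated set is used instead of adding and deleting rules because "nft delete rule" needs a rule handle, which the CLOSE command would have to look up; deleting a set element needs only the same three values OPEN received. The element timeout is independent of CMD_CYCLE_TIMER: it is a kernel-side backstop so the hole still closes if fwknopd is killed between OPEN and CLOSE. The input checks matter because fwknopd runs CMD_CYCLE commands as root with values taken from the SPA packet; rejecting anything that is not a plain address, port and protocol keeps the wrapper safe even if an access.conf key is shared or mishandled.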