
FreeBSD Manual Pages


Doorman & Knocker

NAME - The doormand configuration	file

DESCRIPTION
       This is the main configuration file for the doormand daemon.  It
       consists of simple keyword-value pairs, one pair per line; keywords
       are not case-sensitive.  Any part of a line following a '#' character
       is ignored, and may be used as a comment.  Blank lines are permitted.
       Unrecognized keywords are ignored without warning messages, so a
       misspelled keyword silently leaves that setting at its default.

       connection-delay-1 - the maximum number of microseconds to wait for a
           complete 3-way handshake between the client and the requested
           service, after seeing the initial 'SYN' from the client.
           Default value is 500000 usecs (one half second).

       connection-delay-2 - the number of seconds delay between checks on an
           established connection, waiting for it to be broken.  When the
           doorman finds the connection has been broken, it removes the
           firewall rule which permitted that connection.  Default is 5
           seconds.

       firewall-add - the full pathname of the script to be used to add
           firewall rules.  No default.

       firewall-del - the full pathname of the script to be used to delete
           firewall rules.  No default.

       guestlist - the full pathname of the doorman's "guest list".  No
           default.

       link-header-length - the number of bytes in the data-link header of
           the interface that the doorman is listening on.  You only need to
           specify this if 'pcap' guesses this value incorrectly; this is
           rare, but -has- been reported, usually on PPPoE interfaces.  The
           doorman uses the 'pcap' package ("Packet Capture"; the Berkeley
           packet filter package) to watch for packets.  If pcap gets the
           data-link header length wrong, the doorman will not recognize
           knock packets, and will do and log absolutely nothing.

           To determine the correct value to use, dump received packets to
           standard output by using the doormand "-D" and "-X" command-line
           options.  Send a few 'knock' packets, and look for "45 00" in the
           dump.  These are usually the first 2 bytes of the IP header; count
           the number of bytes before them, and you have the length of the
           data-link header.
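The byte-counting rule above can be automated.  The following is an added example and not part of the Doorman distribution: it builds two constructed capture frames (a plain Ethernet frame and a PPPoE session frame carrying the same IPv4/UDP datagram; all addresses and the payload are made up) and locates the offset of the "45 00" IP header start.  It goes slightly beyond the manual's rule by also checking that the total-length and protocol fields of the candidate header are plausible, so a stray 0x45 0x00 pair inside a MAC address is not mistaken for the IP header.

```python
import struct
from typing import Optional


def build_ipv4_udp(payload: bytes, src_port: int = 40000, dst_port: int = 1001) -> bytes:
    """Minimal IPv4 + UDP datagram with zeroed checksums (constructed test data)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00,            # version 4, IHL 5, TOS 0 -> the "45 00" the manual looks for
        20 + udp_len,          # total length
        0x1234, 0x4000,        # identification, DF flag + fragment offset 0
        64, 17, 0,             # TTL, protocol UDP, header checksum (zeroed)
        bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]),
    )
    return ip + udp


# Constructed knock datagram; the payload is a placeholder, not a real knock.
KNOCK = build_ipv4_udp(b"knock-payload-placeholder")

# Ethernet II frame: 6 dst + 6 src + 2 ethertype (0800 = IPv4) = 14-byte link header.
ETHERNET_FRAME = (bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60")
                  + b"\x08\x00" + KNOCK)

# PPPoE session frame: Ethernet (14, ethertype 8864) + PPPoE header (6)
# + PPP protocol 0021 (2) = 22-byte link header.
PPPOE_FRAME = (bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60")
               + b"\x88\x64"
               + bytes([0x11, 0x00]) + struct.pack("!HH", 0x0001, len(KNOCK) + 2)
               + b"\x00\x21" + KNOCK)


def link_header_length(frame: bytes) -> Optional[int]:
    """Return the byte offset of the IPv4 header in a captured frame, or None.

    Applies the manual's rule (find "45 00"), then checks that the candidate
    header's total-length field fits in the frame and that its protocol byte
    is ICMP, TCP or UDP, so the match is a real IP header rather than a
    coincidental byte pair in the link-layer header.
    """
    for off in range(0, len(frame) - 20 + 1):
        if frame[off] != 0x45 or frame[off + 1] != 0x00:
            continue
        total_len = struct.unpack_from("!H", frame, off + 2)[0]
        protocol = frame[off + 9]
        # Frames may carry trailing padding, so allow total_len < remaining bytes.
        if 20 <= total_len <= len(frame) - off and protocol in (1, 6, 17):
            return off
    return None


if __name__ == "__main__":
    for name, frame in (("ethernet", ETHERNET_FRAME), ("pppoe", PPPOE_FRAME)):
        print(f"{name}: link-header-length {link_header_length(frame)}")
```

In practice you would feed the function the raw bytes of a frame taken from the "-D -X" dump (or from any pcap-based capture tool); the value it returns is what goes into the link-header-length keyword.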

       interface - the device name of the interface at which the doorman
           should listen.  No default.

       logfile - the full pathname of the file to which events are logged;
           this may be the system messages logfile if desired.  Default is

       loglevel - the name of the severity level at which logging should
           occur.  The names are not case-sensitive.  Valid level names, in
           order of severity, are:
           For normal usage, INFO or NOTICE will probably be the preferred
           level.  Default level is DEBUG.

       pidfile - the full pathname of the process-ID file created by doormand.
           Default is "/var/run/".  Doormand removes this file just before it
           stops running, except in the case of a program crash, after which
           it must be removed manually.

       port - the UDP port number at which the doorman should listen for
           "knocks".  Default is 1001.

       hash-archive - the name of the file in which information about old
           "knock" packets is stored.  The doorman uses this file to make
           sure that a successful knock cannot be re-used by someone sniffing
           traffic to your firewall.

       hash-archive-size - the number of old knocks which are to be
           remembered.  This must be at least 1000, but should be 50000 or
           more, to make replay attacks difficult.  The hash archive consumes
           20 bytes of disk space per knock.  In the current implementation,
           some knocks may be lost when the doorman is restarted after this
           value is reduced, causing the archive to be re-created as a
           smaller file.  Default is 100000 knocks.

       waitfor - the number of seconds that may elapse after a valid "knock",
           during which a connection may be made to the requested service.
           Default is 10 seconds.

EXAMPLES
       for a production environment:
          interface           eth0
          port                1001
          waitfor             10
          pidfile             /var/run/
          logfile             /var/log/messages
          loglevel            NOTICE
          guestlist           /usr/local/etc/doormand/guestlist
          firewall-add        /usr/local/etc/doormand/firewall_add
          firewall-del        /usr/local/etc/doormand/firewall_delete
          hash-archive-size   50000
          hash-archive        /var/doormand.hash-archive

       for testing:
          interface           lo
          port                1033
          waitfor             10
          pidfile             /tmp/
          logfile             /dev/tty
          loglevel            DEBUG
          guestlist           test_guestlist
          firewall-add        test_add_script
          firewall-del        test_del_script
          hash-archive-size   50000
          hash-archive        /tmp/doormand.hash-archive
          link-header-length  16  # if doorman is ignoring knocks,
                                  # you can experiment by using
                                  # different values for this.
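Because doormand drops unrecognized keywords without a word, a misspelled keyword such as a wrong "guestlist" or an undersized hash-archive-size is easy to ship into production unnoticed.  The following is an added example, not part of Doorman: a stand-alone lint that parses a file in the format described in the DESCRIPTION section (keyword-value pairs, case-insensitive keywords, '#' comments, blank lines, silent drop of unknown keywords) and checks the constraints the manual states.  The keyword table, defaults and required keys are taken from the manual; the sample configuration is constructed for the demonstration, and the check for a valid UDP port range is an assumption that goes beyond what the manual says.

```python
from typing import Dict, List, Optional, Tuple

# Keywords documented in the manual, with the defaults it gives.
# None means "no default": the keyword is either required or optional.
DEFAULTS: Dict[str, Optional[str]] = {
    "connection-delay-1": "500000",
    "connection-delay-2": "5",
    "firewall-add": None,
    "firewall-del": None,
    "guestlist": None,
    "hash-archive": None,
    "hash-archive-size": "100000",
    "interface": None,
    "link-header-length": None,   # optional; only needed when pcap guesses wrong
    "logfile": None,
    "loglevel": "DEBUG",
    "pidfile": None,
    "port": "1001",
    "waitfor": "10",
}
# Keywords the manual marks "No default".
REQUIRED = ("interface", "guestlist", "firewall-add", "firewall-del")
# Keywords whose values are counts of bytes, seconds or microseconds.
NUMERIC = ("connection-delay-1", "connection-delay-2", "port", "waitfor",
           "hash-archive-size", "link-header-length")
BYTES_PER_KNOCK = 20   # stated in the manual under hash-archive-size


def parse_doormand_cf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse keyword-value lines as the manual describes them.

    Returns (settings, ignored): settings is the documented defaults overlaid
    with the file's values; ignored lists keywords doormand would drop silently.
    """
    settings = {k: v for k, v in DEFAULTS.items() if v is not None}
    ignored: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' to end of line is a comment
        if not line:                             # blank lines are permitted
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()               # keywords are not case-sensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword not in DEFAULTS:
            ignored.append(keyword)
            continue
        settings[keyword] = value
    return settings, ignored


def check_doormand_cf(settings: Dict[str, str], ignored: List[str]) -> List[str]:
    """Return the problems a reviewer would want to know about before deploying."""
    problems: List[str] = []
    for key in REQUIRED:
        if not settings.get(key):
            problems.append(f"{key}: required, and the manual gives no default")
    for key in NUMERIC:
        if key in settings and not settings[key].isdigit():
            problems.append(f"{key}: expected a non-negative integer, got {settings[key]!r}")
    size_text = settings.get("hash-archive-size", "")
    if size_text.isdigit():
        size = int(size_text)
        if size < 1000:
            problems.append(f"hash-archive-size: {size} is below the minimum of 1000")
        elif size < 50000:
            problems.append(f"hash-archive-size: {size} remembers few knocks; "
                            "50000 or more is recommended to make replay difficult")
    port = settings.get("port", "")
    if port.isdigit() and not 1 <= int(port) <= 65535:   # assumption: normal UDP port range
        problems.append(f"port: {port} is not a valid UDP port number")
    for keyword in ignored:
        problems.append(f"{keyword}: unrecognized keyword; doormand would ignore it silently")
    return problems


def archive_disk_bytes(settings: Dict[str, str]) -> int:
    """Disk space the hash archive will consume, at 20 bytes per remembered knock."""
    return BYTES_PER_KNOCK * int(settings["hash-archive-size"])


# Constructed sample, loosely modelled on the manual's production example,
# with two deliberate mistakes: a misspelled keyword and a tiny archive.
SAMPLE_CF = """\
interface          eth0
Port               1001           # keyword case does not matter
waitfor            10
hash-archive-size  500            # below the documented minimum
hash-archive       /var/doormand.hash-archive
gestlist           /usr/local/etc/doormand/guestlist   # misspelled: silently dropped
firewall-add       /usr/local/etc/doormand/firewall_add
firewall-del       /usr/local/etc/doormand/firewall_delete
"""

if __name__ == "__main__":
    conf, dropped = parse_doormand_cf(SAMPLE_CF)
    for problem in check_doormand_cf(conf, dropped):
        print("problem:", problem)
    print("hash archive would use", archive_disk_bytes(conf), "bytes")
```

Run against the sample, the lint reports the missing guestlist (the real keyword never appeared because it was misspelled), the undersized hash archive, and the unrecognized keyword itself, which is exactly the feedback doormand's own loader withholds.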

SEE ALSO
       knock(1), knockcf(5), doormand(8), guestlist(5)

       doormand and knock are an implementation of an original idea by Martin
       Krzywinski.  See his site at

       Copyright (c) 2003-2005, J.B.Ward

Doorman, V0.81			 Aug 14, 2005

