
Use multiple interfaces

Open Lem opened this issue 10 years ago • 7 comments

Hi,

I would like to use knockd on multiple interfaces within one instance. For example interface=eth0,wlan0 would be nice.

Lem avatar Sep 06 '15 12:09 Lem

Will take a look at this. Am trying to get the codebase to have the issues fixed so I can add some cool functionality.

airwoflgh avatar Dec 09 '15 14:12 airwoflgh

Will need some more time playing with this - am working on the 0.8.0 release which will support dynamic port knocking using cryptographically strong mechanisms. Once complete, will take a look at this unless someone else has time?

airwoflgh avatar Mar 01 '16 03:03 airwoflgh

This would be awesome

debuti avatar Sep 13 '17 13:09 debuti

Maybe interface_cmd so this solution can be done in the configuration file instead of a systemd service. (Also I see a .service file in the knockd arch repo, maybe add a @.service so multiple configs can be provided.)

o-jasper avatar Sep 15 '18 16:09 o-jasper

I guess it can be done by a fork() before opening the pcap interface. So read in multiple interfaces, let the parent process handle the first and fork children to handle subsequent interfaces. As such we would have multiple threads/processes, one for each interface. As a plus this would be relatively easy to implement: allow multiple interfaces and iterate, fork at the right place, restructure the code a bit + check for other impacts. As a drawback, each individual process would read in the config file and build up the memory and pcap filters, and as such for n interfaces it would require n times the memory, compared to one.

TDFKAOlli avatar Oct 03 '18 13:10 TDFKAOlli

This was quite easy to solve with the existing 0.8-1 version (instructions for redhattish systems):

mkdir /etc/sysconfig/knockd.d
echo 'OPTIONS=" -i eth0"' > /etc/sysconfig/knockd.d/eth0
echo 'OPTIONS=" -i wlan0"' > /etc/sysconfig/knockd.d/wlan0

cat <<EOF > /usr/lib/systemd/system/knockd@.service
[Unit]
Description=A port-knocking server
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/knockd.d/%i
ExecStart=/usr/sbin/knockd -d $OPTIONS

[Install]
WantedBy=multi-user.target
EOF

systemctl --now enable knockd@eth0
systemctl --now enable knockd@wlan0

This way you can have as many knock daemons as you have interfaces. The rpm-owned files /etc/sysconfig/knockd and /usr/lib/systemd/system/knockd.service are left alone, while /usr/lib/systemd/system/knockd@.service and the files in /etc/sysconfig/knockd.d will be left alone by rpm updates. With less than 10 minutes of work, this could be integrated in the knock-server .spec and .deb, and be pushed out to most major distributions.

zenonp avatar May 26 '22 20:05 zenonp

An even simpler (though less flexible) solution if you don't need to customize the options per interface would be to have just the following line in the unit template's Service section:

ExecStart=/usr/sbin/knockd -i %i

This removes the need for the environment files.

Kudos to @zenonp for the inspiration!

porridge avatar Jan 29 '24 21:01 porridge
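A generalized form of zenonp's recipe, added here as an example (not code from this thread or from the knock project): it writes the template unit once and one environment file per interface for any list of interface names, validating each name first, since the name ends up both inside the quoted OPTIONS value and in a file path under /etc/sysconfig/knockd.d. For porridge's variant, only write_template is needed with `ExecStart=/usr/sbin/knockd -i %i` in place of the OPTIONS line. KNOCKD_ROOT is an assumed prefix so the files can be staged in a scratch directory and reviewed before touching the live system.

```shell
# Added example, not the knock project's code: build the knockd@.service
# template and one environment file per interface, as the thread describes,
# validating each name before it lands inside the quoted OPTIONS value.
# KNOCKD_ROOT is an assumed prefix (default "/") for staging the files.
set -eu
KNOCKD_ROOT="${KNOCKD_ROOT:-/}"

# Kernel interface names are at most 15 bytes; also reject a leading "." and
# anything outside a conservative character set (no quotes, spaces or "/").
valid_ifname() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Template unit, written once. Type=forking matches "knockd -d" (daemonize).
write_template() {
    unit_dir="$KNOCKD_ROOT/usr/lib/systemd/system"
    mkdir -p "$unit_dir"
    cat > "$unit_dir/knockd@.service" <<'EOF'
[Unit]
Description=A port-knocking server
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/knockd.d/%i
ExecStart=/usr/sbin/knockd -d $OPTIONS

[Install]
WantedBy=multi-user.target
EOF
}

# One /etc/sysconfig/knockd.d/<iface> file per valid name; an invalid name is
# reported and skipped, and the function then returns 1.
write_env_files() {
    env_dir="$KNOCKD_ROOT/etc/sysconfig/knockd.d"
    mkdir -p "$env_dir"
    rc=0
    for iface in "$@"; do
        if valid_ifname "$iface"; then
            printf 'OPTIONS=" -i %s"\n' "$iface" > "$env_dir/$iface"
        else
            echo "skipping invalid interface name: $iface" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

After `write_template` and `write_env_files eth0 wlan0` (run as root with KNOCKD_ROOT unset), each instance is enabled with `systemctl --now enable knockd@<iface>` exactly as in the comments above.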