Use multiple interfaces #21

Open
Lem opened this issue Sep 6, 2015 · 7 comments

@Lem

Lem commented Sep 6, 2015

Hi,

I would like to use knockd on multiple interfaces within one instance. For example interface=eth0,wlan0 would be nice.

@airwoflgh
Contributor

Will take a look at this. Am trying to get the codebase to have the issues fixed so I can add some cool functionality.

@airwoflgh
Contributor

Will need some more time playing with this - am working on the 0.8.0 release which will support dynamic port knocking using cryptographically strong mechanisms. Once complete, will take a look at this unless someone else has time?

@debuti

debuti commented Sep 13, 2017

This would be awesome

@o-jasper

Maybe interface_cmd so this solution can be done in the configuration file instead of a systemd service. (Also I see a .service file in the knockd arch repo, maybe add a @.service so multiple configs can be provided.)

@TDFKAOlli
Contributor

I guess it can be done by a fork() before opening the pcap interface. So read in multiple interfaces, let the parent process handle the first and fork children to handle subsequent interfaces. As such we would have multiple threads/processes, one for each interface.
As a plus this would be relatively easy to implement: allow multiple interfaces and iterate, fork at the right place, restructure the code a bit + check for other impacts.
As a drawback, each individual process would read in the config file and build up the memory and pcap filters, and as such for n interfaces it would require n times the memory, compared to one.

@zenonp

zenonp commented May 26, 2022

This was quite easy to solve with the existing 0.8-1 version (instructions for redhattish systems):

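```sh
# One environment file per interface, named after the interface
mkdir /etc/sysconfig/knockd.d
echo 'OPTIONS=" -i eth0"' > /etc/sysconfig/knockd.d/eth0
echo 'OPTIONS=" -i wlan0"' > /etc/sysconfig/knockd.d/wlan0

# Template unit; %i is the instance name (the part after "@").
# The heredoc delimiter is quoted so that $OPTIONS is written literally
# and expanded by systemd, not by the shell creating the file.
cat <<'EOF' > /usr/lib/systemd/system/knockd@.service
[Unit]
Description=A port-knocking server
After=network.target

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/knockd.d/%i
ExecStart=/usr/sbin/knockd -d $OPTIONS

[Install]
WantedBy=multi-user.target
EOF

# Enable and start one instance per interface
systemctl --now enable knockd@eth0
systemctl --now enable knockd@wlan0
```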

This way you can have as many knock daemons as you have interfaces. The rpm-owned files /etc/sysconfig/knockd and /usr/lib/systemd/system/knockd.service are left alone, while /usr/lib/systemd/system/knockd@.service and the files in /etc/sysconfig/knockd.d will be left alone by rpm updates. With less than 10 minutes of work, this could be integrated in the knock-server .spec and .deb, and be pushed out to most major distributions.
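
One way to script the per-interface environment files from the comment above, as an added example that is not part of the original comment or of the knock project. `valid_iface`, `write_knockd_env` and `KNOCKD_ENV_DIR` are hypothetical names, and the name check is a conservative assumption, added because the interface name ends up as a file name, a systemd instance name and a `knockd -i` argument.

```shell
#!/bin/sh
# Added example: create one OPTIONS file per interface for knockd@<iface>.
# KNOCKD_ENV_DIR (hypothetical variable) defaults to the directory used above.
KNOCKD_ENV_DIR="${KNOCKD_ENV_DIR:-/etc/sysconfig/knockd.d}"

# Conservative check (assumption, stricter than the kernel's own rule):
# 1-15 characters from [A-Za-z0-9_.-], not "." or "..", no leading "-".
# This keeps path separators, whitespace and option-like names out of
# the file name, the unit instance name and the knockd command line.
valid_iface() {
    case "$1" in
        ''|.|..|-*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Validate every name first, so a bad name leaves nothing half-written,
# then write <dir>/<iface> and print the matching unit instance names.
write_knockd_env() {
    for iface in "$@"; do
        valid_iface "$iface" || {
            echo "rejected interface name: $iface" >&2
            return 1
        }
    done
    mkdir -p "$KNOCKD_ENV_DIR" || return 1
    for iface in "$@"; do
        printf 'OPTIONS=" -i %s"\n' "$iface" > "$KNOCKD_ENV_DIR/$iface" || return 1
        echo "knockd@$iface"
    done
}

# Typical use, as root, once the knockd@.service template is installed:
#   for unit in $(write_knockd_env eth0 wlan0); do
#       systemctl --now enable "$unit"
#   done
```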

@porridge

An even simpler (though less flexible) solution if you don't need to customize the options per interface would be to have just the following line in the unit template's Service section:

```ini
ExecStart=/usr/sbin/knockd -i %i
```

This removes the need for the environment files.

Kudos to @zenonp for the inspiration!
