fwknop核心配置fwknopd.conf参数--中文书虫

友情导航：

• fwknop-server—安装1.0.0
• fwknop-client—安装1.0.1
• fwknop–配置1.0.2

配置参数内容：

    ##############################################################################
    #
    #         [+] fwknopd - Firewall Knock Operator Daemon [+]
    #
    # This is the configuration file for fwknopd, the Firewall Knock Operator
    # daemon.  The primary authentication and authorization mechanism offered
    # by fwknop is known as Single Packet Authorization (SPA).  More information
    # about SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
    #
    # There are no access control directives in this file.  All access
    # control directives are located in the file "/etc/fwknop/access.conf".
    # You will need to edit the access.conf file in order for fwknop to function
    # correctly.
    #
    # Most of these can remain commented out unless you need to override the
    # default setting.
    #
    # It is also important to note that there are some subtle (and some not
    # so subtle) differences between this configuration file, its parameters
    # and valid values and the configuration file used by the legacy Perl
    # version of fwknopd.  Please pay careful attention to the format and
    # values used in this file if you are migrating from the legacy Perl
    # version.
    #
    ##############################################################################
    #

    #
    # Define the default verbosity level the fwknop server should use.
    # A value of "0" is the default verbosity level. Setting it up to "1" or higher will allow debugging messages to be displayed.
    #

    #VERBOSE                     0;

# Define the ethernet interface on which we will sniff packets.
# Default if not set is eth0.  The '-i <intf>' command line option overrides
# the PCAP_INTF setting.
# 网络名
PCAP_INTF                   ens33;

# By default fwknopd does not put the pcap interface into promiscuous mode.
默认情况下，fwknopd不会将pcap接口设置为混杂模式。
# Set this to 'Y' to enable promiscuous sniffing.
#
#ENABLE_PCAP_PROMISC         N;

# Define the filter used for PCAP modes; we default to udp port 62201.
# However, if an fwknop client uses the --rand-port option to send the  SPA packet over a random port, then this variable should be updated to something like "udp dst portrange 10000-65535;".
# Default is "udp port 62201".
#
#PCAP_FILTER                 udp port 62201;

# This instructs fwknopd to not honor SPA packets that have an old time stamp.  The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
这指示fwknopd不要对带有旧时间戳的SPA包进行处理。“old”的值由MAX_SPA_PACKET_AGE变量定义。
# If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client time stamp at all.
#如果ENABLE_SPA_PACKET_AGING设置为“N”，那么fwknopd将完全不使用客户机时间戳。
#ENABLE_SPA_PACKET_AGING     Y;

# Defines the maximum age (in seconds) that an SPA packet will be accepted.
：定义接受SPA包的最大年龄(秒)。
# This requires that the client system is in relatively close time synchronization with the fwknopd server system (NTP is good).  
#这就要求客户端系统与fwknopd服务器系统(NTP比较好)的时间同步比较紧密。
#The default age is two minutes.
#默认的年龄是两分钟。
#
#MAX_SPA_PACKET_AGE          120;

# Track digest sums associated with previous fwknop process.  This allows  digest sums to remain persistent across executions of fwknop.
跟踪与以前的fwknop过程相关联的摘要和。这允许在fwknop的执行过程中，digest和保持持续。
#
#ENABLE_DIGEST_PERSISTENCE   Y;

# Sets the number of packets that are processed when the pcap_dispatch() call is made. 
# The default is zero, since this allows fwknopd to process as many packets as possible in the corresponding callback where the SPA handling routine is called for packets that pass a set of prerequisite checks.  
默认值为0，因为这允许fwknopd在相应的回调中处理尽可能多的包，在回调中，通过一组先决条件检查的包调用SPA处理例程
# However, if fwknopd is running on a platform with an old version of libpcap, it may be necessary to change this value to a positive non-zero integer.  More information can be found in the pcap_dispatch(3)
# man page.
#PCAP_DISPATCH_COUNT            0;

# Sets the number of microseconds to pass as an argument to usleep() in
# the pcap loop.  The default is 100000 microseconds, or 1/10th of a second.
设置作为参数传递给usleep()的微秒数
#PCAP_LOOP_SLEEP                100000;

# Specify the the maximum number of bytes to sniff per frame - 1500 is a good default
#指定每帧要嗅探的最大字节数——1500是一个很好的默认值
#MAX_SNIFF_BYTES             1500;

# If GPG keys are used instead of a Rijndael symmetric key, this is
# the default GPG keys directory.  Note that each access stanza in
# fwknop access.conf can specify its own GPG directory to override
# this default.
#
#GPG_HOME_DIR        /root/.gnupg;

# Set the default GPG path when GPG is used for SPA encryption and
# authentication.
#
#GPG_EXE            /usr/bin/gpg;

# Allow fwknopd to acquire SPA data from HTTP requests (generated with the fwknop client in --HTTP mode).
允许fwknopd从HTTP请求中获取SPA数据(使用——HTTP模式下的fwknop客户端生成)。
#  Note that the PCAP_FILTER variable would need to be updated when this is enabled to sniff traffic over TCP/80 connections
#注意，当启用PCAP_FILTER变量来嗅出TCP/80连接上的流量时，需要更新该变量
#ENABLE_SPA_OVER_HTTP        N;

# Enable the fwknopd TCP server.  This is a "dummy" TCP server that will
# accept TCP connection requests on the specified TCPSERV_PORT.
# If set to "Y", fwknopd will fork off a child process to listen for and
# accept incoming TCP requests.  This server only accepts the
# request.  It does not otherwise communicate. This is only to allow the
# incoming SPA over TCP packet which is detected via PCAP. The connection
# is closed after 1 second regardless.
# Note that fwknopd still only gets its data via pcap, so the filter
# defined by PCAP_FILTER needs to be updated to include this TCP port.
#
#ENABLE_TCP_SERVER           N;
#TCPSERV_PORT                62201;

# Set/override the locale (via the LC_ALL locale category). 
设置/覆盖语言环境(通过LC_ALL语言环境类别)。
# Leave this entry commented out to  have fwknopd honor the default system locale.
#将该条目注释掉，以使fwknopd符合默认的系统区域设置。
#LOCALE                      C;

# Override syslog identity and facility (the defaults are usually ok).
覆盖syslog标识和功能(默认设置通常是ok的)。
# The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7} or LOG_DAEMON (the default).
#SYSLOG_FACILITY变量可以设置为LOG_LOCAL{0-7}或LOG_DAEMON(默认值)之一。

#SYSLOG_IDENTITY             fwknopd;
#SYSLOG_FACILITY             LOG_DAEMON;

# Define this to have fwknopd read pcap data from a file instead of sniffing a live interface.  
将其定义为让fwknopd从文件中读取pcap数据，而不是嗅闻活动接口。
# This is usually only used for debugging purposes, and is equivalent to the '-r <pcap file>' command line option.
这通常只用于调试目的，相当于“-r ”命令行选项。
#
#PCAP_FILE                   /some/path/to/file.pcap;

# This variable controls whether fwknopd is permitted to sniff SPA packets regardless of whether they are received on the sniffing interface or sent from the sniffing interface. 
这个变量控制fwknopd是否允许嗅探SPA包，而不管它们是在嗅探接口上接收还是从嗅探接口发送。
# In the latter case, this can be useful to have fwknopd sniff SPA packets that are forwarded through a system and destined for a different network. 
在后一种情况下，让fwknopd嗅探通过系统转发并目的地为不同网络的SPA包可能很有用。
# If the sniffing interface is the egress interface for such packets, then this variable will need to be set to "Y" in order for fwknopd to see them. 
如果嗅探接口是这些包的出口接口，那么需要将这个变量设置为“Y”，以便fwknopd看到它们。 
#The default is "N" so that fwknopd only looks for SPA packets that are received on the sniffing interface (note that this is independent of promiscuous mode).
默认值是“N”，因此fwknopd只查找嗅探接口上接收到的SPA包(注意，这与混杂模式无关)。
#
# ENABLE_PCAP_ANY_DIRECTION     N;

# Controls whether fwknopd will set the destination field on the firewall rule to the destination address specified on the incoming SPA packet.
控制fwknopd是否将防火墙规则上的目标字段设置为传入SPA包上指定的目标地址。
# This is useful for interfaces with multiple IP addresses hosting separate services. 
这对于托管独立服务的多个IP地址的接口非常有用。
#If ENABLE_IPT_OUTPUT is set to "Y", the source field of the firewall rule is set. 
如果ENABLE_IPT_OUTPUT设置为“Y”，则设置防火墙规则的源字段。
#FORWARD and SNAT rules are not affected however, DNAT rules will also have their destination field set. The default is "N", which sets the destination field to 0.0.0.0/0 (any).
#但是转发和SNAT规则不受影响，DNAT规则也会设置它们的目标字段。默认为“N”，将目标字段设置为0.0.0/0 (any)。
# ENABLE_DESTINATION_RULE       Y;

##############################################################################
# NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
#       This is a possible future feature of fwknopd.
#
# The following four variables control whether a global set of "open" and
# "close" commands are executed after receiving a valid SPA packet.  These
# variables are used only if FIREWALL_TYPE is set to "external_cmd", but
# the same variables can also exist within the access.conf file so that
# mixed deployments are possible - that is, some SPA packets will operate
# as usual and result in firewall commands being executed, but others will
# result in the commands defined by these variables (in access.conf) being
# executed.
#     The "open" and "close" commands might be manually supplied firewall
# commands, and both support variable substitution of any of the variables
# in the access.conf file with "$VAR".  Also, three special variables are
# supported: $SRC, $PORT, and $PROTO, which are derived from actual values
# from within valid SPA packets (as opposed to $SOURCE from access.conf
# which may contain a list of networks instead of a single IP address).
# Here are some examples:
#     - Execute a specific iptables command on behalf of the source IP
#     in a valid SPA packet to add a new ACCEPT rule, and execute
#     another command (to delete the same rule after a timeout):
#         EXTERNAL_CMD_OPEN       iptables -A INPUT -s $SRC -j ACCEPT
#         EXTERNAL_CMD_CLOSE      iptables -D INPUT -s $SRC -j ACCEPT
#     - Execute a custom binary with the SOURCE and OPEN_PORTS variables
#     from the access.conf file as input on the command line, and after
#     a timeout execute a different program but use the real SPA source
#     IP:
#         EXTERNAL_CMD_OPEN       /path/someprog $SOURCE $OPEN_PORTS
#         EXTERNAL_CMD_OPEN       /path/otherprog $SRC
#
#ENABLE_EXTERNAL_CMDS        N;
#EXTERNAL_CMD_OPEN           __NONE__;
#EXTERNAL_CMD_CLOSE          __NONE__;
#EXTERNAL_CMD_ALARM          30;

# if EXTERNAL_CMD_OPEN is used above, then the following two variables can
# be used to enforce a prefix on variable substitutions - useful if there
# are any naming conflicts with the external script and command line
# arguments that are named the same as the variables to be substituted.
#
#ENABLE_EXT_CMD_PREFIX       N;
#EXT_CMD_PREFIX              FWKNOP_;

##############################################################################
# Parameters specific to firewalld:
：firewalld特有的参数:

# Flush all existing rules in the fwknop chains at fwknop start time and/or exit time. They default to Y and it is a recommended setting for both.
#在fwknop启动时间和/或退出时间刷新fwknop链中的所有现有规则。它们的默认值是Y，这是两者的推荐设置。
#FLUSH_FIREWD_AT_INIT           Y;
#FLUSH_FIREWD_AT_EXIT           Y;
#

# Allow SPA clients to request access to services through a firewalld firewall instead of just to it (i.e. access through the FWKNOP_FORWARD chain instead of the INPUT chain).
#允许SPA客户端通过firewalld防火墙请求对服务的访问，而不仅仅是对服务的访问(即通过FWKNOP_FORWARD链而不是输入链进行访问)。

#ENABLE_FIREWD_FORWARDING       N;

# Allow SPA clients to request access to a local socket via NAT. 
允许SPA客户端请求通过NAT访问本地套接字。
# This still puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port istranslated via DNAT rules to the real one. 
这仍然将ACCEPT规则放入FWKNOP_INPUT链中，但是通过DNAT规则将不同的端口转换为真正的端口。
# So, the user would do "ssh -p <port>" to access the local service (see the --NAT-local and --NAT-rand-port on the fwknop client command line).
因此，用户将执行“ssh -p ”来访问本地服务(请参阅fwknop客户机命令行上的-NAT-local和-NAT-rand-port)。
#
#ENABLE_FIREWD_LOCAL_NAT        Y;

# By default, if forwarding access is enabled (see the ENABLE_FIREWD_FORWARDING variable above), then fwknop creates DNAT rules for incoming connections,
默认情况下，如果启用了转发访问(请参阅上面的ENABLE_FIREWD_FORWARDING变量)，那么fwknop将为传入连接创建DNAT规则
# but does not also complement these rules with SNAT rules at the same time.
但也没有同时用SNAT规则来补充这些规则。
# In some situations, internal systems may not have a route back out for the source address of the incoming connection, so it is necessary to also interface where fwknopd is running. 
在某些情况下，内部系统可能没有返回到传入连接源地址的路由，因此还需要在运行fwknopd的地方运行接口。
# This functionality is only enabled when ENABLE_FIREWD_SNAT is set to "Y",and by default SNAT rules are built with the MASQUERADE target (since then the internal IP does not have to be defined here in the fwknop.conf file),
#只有当ENABLE_FIREWD_SNAT设置为“Y”时才启用此功能，并且默认情况下，SNAT规则是用伪装目标构建的(从那时起，内部IP不必在这里的fwknop.conf配置文件),
# but if you want fwknopd to use the  SNAT target then also define an IP address with the SNAT_TRANSLATE_IP
# variable.
#
#ENABLE_FIREWD_SNAT             N;
#SNAT_TRANSLATE_IP           __CHANGEME__;

# Add ACCEPT rules to the FWKNOP_OUTPUT chain. 
# 向FWKNOP_OUTPUT链添加ACCEPT规则。
#This is usually only useful if there are no state tracking rules to allow connection responses out and the OUTPUT chain has a default-drop stance.
这通常只在没有状态跟踪规则允许连接响应输出且输出链具有默认的drop姿态时有用
#
#ENABLE_FIREWD_OUTPUT           N;

# fwknopd adds allow rules to a custom firewalld chain "FWKNOP_INPUT".
fwknopd添加允许规则到定制的firewalld链“FWKNOP_INPUT”
# This chain is called from the INPUT chain, and by default no other firewalld chains are used.
该链是从输入链调用的，默认情况下不使用其他firewalld链。
# However, additional chains can be added (say, if access needs to be allowed through the local system via the FORWARD chain) by altering the FIREWD_FORWARD_ACCESS variable below.
但是，可以通过更改下面的FIREWD_FORWARD_ACCESS变量来添加额外的链(例如，如果需要通过转发链允许访问本地系统)。
# For a discussion of the format followed by these keywords, read on:
要讨论这些关键字后面的格式，请继续阅读:                       
#
# Specify chain names to which firewalld blocking rules will be
# added with the FIREWD_INPUT_ACCESS and FIREWD_FORWARD_ACCESS keyword.
# The format for these variables is:
#
#   <Target>,<Table>,<From_chain>,<Jump_rule_position>,\
#       <To_chain>,<Rule_position>.
#
# "Target":
#   Can be any legitimate firewalld target, but should usually just be "DROP".
#
# "Table":
#   Can be any firewalld table, but the default is "filter".
#
# "From_chain":
#   Is the chain from which packets will be jumped.
#
# "Jump_rule_position":
#   Defines the position within the From_chain where the jump rule is added.
#
# "To_chain":
#   Is the chain to which packets will be jumped. This is the main chain
#   where fwknop rules are added.
#
# "Rule_position":
#   Defines the position where rules are added within the To_chain.
#
#FIREWD_INPUT_ACCESS        ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1;

# The FIREWD_OUTPUT_ACCESS variable is only used if ENABLE_FIREWD_OUTPUT is enabled
#只有在启用ENABLE_FIREWD_OUTPUT时才使用FIREWD_OUTPUT_ACCESS变量
#FIREWD_OUTPUT_ACCESS       ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;

# The FIREWD_FORWARD_ACCESS variable is only used if ENABLE_FIREWD_FORWARDING is enabled.
#只有在启用ENABLE_FIREWD_FORWARDING时才使用FIREWD_FORWARD_ACCESS变量。
#FIREWD_FORWARD_ACCESS      ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
#FIREWD_DNAT_ACCESS         DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;

# The FIREWD_SNAT_ACCESS variable is not used unless both ENABLE_FIREWD_SNAT and ENABLE_FIREWD_FORWARDING are enabled. 
除非启用ENABLE_FIREWD_SNAT和ENABLE_FIREWD_FORWARDING，否则不会使用firewd_grab _access变量。
# Also, the external static IP must be set with the SNAT_TRANSLATE_IP variable.
此外，外部静态IP必须使用grab _translate_ip变量设置。
#  The default is to use the FIREWD_MASQUERADE_ACCESS variable.
默认情况下使用FIREWD_MASQUERADE_ACCESS变量。
#
#FIREWD_SNAT_ACCESS         SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
#FIREWD_MASQUERADE_ACCESS   MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1;

# The ENABLE_COMMENT_MATCH_CHECK variable instructs fwknopd to check for the firewalld 'comment' match at start up. 
ENABLE_COMMENT_MATCH_CHECK变量指示fwknopd在启动时检查firewalld“注释”匹配。
# If it's not found, then fwknopd will exit and throw an error. 
如果没有找到，那么fwknopd将退出并抛出一个错误。
# This variable is enabled by default, but can be disabled if you want fwknopd to run without being sure that the comment match is available (not recommended, since the comment match enables new SPA rules to be timed out).
#该变量在默认情况下是启用的，但是如果您希望fwknopd在不确定注释匹配是否可用的情况下运行，则可以禁用该变量(不推荐使用注释匹配，因为注释匹配允许新的SPA规则超时)
#ENABLE_FIREWD_COMMENT_CHECK        Y;

##############################################################################
# Parameters specific to iptables:
特定于iptables的参数:

# Flush all existing rules in the fwknop chains at fwknop start time and/or exit time.
在fwknop启动时间和/或退出时间刷新fwknop链中的所有现有规则。
# They default to Y and it is a recommended setting for both.
#它们的默认值是Y，这是两者的推荐设置。
#FLUSH_IPT_AT_INIT           Y;
#FLUSH_IPT_AT_EXIT           Y;
#

# Allow SPA clients to request access to services through an iptables firewall instead of just to it (i.e. access through the FWKNOP_FORWARD chain instead of the INPUT chain).
#允许SPA客户端通过iptables防火墙请求对服务的访问，而不仅仅是对服务的访问(即通过FWKNOP_FORWARD链而不是输入链进行访问)。
#ENABLE_IPT_FORWARDING       N;

# Allow SPA clients to request access to a local socket via NAT.  This still
# puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is
# translated via DNAT rules to the real one.  So, the user would do
# "ssh -p <port>" to access the local service (see the --NAT-local and
# --NAT-rand-port on the fwknop client command line).
#
#ENABLE_IPT_LOCAL_NAT        Y;

# By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING
# variable above), then fwknop creates DNAT rules for incoming connections,
# but does not also complement these rules with SNAT rules at the same time.
# In some situations, internal systems may not have a route back out for the
# source address of the incoming connection, so it is necessary to also
# apply SNAT rules so that the internal systems see the IP of the internal
# interface where fwknopd is running.  This functionality is only enabled
# when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built
# with the MASQUERADE target (since then the internal IP does not have to be
# defined here in the fwknop.conf file), but if you want fwknopd to use the
# SNAT target then also define an IP address with the SNAT_TRANSLATE_IP
# variable.
#
#ENABLE_IPT_SNAT             N;
#SNAT_TRANSLATE_IP           __CHANGEME__;

# Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
# if there are no state tracking rules to allow connection responses out and
# the OUTPUT chain has a default-drop stance.
#
#ENABLE_IPT_OUTPUT           N;

# fwknopd adds allow rules to a custom iptables chain "FWKNOP_INPUT".
# This chain is called from the INPUT chain, and by default no other
# iptables chains are used.  However, additional chains can be added
# (say, if access needs to be allowed through the local system via the
# FORWARD chain) by altering the IPT_FORWARD_ACCESS variable below.
# For a discussion of the format followed by these keywords, read on:
#
# Specify chain names to which iptables blocking rules will be
# added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
# The format for these variables is:
#
#   <Target>,<Table>,<From_chain>,<Jump_rule_position>,\
#       <To_chain>,<Rule_position>.
#
# "Target":
#   Can be any legitimate iptables target, but should usually just be "DROP".
#
# "Table":
#   Can be any iptables table, but the default is "filter".
#
# "From_chain":
#   Is the chain from which packets will be jumped.
#
# "Jump_rule_position":
#   Defines the position within the From_chain where the jump rule is added.
#
# "To_chain":
#   Is the chain to which packets will be jumped. This is the main chain
#   where fwknop rules are added.
#
# "Rule_position":
#   Defines the position where rule are added within the To_chain.
#
#IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1;

# The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
#
#IPT_OUTPUT_ACCESS       ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;

# The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is
# enabled.
#
#IPT_FORWARD_ACCESS      ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
#IPT_DNAT_ACCESS         DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;

# The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
# ENABLE_IPT_FORWARDING are enabled.  Also, the external static IP must be
# set with the SNAT_TRANSLATE_IP variable.  The default is to use the
# IPT_MASQUERADE_ACCESS variable.
#
#IPT_SNAT_ACCESS         SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
#IPT_MASQUERADE_ACCESS   MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1;

# The ENABLE_COMMENT_MATCH_CHECK variable instructs fwknopd to check for the
# iptables 'comment' match at start up.  If it's not found, then fwknopd will
# exit and throw an error.  This variable is enabled by default, but can be
# disabled if you want fwknopd to run without being sure that the comment match
# is available (not recommended, since the comment match enables new SPA rules
# to be timed out).
#
#ENABLE_IPT_COMMENT_CHECK        Y;

##############################################################################
# Parameters specific to ipfw:
ipfw专用参数:
#
#
# This variable defines the rule number that fwknopd uses to insert an ipfw
# pass rule.  You would most likely want to change this parameter to a
# number that makes sense in your current ipfw firewall configuration.
#
#IPFW_START_RULE_NUM         10000;

# This variable defines the maximum number of rules fwknopd will create at
# a time. This also tells fwknopd where to stop when flushing all rules.
#
#IPFW_MAX_RULES              1000;

# Flush all existing rules in the fwknop ipfw sets at fwknop start time and/or
# exit time. They default to Y and it is a recommended setting for both.
#
#FLUSH_IPFW_AT_INIT           Y;
#FLUSH_IPFW_AT_EXIT           Y;

# This variable defines the rule set fwknopd uses for active rules. By
# default, it is set 1 and fwknopd assumes that it has full control over this
# set.  That is, fwknopd routinely creates and deletes rules in this set, and
# the entire set itself is also created/deleted during routine operations.
# You have some measure of control over whether the entire set is deleted at
# init/exit with the FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT, but in general
# it is recommended to leave these variables set to the default "Y" setting.
#
#IPFW_ACTIVE_SET_NUM         1;

# This variable defines the rule set that will be used to store expired rules
# that still have a dynamic rule associated to them. That set will be disabled
# by fwknop and should not be enabled while fwknop is running. Not used when
# ipfw isn't using dynamic rules.  By default, it is set 2, but can be anything
# in the range 1-31 except that it shouldn't be the same as
# IPFW_ACTIVE_SET_NUM.  Note that fwknopd disables this set through routine
# operations according to the FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT
# variables.
#
#IPFW_EXPIRE_SET_NUM         2;

# Set the interval (in seconds) over which rules that are expired and
# have no remaining dynamic rules associated with them will be removed.
#
#IPFW_EXPIRE_PURGE_INTERVAL  30;

# Set this variable to "Y" if you want fwknopd to create its own "check-state"
# rule as the first rule in the set.  This would only be needed if there
# was not already a check-state rule in the current firewall configuration.
#
# IPFW_ADD_CHECK_STATE       N;

##############################################################################
# Parameters specific to the pf firewall:
#特定于pf防火墙的参数
#
# This variable defines the pf anchor name to which fwknopd will add and
# delete rules.  This anchor must be linked into the pf policy (typically
# done by adding it into the /etc/pf.conf file), and fwknopd runs a check at
# init time to ensure that the anchor exists.
#
#PF_ANCHOR_NAME             fwknop;

# Set the interval (in seconds) over which rules that are expired
#
#PF_EXPIRE_INTERVAL         30;

##############################################################################

# Directories - These can override compile-time defaults.
#目录——这些可以覆盖编译时默认设置

#FWKNOP_RUN_DIR              /var/run/fwknop;
#FWKNOP_CONF_DIR             /etc/fwknop;

# Files
#
#ACCESS_FILE                 access.conf;
#FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/fwknopd.pid;
#DIGEST_FILE                 $FWKNOP_RUN_DIR/digest.cache;
### The DB version is only used if fwknopd was built with gdbm/ndbm
### support (not needed by default).
#DIGEST_DB_FILE              $FWKNOP_RUN_DIR/digest_db.cache;

# System binaries
#
FIREWALL_EXE                /usr/bin/firewall-cmd;
#FIREWALL_EXE                /sbin/iptables;

###EOF###