
1.0 The firewall control daemon

fwcd is a daemon that runs on the firewall. This requires that the firewall is an ordinary computer and not a dedicated router (such as a Cisco router). It communicates with Oasis, which sends requests to fwcd to log a user in. The firewall control daemon then starts listening to that user's traffic to decide whether the user is still logged in. When the user is inactive (but still connected), fwcd starts pinging the user until the user is active again.

This solves the problem of too much probing: traffic the firewall sees anyway counts as evidence that the user is present, so the firewall only has to probe actively while the user is silent, not all the time.
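To make the presence logic above concrete, here is a small model of it written for this page. It is an added example, not fwcd's own code (which this manual does not show), and it assumes one decision per probe-interval and that a user is logged out once the number of consecutive missed probes exceeds max-missed-probes; the timeline of observations is constructed.

```python
"""Model of fwcd's presence tracking: passive observation of the user's traffic
first, active probing only while the user is silent.  Added example, not fwcd code."""
from dataclasses import dataclass, field


@dataclass
class Session:
    ip: str
    mac: str
    missed: int = 0          # consecutive probes the user has not answered
    logged_in: bool = True
    events: list = field(default_factory=list)


def step(sess, max_missed_probes, saw_traffic, probe_answered):
    """One probe-interval tick.  Returns the action taken: 'idle', 'probe' or 'logout'."""
    if not sess.logged_in:
        return "idle"
    if saw_traffic:
        # Passive evidence of presence: no probe is sent and the miss counter resets.
        sess.missed = 0
        sess.events.append("traffic")
        return "idle"
    # No traffic in this interval, so fall back to an active probe (ping).
    if probe_answered:
        sess.missed = 0
        sess.events.append("probe-ok")
        return "probe"
    sess.missed += 1
    sess.events.append("probe-miss")
    if sess.missed > max_missed_probes:
        # Assumption of this model: exceeding max-missed-probes means "away";
        # this is the point where fwcd would run the firewall program with "close".
        sess.logged_in = False
        sess.events.append("logout")
        return "logout"
    return "probe"


def run(timeline, max_missed_probes):
    """timeline: list of (saw_traffic, probe_answered) per interval; returns (session, actions)."""
    sess = Session("192.168.1.5", "00:01:60:12:a7:bd")   # constructed user
    actions = [step(sess, max_missed_probes, t, p) for t, p in timeline]
    return sess, actions


# Constructed timeline: browsing, then quiet but answering pings, then active
# again, then the host disappears.
TIMELINE = [
    (True, None),    # traffic seen: no probe needed
    (True, None),
    (False, True),   # silent, but answers the probe
    (False, True),
    (True, None),    # active again
    (False, False),  # miss 1
    (False, False),  # miss 2
    (False, False),  # miss 3
]

if __name__ == "__main__":
    sess, actions = run(TIMELINE, 2)
    print(actions, "logged_in:", sess.logged_in)
```

With max-missed-probes set to 2 the model probes in only five of the eight intervals and logs the user out on the third consecutive miss; with 3 the same timeline ends with the user still logged in.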

1.0.1 Starting fwcd  
1.0.2 Configuring fwcd  



1.0.1 Starting fwcd

Options are specified by the usual GNU command line syntax, with long options starting with two dashes (--).

Usage: fwcd [options]

Options:

`-f'
`--fg'
Run in foreground, don't fork. When in foreground the log messages are sent directly to the console instead of to syslog.

`-r `FILE''
`--rcfile=`FILE''
Read configuration file `FILE' instead of the default one in `/usr/local/etc/fwcd.conf'.

`-d'
`--debug'
Show debug messages.

`-h'
`--help'
Show a short help message describing the syntax.

`-V'
`--version'
Show the version number.



1.0.2 Configuring fwcd

The configuration file is by default installed as `/usr/local/etc/fwcd.conf'. There is a template in the `etc' subdirectory of the source distribution that you can modify to your needs. The syntax is simple: each directive consists of a keyword, an equal sign and an argument, as in:

keyword = argument

Comments begin with # or // and extend to the end of the line. Block comments can be written in C syntax, beginning with /* and ending in */.

Valid directives are:

probe-interval
Time between consecutive checks of the users' traffic.

log-facility
What facility to use when logging to syslog. The following arguments are recognised:

LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_USER

max-missed-probes
Maximum number of probes a user can miss before the user is considered away and logged out by the system.

firewall-soft-timeout
Timeout, in seconds, before the execution of the firewall program is considered failed and a SIGTERM is sent to shut down the process.

firewall-hard-timeout
Timeout, in seconds, before the shutdown of the firewall program is considered failed and a SIGKILL is sent to the process.

firewall-program
The program to run when controlling the firewall. The firewall program is called with the following parameters:

To open up a rule: <open> <IP> <MAC>

To close a rule: <close> <IP> <MAC>

To reset the firewall: <reset>

IP is a string in dotted-decimal form (xxx.xxx.xxx.xxx) and MAC is a colon-separated string of hex numbers (00:01:60:12:a7:bd).

port
What port to use when listening for the connection from oasis.

probe-interface
What interface to use when listening for traffic and probing users.

oasis-host
The host oasis is running on.

oasis-port
The port oasis listens on for the connection from fwcd.

probe-library
The plugin library to use to probe users. If no library or an empty string is specified, no probing will be performed.

certificate-file
The certificate fwcd presents to identify itself to oasis. Default is `/usr/local/etc/fwcd.cert'.

key-file
The private key belonging to that certificate, used when fwcd identifies itself to oasis. Default is `/usr/local/etc/fwcd.key'.

oasis-certificate-file
This is the certificate that will be expected from oasis. Default is `/usr/local/etc/oasis.cert'.

network
This is the network and mask we're listening on. It can be given in either of two forms, "192.168.1.0/24" or "192.168.1.0 mask 255.255.255.0".

promiscuous
Integer specifying whether to sniff packets in promiscuous mode (1) or not (0). Setting promiscuous to 0 is generally the better choice: the traffic fwcd needs to see is routed through the firewall and is therefore already addressed to its interface, whereas promiscuous mode would also capture frames exchanged between other hosts on the same segment, which only costs CPU and adds noise to the presence checks.
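As an added example of the firewall-program interface described above, here is a hypothetical hook script for Linux iptables; it is not part of fwcd or Oasis. It assumes a dedicated chain (called OASIS_USERS here, a name chosen for this example) that the FORWARD chain jumps to, with everything not explicitly opened being dropped. It validates the IP and MAC arguments before they reach iptables, matches both the IP and the MAC so a host that later reuses the IP does not inherit the session, and is written so the iptables calls can be substituted for a dry run.

```python
#!/usr/bin/env python3
"""Hypothetical firewall-program for fwcd (added example, not part of fwcd):
    open <IP> <MAC>     close <IP> <MAC>     reset
Assumes Linux iptables and a chain OASIS_USERS (name chosen here) that FORWARD
jumps to, with a default DROP behind it."""
import ipaddress
import re
import subprocess
import sys

CHAIN = "OASIS_USERS"          # assumption: created at boot and jumped to from FORWARD
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_args(ip, mac):
    """Return (ip, mac) normalised, or None if either is not what fwcd promises:
    dotted-decimal IPv4 and a colon-separated MAC.  Nothing else reaches iptables."""
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return None
    return ip, mac


def rule(ip, mac):
    # Match the IP and the MAC the user logged in with, so another host that
    # later takes over the same IP does not inherit the open session.
    return ["-s", ip, "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]


def commands(verb, args):
    """Translate one fwcd invocation into the iptables argv lists to run, in order."""
    if verb == "reset":
        if args:
            raise ValueError("reset takes no arguments")
        return [["iptables", "-F", CHAIN]]                  # drop every open session
    if verb not in ("open", "close") or len(args) != 2:
        raise ValueError("usage: open <IP> <MAC> | close <IP> <MAC> | reset")
    checked = check_args(*args)
    if checked is None:
        raise ValueError(f"refusing malformed arguments {args!r}")
    ip, mac = checked
    if verb == "open":
        # -C first: a repeated open must not stack a duplicate rule that a
        # single close would then fail to remove.
        return [["iptables", "-C", CHAIN] + rule(ip, mac),
                ["iptables", "-I", CHAIN, "1"] + rule(ip, mac)]
    return [["iptables", "-D", CHAIN] + rule(ip, mac)]


def apply_rules(verb, args, run):
    """run(argv) -> exit status.  Returns the argv lists that were actually executed."""
    cmds = commands(verb, args)
    executed = [cmds[0]]
    status = run(cmds[0])
    if verb == "open":
        if status == 0:
            return executed                                 # already open: idempotent
        executed.append(cmds[1])
        status = run(cmds[1])
    if status != 0:
        raise RuntimeError(f"{' '.join(executed[-1])} failed with status {status}")
    return executed


def main(argv):
    try:
        apply_rules(argv[0] if argv else "", argv[1:],
                    lambda cmd: subprocess.run(cmd).returncode)
    except (ValueError, RuntimeError) as exc:
        print(f"fwcd-hook: {exc}", file=sys.stderr)
        return 1                    # non-zero so fwcd sees the call as failed
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The exit status matters: fwcd's soft and hard timeouts only catch a hook that hangs, so a hook that fails quickly should say so with a non-zero status rather than silently leaving the rule set unchanged. The MAC match raises the bar but is not proof of identity; on a shared segment a MAC can be forged as easily as an IP, which is one reason fwcd keeps probing the logged-in host rather than trusting the rule forever.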


About this document

This document was generated by Oden Eriksson on November, 10 2004 using texi2html

The buttons in the navigation panels have the following meaning:

Button Name Go to From 1.2.3 go to
[ < ] Back previous section in reading order 1.2.2
[ > ] Forward next section in reading order 1.2.4
[ << ] FastBack previous or up-and-previous section 1.1
[ Up ] Up up section 1.2
[ >> ] FastForward next or up-and-next section 1.3
[Top] Top cover (top) of document  
[Contents] Contents table of contents  
[Index] Index concept index  
[ ? ] About this page  

where the Example assumes that the current position is at Subsubsection One-Two-Three of a document of the following structure:

This document was generated by Oden Eriksson on November, 10 2004 using texi2html