menschmeier l33t
Joined: 15 Dec 2004 Posts: 727
Posted: Tue Jan 08, 2008 8:35 pm Post subject: problem with knockd [solved]
Hi,
I am trying to use knock on my system.
I want to use knock in such a way that it opens the firewall for a couple of minutes and then closes it again. But this configuration does not work.
Here is my config:
Code:
[opencloseFTP]
sequence = 5050,6060,7070
seq_timeout = 15
tcpflags = syn
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
cmd_timeout = 120
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
Here is the output of the log file (the IP is replaced by xxx):
Quote:
[2008-01-08 21:07] xxx: opencloseFTP: Stage 1
[2008-01-08 21:07] xxx: opencloseFTP: Stage 2
[2008-01-08 21:07] xxx: opencloseFTP: Stage 3
[2008-01-08 21:07] xxx: opencloseFTP: OPEN SESAME
[2008-01-08 21:07] opencloseFTP: running command: /sbin/iptables -D INPUT -s xxx -p tcp --dport 21 -j ACCEPT
[2008-01-08 21:07] opencloseFTP: command returned non-zero status code (1)
[2008-01-08 21:07] waiting for child processes...
[2008-01-08 21:07] shutting down
[2008-01-08 21:07] starting up, listening on eth0
[2008-01-08 21:07] xxx: closeFTP: Stage 1
[2008-01-08 21:08] xxx: closeFTP: sequence timeout (stage 1)
[2008-01-08 21:08] xxx: closeFTP: Stage 1
[2008-01-08 21:09] waiting for child processes...
[2008-01-08 21:09] shutting down
[2008-01-08 21:09] starting up, listening on eth0
What is causing the error and the restart?
A configuration like this is working:
Code:
[openFTP]
sequence = 4000,5000,6000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
tcpflags = syn
[closeFTP]
sequence = 6000,5000,4000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
tcpflags = syn
menschmeier
_________________
Please notice the back of this message.
Last edited by menschmeier on Wed Jan 09, 2008 12:08 pm; edited 1 time in total
MostAwesomeDude Guru
Joined: 12 Aug 2007 Posts: 373
Posted: Tue Jan 08, 2008 10:24 pm
You need to use start_command and stop_command instead of command. Try this:
Code:
[opencloseFTP]
sequence = 5050,6060,7070
seq_timeout = 15
tcpflags = syn
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
cmd_timeout = 120
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
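The log in the first post shows why the original section failed: with `command` given twice, knockd ran only the second (the `-D` rule removal), which returned status 1 because no matching rule existed yet. The following linter, an added example and not part of knockd, reads a knockd.conf-style file while keeping every occurrence of a key, and reports both that mistake and a `cmd_timeout` that lacks `start_command`/`stop_command`; the sample config is the poster's broken section, embedded inline.

```python
from collections import defaultdict

# Constructed sample: the broken [opencloseFTP] section from the first post.
SAMPLE_CONF = """\
[opencloseFTP]
sequence = 5050,6060,7070
seq_timeout = 15
tcpflags = syn
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
cmd_timeout = 120
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 21 -j ACCEPT
"""


def parse_knockd_conf(text):
    """Return {section: {key: [value, ...]}}; duplicate keys are kept, not overwritten."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = defaultdict(list)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key].append(value)
    return sections


def lint(sections):
    """Return one human-readable finding per configuration mistake."""
    problems = []
    for name, opts in sections.items():
        if name == "options":  # global knockd settings, not a knock sequence
            continue
        if len(opts.get("command", [])) > 1:
            problems.append(f"[{name}]: 'command' given {len(opts['command'])} times; "
                            "only the last one runs (as the log in this thread shows)")
        if "cmd_timeout" in opts and not ("start_command" in opts and "stop_command" in opts):
            problems.append(f"[{name}]: cmd_timeout needs start_command and stop_command")
        if "start_command" in opts and "stop_command" not in opts:
            problems.append(f"[{name}]: start_command without stop_command; rule is never removed")
    return problems


if __name__ == "__main__":
    for problem in lint(parse_knockd_conf(SAMPLE_CONF)):
        print(problem)
```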
menschmeier l33t
Joined: 15 Dec 2004 Posts: 727
Posted: Wed Jan 09, 2008 3:17 am
Hi MostAwesomeDude,
thanks for the hint. I was too much in a hurry yesterday to see it ...
menschmeier
_________________
Please notice the back of this message.
MostAwesomeDude Guru
Joined: 12 Aug 2007 Posts: 373
Posted: Wed Jan 09, 2008 9:40 am
Sure, no problem! (Please mark your topic title "[SOLVED]", so people know that a solution has been found.)
_________________
Don't believe the "n00b" under my name.