security/knock/files/patch-doc__knockd.1.in


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

--- ./doc/knockd.1.in.orig	2005-06-29 20:45:17.000000000 +0200
+++ ./doc/knockd.1.in	2011-08-17 13:29:55.000000000 +0200
@@ -60,13 +60,13 @@
 	sequence    = 7000,8000,9000
 	seq_timeout = 10
 	tcpflags    = syn
-	command     = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT
+	command     = /usr/sbin/iptables -A INPUT -s %IP% --dport 22 -j ACCEPT
 
 [closeSSH]
 	sequence    = 9000,8000,7000
 	seq_timeout = 10
 	tcpflags    = syn
-	command     = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT
+	command     = /usr/sbin/iptables -D INPUT -s %IP% --dport 22 -j ACCEPT
 
 .fi
 .RE
@@ -115,7 +115,7 @@
 	start_command      = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
 	cmd_timeout        = 5
 	stop_command       = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
-	
+
 .fi
 .RE
 .SH CONFIGURATION: GLOBAL DIRECTIVES
@@ -132,7 +132,7 @@
 .TP
 .B "Interface = <interface_name>"
 Network interface to listen on. Only its name has to be given, not the path to
-the device (eg, "eth0" and not "/dev/eth0"). Default: eth0.
+the device (eg, "fxp0" and not "/dev/fxp0"). Default: fxp0.
 .SH CONFIGURATION: KNOCK/EVENT DIRECTIVES
 .TP
 .B "Sequence = <port1>[:<tcp|udp>][,<port2>[:<tcp|udp>] ...]"
@@ -158,7 +158,7 @@
 \fBNote\fP: Do not edit the file while knockd is running!
 .TP
 .B "Seq_Timeout = <timeout>"
-Time to wait for a sequence to complete in seconds. If the time elapses
+Time to wait (in seconds) for a sequence to complete in seconds. If the time elapses
 before the knock is complete, it is discarded.
 .TP
 .B "TCPFlags = fin|syn|rst|psh|ack|urg"
@@ -183,10 +183,10 @@
 directive is optional, only required if \fBStop_Command\fP is used.
 .TP
 .B "Stop_Command = <command>"
-Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed 
+Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed
 since \fBStart_Command\fP has been executed.  All instances of \fB%IP%\fP will
 be replaced with the knocker's IP address.  This directive is optional.
-.SH SECURITY NOTES 
+.SH SECURITY NOTES
 Using the \fB-l\fP or \fB--lookup\fP commandline option to resolve DNS names
 for log entries may be a security risk!  An attacker may find out the first port
 of a sequence if he can monitor the DNS traffic of the host running knockd.