File: fwknop.conf

package info (click to toggle)
fwknop 1.9.12-2
  • links: PTS, VCS
  • area: main
  • in suites: squeeze
  • size: 1,696 kB
  • ctags: 604
  • sloc: perl: 14,617; ansic: 1,258; sh: 462; makefile: 88
file content (454 lines) | stat: -rw-r--r-- 22,747 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
#
#############################################################################
#
#         [+] fwknop - Firewall Knock Operator [+]
#
# This is the configuration file for fwknop, the Firewall Knock Operator.
# The primary authentication and authorization mechanism offered by fwknop
# is known as Single Packet Authorization (SPA).  More information about
# SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
#
# Note there are no access control directives in this file.  All access
# control directives are located in the file
# /etc/fwknop/access.conf.  You will need to edit the access.conf file in
# order for fwknop to function correctly.
#
#############################################################################
#
# $Id: fwknop.conf 1517 2009-08-10 04:09:06Z mbr $
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    _CHANGEME_;

### Define the firewall type.  The default is "iptables" for Linux systems,
### but this can be set to "ipfw" for *BSD systems.  Also supported is
### "external_cmd" to allow fwknop to invoke an external command instead of
### interfacing with the firewall at all
FIREWALL_TYPE               iptables;

### This defines the general strategy fwknop uses to authenticate remote
### clients.  Possible values are "PCAP" (authenticate via regular pcap; this
### is the default and puts the interface in promiscuous mode unless
### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
### writer).  This variable can also be set to "KNOCK" if you really want to
### use the legacy port knocking mode.
AUTH_MODE                   PCAP;

### Define the ethernet interface on which we will sniff packets.  Note
### that this is only used if the AUTH_MODE keyword above is set to
### "PCAP"
PCAP_INTF                   eth0;

### Define whether put the pcap interface in promiscuous mode.
ENABLE_PCAP_PROMISC         Y;

### Define the filter used for PCAP modes; we default to udp port 62201.
### However, if an fwknop client uses the --rand-port option to send the
### SPA packet over a random port, then this variable should be updated to
### something like "udp dst portrange 10000-65535";
PCAP_FILTER                 udp port 62201;

### This instructs fwknopd to not honor SPA packets that have an old time
### stamp.  The value for "old" is defined by the MAX_SPA_PACKET_AGE variable.
### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client
### time stamp at all.
ENABLE_SPA_PACKET_AGING     Y;

### Defines the maximum age (in seconds) that an SPA packet will be accepted.
### This requires that the client system is in relatively close time
### synchronization with the fwknopd server system (NTP is good).  The default
### age is two minutes.
MAX_SPA_PACKET_AGE          120;

### Track digest sums associated with previous fwknop process.  This allows
### digest sums to remain persistent across executions of fwknop.
ENABLE_DIGEST_PERSISTENCE   Y;

### Default to using all three of SHA256, SHA1, and MD5 for SPA replay attack
### detection.  This is overkill, but performance is not usually a concern.
### Further, the variable can also be set to "SHA1" or "MD5".
DIGEST_TYPE                 ALL;

### This variable controls whether fwknopd includes the source IP of each SPA
### packet in the DIGEST store. If a replayed SPA message is detected, then
### having this information can provide information about which networks have
### people sniffing your SPA packets.
ENABLE_DIGEST_INCLUDE_SRC   Y;

### Allow SPA clients to request access to services through an iptables
### firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
### chain instead of the INPUT chain). This also requires the
### ENABLE_FORWARD_ACCESS variable to be set in the access.conf file for the
### specific SOURCE stanzas that should be allowed for forwarding access.
ENABLE_IPT_FORWARDING       N;

### Allow SPA clients to request access to a local socket via NAT.  This still
### puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is
### translated via DNAT rules to the real one.  So, the user would do
### "ssh -p <port>" to access the local service (see the --NAT-local and
### --NAT-rand-port on the fwknop client command line).
ENABLE_IPT_LOCAL_NAT        Y;

### By default, if forwarding access is enabled (see the ENABLE_IPT_FORWARDING
### variable above), then fwknop creates DNAT rules for incoming connections,
### but does not also complement these rules with SNAT rules at the same time.
### In some situations, internal systems may not have a route back out for the
### source address of the incoming connection, so it is necessary to also
### apply SNAT rules so that the internal systems see the IP of the internal
### interface where fwknopd is running.  This functionality is only enabled
### when ENABLE_IPT_SNAT is set to "Y", and by default SNAT rules are built
### with the MASQUERADE target (since then the internal IP does not have to be
### defined here in the fwknop.conf file), but if you want fwknopd to use the
### SNAT target then also defined an IP address with the SNAT_TRANSLATE_IP
### variable.
ENABLE_IPT_SNAT             N;
SNAT_TRANSLATE_IP           _CHANGEME_;

### If ENABLE_IPT_FORWARDING is enabled, but the /proc/sys/net/ipv4/ip_forward
### disables forwarding, then by default enable forwarding
ENABLE_PROC_IP_FORWARD      Y;

### Add ACCEPT rules to the FWKNOP_OUTPUT chain. This is usually only useful
### if there are no state tracking rules to allow connection responses out and
### the OUTPUT chain has a default-drop stance.
ENABLE_IPT_OUTPUT           N;

### Force all SPA packets to contain a real IP address within the encrypted
### data.  This makes it impossible to use the -s command line argument on
### the fwknop client command line, so either -R has to be used to
### automatically resolve the external address (if the client behind a NAT) or
### the client must know the external IP.
REQUIRE_SOURCE_ADDRESS      N;

### Config variable to force fwknopd to always treat the sniffing interface as
### the "cooked" interface type on Linux.
ENABLE_COOKED_INTF          N;

### This pair of variables controls whether fwknopd voluntarily exits and over
### what time interval. When fwknopd exits, knopwatchd will restart it.
### Because fwknop controls the accessibility of services, this feature can be
### used to make sure that the fwknop rules are flushed (see the
### FLUSH_IPT_AT_INIT variable), and the effects of any potential logic (or
### other) bugs are minimized since fwknopd will start "fresh" when knopwatchd
### kicks it off. NOTE: This feature is almost never required since fwknopd is
### generally quite stable, and is mostly offered for the extra paranoid.
ENABLE_VOLUNTARY_EXITS      N;
EXIT_INTERVAL               1440;  ### minutes (1 day)

### These variables control whether special checks are run against the
### interface that fwknopd sniffs to acquire SPA packets.  The basic strategy
### is for the knoptm daemon to make sure that the sniffing interface exists
### is in the "RUNNING" state, and always has increasing numbers of received
### and transmitted bytes (Linux only).  If not then knoptm stops fwknopd once
### the error condition has been cleared (and not before, since fwknopd cannot
### receive packets anyway until then).  Then, knopwatchd will restart fwknopd
### so that it can once again receive SPA packets from the interface.  The
### typical example for where this become important is when fwknopd has been
### deployed against a ppp interface that is shut down and then restarted.
### Note that usually the RUNNING check is not needed because fwknopd can once
### again receive packet data if the interface is brought back into the RUNNING
### state, but there is little harm in enabling it by default.  Another check
### that is enabled by default is to ensure that the number of bytes received
### and transmitted does not decrease.
ENABLE_INTF_CHECKS          Y;
INTF_CHECKS_INTERVAL        20;  ### seconds
ENABLE_INTF_EXISTS_CHECK    Y;
ENABLE_INTF_RUNNING_CHECK   Y;  ### looks for the string "RUNNING"
ENABLE_INTF_BYTES_CHECK     Y;  ### checks for resets in bytes RX/TX counters

### If this feature is enabled, then knoptm will not time out any rules added
### by fwknopd if any connection is in the ESTBALISHED state involving the IP
### that was granted access and a destination port that is specified by the
### CONNTRACK_ESTAB_PORTS variable (which supports comma-separated lists of
### ports).
ENABLE_CONNTRACK_PERSIST    N;
CONNTRACK_ESTAB_PORTS       0;  ### can be "80, 6997, 22", etc.
IPT_CONNTRACK_FILE          /proc/net/ip_conntrack;

### Specify the the maximum number of bytes to sniff per frame - 1500
### is a good default
MAX_SNIFF_BYTES             1500;

### Flush all existing rules in the fwknop chains at fwknop start time.
FLUSH_IPT_AT_INIT           Y;

### If running on ipfw firewalls, this variable defines the rule number that
### fwknopd uses to insert an ipfw pass rule.
IPFW_RULE_NUM               1;

### If running on ipfw firewalls, this variable defines the rule set that will
### be used to store expired rules that still have a dynamic rule associated
### to them. That set will be disabled by fwknop and should not be enabled
### while fwknop is running. Not used when ipfw isn't using dynamic rules.
IPFW_SET_NUM                1;

### For ipfw firewalls set the interval (in seconds) over which rules that
### have no remaining dynamic rules associated with them will be removed.
IPFW_DYNAMIC_INTERVAL       60;  ### seconds

### Define the timeout for running a command
PCAP_CMD_TIMEOUT            10;

### If GPG keys are used instead of a Rijndael symmetric key, this is
### the default GPG keys directory.  Note that each access block in
### /etc/fwknop/access.conf can specify its own GPG directory to override
### this default.
GPG_DEFAULT_HOME_DIR        /root/.gnupg;

### This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
### be created by a sniffer process (or something like the ulogd pcap
### writer).
PCAP_PKT_FILE               /var/log/sniff.pcap;

### By default fwknopd tests to see if the FKO module has been installed, and
### if so all SPA operations are performed via FKO functions.  If this
### variable is set to "N", then fwknopd will fall back to the original perl
### SPA implementation.  It is recommended to leave this as "Y" and install
### the libfko library and associated FKO perl module.
ENABLE_FKO_MODULE           Y;

### Define a comma-separated set of IP addresses and/or networks that should
### be globally blacklisted.  That is, any SPA packet that is from a source
### IP (or has an internal --allow-ip) within a blacklisted network will be
### ignored.
BLACKLIST                   NONE;

### Defines interval fwknop will use to check for more iptables
### messages (this is only used in the legacy port knocking mode).
SLEEP_INTERVAL              2;  ### seconds

### TTL values are decremented depending on the number of hops the packet
### has taken before it hits the firewall.  We will assume packets will not
### jump through more than 20 hops on average.
MAX_HOPS                    20;

### Allow fwknopd to acquire SPA data from HTTP requests (generated with the
### fwknop client in --HTTP mode).  Note that the PCAP_FILTER variable would
### need to be updated when this is enabled to sniff traffic over TCP/80
### connections
ENABLE_SPA_OVER_HTTP        N;

### Note that fwknopd still only gets its data via pcap (unless AUTH_MODE is
### set to 'SOCKET'), so the filter defined by PCAP_FILTER needs to be updated
### to include the tcp or udp port if either of these variables are enabled.
ENABLE_TCP_SERVER           N;
ENABLE_UDP_SERVER           N;

### Set the default port number for a "dummy" tcp or udp server (udp is
### best to use since nothing will be sent back to the client, so as far as a
### scanner can tell the port is 'filtered').  The server is only spawned when
### ENABLE_TCP_SERVER or ENABLE_UDP_SERVER is set to "Y".
TCPSERV_PORT                62201;
UDPSERV_PORT                62201;

### Set the locale (via the LC_ALL variable).  This can be set to NONE to
### have fwknopd honor the default system locale.
LOCALE                      C;

### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON variable
### accepts three possible values: syslogd, syslog-ng, or metalog.
SYSLOG_DAEMON               syslogd;

### syslog facility and priority (the defaults are usually ok)
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
SYSLOG_IDENTITY             fwknopd;
SYSLOG_FACILITY             LOG_LOCAL7;
SYSLOG_PRIORITY             LOG_INFO;

### syslog config for knoptm
KNOPTM_SYSLOG_IDENTITY      fwknop(knoptm);
KNOPTM_SYSLOG_FACILITY      LOG_LOCAL7;
KNOPTM_SYSLOG_PRIORITY      LOG_INFO;

### syslog config for fwknop_serv
FWSERV_SYSLOG_IDENTITY             fwknop(fwknop_serv);
FWSERV_SYSLOG_FACILITY             LOG_LOCAL7;
FWSERV_SYSLOG_PRIORITY             LOG_INFO;

### Allow reporting methods to be enabled/restricted.  This keyword can
### accept values of "nosyslog" (don't write any messages to syslog),
### "noemail" (don't send any email messages), or "ALL" (to generate both
### syslog and email messages).  "ALL" is the default.  Both "nosyslog"
### and "noemail" can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS            ALL;

### (Legacy port knocking mode)
### The following variable can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### "--log-prefix" for iptables firewalls).  For example, if your firewall
### uses the string "Audit" for packets that have been blocked, then you
### could set FW_MSG_SEARCH = "Audit";
FW_MSG_SEARCH               DROP;

### (Legacy port knocking mode)
### This variable controls whether fwknopd parses the /var/log/messages
### file for port knock sequences, or if it assumes that the local syslog
### daemon has been configured to write iptables log messages to the
### fwknopfifo named pipe
ENABLE_SYSLOG_FILE          Y;
IPT_SYSLOG_FILE             /var/log/messages;

### This variable defines the number of seconds that the IPTables::ChainMgr
### module should wait for running iptables commands.  Normally iptables
### runs extremely fast from the command line (at least for the commands
### that fwknopd executes), so the default of 30 seconds is plenty.
IPT_CMD_ALARM               30;

### Set the strategy that the IPTables::ChainMgr module will use for executing
### iptables commands.  The default of "waitpid" means that IPTables::ChainMgr
### will use fork(), exec(), and waitpid(), whereas "system" means that
### "system()" will used, and finally "popen" means that iptables will be
### executed via popen().
IPT_EXEC_STYLE              waitpid;

### Define the number of seconds that the IPTables::ChainMgr policy uses to
### sleep between successive iptables commands.  Zero is the default.
IPT_EXEC_SLEEP              0;

### Define the number of times that fwknopd or knoptm will run certain
### critical iptables commands (such as adding a new access rule) if any
### problems are encountered.
IPT_EXEC_TRIES              1;

### The following four variables control whether a global set of "open" and
### "close" commands are executed after receving a valid SPA packet.  These
### variables are used only if FIREWALL_TYPE is set to "external_cmd", but
### the same variables can also exist within the access.conf file so that
### mixed deployments are possible - that is, some SPA packets will operate
### as usual and result in firewall commands being executed, but others will
### result in the commands defined by these variables (in access.conf) being
### executed.
###     The "open" and "close" commands might be manually supplied firewall
### commands, and both support variable substitution of any of the variables
### in the access.conf file with "$VAR".  Also, three special variables are
### supported: $SRC, $PORT, and $PROTO, which are derived from actual values
### from within valid SPA packets (as opposed to $SOURCE from access.conf
### which may contain a list of networks instead of a single IP address).
### Here are some examples:
###     - Execute a specific iptables command on behalf of the source IP
###     in a valid SPA packet to add a new ACCEPT rule, and execute
###     another command (to delete the same rule after a timeout):
###         EXTERNAL_CMD_OPEN       iptables -A INPUT -s $SRC -j ACCEPT
###         EXTERNAL_CMD_CLOSE      iptables -D INPUT -s $SRC -j ACCEPT
###     - Execute a custom binary with the SOURCE and OPEN_PORTS variables
###     from the access.conf file as input on the command line, and after
###     a timeout execute a different program but use the real SPA source
###     IP:
###         EXTERNAL_CMD_OPEN       /path/someprog $SOURCE $OPEN_PORTS
###         EXTERNAL_CMD_OPEN       /path/otherprog $SRC
ENABLE_EXTERNAL_CMDS        N;
EXTERNAL_CMD_OPEN           __NONE__;
EXTERNAL_CMD_CLOSE          __NONE__;
EXTERNAL_CMD_ALARM          30;

### if EXTERNAL_CMD_OPEN is used above, then the following two variables can
### be used to enforce a prefix on variable substitutions - useful if there
### are any naming conflicts with the external script and command line
### arguments that are named the same as the variables to be substituted.
ENABLE_EXT_CMD_PREFIX       N;
EXT_CMD_PREFIX              FWKNOP_;

### For knopwatchd
KNOPWATCHD_CHECK_INTERVAL   5;  ### seconds
KNOPWATCHD_MAX_RETRIES      10;

### Default minimum for any SPA packet (including both the data link,
### network, and transport layer headers)
MIN_SPA_PKT_LEN             150;

### Default minimum message size SPA messages encrypted with GnuPG. The
### fwknopd daemon will not attempt to decrypt any packet with gpg that is not
### at least as large as this value.
MIN_GNUPG_MSG_SIZE          400;

### fwknop uses the IPTables::ChainMgr module to add allow rules to a
### custom iptables chain "FWKNOP_INPUT".  This chain is called from
### the INPUT chain, and by default no other iptables chains are used.
### However, additional chains can be added (say, if access needs to
### be allowed through the local system via the FORWARD chain) by
### altering the IPT_FORWARD_ACCESS variable below.  For a discussion of
### the format followed by these keywords, read on:
###     Specify chain names to which iptables blocking rules will be
### added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
### The format for these variables is:
###     <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
###              <To_chain>,<Rule_position>.
### "Target": Can be any legitimate iptables target, but should usually
###           just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
###              INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any iptables table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
###                       the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
###             main chain where fwknop rules are added.
### "Rule_position": Defines the position where rule are added within the
###                  To_chain.
IPT_INPUT_ACCESS            ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
### The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
IPT_OUTPUT_ACCESS           ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
### The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is enabled
IPT_FORWARD_ACCESS          ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
IPT_DNAT_ACCESS             DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
### The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
### ENABLE_IPT_FORWARDING are enabled.  Also, the external static IP must be
### set with the SNAT_TRANSLATE_IP variable.  The default is to use the
### IPT_MASQUERADE_ACCESS variable.
IPT_SNAT_ACCESS             SNAT, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
IPT_MASQUERADE_ACCESS       MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;

### Directories
FWKNOP_DIR                  /var/log/fwknop;
FWKNOP_RUN_DIR              /var/run/fwknop;
FWKNOP_LIB_DIR              /var/lib/fwknop; # for legacy port knocking mode
FWKNOP_MOD_DIR              /usr/lib/fwknop;
FWKNOP_CONF_DIR             /etc/fwknop;
FWKNOP_ERR_DIR              $FWKNOP_DIR/errs;

### Files
FW_DATA_FILE                $FWKNOP_DIR/fwdata; # legacy port knocking mode
ACCESS_CONF                 $FWKNOP_CONF_DIR/access.conf;
P0F_FILE                    $FWKNOP_CONF_DIR/pf.os;   ### p0f-based fingerprints
DIGEST_FILE                 $FWKNOP_DIR/digest.cache;
FWKNOP_PID_FILE             $FWKNOP_RUN_DIR/fwknopd.pid;
FWKNOP_CMDLINE_FILE         $FWKNOP_RUN_DIR/fwknopd.cmd;
TCPSERV_PID_FILE            $FWKNOP_RUN_DIR/fwknop_serv.pid;
KNOPWATCHD_PID_FILE         $FWKNOP_RUN_DIR/knopwatchd.pid;
KNOPMD_PID_FILE             $FWKNOP_RUN_DIR/knopmd.pid;
KNOPTM_PID_FILE             $FWKNOP_RUN_DIR/knoptm.pid;
KNOPTM_IP_TIMEOUT_SOCK      $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock;
FWKNOP_SERV_SOCK            $FWKNOP_RUN_DIR/fwknop_serv.sock;
KNOPMD_FIFO                 $FWKNOP_LIB_DIR/fwknopfifo;
PROC_IP_FORWARD_FILE        /proc/sys/net/ipv4/ip_forward;

### iptables command output and error collection files; these are
### used by IPTables::ChainMgr
IPT_OUTPUT_FILE             $FWKNOP_DIR/fwknopd.iptout;
IPT_ERROR_FILE              $FWKNOP_DIR/fwknopd.ipterr;
KNOPTM_IPT_OUTPUT_FILE      $FWKNOP_DIR/knoptm.iptout;
KNOPTM_IPT_ERROR_FILE       $FWKNOP_DIR/knoptm.ipterr;

### system binaries
gpgCmd           /usr/bin/gpg;
mailCmd          /bin/mail;
sendmailCmd      /usr/sbin/sendmail;
shCmd            /bin/sh;
ifconfigCmd      /sbin/ifconfig;
mknodCmd         /bin/mknod;
iptablesCmd      /sbin/iptables;
ipfwCmd          /sbin/ipfw;  ### BSD and Mac OS X only
fwknopdCmd       /usr/sbin/fwknopd;
fwknop_servCmd   /usr/sbin/fwknop_serv;
knopmdCmd        /usr/sbin/knopmd;
knoptmCmd        /usr/sbin/knoptm;
knopwatchdCmd    /usr/sbin/knopwatchd;