1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
# letmeind daemon configuration.
[GENERAL]
# This config section holds general options.
# Enable debugging.
# This will print verbose syslog messages while modifying the firewall.
#
# Possible values: true, false
debug = true
# The control port that letmeind will listen on.
# This is the public internet facing port of the daemon.
#
# Possible values: Any valid TCP/IP port.
port = 5800
# Timeout (in seconds) for receiving and sending messages on the control port.
# If the timeout is exceeded, the TCP connection will be aborted.
#
# Possible values: A positive number of seconds.
control-timeout = 5.0
# Control port error policy.
#
# If the policy is set to 'always', then error messages will always
# be transmitted to the connected client.
# If the policy is set to 'basic-auth', then error messages are suppressed
# unless the connected client has passed basic authentication.
# If the policy is set to 'full-auth', then error messages are suppressed
# unless the connected client has passed full authentication.
#
# Possible values: always, basic-auth, full-auth
# The recommended value is: basic-auth
# The default value is: always
control-error-policy = always
# Turn the Linux seccomp feature on.
#
# Possible values: off, log, kill
#
# off: Seccomp turned off.
# log: Seccomp turned off, but access of prohibited syscalls will be logged to syslog.
# kill: Seccomp turned on. Letmeind will be killed if prohibited syscalls are called.
seccomp = off
[NFTABLES]
# This config section holds the nftables firewall configuration.
# nftables chain that letmeinfwd will modity.
family = inet
table = filter
chain-input = LETMEIN-INPUT
# Timeout of installed knock-open rules.
# Knocked-open ports will be closed again this many seconds after the knocking.
timeout = 600
[KEYS]
# This config section holds the table of users with their corresponding keys.
#
# Use command to generate new keys:
# letmein gen-key
# User 00000001:
#00000001 = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# User 00000002:
#00000002 = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[RESOURCES]
# This config section holds the table of knock-able ports.
# Resource ID '1A' maps to TCP port 2000:
#0000001A = port: 2000
# Resource ID '1B' maps to TCP port 3500:
#0000001B = port: 3500
# A resource can be restricted to one or more users.
# Restricted to users 1 and 2:
#0000001C = port: 4500 / users: 00000001, 00000002
# Restricted to user 1:
#0000001D = port: 5500 / users: 00000001
# Open port 6500 for TCP and UDP.
#0000001E = port: 6500 / tcp,udp
|
