cipherdyne.org

Michael Rash, Security Researcher



Software Release - fwknop-1.9.0

fwknop-1.9.0 release The 1.9.0 release of fwknop is ready for download. This release introduces major new functionality including inbound NAT support for authenticated connections (iptables firewalls only for now), iptables OUTPUT chain support, a test suite for SPA communications, the ability of the fwknopd daemons to restart themselves after a configurable length of time, and more.

Below is the output of the new test suite running on a Linux system: # ./fwknop_test.pl

[+] ==> Running fwknop test suite; firewall: iptables <==

[+] perl program compilation.........................................pass (0)
[+] C program compilation............................................pass (1)
[+] Stopping any running fwknopd processes...........................pass (2)
[+] Flushing all fwknop iptables rules...............................pass (3)
[+] Testing Rijndael key validity....................................pass (4)
[+] Generating SPA access packet with fwknop client..................pass (5)
[+] Sniffing SPA access packet to acquire access.....................pass (6)
[+] Firewall access rules exist......................................pass (7)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Firewall access rules removed....................................pass (8)
[+] Stopping all running fwknopd processes...........................pass (9)
[+] Replay attack detection..........................................pass (10)
[+] SPA packet randomness............................................pass (11)
[+] Generating SPA packet with 0.0.0.0 src addr......................pass (12)
[+] Sniffing packet source address with 0.0.0.0 src addr.............pass (13)
[+] Generating SPA packet with invalid user..........................pass (14)
[+] Invalid user detection...........................................pass (15)
[+] Generating SPA command packet....................................pass (16)
[+] Sniffing SPA command packet and executing........................pass (17)
[+] Making sure firewall rules have been removed.....................pass (18)
[+] Generating SPA command packet with non-matching regex............pass (19)
[+] SPA command packet filtered......................................pass (20)
[+] Making sure firewall rules do not exist..........................pass (21)
[+] Stopping all running fwknopd processes...........................pass (22)
[+] Generating FORWARD chain access packet...........................pass (23)
[+] FORWARD request detection........................................pass (24)
[+] FORWARD and DNAT access..........................................pass (25)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Making sure firewall rules have been removed.....................pass (26)
[+] Stopping all running fwknopd processes...........................pass (27)
[+] Generating SPA access packet with fwknop client..................pass (28)
[+] SPA communications via tcpdump capture file......................pass (29)
[+] Firewall access rules exist......................................pass (30)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Firewall access rules removed....................................pass (31)
[+] Stopping all running fwknopd processes...........................pass (32)
[+] Deleting all fwknopd iptables chains.............................pass (33)

[+] ==> Passed 34 tests against fwknop. <==
For those interested in the changes in the fwknop-1.9.0 release, here is the complete ChangeLog:
  • Added a test suite so that fwknop and fwknopd functionality can be automatically tested over the loopback interface (see the fwknop_test.pl script in the test/ directory).
  • Major update to allow SPA packets to create DNAT connections to internal systems through the FORWARD chain (iptables only). This is useful to connect through to internal systems (that may be running on non-routable IP addresses) via a border firewall or router that is running fwknopd to create inbound DNAT rules.
  • Added support for the iptables OUTPUT chain via two new variable in the fwknop.conf file: ENABLE_IPT_OUTPUT and IPT_OUTPUT_ACCESS. This is useful for iptables firewalls that are not running the conntrack modules and that have a restrictive OUTPUT chain (so SYN/ACK responses are not allowed out without an explicit ACCEPT rule).
  • Added the ability to force the fwknopd and knoptm daemons to restart themselves (via knopwatchd) after a configurable timeout (see the ENABLE_VOLUNTARY_EXITS and EXIT_INTERVAL variables in the /etc/fwknop/fwknop.conf file). This feature is for those that want fwknopd to go through its initialization routine periodically just in case there is a logic (or other) bug that might result in fwknopd not accepting a valid SPA packet. NOTE: This feature is disabled by default, and is not normally needed since fwknopd is quite stable in most deployments.
  • Major update to perform all firewall rule expirations with knoptm, which is now started in all data collection modes. Older versions of fwknopd maintained its own firewall rule expiration code for the FILE_PCAP, ULOG_PCAP, and KNOCK modes, so two mechanisms were being maintained for the same purpose. The 1.9.0 release fixes this oversight.
  • Minor bugfix to have knopwatchd generate syslog messages whenever an fwknop daemon needs to be restarted.
  • Added --interface command line argument to install.pl to allow the sniffing interface to be specified from the command line. Also updated install.pl to enforce a 10-try maximum for attempting to accept a valid interface name from the command line (LANG env issues can exist sometimes).
  • Updated SPA packet format for server_auth and forward_info elements; the internal MD5 sum is now always the last field in an SPA packet. This makes extensions of the SPA protocol much easier, and the generation of SPA packets more elegant. Also, SPA packet validation has been improved to ensure that fields that are supposed to be digits really only contain integer data.
  • Added ENABLE_FORWARD_ACCESS variable to the access.conf file, and added ENABLE_IPT_FORWARDING to the fwknop.conf file. These variables provide the per-SOURCE ability to create DNAT connnections through the FORWARD chain.
  • Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS in fwknop.conf.
  • Added --Forward-access argument to the fwknop client.
  • Added client version number to syslog messages generated by fwknopd when a valid SPA packet is received.
  • Added human readable timestamp to MD5 cache. Here is an example of the update format: 127.0.0.1 X6WF2C29kEgAv4aDJ8TDeQ [Wed Nov 28 09:24:46 2007]
  • Added --Count argument to fwknopd so that it calls exit() when the specified number of packets is monitored.
  • Added --no-logs argument to knoptm in support of the test suite so that no emails are generated.
  • Bugfix in fwknopd to account for non-Ethernet link layer header over *BSD loopback interfaces.
  • Added --Save-dst argument to the fwknop client to add a priority file to store client command line arguments (~/.fwknop.save). This file is only overwritten when --Save-dst is used.
  • Added fwknopd --fw-del-chains to allow the fwknopd iptables chains to easily be deleted.
  • Minor fwknopd bugfix to set process exit status to 0 when --Kill is used.