root/fwknop/tags/fwknop-1.9.8/ChangeLog

fwknop-1.9.8 (09/30/2008):
    - Made the updated UI from Sean Greven available on cipherdyne.org.  This
      update fixes the timezone problem so that SPA packets generated by the
      UI will be properly handled by an fwknopd server.
    - Added GPG_NO_REQUIRE_PREFIX to access.conf to control whether the GnuPG
      'hQ' prefix is added before base64 decoding and decrypting.  Normally
      this is not needed, but if there appear to be communications issues
      between the fwknop client and the fwknopd server then this option can be
      useful to ensure that encrypted SPA data is sent through the GnuPG
      decryption routine.  The 'hQ' prefix is a heuristic derived from the
      file 'magic' database for describing data encrypted with GnuPG, and the
      fwknop client normally strips this data from outgoing SPA packets
      (unless the --Include-gpg-prefix option is used).
    - Added 'GPG_PATH <path>' to fwknopd (via access.conf) so that different
      paths to the gpg binary can be specified on a per-SOURCE basis.  This
      allows one SOURCE stanza to apply one gpg binary to decrypt incoming SPA
      packets (say /usr/bin/gpg), and another SOURCE stanza to apply to another
      gpg binary (say /usr/bin/gpg2).  In this way, fwknop/fwknopd now
      supports gpg2 in addition to gpg.
    - Bugfix to make sure that neither fwknop nor fwknopd reference any
      options file in GnuPG mode, and this is now the default (which overrides
      the now unnecessary --gpg-no-options arg).  There is a new option
      --gpg-use-options and GPG_USE_OPTIONS to restore the usage of an options
      file by GnuPG by fwknop and fwknopd (not normally needed).
    - Added '--gpg-prefix <bytes>' to the fwknop client so that the
      predictable prefix for GnuPG encrypted data can be changed.  Normally
      this prefix is 'hQ' (base64 encoded), or the raw bytes 0x8502.
    - Added the ability to control the path used for the gpg binary on the
      client side with a new argument '--gpg-path <path>', and on the server
      side with gpgCmd in the fwknop.conf file.  The GnuPG::Interface module
      normally just takes the first instance of gpg that is the current path,
      but this new feature allows the path to the binary to be explicitly set.
    - Added --Save-packet-append to allow SPA packets to be appended to the
      --Save-packet-file in --Save-packet mode.  This allows multiple SPA
      packets to more easily be stored for closer examination (i.e. to make
      sure randomness is high or to test encryption properties over large
      sets of SPA packets).
    - Updated fwknopd to enforce the DIGEST_TYPE variable more strictly by not
      accepting SPA packets that do not include digest of the specified type.
      The DIGEST_TYPE default is 'ALL', so normally fwknopd accepts any
      supported digest.
    - Bugfix to make sure to apply BLACKLIST checks to IP addresses specified
      with -a (or derived via -R) in addition to the source IP in the IP
      header (which can be modified via --Spoof-src).  (Franck Joncourt
      submitted a patch for this.)
    - Bugfix to ensure that the permissions for the
      /var/run/fwknop/knopwatchd.pid file are set to 0600 (noticed by Franck
      Joncourt).
    - Bugfix to remove the Net::IPv4Addr dependency in the fwknop client and
      knoptm daemon (Franck Joncourt).
    - (Test suite) Added the base64_byte_frequency.pl script to the test/
      directory.  This script parses files that contain base64 encoded data
      (one record per line), and produces data files that can be graphed with
      Gnuplot in order to visualize SPA packets.  The new --Save-packet-append
      argument makes it easy to generate large collections of SPA packets with
      the fwknop client, and this data can then be parsed by
      base64_byte_frequency.pl to look for features that are common across SPA
      packets (this should be minimized because every fwknop SPA packet contains
      16 bytes of random data).  Some analysis of randomness in SPA packets
      generated by fwknop is presented in this blog post:

      http://www.cipherdyne.org/blog/2008/09/visualizing-spa-packet-randomness.html

    - (Test suite) Added tests for GPG_NO_REQUIRE_PREFIX functionality and for
      the expected GnuPG prefix.
    - (Test suite) Added tests for GnuPG version 2 (a check is made to see if
      it is installed before these tests are run).

fwknop-1.9.7 (08/24/2008):
    - Mirek Trmac from Red Hat contributed several patches so that fwknop can
      be bundled within the Fedora Linux distribution.  These patches
      implemented the following changes:

        Updates to fwknopd to remove the NetPacket module as a dependency
      (this is a particularly important update since it assists with getting
      fwknop bundled with Debian as well).  The patch manually decodes the
      network and transport layer headers.
        A patch to make the fwknop init script not start fwknopd by default
      on Red Hat systems.  This patch also supports Fedora init script
      conventions better (i.e. fwknop instead of the fwknopd name for the lock
      file in /var/lock/subsys).
        Updated the fwknop Makefile to respect the OPTS variable which is used
      in the RPM spec file.
        Bugfix in fwknop_serv to support the variable expansion code from
      fwknopd.  This was important for the TCPSERV_PID_FILE file which is
      defined as $FWKNOP_RUN_DIR/fwknop_serv.pid.
        Updated fwknopd to use the Net::Pcap API valid in Net::Pcap-0.14 for
      the datalink() function (used to detect the datalink layer type).

    - Updated fwknop, fwknopd, and knoptm to import perl modules out of the
      /usr/lib/fwknop/ directory if it exists.  This allows the perl module
      path to be manipulated via the --Lib-dir command line argument and
      'require' statements instead of the old 'use module' strategy.
    - Added module version output for each non-core perl module used by fwknop
      and fwknopd in --debug mode.  This is mostly useful for the test suite
      to see which versions of the modules are being used.
    - Added the ability to ignore any local GnuPG 'options' file with a new
      command line argument --gpg-no-options (for the fwknop client) and a new
      access.conf config variable GPG_NO_OPTIONS (for the fwknopd daemon).
      This fixes a problem reported by Mike Holzmann where the 'encrypt-to'
      option in the default options file was causing SPA packets to exceed
      1500 bytes when encrypted with a 2048-bit GnuPG key.  Also added the
      MAX_SNIFF_BYTES to the fwknop.conf file and --Max-packet-size to the
      fwknop command line to alter the default of 1500 bytes if needed (but
      this shouldn't really be necessary).
    - Bugfix for 'Premature end of base64 data' and 'Premature padding of
      base64 data' warning messages from MIME::Base64 errors.  Now fwknopd
      applies more rigorous checks for base64 encoded characters, and either
      of these two messages above will result in the packet data being
      discarded before it is sent through any decryption function.  Mike
      Holzmann reported this issue.
    - (Test suite) Added --test-system-fwknop to allow any installed version
      of fwknop to be installed instead of the scripts bundled within the
      local source distribution.

fwknop-1.9.6 (07/18/2008):
    - SPA packets are base64-encoded by the fwknop client, and this encoding
      pads data with '=' chars until the total length of the encoded data is a
      multiple of four.  This characteristic can be used within a Snort rule
      to assist in the detection of SPA communications.  The 1.9.6 release of
      fwknop strips out these padding characters before the client sends an
      SPA packet, and the fwknopd server adds them back in (to form a multiple
      of four) before base64 decoding the packet data.  This reduces the level
      of identifying information in SPA packets and therefore makes it more
      difficult to detect the usage of SPA for service access.  For reference,
      a Snort rule that would detect SPA packets via the trailing '=' chars
      (previous to this release) would be:

        alert udp any any -> any 62201 (msg:"fwknop SPA traffic"; \
        dsize:>150; pcre:"/==$/"; sid:20080001; rev:1;)

    - According to the 'file' command (via it's 'magic') database, files that
      are encrypted with GnuPG begin with 0x8502, and this is true for SPA
      packets generated by fwknop (previous to this release).  In
      fwknop-1.9.6, the "hQ" prefix is removed by the fwknop client and added
      back in by the fwknopd server if it doesn't exist.  This measure is
      another effort to make SPA packets more difficult to detect on the wire,
      such as with the following Snort rule:

        alert udp any any -> any 62201 (msg:"fwknop GnuPG encrypted SPA
        traffic"; content:"hQ"; depth:2; dsize:>1000; sid:20080003; rev:1;)

    - Updated the fwknop client to randomize the UDP source port for default
      SPA packet generation.  There is also a new command line argument
      --Source-port <port> to allow the user to manually set the source port
      on the fwknop client command line.  A lot more attention is given now to
      source ports after the Dan Kaminsky DNS caching exploit, and it turns
      out that even on Linux that the kernel did not randomize UDP source
      ports until the 2.6.24 kernel.  Of course, any userspace process is free
      to request a random port itself, but if a userspace application did not
      build this in then it would be up to the kernel to assign a source port.
      In the case of Linux, here are two links that show the change to the
      kernel code as well as the ChangeLog entry for UDP source port
      randomization:

        http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;\
        a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
        http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24

    - (Test suite): Added the ability to explicitly run major classes of tests
      with two new command line arguments to the fwknop_test.pl script:
      --test-include <test>, and --test-exclude <test>.  In each case the
      <test> string is used as a sub-string match against the main identifying
      string for the name of the test.  For example, to run all tests for
      replay attacks, use "--test-include Replay", and for all port
      randomization tests use "--test-include random".  To see all possible
      classes of tests, run the test suite without any command line arguments
      and examine the test.log file.
    - (Test suite): Added tests for the legacy shared and encrypted port
      knocking modes.
    - (Legacy port knocking mode): Updated to not require iptables log
      messages to be written to the fwknopfifo named pipe and just parse the
      /var/log/messages file directly by default.  This can be configured via
      two new variables ENABLE_SYSLOG_FILE and IPT_SYSLOG_FILE (similarly to
      the psad project).  In support of this feature, install.pl now does not
      create the fwknopfifo or reconfigure the syslog daemon unless the
      --install-syslog-fifo argument is used, and the knopmd does not have to
      run.
    - (Legacy port knocking mode): Added the ability to re-open the
      /var/log/messages file if it is rotated by an external program such as
      logrotate.
    - (Test suite): Bugfix to use --fw-type argument on fwknopd command line.
      This fixes various tests on Mac OS X and FreeBSD systems running ipfw.
    - Minor bugfix to require a space character after variable names when
      parsing the fwknop.conf file via knopmd and knopwatchd (implemented in
      fwknop_funcs.c)

fwknop-1.9.5 (06/08/2008):
    - Updated to Class::MethodMaker 2.11 from CPAN.  This helps with systems
      running perl-5.10.0 and greater (such as Fedora 9).
    - Added the LOCALE variable to fwknop.conf and made the "C" locale set by
      default so that gpg process output would always be correctly
      interpreted.
    - Updated to Net::RawIP 0.23 from 0.21_03 and removed List::MoreUtils
      since Net::RawIP no longer requires it
    - Updated to Crypt::Rijndael 1.06 from 1.04.
    - Updated to Crypt::CBC 2.29 from 2.19.
    - Updated to GnuPG::Interface 0.36 from 0.34.
    - Removed legacy knopmd.conf file since knopmd uses the fwknop.conf file
      instead.  Also, note that knopmd only runs in the legacy port knocking
      mode to collect iptables log information from syslog.  The default
      authentication/authorization method used by fwknop is SPA which exhibits
      far better security properties than port knocking (see
      http://www.cipherdyne.org/fwknop/docs/SPA.html).

fwknop-1.9.4 (06/01/2008):
    - Added two new port randomization options.  The first instructs the
      fwknop client to select a random port between 10,000 and 65,535 as the
      destination port over which to send an SPA packet.  This feature is
      enabled with a new command line argument "--rand-port" like so:

      $ fwknop -A tcp/22 --rand-port -R -D 11.1.1.1

      On the fwknopd server side, the default PCAP_FILTER setting of "udp port
      62201" should be changed to "udp dst portrange 10000-65535" so that
      fwknopd can sniff SPA packets that are sent over randomized destination
      ports.  Randomizing the destination port makes it more difficult to
      write IDS signatures to detect fwknop SPA communications.

      The second port randomization technique uses a new SPA message type to
      tell the fwknopd daemon to create a NAT rule for access to a local
      socket via the iptables INPUT chain.  This allows an SSH client to meet
      the local SSHD daemon running on the fwknopd server system by SSH'ing to
      the random port.  This functionality is implemented via two new command
      line arguments on the fwknop client command line: "--NAT-rand-port" to
      instruct fwknop to select a random port over which the follow-on
      connection will be made), and "--NAT-local" (to instruct the fwknopd
      server that new firewall rules should NAT an incoming connection to the
      randomly selected port).  Here is an example:

      $ fwknop -A tcp/22 --NAT-rand-port --NAT-local -R -D 11.1.1.1

      Now the fwknop client will select a random port to NAT the incoming
      connection.  So say it selects port 31001 (as indicated by the output of
      fwknop on the command line as displayed below) - then you would SSH to
      this port to access the real SSH daemon on the system where fwknopd is
      running:

      [+] Sending 206 byte message to 127.0.0.1 over udp/46245...
      Requesting NAT access to tcp/22 on 127.0.0.1 via port 31001

      $ ssh -p 31001 <user>@11.1.1.1

      Note that in this case it is not necessary to use --NAT-access since the
      fwknopd daemon knows that access is requested to a local service (so an
      internal IP address does not have to be specified).

    - Added the ability to specify the port that SPA packets are sent over
      with the fwknop client by using the syntax "<host|IP>:<port>".  So, for
      example, to have the client send an SPA packet to 11.1.1.1 over UDP port
      12345 (instead of the default of 62201), one could use the following
      command:

      $ fwknop -A tcp/22 -R -D 11.1.1.1:12345

    - Bugfix to add a check for "keep-state" in ipfw policies in addition to
      the existing "check-state" check (noticed by Sebastien Jeanquier).
    - Updated the install.pl script to try to determine the OS type as early
      as possible during the install process.
    - Added the MIN_SPA_PKT_LEN variable with 150 (bytes) as the default.
      This allows fwknopd to ignore packets that are not at least this many
      bytes (including packet headers) before any decryption attempt is made.
    - Added --time-offset-plus and --time-offset-minus args to the fwknop
      client command line.  This allows the time stamp within an SPA packet to
      be influenced without setting the system clock (which normal users
      cannot usually do).  This is useful for when the client and server
      systems have clocks that are out of sync.
    - Bugfix on Ubuntu systems to make sure that the fwknop init script is
      installed with a priority of 99 instead of 20 - this puts fwknop as late
      as possible within the boot sequence so that the system is ready to run
      fwknop.
    - Bugfix to not open ports that are not specifically requested in an SPA
      packet even if those ports are listed in the OPEN_PORTS variable in the
      access.conf file.
    - Updated to version 5.47 of the Digest::SHA module.
    - Updated to version 0.7 of the IPTables::ChainMgr module (includes
      perldoc documentation).
    - Updated to version 0.6 of the IPTables::Parse module (includes perldoc
      documentation).
    - Added NAT, port randomization, and and time offset option discussions to
      fwknop(8) man page.

fwknop-1.9.3 (04/05/2008):
    - Added MASQUERADE and SNAT support to complement inbound DNAT connections
      for SPA packets that request --Forward-access to internal systems.  This
      functionality is only enabled when both ENABLE_IPT_FORWARDING and
      ENABLE_IPT_SNAT are set, and is configured by two new variables
      IPT_MASQUERADE_ACCESS and IPT_SNAT_ACCESS which define the iptables
      interface to creating SNAT rules.  The SNAT supplements of DNAT rules
      are not usually necessary because internal systems usually have a route
      back out to the Internet, but this feature accommodates those systems
      that do not have such a route.  By default, the MASQUERADE target is
      used if ENABLE_IPT_SNAT is enabled because this means that the external
      IP does not have to be manually defined.  However, the external IP can
      be defined by the SNAT_TRANSLATE_IP variable.
    - Added hex_dump() feature for fwknop client so that raw encrypted SPA
      packet data can be displayed in --verbose mode.
    - When ENABLE_IPT_FORWARDING is set, added a check for the value of the
      /proc/sys/net/ipv4/ip_forward file to ensure that the local system
      allows packets to be forwarded.  Unless ENABLE_PROC_IP_FORWARD is
      disabled, then fwknopd will automatically set the ip_forward file to "1"
      if it is set to "0" (again, only if ENABLE_IPT_FORWARDING is enabled).
    - Minor bugfix to remove sys_log() call in legacy port knocking mode.
    - Minor bugfix to expand both the Id and Revision tags via the
      svn:keywords directive.

fwknop-1.9.2 (03/12/2008):
    - Crypt::CBC adds the string "Salted__" to the beginning of the encrypted
      text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop
      client was updated to delete the encoded version of this string
      "U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire.
      The fwknopd server will add this string back in before decrypting.  This
      makes it harder to write an IDS signature that looks for fwknop traffic;
      e.g. look for the default prefix string "U2FsdGVkX1" over UDP port 62201,
      which would work for fwknop clients < 1.9.2 (as long as the port number
      is not changed with --Server-port).
    - Added more granular source IP and allowed IP tests so that access to
      particular internal IP addresses can be excluded in --Forward-access
      mode.  A new keyword "INTERNAL_NET_ACCESS" is now parsed from the
      access.conf file in order to implemented these restrictions.
    - (SPAPICT Group) Added BLACKLIST functionality to allow source IP
      addresses to easily be excluded from the authentication process.
    - (Grant Ferley) Submitted patch to handle SIGCHLD in IPTables::ChainMgr.
    - (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for
      packet capture (e.g. PPPoE interfaces).
    - (SPAPICT Group) Applied modified version of the client-defined access
      timeout patches submitted by the PICT SPA Group.  There are two new
      message types to facilitate client timeouts; one for normal access mode,
      and the other for the FORWARD access mode.  In the access.conf file,
      there is also a new variable "PERMIT_CLIENT_TIMEOUT" to allow each
      SOURCE stanza to allow client-defined timeouts or not.
    - (SPAPICT Group) Submitted patches to include support for the SHA1 digest
      algorithm for SPA packet replay attack detection.  I modified these
      patches for maximum configurability (see the --digest-alg argument on
      the fwknop command line), and the ability to use the SHA256 algorithm as
      well.  The default path to the /var/log/fwknop/md5sums file has been
      changed to /var/log/fwknop/digest.cache, and the default digest
      algorithm is now SHA256 (but this is tunable via the DIGEST_TYPE
      variable in the fwknop.conf file).
    - Added the Digest::SHA perl module in support of the SHA1 and SHA256
      digest algorithms for replay attack detection and SPA message integrity.
    - Added full packet hex dumps (including packet headers) to fwknopd in
      --debug --verbose mode.  This is to help diagnose packet sniffing issues
      over the loopback interface on Mac OS X (first reported by Sebastien
      Jeanquier).
    - (Test suite) Bugfix to ensure that the FWKNOP_DIR variable is set to the
      local output/ directory in several of the test config files in the
      test/conf/ directory.
    - (Test suite) Added several tests for configurable digest algorithms in
      support for the SHA256, SHA1, and MD5 digest changes made by the SPAPICT
      Group.
    - Updated the fwknop client to always call encode_base64() with the string
      to encode along with a second null-string argument to force all encoded
      data to not include line breaks.
    - Bugfix in install.pl to not test for the iptable command on non-Linux
      systems, and to not test for the ipfw command on systems that are Linux.
    - (Test suite) Updated to include the /proc/config.gz file so that the
      kernel config can be reviewed (not all Netfilter hooks are necessarily
      compiled in).

fwknop-1.9.1 (01/26/2008):
    - Added ENABLE_OUTPUT_ACCESS keyword to access.conf file parsing. This
      provides a similar configuration gate for the iptables OUTPUT chain to
      the ENABLE_FORWARD_ACCESS keyword, and adds the abiliy to control which
      access.conf SOURCE blocks interface to the OUTPUT chain.
    - Better installation support for various Linux distributions including
      Fedora 8 and Ubuntu.  The current runlevel is now acquired via the
      "runlevel" command instead of attempting to read /etc/inittab (which
      does not even exist on Ubuntu 7.10), and there are new command line
      arguments --init-dir, --init-name, and --runlevel to allow the init
      directory, init script name, and the runlevel to be manually specified
      on the install.pl command line.
    - Added command line argument display to fwknop client --verbose mode.
    - Updated the test suite to include OUTPUT chain tests, reference
      access.conf files in the test/conf/ directory, and perform SPA packet
      format validation tests by parsing fwknopd output.
    - Updated fwknopd to use always use the -c argument on the knoptm command
      line (this makes sure that the test suite usage of fwknopd causes knoptm
      to reference the correct configuration).
    - Updated IPTables::ChainMgr to print iptables command output to stdout or
      stderr if running in debug or verbose mode.
    - Added --Exclude-mod-regex to install.pl so that the installation of
      particular perl modules that match the supplied regex can be skipped.
    - Added SIGALRM wrapper to the test suite since some libpcap and system
      combinations break the ability of fwknopd to sniff packets.
    - Added srand() call to the fwknop client (this is useful for older
      versions of perl which do not automatically call srand() at the first
      rand() call if srand() was not already called).
    - Added a test to the test suite for sniffing packets over the loopback
      interface.
    - Added SPA packet aging test to the test suite to ensure that packet
      expirations work properly (this feature protects against MITM attacks
      where a valid SPA packet is stopped by an inline attacker and
      retransmitted at a later time to acquire access).
    - Added a file (test.log) to collect test suite console output.
    - Added --Prepare-results argument to test suite to anonymize test results
      and create a tarball that can be emailed to a third party to assist in
    - Added full firewall policy dumps and the collection of system specifics
      to the test suite. This makes it easy to send the output directory and
      the test.log file to developers to assist in debugging (no information
      is sent anywhere except as part of a manual process of course, and
      addresses can be anonymized with --Prepare-results - loopback addresses
      are not modified).
    - Added --fw-del-ip <IP> argument to fwknopd so that a specific IP address
      can be removed from the local firewall policy (this is used by the test
      suite to ensure that if a test for removed firewall rules fails then
      subsequent tests will not also fail because they are no longer tracked
      by a running knoptm instance).
    - Added a test to the test suite to collect fwknopd syslog output.  This
      is useful to see if a mechanism such as SELinux is deployed in a manner
      that prevents normal fwknop communications.
    - Bugfix to track MD5 digest for SPA command mode packets.
    - Bugfix in fwknopd to not open ports listed in OPEN_PORTS in the absence
      of the PERMIT_CLIENT_PORTS directive when an SPA packet contains a
      request for access to a port not listed in OPEN_PORTS.
      debugging fwknop if there are any issues.
    - Added --verbose flag to fwknopd commands issued by the test suite so
      that more data is collected for debugging analysis.
    - Added GnuPG tests to the test suite with dedicated keys (for use only
      with the test suite) in the test/conf/client-gpg and
      test/conf/server-gpg directories.
    - Added digest file validation to test suite to make sure that fwknopd
      correctly tracks SPA packet MD5 digests.
    - Updated to search state tracking rule in any iptables chain (many
      iptables policies have user-defined chains that can be a bit complicated
      to parse).
    - Updated install.pl to be more strict in stopping any running fwknopd
      processes.

fwknop-1.9.0 (12/15/2007):
    - Added a test suite so that fwknop and fwknopd functionality can be
      automatically tested over the loopback interface (see the fwknop_test.pl
      script in the test/ directory).
    - Major update to allow SPA packets to create DNAT connections to internal
      systems through the FORWARD chain (iptables only).  This is useful to
      connect through to internal systems (that may be running on non-routable
      IP addresses) via a border firewall or router that is running fwknopd to
      create inbound DNAT rules.
    - Added support for the iptables OUTPUT chain via two new variable in the
      fwknop.conf file: ENABLE_IPT_OUTPUT and IPT_OUTPUT_ACCESS. This is
      useful for iptables firewalls that are not running the conntrack modules
      and that have a restrictive OUTPUT chain (so SYN/ACK responses are not
      allowed out without an explicit ACCEPT rule).
    - Added the ability to force the fwknopd and knoptm daemons to restart
      themselves (via knopwatchd) after a configurable timeout (see the
      ENABLE_VOLUNTARY_EXITS and EXIT_INTERVAL variables in the
      /etc/fwknop/fwknop.conf file). This feature is for those that want
      fwknopd to go through its initialization routine periodically just in
      case there is a logic (or other) bug that might result in fwknopd not
      accepting a valid SPA packet. NOTE: This feature is disabled by default,
      and is not normally needed since fwknopd is quite stable in most
      deployments.
    - Major update to perform all firewall rule expirations with knoptm, which
      is now started in all data collection modes.  Older versions of fwknopd
      maintained its own firewall rule expiration code for the FILE_PCAP,
      ULOG_PCAP, and KNOCK modes, so two mechanisms were being maintained for
      the same purpose.  The 1.9.0 release fixes this oversight.
    - Minor bugfix to have knopwatchd generate syslog messages whenever an
      fwknop daemon needs to be restarted.
    - Added --interface command line argument to install.pl to allow the
      sniffing interface to be specified from the command line. Also updated
      install.pl to enforce a 10-try maximum for attempting to accept a valid
      interface name from the command line (LANG env issues can exist
      sometimes).
    - Updated SPA packet format for server_auth and forward_info elements;
      the internal MD5 sum is now always the last field in an SPA packet. This
      makes extensions of the SPA protocol much easier, and the generation of
      SPA packets more elegant. Also, SPA packet validation has been improved
      to ensure that fields that are supposed to be digits really only contain
      integer data.
    - Added ENABLE_FORWARD_ACCESS variable to the access.conf file, and added
      ENABLE_IPT_FORWARDING to the fwknop.conf file. These variables provide
      the per-SOURCE ability to create DNAT connnections through the FORWARD
      chain..
    - Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and
      IPT_FORWARD_ACCESS in fwknop.conf.
    - Added --Forward-access argument to the fwknop client.
    - Added client version number to syslog messages generated by fwknopd when
      a valid SPA packet is received.
    - Added human readable timestamp to MD5 cache. Here is an example of the
      update format:
        127.0.0.1 X6WF2C29kEgAv4aDJ8TDeQ [Wed Nov 28 09:24:46 2007]
    - Added --Count argument to fwknopd so that it calls exit() when the
      specified number of packets is monitored.
    - Added --no-logs argument to knoptm in support of the test suite so that
      no emails are generated.
    - Bugfix in fwknopd to account for non-Ethernet link layer header over
      *BSD loopback interfaces.
    - Added --Save-dst argument to the fwknop client to add a priority file to
      store client command line arguments (~/.fwknop.save). This file is only
      overwritten when --Save-dst is used.
    - Added fwknopd --fw-del-chains to allow the fwknopd iptables chains to
      easily be deleted.
    - Minor fwknopd bugfix to set process exit status to 0 when --Kill is
      used.

fwknop-1.8.3 (11/17/2007):
    - Updated external IP resolution to point to http://www.whatismyip.org,
      and added http://www.cipherdyne.org/cgi/clientip.cgi as a backup site
      for fwknop IP resolution.
    - Added storage of source IP along with SPA MD5 sum. This allows the user
      to infer which networks are more hostile if an SPA packet is replayed.
    - Added SPA packet hex dumps in 'fwknopd --debug' mode so that the
      integration of third-party encryption algorithms is easier to
      troubleshoot. Sean Greven contributed a patch for this.
    - Reinstated the legacy port knocking mode. It appears that all encrypted
      output from the updated Crypt::Rijndael module is at least 32 bytes
      long, so port knocking sequences are now 32 bytes long as well (they
      were previously 16 bytes long in old versions of fwknop).
    - Bugfix to ensure the key length is at least 8 chars in --get-key mode.
    - Minor update to remove init message on OS X install.
    - Updated install.pl to set the LANG environmental variable to
      "en_US.UTF-8". This should fix the problem where the output of ifconfig
      was not interpreted correctly if the locale LANG setting is not English.
    - Implemented verbose email alerting by setting the ALERTING_METHODS
      variable to "verbose". This instructs fwknopd to generate a new email
      message for each message that it normally logs vis syslog (this feature
      is not the default, and must be manually enabled).

fwknop-1.8.2 (09/15/2007):
    - Added fwknopd server support for Mac OS X. The Darwin uname return
      string is detected and this enables Darwin-specific installation code in
      install.pl.
    - Updated to not print sensitive key/password information in --debug mode
      with fwknopd.
    - Bugfix for install.pl on Windows 2003 Server running under Cygwin where
      'uname -o' output is reported 'Gygwin' for some reason.
    - Added --Cygwin-install command line argument to install.pl to force
      client-only fwknop install on Cygwin systems.
    - Added --OS-type command line argument to install.pl to allow the user to
      force the installation type.
    - Updated to version 1.04 of Crypt::Rijndael. This fixes incompatibilities
      between SPA packets between 64-bit and 32-bit platorms.
    - Bugfix to enforce a maximum of 20 tries to read a password from stdin.
    - Applied TCP options parsing fix from psad for invalid zero or one length
      fields that break TLV encoding (this is for fwknopd, and only applies to
      the legacy port knocking mode).
    - Added code to fwknopd to check to see if there are any state tracking
      rules in place within the local iptables or ipfw policy.
    - Made syslog identity, facility, and priority configurable (applied code
      from the psad project).
    - Implemented --fw-list for ipfw firewalls.
    - Bugfix for knoptm removing ipfw rules too quickly after not timing out
      previously instantiated rules properly.
    - Implemented smarter cache removal strategy in knoptm so that rules that
      are manually removed from the running iptables or ipfw policy are also
      removed from the cache.
    - Added /var/log/fwknop/errs/fwknopd.{warn,die} tracking to the fwknopd
      daemon for the PCAP modes of collecting packet data. Added
      knoptm{warn,die} files for knoptm as well.
    - Bugfix to import the GnuPG::Interface module in --get-key mode.
    - Bugfix to send source IP as a part of the command message in command
      mode so that REQUIRE_SOURCE_ADDRESS controls can be applied.
    - Added --Test-mode to fwknop client so that SPA packets can be built but
      never sent over the network.

fwknop-1.8.1 (06/06/2007):
    - Bugfix to ensure that the "keep-state" directive is added to firewall
      rules on systems running the ipfw firewall.
    - Added the --Save-packet and --Save-packet-file command line arguments
      to the fwknop client. These options instruct fwknop to save a copy of
      an encrypted SPA packet before it is sent across the network.
    - Bugfix to find minimal unused ipfw rule number for ipfw firewalls. This
      fixes an issue where ipfw rules added by fwknopd could be inserted at
      the same position as rules from an existing ipfw policy. While ipfw
      allows duplicate rules, whenever such a rule is deleted by its rule
      number all matching rules are deleted.

fwknop-1.8 (06/03/2007):
    - Added support for ipfw firewalls (found on *BSD systems).  The
      IPTables::Parse and IPTables::ChainMgr modules are not installed on
      such systems.
    - Added gpg-agent support for both the fwknop client and fwknopd SPA
      server.
    - Updated client-only installation mode to restrict perl module
      installation to those module that are actually required by the fwknop
      client. This results in clean installs of the fwknop client on Windows
      systems running Cygwin.
    - Added --Defaults to install.pl so that fwknop can be installed without
      prompting the user to answer any questions. This is to make it easier
      to install fwknop on the Source Mage Linux distro.
    - Consolidated daemon config files into the fwknop.conf file (except for
      the access.conf file). This simplifies the configuration of fwknop.
    - Added recursive variable resolution in the parsing routines for the
      fwknop.conf file. This allows variable values to contain embedded
      variables.
    - Added init script for FreeBSD systems.
    - Added --BSD-install command line argument to install.pl. This is not
      normally necessary since the installer should detect installations on
      *BSD systems, but this option can force this behavior.
    - Updated knopmd and knopwatchd to use safe_malloc() instead of malloc().
    - Bugfix to never time out rules from SOURCE blocks with FW_ACCESS_TIMEOUT
      set to zero

fwknop-1.0.1 (01/09/2007):
    - Updated fwknopd to allow the GPG_REMOTE_ID variable to have the value
      "ANY" to allow a SOURCE block to match on arbitrary remote gpg signing
      keys (Leland Weathers).
    - Bugfix to allow OPEN_PORTS to be omitted in access.conf in favor of
      having only PERMIT_CLIENT_PORTS enabled (reported by Raul Siles).
    - Added the cd_rpmbuilder script to make it easy to build RPM's out of
      CipherDyne projects by automatically downloading the project .tar.gz and
      .spec files from http://www.cipherdyne.org/.

fwknop-1.0 (11/05/2006):
    - Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header
      file.
    - Bugfix for access hashes accumluating when multiple ports are requested
      to be opened by a client.
    - Better validation of IPT_AUTO_CHAIN variable so that the from_chain
      cannot be identical to the to_chain.
    - Bugfix in RPM to install List::MoreUtils.
    - Bugfix so that the MD5 sum for an SPA packet is not examined for each
      SOURCE block.  This fixes a problem where an SPA packet could appear to
      be replayed if multiple SOURCE blocks are defined in
      /etc/fwknop/access.conf.
    - Refactored main SPA access loop so that it is clearer how and when SPA
      clients are granted access.
    - Better handling of GnuPG key identifier strings (they can now contain
      spaces, and syslog messages wrap the identifiers with double quotes).
    - Added source IP address to command string in the SPA packet so that
      the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd
      server.
    - Added --Show-last-cmd and --Show-host-cmd args to fwknop so that the
      last fwknop command and the last fwknop host commands can be viewed.
    - Added the svn revision number to --Version and --help output.

fwknop-0.9.9 (10/15/2006):
    - Added REQUIRE_SOURCE_ADDRESS (disabled by default) to force fwknop
      clients to know their source IP address (i.e. -s cannot be used).  So,
      either fwknop clients have to use -R to resolve their externally
      routable address, or they must just know what it is.
    - Updated to Net-RawIP-0.21_03 for compatibility with gcc-4.x compilers.
    - Added List-MoreUtils-0.22 which is a dependency of the new Net::RawIP
      module.
    - Bugfix to restore "start" functionality in Gentoo init script.
    - Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration
      variables in fwknopd.
    - Added KNOPTM_IPT_OUTPUT_FILE and KNOPTM_IPT_ERROR_FILE variables
      specifically for the knoptm daemon so that it can use IPTables::ChainMgr
      completely independently of fwknopd (this removes a potential race
      condition between fwknopd and knoptm).

fwknop-0.9.8 (09/17/2006):
    - Added the ability to ignore old SPA packets through use of the
      client-side time stamp.  This means that an attacker cannot intercept an
      SPA packet, prevent it from being forwarded to its intended destination,
      and then put the packet on the wire at some time outside of the allowed
      time window.  There are two new configuration options in fwknop.conf
      "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE" that control the
      length of the acceptable time window (2 minutes by default).  This
      requires some level of synchronization between the fwknop client and the
      fwknopd server, but this is not onerous through the use of NTP.  This
      feature is enabled by default, and the idea for it was contributed by
      Sebastien J.
    - Completely re-worked IPTables::ChainMgr to support the return of
      iptables error messages that are collected via stderr.  This is critical
      to fixing any bugs where fwknopd could die as a result of a poorly
      crafted iptables command.
      but no information would be returned to the user.
    - Added the ability to specify the position for both the jump rule into
      the fwknopd chains as well as the position for new rules within the
      fwknopd chains via the -I argument to iptables.  This fixes a bug where
      the user was given the impression that the IPTABLES_AUTO_RULENUM would
      accomplish this (IPTABLES_AUTO_RULENUM has been removed).
    - Updated fwknopd to require < 1500 byte payload length before attempting
      to decrypt.  Also, GnuPG decrypts are not attempted unless the encrypted
      payload is at least 400 bytes long (this is conservative since even
      encrypting a single byte with a 1024-bit key will result in about 340
      bytes of encrypted data).
    - Added the --gpg-default-key option to have fwknop use the default GnuPG
      key that is defined in the ~/.gnupg/options file.
    - Added the --URL command line argument so that a URL other than the
      default http://www.whatismyip.com/ can be provided by the user for
      external IP resolution (suggested by Sebastien J.).
    - Updated to be more rigorous with md5 sums; we now require that the
      md5_base64() function actually returns a non-null result.
    - Bugfix to make sure that only the users associated with the a specific
      REQUIRE_USERNAME value (in a specific SOURCE block in access.conf) are
      granted the appropriate access even if a valid encrypted packet is
      constructed from a different user name (by an fwknop client).
    - Populated the _debug option in the IPTables::ChainMgr module, and also
      added a _verbose option so that the specific iptables commands can
      actually be seen as IPTables::ChainMgr functions are called.
    - Added code to install.pl to update command paths in fwknop.conf and
      knopwatchd.conf if any of the paths are broken (i.e. the local system
      does not conform to the default paths).  By default this only happens if
      the user does not want old configs to be merged, but to override this
      use the new --path-update command line argument to install.pl.
    - Added the --Skip-mod-install command line argument to install.pl to
      allow all perl module installs to be skipped.
    - Added the --force-mod-regex command line argument to install.pl to allow
      a regex match on perl module names to force matching modules to be
      installed.
    - Minor bugfix to generate better (i.e. closer to those that Firefox
      generates) http requests to http://www.whatismyip.com/).
    - Adapted Mate Wierdl's RPM patch from the psad project so that the fwknop
      RPM builds on x86_64 systems.
    - Removed iptables requirement in RPM spec file because fwknop may be
      installed on a system just to run the fwknop client.
    - Updated to email username mismatch errors.

fwknop-0.9.7 (08/04/2006):
    - Added fwknop_serv to function as minimal TCP server over which SPA
      packets can be sent.  This allows SPA to be compatible with the Tor
      network, which requires that a virtual circuit is established before
      traffic can be sent.
    - Updated to Crypt::CBC-2.18 after a vulnerability was discovered in
      previous versions of Crypt::CBC that caused weak ciphertext to be
      generated for algorithms that have blocksizes greater than 8 bytes (such
      as Rijndael used by fwknop).  Manually specifying initialization vectors
      is not necessary now.
    - Updated SSH patch to support OpenSSH-4.3p2.
    - Bugfix to make sure to create /var/* directories if they don't exist
      (such as when /var is a tmpfs).
    - Bugfix (Dwayne Rightler) to restore -w IP lookup functionality after
      format change on data returned by whatismyip.com.
    - Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does
      not die if there are problems trying to decrypt data.  This is necessary
      because of the security vulnerability fix in Crypt::CBC that creates
      some incompatibilities in different versions of Crypt::CBC.
    - Added "--L-host" command line argument so that the arguments used for
      multiple hosts are preserved and can be recalled.
    - Changed default user-agent setting for whatismyip.com lookups to
      Firefox/1.0.5.4; there is no need to gratuitously advertise fwknop
      traffic.
    - Updated GunPG HOWTO to provide a step-by-step guide to getting fwknop
      Single Packet Authorization working with GnuPG.
    - Updated to derive perl module versions from the VERSION files within
      each of the perl module source directories.

fwknop-0.9.6 (01/13/2006):
    - Added GPG based authentication capability for SPA packets.  This new
      mode can be configured to require that a GPG message be signed with a
      particular key or set of keys.
    - In GPG mode, the fwknop client now prints GPG errors to stdout if not
      running with --gpg-no-batch-mode.
    - Added the ability to require that the client know the UNIX crypt()
      password associated with a username on the server side.  This
      functionality is enabled on the fwknop client with the "--Server-auth
      crypt" command line argument, and the REQUIRE_AUTH_METHOD variable in
      /etc/fwknop/access.conf on the fwknopd server.
    - Added patch against OpenSSH-4.2p1 to integrate SPA mode.  This patch
      adds a "-K <fwknop cmd line>" argument to the SSH client so that
      fwknop can be executed directly before an SSH connection is made.
    - Separated server and client portions of fwknop into "fwknopd" and
      fwknop repectively.  This will allow better portability to be
      developed since the client and server pieces can be developed more
      independently.  NOTE: With so many changes, it is probably a good idea
      to not preserve old fwknop configs via install.pl.
    - Renamed all relevant fwknopd command and file paths to support new
      fwknopd server component.
    - Added --quiet mode (this is used by default in the OpenSSH patch).
    - Removed legacy port knocking installation in install.pl (fwknopfifo,
      and fwdata file) unless the data collection mode is set to syslog or
      syslog-ng for legacy iptables log messages.
    - Added inode checking for PCAP_PKT_FILE. This helps to ensure that log
      rotation schemes don't interfere with reading packets out of the file
      since this check is size independent.
    - Bugfix for Makefile debug mode.
    - Added compilation check for perl programs in install.pl before
      installation into the filesystem.
    - Bugfix for knopwatchd to make sure it can actually restart all running
      daemons properly.
    - Added --force-mod command line argument to install.pl to allow the user
      to force all perl modules to be be installed regardless of whether a
      module exists in the system perl lib tree.
    - Added --no-save-args to fwknop so that existing .fwknop.run file can
      be preserved (helps to testing new features of fwknop client).
    - Removed useless --encrypt command line argument (only the old shared
      port knock sequences are not encrypted).

fwknop-0.9.5 (10/02/2005):
    - Added the ability to resolve the external IP associated with the
      local network via http://www.whatismyip.com.  This is a more secure
      method of accomplishing what the -s option performs.  The new
      command line option is --whatismyip (or just -w).
    - Updated fwknop to communicate with knoptm via a UNIX domain socket
      instead of the previous file-based communication.
    - Updated to flush the fwknop iptables chains at start time.
    - Bugfix for removing the wrong hash key in the knoptm IP cache.

fwknop-0.9.4 (09/17/2005):
    - Bugfix for knoptm timing out new entries based on old time values
      (this caused new rules to timed out too quickly).
    - Added support for multiple users in REQUIRE_USERNAME keyword in
      access.conf.
    - Added the ability to display raw encrypted packet data in client
      mode with --verbose.
    - Created fwknop RPM for RPM-based Linux distributions.
    - Bugfix for inappropriate redirects in command mode where the command
      already contained a redirect.

fwknop-0.9.3 (08/27/2005):
    - Added an on-disk cache of md5 sums so that the md5 sum check can
      survive restarts of fwknop.
    - Updated install.pl to be more friendly to Mac OS X (Blair Zajac).
    - Updated to allow access.conf variables to have values instead of just
      being defined.
    - Started on additional server authentication mode code (re-worked MD5
      sum calculation to allow packet format to be extended by taking into
      account the fwknop version number).

fwknop-0.9.2 (08/06/2005):
    - Added FILE_PCAP data collection method when running in server mode.
      This is a more general way of getting packets than the ULOG_PCAP
      mode since then a normal ethernet sniffer can be used to build the
      file.
    - Added the ability to re-open a pcap file if its size shrinks (i.e.
      it gets rotated out or something).
    - Bugfix for multiple rules with the same timestamp not being timed out
      by knoptm.
    - Integrated spoofing capability directly within fwknop (instead of
      using the knopspoof command) through the use of "require Net::RawIP".
    - Better multi-protocol support in server mode.  Tcp and icmp packets
      are properly decoded now.

fwknop-0.9.1 (07/29/2005):
    - Added the ability to specify multiple ports/protocols to access on a
      server with the --Access command line option.
    - Added the ability to spoof SPA packets over icmp and tcp protocols.
    - Added the ability to restrict access at the server to only those
      ports defined in the OPEN_PORTS keyword.  This option is controled by
      a new keyword "PERMIT_CLIENT_PORTS".
    - Bugfix for MD5 sum not being properly calculated over decrypted data.
      This allowed old packets that contained additional garbage data to
      be replayed against an fwknop server.
    - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
    - Added --ipt-list to list all current rules in the FWKNOP iptables
      chains.
    - Added --ipt-flush to flush all current rules in the FWKNOP iptables
      chains.
    - Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
    - Updated to delay the loading of server perl modules (Net::Pcap, etc.)
      only if we are running in server mode.
    - Bugfix for module directory paths in install.pl.

fwknop-0.9.0 (05/29/2005):
    - Added new authorization mode that uses Net::Pcap to read packets
      out of a file that is written to by the ulogd pcap writer (also
      stubbed in code to sniff packets directly off the wire).  This
      authorization mode only requires single packets, and has many
      characteristics that are better than simple port knocking, including
      being non-replayable, and much more data can be sent.  This mode
      is now the default for both the server and the client.
    - Made the execution of knopmd optional depending on whether AUTH_MODE
      is a pcap mode (e.g. ULOG_PCAP or PCAP).
    - Added --Spoof-src argument so that encrypted packets can be spoofed
      via /usr/sbin/knopspoof.
    - Added /usr/sbin/knoptm so that firewall rules can be timed-out when
      the server is running in PCAP mode even if new packets don't appear
      on the wire.
    - Updated fwknop man page to talk about the new pcap-based
      authorization mode.

fwknop-0.5.0 (03/19/2005):
    - Added ALERTING_METHOD to allow syslog and/or email reporting to be
      disabled (there is a dedicated file /etc/fwknop/alert.conf that
      governs this behavior, and both fwknop and knopwatchd reference this
      file).
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Added install_perl_module() install.pl from psad to provide a
      consistent installation interface.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Added --last-cmd option to allow fwknop to be executed with command
      line arguments from the previous execution (they are saved in
      ~/.fwknop.run).
    - Added --Home-dir option to allow the home directory to be manually
      specified.
    - Re-worked get_homedir() to be more friendly to systems that do not
      necessarily have /etc/passwd (e.g. OS X).
    - Added configuration preservation and querying for which syslog
      daemon is running to install.pl.  These features were adapted from the
      psad installer (http://www.cipherdyne.org/psad).
    - Added IPTables::ChainMgr.  Fwknop uses this module to maintain
      dedicated chains to which access rules are added.
    - Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
    - Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
    - Added init script for Fedora systems.
    - Added --Kill, --Restart, and --Status modes (this fixes the generic
      init script which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
    - Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
    - Added ability to specify multiple IPs/networks in a single SOURCE
      definition.
    - Better examples section in the fwknop manpage.
    - Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas
      (any commas are translated into spaces).
    - Added LICENSE file.

fwknop-0.3 (08/21/2004):
    - Bugfix for tracking knock sequences by source IP address.
    - Bugfix for knock sequence timeouts.
    - Removed old passive OS fingerprinting code in favor of the p0f
      strategy.
    - Added support for taking encryption keys from a file specified on
      the command line.
    - Update to send "sequence decrypt failed" email message only if
      decryption failed for all encrypt sequence SOURCE blocks.

fwknop-0.2 (07/31/2004):
    - Implemented remote username checking in encrypted sequences.
    - Added support for icmp in knock sequences.
    - Added protocol rotation option for encrypted sequences.
    - Added code for multiple SOURCE access blocks with the same source
      net/IP.
    - Added KNOCK_LIMIT access control variable to limit the number of
      times a particular knock sequence is honored.
    - Added email alerts.

fwknop-0.1 (07/08/2004):
    - Initial release.