root/fwknop/tags/fwknop-1.0/ChangeLog

fwknop-1.0 (11//2006):
    - Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header
      file.
    - Bugfix for access hashes accumluating when multiple ports are requested
      to be opened by a client.
    - Better validation of IPT_AUTO_CHAIN variable so that the from_chain
      cannot be identical to the to_chain.
    - Bugfix in RPM to install List::MoreUtils.
    - Bugfix so that the MD5 sum for an SPA packet is not examined for each
      SOURCE block.  This fixes a problem where an SPA packet could appear to
      be replayed if multiple SOURCE blocks are defined in
      /etc/fwknop/access.conf.
    - Refactored main SPA access loop so that it is clearer how and when SPA
      clients are granted access.
    - Better handling of GnuPG key identifier strings (they can now contain
      spaces, and syslog messages wrap the identifiers with double quotes).
    - Added source IP address to command string in the SPA packet so that
      the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd
      server.
    - Added --Show-last-cmd and --Show-host-cmd args to fwknop so that the
      last fwknop command and the last fwknop host commands can be viewed.
    - Added the svn revision number to --Version and --help output.

fwknop-0.9.9 (10/15/2006):
    - Added REQUIRE_SOURCE_ADDRESS (disabled by default) to force fwknop
      clients to know their source IP address (i.e. -s cannot be used).  So,
      either fwknop clients have to use -R to resolve their externally
      routable address, or they must just know what it is.
    - Updated to Net-RawIP-0.21_03 for compatibility with gcc-4.x compilers.
    - Added List-MoreUtils-0.22 which is a dependency of the new Net::RawIP
      module.
    - Bugfix to restore "start" functionality in Gentoo init script.
    - Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration
      variables in fwknopd.
    - Added KNOPTM_IPT_OUTPUT_FILE and KNOPTM_IPT_ERROR_FILE variables
      specifically for the knoptm daemon so that it can use IPTables::ChainMgr
      completely independently of fwknopd (this removes a potential race
      condition between fwknopd and knoptm).

fwknop-0.9.8 (09/17/2006):
    - Added the ability to ignore old SPA packets through use of the
      client-side time stamp.  This means that an attacker cannot intercept an
      SPA packet, prevent it from being forwarded to its intended destination,
      and then put the packet on the wire at some time outside of the allowed
      time window.  There are two new configuration options in fwknop.conf
      "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE" that control the
      length of the acceptable time window (2 minutes by default).  This
      requires some level of synchronization between the fwknop client and the
      fwknopd server, but this is not onerous through the use of NTP.  This
      feature is enabled by default, and the idea for it was contributed by
      Sebastien J.
    - Completely re-worked IPTables::ChainMgr to support the return of
      iptables error messages that are collected via stderr.  This is critical
      to fixing any bugs where fwknopd could die as a result of a poorly
      crafted iptables command.
      but no information would be returned to the user.
    - Added the ability to specify the position for both the jump rule into
      the fwknopd chains as well as the position for new rules within the
      fwknopd chains via the -I argument to iptables.  This fixes a bug where
      the user was given the impression that the IPTABLES_AUTO_RULENUM would
      accomplish this (IPTABLES_AUTO_RULENUM has been removed).
    - Updated fwknopd to require < 1500 byte payload length before attempting
      to decrypt.  Also, GnuPG decrypts are not attempted unless the encrypted
      payload is at least 400 bytes long (this is conservative since even
      encrypting a single byte with a 1024-bit key will result in about 340
      bytes of encrypted data).
    - Added the --gpg-default-key option to have fwknop use the default GnuPG
      key that is defined in the ~/.gnupg/options file.
    - Added the --URL command line argument so that a URL other than the
      default http://www.whatismyip.com/ can be provided by the user for
      external IP resolution (suggested by Sebastien J.).
    - Updated to be more rigorous with md5 sums; we now require that the
      md5_base64() function actually returns a non-null result.
    - Bugfix to make sure that only the users associated with the a specific
      REQUIRE_USERNAME value (in a specific SOURCE block in access.conf) are
      granted the appropriate access even if a valid encrypted packet is
      constructed from a different user name (by an fwknop client).
    - Populated the _debug option in the IPTables::ChainMgr module, and also
      added a _verbose option so that the specific iptables commands can
      actually be seen as IPTables::ChainMgr functions are called.
    - Added code to install.pl to update command paths in fwknop.conf and
      knopwatchd.conf if any of the paths are broken (i.e. the local system
      does not conform to the default paths).  By default this only happens if
      the user does not want old configs to be merged, but to override this
      use the new --path-update command line argument to install.pl.
    - Added the --Skip-mod-install command line argument to install.pl to
      allow all perl module installs to be skipped.
    - Added the --force-mod-regex command line argument to install.pl to allow
      a regex match on perl module names to force matching modules to be
      installed.
    - Minor bugfix to generate better (i.e. closer to those that Firefox
      generates) http requests to http://www.whatismyip.com/).
    - Adapted Mate Wierdl's RPM patch from the psad project so that the fwknop
      RPM builds on x86_64 systems.
    - Removed iptables requirement in RPM spec file because fwknop may be
      installed on a system just to run the fwknop client.
    - Updated to email username mismatch errors.

fwknop-0.9.7 (08/04/2006):
    - Added fwknop_serv to function as minimal TCP server over which SPA
      packets can be sent.  This allows SPA to be compatible with the Tor
      network, which requires that a virtual circuit is established before
      traffic can be sent.
    - Updated to Crypt::CBC-2.18 after a vulnerability was discovered in
      previous versions of Crypt::CBC that caused weak ciphertext to be
      generated for algorithms that have blocksizes greater than 8 bytes (such
      as Rijndael used by fwknop).  Manually specifying initialization vectors
      is not necessary now.
    - Updated SSH patch to support OpenSSH-4.3p2.
    - Bugfix to make sure to create /var/* directories if they don't exist
      (such as when /var is a tmpfs).
    - Bugfix (Dwayne Rightler) to restore -w IP lookup functionality after
      format change on data returned by whatismyip.com.
    - Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does
      not die if there are problems trying to decrypt data.  This is necessary
      because of the security vulnerability fix in Crypt::CBC that creates
      some incompatibilities in different versions of Crypt::CBC.
    - Added "--L-host" command line argument so that the arguments used for
      multiple hosts are preserved and can be recalled.
    - Changed default user-agent setting for whatismyip.com lookups to
      Firefox/1.0.5.4; there is no need to gratuitously advertise fwknop
      traffic.
    - Updated GunPG HOWTO to provide a step-by-step guide to getting fwknop
      Single Packet Authorization working with GnuPG.
    - Updated to derive perl module versions from the VERSION files within
      each of the perl module source directories.

fwknop-0.9.6 (01/13/2006):
    - Added GPG based authentication capability for SPA packets.  This new
      mode can be configured to require that a GPG message be signed with a
      particular key or set of keys.
    - In GPG mode, the fwknop client now prints GPG errors to stdout if not
      running with --gpg-no-batch-mode.
    - Added the ability to require that the client know the UNIX crypt()
      password associated with a username on the server side.  This
      functionality is enabled on the fwknop client with the "--Server-auth
      crypt" command line argument, and the REQUIRE_AUTH_METHOD variable in
      /etc/fwknop/access.conf on the fwknopd server.
    - Added patch against OpenSSH-4.2p1 to integrate SPA mode.  This patch
      adds a "-K <fwknop cmd line>" argument to the SSH client so that
      fwknop can be executed directly before an SSH connection is made.
    - Separated server and client portions of fwknop into "fwknopd" and
      fwknop repectively.  This will allow better portability to be
      developed since the client and server pieces can be developed more
      independently.  NOTE: With so many changes, it is probably a good idea
      to not preserve old fwknop configs via install.pl.
    - Renamed all relevant fwknopd command and file paths to support new
      fwknopd server component.
    - Added --quiet mode (this is used by default in the OpenSSH patch).
    - Removed legacy port knocking installation in install.pl (fwknopfifo,
      and fwdata file) unless the data collection mode is set to syslog or
      syslog-ng for legacy Netfilter log messages.
    - Added inode checking for PCAP_PKT_FILE. This helps to ensure that log
      rotation schemes don't interfere with reading packets out of the file
      since this check is size independent.
    - Bugfix for Makefile debug mode.
    - Added compilation check for perl programs in install.pl before
      installation into the filesystem.
    - Bugfix for knopwatchd to make sure it can actually restart all running
      daemons properly.
    - Added --force-mod command line argument to install.pl to allow the user
      to force all perl modules to be be installed regardless of whether a
      module exists in the system perl lib tree.
    - Added --no-save-args to fwknop so that existing .fwknop.run file can
      be preserved (helps to testing new features of fwknop client).
    - Removed useless --encrypt command line argument (only the old shared
      port knock sequences are not encrypted).

fwknop-0.9.5 (10/02/2005):
    - Added the ability to resolve the external IP associated with the
      local network via http://www.whatismyip.com.  This is a more secure
      method of accomplishing what the -s option performs.  The new
      command line option is --whatismyip (or just -w).
    - Updated fwknop to communicate with knoptm via a UNIX domain socket
      instead of the previous file-based communication.
    - Updated to flush the fwknop Netfilter chains at start time.
    - Bugfix for removing the wrong hash key in the knoptm IP cache.

fwknop-0.9.4 (09/17/2005):
    - Bugfix for knoptm timing out new entries based on old time values
      (this caused new rules to timed out too quickly).
    - Added support for multiple users in REQUIRE_USERNAME keyword in
      access.conf.
    - Added the ability to display raw encrypted packet data in client
      mode with --verbose.
    - Created fwknop RPM for RPM-based Linux distributions.
    - Bugfix for inappropriate redirects in command mode where the command
      already contained a redirect.

fwknop-0.9.3 (08/27/2005):
    - Added an on-disk cache of md5 sums so that the md5 sum check can
      survive restarts of fwknop.
    - Updated install.pl to be more friendly to Mac OS X (Blair Zajac).
    - Updated to allow access.conf variables to have values instead of just
      being defined.
    - Started on additional server authentication mode code (re-worked MD5
      sum calculation to allow packet format to be extended by taking into
      account the fwknop version number).

fwknop-0.9.2 (08/06/2005):
    - Added FILE_PCAP data collection method when running in server mode.
      This is a more general way of getting packets than the ULOG_PCAP
      mode since then a normal ethernet sniffer can be used to build the
      file.
    - Added the ability to re-open a pcap file if its size shrinks (i.e.
      it gets rotated out or something).
    - Bugfix for multiple rules with the same timestamp not being timed out
      by knoptm.
    - Integrated spoofing capability directly within fwknop (instead of
      using the knopspoof command) through the use of "require Net::RawIP".
    - Better multi-protocol support in server mode.  Tcp and icmp packets
      are properly decoded now.

fwknop-0.9.1 (07/29/2005):
    - Added the ability to specify multiple ports/protocols to access on a
      server with the --Access command line option.
    - Added the ability to spoof SPA packets over icmp and tcp protocols.
    - Added the ability to restrict access at the server to only those
      ports defined in the OPEN_PORTS keyword.  This option is controled by
      a new keyword "PERMIT_CLIENT_PORTS".
    - Bugfix for MD5 sum not being properly calculated over decrypted data.
      This allowed old packets that contained additional garbage data to
      be replayed against an fwknop server.
    - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
    - Added --ipt-list to list all current rules in the FWKNOP Netfilter
      chains.
    - Added --ipt-flush to flush all current rules in the FWKNOP Netfilter
      chains.
    - Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
    - Updated to delay the loading of server perl modules (Net::Pcap, etc.)
      only if we are running in server mode.
    - Bugfix for module directory paths in install.pl.

fwknop-0.9.0 (05/29/2005):
    - Added new authorization mode that uses Net::Pcap to read packets
      out of a file that is written to by the ulogd pcap writer (also
      stubbed in code to sniff packets directly off the wire).  This
      authorization mode only requires single packets, and has many
      characteristics that are better than simple port knocking, including
      being non-replayable, and much more data can be sent.  This mode
      is now the default for both the server and the client.
    - Made the execution of knopmd optional depending on whether AUTH_MODE
      is a pcap mode (e.g. ULOG_PCAP or PCAP).
    - Added --Spoof-src argument so that encrypted packets can be spoofed
      via /usr/sbin/knopspoof.
    - Added /usr/sbin/knoptm so that firewall rules can be timed-out when
      the server is running in PCAP mode even if new packets don't appear
      on the wire.
    - Updated fwknop man page to talk about the new pcap-based
      authorization mode.

fwknop-0.5.0 (03/19/2005):
    - Added ALERTING_METHOD to allow syslog and/or email reporting to be
      disabled (there is a dedicated file /etc/fwknop/alert.conf that
      governs this behavior, and both fwknop and knopwatchd reference this
      file).
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Added install_perl_module() install.pl from psad to provide a
      consistent installation interface.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Added --last-cmd option to allow fwknop to be executed with command
      line arguments from the previous execution (they are saved in
      ~/.fwknop.run).
    - Added --Home-dir option to allow the home directory to be manually
      specified.
    - Re-worked get_homedir() to be more friendly to systems that do not
      necessarily have /etc/passwd (e.g. OS X).
    - Added configuration preservation and querying for which syslog
      daemon is running to install.pl.  These features were adapted from the
      psad installer (http://www.cipherdyne.org/psad).
    - Added IPTables::ChainMgr.  Fwknop uses this module to maintain
      dedicated chains to which access rules are added.
    - Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
    - Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
    - Added init script for Fedora systems.
    - Added --Kill, --Restart, and --Status modes (this fixes the generic
      init script which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
    - Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
    - Added ability to specify multiple IPs/networks in a single SOURCE
      definition.
    - Better examples section in the fwknop manpage.
    - Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas
      (any commas are translated into spaces).
    - Added LICENSE file.

fwknop-0.3 (08/21/2004):
    - Bugfix for tracking knock sequences by source IP address.
    - Bugfix for knock sequence timeouts.
    - Removed old passive OS fingerprinting code in favor of the p0f
      strategy.
    - Added support for taking encryption keys from a file specified on
      the command line.
    - Update to send "sequence decrypt failed" email message only if
      decryption failed for all encrypt sequence SOURCE blocks.

fwknop-0.2 (07/31/2004):
    - Implemented remote username checking in encrypted sequences.
    - Added support for icmp in knock sequences.
    - Added protocol rotation option for encrypted sequences.
    - Added code for multiple SOURCE access blocks with the same source
      net/IP.
    - Added KNOCK_LIMIT access control variable to limit the number of
      times a particular knock sequence is honored.
    - Added email alerts.

fwknop-0.1 (07/08/2004):
    - Initial release.