root/fwknop/tags/fwknop-1.8.4-pre2/ChangeLog

fwknop-1.8.4 (11//2007):
    - Added the ability to force the fwknopd and knoptm daemons to restart
      themselves (via knopwatchd) after a configurable timeout (see the
      ENABLE_VOLUNTARY_EXITS and EXIT_INTERVAL variables in the
      /etc/fwknop/fwknop.conf file). This feature is for those that want
      fwknopd to go through its initialization routine periodically just in
      case there is a logic (or other) bug that might result in fwknopd not
      accepting a valid SPA packet. NOTE: This feature is disabled by default,
      and is not normally needed since fwknopd is quite stable in most
      deployments.
    - Minor bugfix to have knopwatchd generate syslog messages whenever an
      fwknop daemon needs to be restarted.
    - Added --interface command line argument to install.pl to allow the
      sniffing interface to be specified from the command line. Also updated
      install.pl to enforce a 10-try maximum for attempting to accept a valid
      interface name from the command line (LANG env issues can exist
      sometimes).
    - Major update to start working on forwarding access through an iptables
      policy in SPA mode.
    - Updated SPA packet format for server_auth and forward_info elements;
      the internal MD5 sum is now always the last field in an SPA packet. This
      makes extensions of the SPA protocol much easier, and the generation of
      SPA packets more elegant. Also, SPA packet validation has been improved
      to ensure that fields that are supposed to be digits really only contain
      integer data.
    - Added FORWARD_ACCESS variable to the access.conf file, and added
      ENABLE_IPT_FORWARDING to the fwknop.conf file.
    - Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and
      IPT_FORWARD_ACCESS in fwknop.conf.
    - Added --Forward-access argument to the fwknop client.

fwknop-1.8.3 (11/17/2007):
    - Updated external IP resolution to point to http://www.whatismyip.org,
      and added http://www.cipherdyne.org/cgi/clientip.cgi as a backup site
      for fwknop IP resolution.
    - Added storage of source IP along with SPA MD5 sum. This allows the user
      to infer which networks are more hostile if an SPA packet is replayed.
    - Added SPA packet hex dumps in 'fwknopd --debug' mode so that the
      integration of third-party encryption algorithms is easier to
      troubleshoot. Sean Greven contributed a patch for this.
    - Reinstated the legacy port knocking mode. It appears that all encrypted
      output from the updated Crypt::Rijndael module is at least 32 bytes
      long, so port knocking sequences are now 32 bytes long as well (they
      were previously 16 bytes long in old versions of fwknop).
    - Bugfix to ensure the key length is at least 8 chars in --get-key mode.
    - Minor update to remove init message on OS X install.
    - Updated install.pl to set the LANG environmental variable to
      "en_US.UTF-8". This should fix the problem where the output of ifconfig
      was not interpreted correctly if the locale LANG setting is not English.
    - Implemented verbose email alerting by setting the ALERTING_METHODS
      variable to "verbose". This instructs fwknopd to generate a new email
      message for each message that it normally logs vis syslog (this feature
      is not the default, and must be manually enabled).

fwknop-1.8.2 (09/15/2007):
    - Added fwknopd server support for Mac OS X. The Darwin uname return
      string is detected and this enables Darwin-specific installation code in
      install.pl.
    - Updated to not print sensitive key/password information in --debug mode
      with fwknopd.
    - Bugfix for install.pl on Windows 2003 Server running under Cygwin where
      'uname -o' output is reported 'Gygwin' for some reason.
    - Added --Cygwin-install command line argument to install.pl to force
      client-only fwknop install on Cygwin systems.
    - Added --OS-type command line argument to install.pl to allow the user to
      force the installation type.
    - Updated to version 1.04 of Crypt::Rijndael. This fixes incompatibilities
      between SPA packets between 64-bit and 32-bit platorms.
    - Bugfix to enforce a maximum of 20 tries to read a password from stdin.
    - Applied TCP options parsing fix from psad for invalid zero or one length
      fields that break TLV encoding (this is for fwknopd, and only applies to
      the legacy port knocking mode).
    - Added code to fwknopd to check to see if there are any state tracking
      rules in place within the local iptables or ipfw policy.
    - Made syslog identity, facility, and priority configurable (applied code
      from the psad project).
    - Implemented --fw-list for ipfw firewalls.
    - Bugfix for knoptm removing ipfw rules too quickly after not timing out
      previously instantiated rules properly.
    - Implemented smarter cache removal strategy in knoptm so that rules that
      are manually removed from the running iptables or ipfw policy are also
      removed from the cache.
    - Added /var/log/fwknop/errs/fwknopd.{warn,die} tracking to the fwknopd
      daemon for the PCAP modes of collecting packet data. Added
      knoptm{warn,die} files for knoptm as well.
    - Bugfix to import the GnuPG::Interface module in --get-key mode.
    - Bugfix to send source IP as a part of the command message in command
      mode so that REQUIRE_SOURCE_ADDRESS controls can be applied.
    - Added --Test-mode to fwknop client so that SPA packets can be built but
      never sent over the network.

fwknop-1.8.1 (06/06/2007):
    - Bugfix to ensure that the "keep-state" directive is added to firewall
      rules on systems running the ipfw firewall.
    - Added the --Save-packet and --Save-packet-file command line arguments
      to the fwknop client. These options instruct fwknop to save a copy of
      an encrypted SPA packet before it is sent across the network.
    - Bugfix to find minimal unused ipfw rule number for ipfw firewalls. This
      fixes an issue where ipfw rules added by fwknopd could be inserted at
      the same position as rules from an existing ipfw policy. While ipfw
      allows duplicate rules, whenever such a rule is deleted by its rule
      number all matching rules are deleted.

fwknop-1.8 (06/03/2007):
    - Added support for ipfw firewalls (found on *BSD systems).  The
      IPTables::Parse and IPTables::ChainMgr modules are not installed on
      such systems.
    - Added gpg-agent support for both the fwknop client and fwknopd SPA
      server.
    - Updated client-only installation mode to restrict perl module
      installation to those module that are actually required by the fwknop
      client. This results in clean installs of the fwknop client on Windows
      systems running Cygwin.
    - Added --Defaults to install.pl so that fwknop can be installed without
      prompting the user to answer any questions. This is to make it easier
      to install fwknop on the Source Mage Linux distro.
    - Consolidated daemon config files into the fwknop.conf file (except for
      the access.conf file). This simplifies the configuration of fwknop.
    - Added recursive variable resolution in the parsing routines for the
      fwknop.conf file. This allows variable values to contain embedded
      variables.
    - Added init script for FreeBSD systems.
    - Added --BSD-install command line argument to install.pl. This is not
      normally necessary since the installer should detect installations on
      *BSD systems, but this option can force this behavior.
    - Updated knopmd and knopwatchd to use safe_malloc() instead of malloc().
    - Bugfix to never time out rules from SOURCE blocks with FW_ACCESS_TIMEOUT
      set to zero

fwknop-1.0.1 (01/09/2007):
    - Updated fwknopd to allow the GPG_REMOTE_ID variable to have the value
      "ANY" to allow a SOURCE block to match on arbitrary remote gpg signing
      keys (Leland Weathers).
    - Bugfix to allow OPEN_PORTS to be omitted in access.conf in favor of
      having only PERMIT_CLIENT_PORTS enabled (reported by Raul Siles).
    - Added the cd_rpmbuilder script to make it easy to build RPM's out of
      CipherDyne projects by automatically downloading the project .tar.gz and
      .spec files from http://www.cipherdyne.org/.

fwknop-1.0 (11/05/2006):
    - Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header
      file.
    - Bugfix for access hashes accumluating when multiple ports are requested
      to be opened by a client.
    - Better validation of IPT_AUTO_CHAIN variable so that the from_chain
      cannot be identical to the to_chain.
    - Bugfix in RPM to install List::MoreUtils.
    - Bugfix so that the MD5 sum for an SPA packet is not examined for each
      SOURCE block.  This fixes a problem where an SPA packet could appear to
      be replayed if multiple SOURCE blocks are defined in
      /etc/fwknop/access.conf.
    - Refactored main SPA access loop so that it is clearer how and when SPA
      clients are granted access.
    - Better handling of GnuPG key identifier strings (they can now contain
      spaces, and syslog messages wrap the identifiers with double quotes).
    - Added source IP address to command string in the SPA packet so that
      the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd
      server.
    - Added --Show-last-cmd and --Show-host-cmd args to fwknop so that the
      last fwknop command and the last fwknop host commands can be viewed.
    - Added the svn revision number to --Version and --help output.

fwknop-0.9.9 (10/15/2006):
    - Added REQUIRE_SOURCE_ADDRESS (disabled by default) to force fwknop
      clients to know their source IP address (i.e. -s cannot be used).  So,
      either fwknop clients have to use -R to resolve their externally
      routable address, or they must just know what it is.
    - Updated to Net-RawIP-0.21_03 for compatibility with gcc-4.x compilers.
    - Added List-MoreUtils-0.22 which is a dependency of the new Net::RawIP
      module.
    - Bugfix to restore "start" functionality in Gentoo init script.
    - Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration
      variables in fwknopd.
    - Added KNOPTM_IPT_OUTPUT_FILE and KNOPTM_IPT_ERROR_FILE variables
      specifically for the knoptm daemon so that it can use IPTables::ChainMgr
      completely independently of fwknopd (this removes a potential race
      condition between fwknopd and knoptm).

fwknop-0.9.8 (09/17/2006):
    - Added the ability to ignore old SPA packets through use of the
      client-side time stamp.  This means that an attacker cannot intercept an
      SPA packet, prevent it from being forwarded to its intended destination,
      and then put the packet on the wire at some time outside of the allowed
      time window.  There are two new configuration options in fwknop.conf
      "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE" that control the
      length of the acceptable time window (2 minutes by default).  This
      requires some level of synchronization between the fwknop client and the
      fwknopd server, but this is not onerous through the use of NTP.  This
      feature is enabled by default, and the idea for it was contributed by
      Sebastien J.
    - Completely re-worked IPTables::ChainMgr to support the return of
      iptables error messages that are collected via stderr.  This is critical
      to fixing any bugs where fwknopd could die as a result of a poorly
      crafted iptables command.
      but no information would be returned to the user.
    - Added the ability to specify the position for both the jump rule into
      the fwknopd chains as well as the position for new rules within the
      fwknopd chains via the -I argument to iptables.  This fixes a bug where
      the user was given the impression that the IPTABLES_AUTO_RULENUM would
      accomplish this (IPTABLES_AUTO_RULENUM has been removed).
    - Updated fwknopd to require < 1500 byte payload length before attempting
      to decrypt.  Also, GnuPG decrypts are not attempted unless the encrypted
      payload is at least 400 bytes long (this is conservative since even
      encrypting a single byte with a 1024-bit key will result in about 340
      bytes of encrypted data).
    - Added the --gpg-default-key option to have fwknop use the default GnuPG
      key that is defined in the ~/.gnupg/options file.
    - Added the --URL command line argument so that a URL other than the
      default http://www.whatismyip.com/ can be provided by the user for
      external IP resolution (suggested by Sebastien J.).
    - Updated to be more rigorous with md5 sums; we now require that the
      md5_base64() function actually returns a non-null result.
    - Bugfix to make sure that only the users associated with the a specific
      REQUIRE_USERNAME value (in a specific SOURCE block in access.conf) are
      granted the appropriate access even if a valid encrypted packet is
      constructed from a different user name (by an fwknop client).
    - Populated the _debug option in the IPTables::ChainMgr module, and also
      added a _verbose option so that the specific iptables commands can
      actually be seen as IPTables::ChainMgr functions are called.
    - Added code to install.pl to update command paths in fwknop.conf and
      knopwatchd.conf if any of the paths are broken (i.e. the local system
      does not conform to the default paths).  By default this only happens if
      the user does not want old configs to be merged, but to override this
      use the new --path-update command line argument to install.pl.
    - Added the --Skip-mod-install command line argument to install.pl to
      allow all perl module installs to be skipped.
    - Added the --force-mod-regex command line argument to install.pl to allow
      a regex match on perl module names to force matching modules to be
      installed.
    - Minor bugfix to generate better (i.e. closer to those that Firefox
      generates) http requests to http://www.whatismyip.com/).
    - Adapted Mate Wierdl's RPM patch from the psad project so that the fwknop
      RPM builds on x86_64 systems.
    - Removed iptables requirement in RPM spec file because fwknop may be
      installed on a system just to run the fwknop client.
    - Updated to email username mismatch errors.

fwknop-0.9.7 (08/04/2006):
    - Added fwknop_serv to function as minimal TCP server over which SPA
      packets can be sent.  This allows SPA to be compatible with the Tor
      network, which requires that a virtual circuit is established before
      traffic can be sent.
    - Updated to Crypt::CBC-2.18 after a vulnerability was discovered in
      previous versions of Crypt::CBC that caused weak ciphertext to be
      generated for algorithms that have blocksizes greater than 8 bytes (such
      as Rijndael used by fwknop).  Manually specifying initialization vectors
      is not necessary now.
    - Updated SSH patch to support OpenSSH-4.3p2.
    - Bugfix to make sure to create /var/* directories if they don't exist
      (such as when /var is a tmpfs).
    - Bugfix (Dwayne Rightler) to restore -w IP lookup functionality after
      format change on data returned by whatismyip.com.
    - Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does
      not die if there are problems trying to decrypt data.  This is necessary
      because of the security vulnerability fix in Crypt::CBC that creates
      some incompatibilities in different versions of Crypt::CBC.
    - Added "--L-host" command line argument so that the arguments used for
      multiple hosts are preserved and can be recalled.
    - Changed default user-agent setting for whatismyip.com lookups to
      Firefox/1.0.5.4; there is no need to gratuitously advertise fwknop
      traffic.
    - Updated GunPG HOWTO to provide a step-by-step guide to getting fwknop
      Single Packet Authorization working with GnuPG.
    - Updated to derive perl module versions from the VERSION files within
      each of the perl module source directories.

fwknop-0.9.6 (01/13/2006):
    - Added GPG based authentication capability for SPA packets.  This new
      mode can be configured to require that a GPG message be signed with a
      particular key or set of keys.
    - In GPG mode, the fwknop client now prints GPG errors to stdout if not
      running with --gpg-no-batch-mode.
    - Added the ability to require that the client know the UNIX crypt()
      password associated with a username on the server side.  This
      functionality is enabled on the fwknop client with the "--Server-auth
      crypt" command line argument, and the REQUIRE_AUTH_METHOD variable in
      /etc/fwknop/access.conf on the fwknopd server.
    - Added patch against OpenSSH-4.2p1 to integrate SPA mode.  This patch
      adds a "-K <fwknop cmd line>" argument to the SSH client so that
      fwknop can be executed directly before an SSH connection is made.
    - Separated server and client portions of fwknop into "fwknopd" and
      fwknop repectively.  This will allow better portability to be
      developed since the client and server pieces can be developed more
      independently.  NOTE: With so many changes, it is probably a good idea
      to not preserve old fwknop configs via install.pl.
    - Renamed all relevant fwknopd command and file paths to support new
      fwknopd server component.
    - Added --quiet mode (this is used by default in the OpenSSH patch).
    - Removed legacy port knocking installation in install.pl (fwknopfifo,
      and fwdata file) unless the data collection mode is set to syslog or
      syslog-ng for legacy iptables log messages.
    - Added inode checking for PCAP_PKT_FILE. This helps to ensure that log
      rotation schemes don't interfere with reading packets out of the file
      since this check is size independent.
    - Bugfix for Makefile debug mode.
    - Added compilation check for perl programs in install.pl before
      installation into the filesystem.
    - Bugfix for knopwatchd to make sure it can actually restart all running
      daemons properly.
    - Added --force-mod command line argument to install.pl to allow the user
      to force all perl modules to be be installed regardless of whether a
      module exists in the system perl lib tree.
    - Added --no-save-args to fwknop so that existing .fwknop.run file can
      be preserved (helps to testing new features of fwknop client).
    - Removed useless --encrypt command line argument (only the old shared
      port knock sequences are not encrypted).

fwknop-0.9.5 (10/02/2005):
    - Added the ability to resolve the external IP associated with the
      local network via http://www.whatismyip.com.  This is a more secure
      method of accomplishing what the -s option performs.  The new
      command line option is --whatismyip (or just -w).
    - Updated fwknop to communicate with knoptm via a UNIX domain socket
      instead of the previous file-based communication.
    - Updated to flush the fwknop iptables chains at start time.
    - Bugfix for removing the wrong hash key in the knoptm IP cache.

fwknop-0.9.4 (09/17/2005):
    - Bugfix for knoptm timing out new entries based on old time values
      (this caused new rules to timed out too quickly).
    - Added support for multiple users in REQUIRE_USERNAME keyword in
      access.conf.
    - Added the ability to display raw encrypted packet data in client
      mode with --verbose.
    - Created fwknop RPM for RPM-based Linux distributions.
    - Bugfix for inappropriate redirects in command mode where the command
      already contained a redirect.

fwknop-0.9.3 (08/27/2005):
    - Added an on-disk cache of md5 sums so that the md5 sum check can
      survive restarts of fwknop.
    - Updated install.pl to be more friendly to Mac OS X (Blair Zajac).
    - Updated to allow access.conf variables to have values instead of just
      being defined.
    - Started on additional server authentication mode code (re-worked MD5
      sum calculation to allow packet format to be extended by taking into
      account the fwknop version number).

fwknop-0.9.2 (08/06/2005):
    - Added FILE_PCAP data collection method when running in server mode.
      This is a more general way of getting packets than the ULOG_PCAP
      mode since then a normal ethernet sniffer can be used to build the
      file.
    - Added the ability to re-open a pcap file if its size shrinks (i.e.
      it gets rotated out or something).
    - Bugfix for multiple rules with the same timestamp not being timed out
      by knoptm.
    - Integrated spoofing capability directly within fwknop (instead of
      using the knopspoof command) through the use of "require Net::RawIP".
    - Better multi-protocol support in server mode.  Tcp and icmp packets
      are properly decoded now.

fwknop-0.9.1 (07/29/2005):
    - Added the ability to specify multiple ports/protocols to access on a
      server with the --Access command line option.
    - Added the ability to spoof SPA packets over icmp and tcp protocols.
    - Added the ability to restrict access at the server to only those
      ports defined in the OPEN_PORTS keyword.  This option is controled by
      a new keyword "PERMIT_CLIENT_PORTS".
    - Bugfix for MD5 sum not being properly calculated over decrypted data.
      This allowed old packets that contained additional garbage data to
      be replayed against an fwknop server.
    - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
    - Added --ipt-list to list all current rules in the FWKNOP iptables
      chains.
    - Added --ipt-flush to flush all current rules in the FWKNOP iptables
      chains.
    - Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
    - Updated to delay the loading of server perl modules (Net::Pcap, etc.)
      only if we are running in server mode.
    - Bugfix for module directory paths in install.pl.

fwknop-0.9.0 (05/29/2005):
    - Added new authorization mode that uses Net::Pcap to read packets
      out of a file that is written to by the ulogd pcap writer (also
      stubbed in code to sniff packets directly off the wire).  This
      authorization mode only requires single packets, and has many
      characteristics that are better than simple port knocking, including
      being non-replayable, and much more data can be sent.  This mode
      is now the default for both the server and the client.
    - Made the execution of knopmd optional depending on whether AUTH_MODE
      is a pcap mode (e.g. ULOG_PCAP or PCAP).
    - Added --Spoof-src argument so that encrypted packets can be spoofed
      via /usr/sbin/knopspoof.
    - Added /usr/sbin/knoptm so that firewall rules can be timed-out when
      the server is running in PCAP mode even if new packets don't appear
      on the wire.
    - Updated fwknop man page to talk about the new pcap-based
      authorization mode.

fwknop-0.5.0 (03/19/2005):
    - Added ALERTING_METHOD to allow syslog and/or email reporting to be
      disabled (there is a dedicated file /etc/fwknop/alert.conf that
      governs this behavior, and both fwknop and knopwatchd reference this
      file).
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Added install_perl_module() install.pl from psad to provide a
      consistent installation interface.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Added --last-cmd option to allow fwknop to be executed with command
      line arguments from the previous execution (they are saved in
      ~/.fwknop.run).
    - Added --Home-dir option to allow the home directory to be manually
      specified.
    - Re-worked get_homedir() to be more friendly to systems that do not
      necessarily have /etc/passwd (e.g. OS X).
    - Added configuration preservation and querying for which syslog
      daemon is running to install.pl.  These features were adapted from the
      psad installer (http://www.cipherdyne.org/psad).
    - Added IPTables::ChainMgr.  Fwknop uses this module to maintain
      dedicated chains to which access rules are added.
    - Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
    - Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
    - Added init script for Fedora systems.
    - Added --Kill, --Restart, and --Status modes (this fixes the generic
      init script which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
    - Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
    - Added ability to specify multiple IPs/networks in a single SOURCE
      definition.
    - Better examples section in the fwknop manpage.
    - Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas
      (any commas are translated into spaces).
    - Added LICENSE file.

fwknop-0.3 (08/21/2004):
    - Bugfix for tracking knock sequences by source IP address.
    - Bugfix for knock sequence timeouts.
    - Removed old passive OS fingerprinting code in favor of the p0f
      strategy.
    - Added support for taking encryption keys from a file specified on
      the command line.
    - Update to send "sequence decrypt failed" email message only if
      decryption failed for all encrypt sequence SOURCE blocks.

fwknop-0.2 (07/31/2004):
    - Implemented remote username checking in encrypted sequences.
    - Added support for icmp in knock sequences.
    - Added protocol rotation option for encrypted sequences.
    - Added code for multiple SOURCE access blocks with the same source
      net/IP.
    - Added KNOCK_LIMIT access control variable to limit the number of
      times a particular knock sequence is honored.
    - Added email alerts.

fwknop-0.1 (07/08/2004):
    - Initial release.