root/fwknop/tags/fwknop_0_9_0/ChangeLog

fwknop-0.9.0 (//2005):
    - Added new authorization mode that uses Net::Pcap to read packets
      out of a file that is written to by the ulogd pcap writer (also
      stubbed in code to sniff packets directly off the wire).  This
      authorization mode only requires single packets, and has many
      characteristics that are better than simple port knocking, including
      being non-replayable, and much more data can be sent.  This mode
      is now the default for both the server and the client.
    - Made the execution of knopmd optional depending on whether AUTH_MODE
      is a pcap mode (e.g. ULOG_PCAP or PCAP).
    - Added --Spoof-src argument so that encrypted packets can be spoofed
      via /usr/sbin/knopspoof.
    - Added /usr/sbin/knoptm so that firewall rules can be timed-out when
      the server is running in PCAP mode even if new packets don't appear
      on the wire.
    - Updated fwknop man page to talk about the new pcap-based
      authorization mode.

fwknop-0.5.0 (03/19/2005):
    - Added ALERTING_METHOD to allow syslog and/or email reporting to be
      disabled (there is a dedicated file /etc/fwknop/alert.conf that
      governs this behavior, and both fwknop and knopwatchd reference this
      file).
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Added install_perl_module() install.pl from psad to provide a
      consistent installation interface.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Added --last-cmd option to allow fwknop to be executed with command
      line arguments from the previous execution (they are saved in
      ~/.fwknop.run).
    - Added --Home-dir option to allow the home directory to be manually
      specified.
    - Re-worked get_homedir() to be more friendly to systems that do not
      necessarily have /etc/passwd (e.g. OS X).
    - Added configuration preservation and querying for which syslog
      daemon is running to install.pl.  These features were adapted from the
      psad installer (http://www.cipherdyne.org/psad).
    - Added IPTables::ChainMgr.  Fwknop uses this module to maintain
      dedicated chains to which access rules are added.
    - Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
    - Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
    - Added init script for Fedora systems.
    - Added --Kill, --Restart, and --Status modes (this fixes the generic
      init script which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
    - Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
    - Added ability to specify multiple IPs/networks in a single SOURCE
      definition.
    - Better examples section in the fwknop manpage.
    - Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas
      (any commas are translated into spaces).
    - Added LICENSE file.

fwknop-0.3 (08/21/2004):
    - Bugfix for tracking knock sequences by source IP address.
    - Bugfix for knock sequence timeouts.
    - Removed old passive OS fingerprinting code in favor of the p0f
      strategy.
    - Added support for taking encryption keys from a file specified on
      the command line.
    - Update to send "sequence decrypt failed" email message only if
      decryption failed for all encrypt sequence SOURCE blocks.

fwknop-0.2 (07/31/2004):
    - Implemented remote username checking in encrypted sequences.
    - Added support for icmp in knock sequences.
    - Added protocol rotation option for encrypted sequences.
    - Added code for multiple SOURCE access blocks with the same source
      net/IP.
    - Added KNOCK_LIMIT access control variable to limit the number of
      times a particular knock sequence is honored.
    - Added email alerts.

fwknop-0.1 (07/08/2004):
    - Initial release.