fwknop-0.9.1 (07//2005):
    - Added the ability to specify multiple ports/protocols to access on a
      server with the --Access command line option.
    - Added the ability to spoof SPA packets over icmp and tcp protocols.
    - Added the ability to restrict access at the server to only those
      ports defined in the OPEN_PORTS keyword. This option is controlled by
      a new keyword "PERMIT_CLIENT_PORTS".
    - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
    - Added --ipt-list to list all current rules in the FWKNOP Netfilter
      chains.
    - Added --ipt-flush to flush all current rules in the FWKNOP Netfilter
      chains.
    - Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
    - Updated to delay the loading of server perl modules (Net::Pcap, etc.)
      so that they are loaded only if we are running in server mode.
    - Bugfix for module directory paths in install.pl.

fwknop-0.9.0 (05/29/2005):
    - Added new authorization mode that uses Net::Pcap to read packets
      out of a file that is written to by the ulogd pcap writer (also
      stubbed in code to sniff packets directly off the wire). This
      authorization mode only requires single packets, and has many
      characteristics that are better than simple port knocking, including
      being non-replayable, and much more data can be sent. This mode
      is now the default for both the server and the client.
    - Made the execution of knopmd optional depending on whether AUTH_MODE
      is a pcap mode (e.g. ULOG_PCAP or PCAP).
    - Added --Spoof-src argument so that encrypted packets can be spoofed
      via /usr/sbin/knopspoof.
    - Added /usr/sbin/knoptm so that firewall rules can be timed-out when
      the server is running in PCAP mode even if new packets don't appear
      on the wire.
    - Updated fwknop man page to talk about the new pcap-based
      authorization mode.

fwknop-0.5.0 (03/19/2005):
    - Added ALERTING_METHOD to allow syslog and/or email reporting to be
      disabled (there is a dedicated file /etc/fwknop/alert.conf that
      governs this behavior, and both fwknop and knopwatchd reference this
      file).
    - Bugfix for distinguishing the OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Added install_perl_module() to install.pl from psad to provide a
      consistent installation interface.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Added --last-cmd option to allow fwknop to be executed with command
      line arguments from the previous execution (they are saved in
      ~/.fwknop.run).
    - Added --Home-dir option to allow the home directory to be manually
      specified.
    - Re-worked get_homedir() to be more friendly to systems that do not
      necessarily have /etc/passwd (e.g. OS X).
    - Added configuration preservation and querying for which syslog
      daemon is running to install.pl. These features were adapted from the
      psad installer (http://www.cipherdyne.org/psad).
    - Added IPTables::ChainMgr. Fwknop uses this module to maintain
      dedicated chains to which access rules are added.
    - Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
    - Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
    - Added init script for Fedora systems.
    - Added --Kill, --Restart, and --Status modes (this fixes the generic
      init script which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
    - Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
    - Added ability to specify multiple IPs/networks in a single SOURCE
      definition.
    - Better examples section in the fwknop manpage.
    - Bugfix to make sure the EMAIL_ADDRESSES variable does not contain commas
      (any commas are translated into spaces).
    - Added LICENSE file.

fwknop-0.3 (08/21/2004):
    - Bugfix for tracking knock sequences by source IP address.
    - Bugfix for knock sequence timeouts.
    - Removed old passive OS fingerprinting code in favor of the p0f
      strategy.
    - Added support for taking encryption keys from a file specified on
      the command line.
    - Updated to send the "sequence decrypt failed" email message only if
      decryption failed for all encrypted sequence SOURCE blocks.

fwknop-0.2 (07/31/2004):
    - Implemented remote username checking in encrypted sequences.
    - Added support for icmp in knock sequences.
    - Added protocol rotation option for encrypted sequences.
    - Added code for multiple SOURCE access blocks with the same source
      net/IP.
    - Added KNOCK_LIMIT access control variable to limit the number of
      times a particular knock sequence is honored.
    - Added email alerts.

fwknop-0.1 (07/08/2004):
    - Initial release.