| 1 |
fwknop-0.9.3 (08//2005): |
|---|
| 2 |
- Added an on-disk cache of md5 sums so that the md5 sum check can |
|---|
| 3 |
survive restarts of fwknop. |
|---|
| 4 |
- Updated install.pl to be more friendly to Mac OS X (Blair Zajac). |
|---|
| 5 |
- Updated to allow access.conf variables to have values instead of just |
|---|
| 6 |
being defined. |
|---|
| 7 |
- Started on additional server authentication mode code (re-worked MD5 |
|---|
| 8 |
sum calculation to allow packet format to be extended by taking into |
|---|
| 9 |
account the fwknop version number). |
|---|
| 10 |
|
|---|
| 11 |
fwknop-0.9.2 (08/06/2005): |
|---|
| 12 |
- Added FILE_PCAP data collection method when running in server mode. |
|---|
| 13 |
This is a more general way of getting packets than the ULOG_PCAP |
|---|
| 14 |
mode since then a normal ethernet sniffer can be used to build the |
|---|
| 15 |
file. |
|---|
| 16 |
- Added the ability to re-open a pcap file if its size shrinks (i.e. |
|---|
| 17 |
it gets rotated out or something). |
|---|
| 18 |
- Bugfix for multiple rules with the same timestamp not being timed out |
|---|
| 19 |
by knoptm. |
|---|
| 20 |
- Integrated spoofing capability directly within fwknop (instead of |
|---|
| 21 |
using the knopspoof command) through the use of "require Net::RawIP". |
|---|
| 22 |
- Better multi-protocol support in server mode. Tcp and icmp packets |
|---|
| 23 |
are properly decoded now. |
|---|
| 24 |
|
|---|
| 25 |
fwknop-0.9.1 (07/29/2005): |
|---|
| 26 |
- Added the ability to specify multiple ports/protocols to access on a |
|---|
| 27 |
server with the --Access command line option. |
|---|
| 28 |
- Added the ability to spoof SPA packets over icmp and tcp protocols. |
|---|
| 29 |
- Added the ability to restrict access at the server to only those |
|---|
| 30 |
ports defined in the OPEN_PORTS keyword. This option is controled by |
|---|
| 31 |
a new keyword "PERMIT_CLIENT_PORTS". |
|---|
| 32 |
- Bugfix for MD5 sum not being properly calculated over decrypted data. |
|---|
| 33 |
This allowed old packets that contained additional garbage data to |
|---|
| 34 |
be replayed against an fwknop server. |
|---|
| 35 |
- Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac). |
|---|
| 36 |
- Added --ipt-list to list all current rules in the FWKNOP Netfilter |
|---|
| 37 |
chains. |
|---|
| 38 |
- Added --ipt-flush to flush all current rules in the FWKNOP Netfilter |
|---|
| 39 |
chains. |
|---|
| 40 |
- Bugfix for the installer dying if ~/lib already exists (Blair Zajac). |
|---|
| 41 |
- Updated to delay the loading of server perl modules (Net::Pcap, etc.) |
|---|
| 42 |
only if we are running in server mode. |
|---|
| 43 |
- Bugfix for module directory paths in install.pl. |
|---|
| 44 |
|
|---|
| 45 |
fwknop-0.9.0 (05/29/2005): |
|---|
| 46 |
- Added new authorization mode that uses Net::Pcap to read packets |
|---|
| 47 |
out of a file that is written to by the ulogd pcap writer (also |
|---|
| 48 |
stubbed in code to sniff packets directly off the wire). This |
|---|
| 49 |
authorization mode only requires single packets, and has many |
|---|
| 50 |
characteristics that are better than simple port knocking, including |
|---|
| 51 |
being non-replayable, and much more data can be sent. This mode |
|---|
| 52 |
is now the default for both the server and the client. |
|---|
| 53 |
- Made the execution of knopmd optional depending on whether AUTH_MODE |
|---|
| 54 |
is a pcap mode (e.g. ULOG_PCAP or PCAP). |
|---|
| 55 |
- Added --Spoof-src argument so that encrypted packets can be spoofed |
|---|
| 56 |
via /usr/sbin/knopspoof. |
|---|
| 57 |
- Added /usr/sbin/knoptm so that firewall rules can be timed-out when |
|---|
| 58 |
the server is running in PCAP mode even if new packets don't appear |
|---|
| 59 |
on the wire. |
|---|
| 60 |
- Updated fwknop man page to talk about the new pcap-based |
|---|
| 61 |
authorization mode. |
|---|
| 62 |
|
|---|
| 63 |
fwknop-0.5.0 (03/19/2005): |
|---|
| 64 |
- Added ALERTING_METHOD to allow syslog and/or email reporting to be |
|---|
| 65 |
disabled (there is a dedicated file /etc/fwknop/alert.conf that |
|---|
| 66 |
governs this behavior, and both fwknop and knopwatchd reference this |
|---|
| 67 |
file). |
|---|
| 68 |
- Bugfix for distinguishing OPT field associated with --log-tcp-options |
|---|
| 69 |
vs. --log-ip-options. |
|---|
| 70 |
- Added install_perl_module() install.pl from psad to provide a |
|---|
| 71 |
consistent installation interface. |
|---|
| 72 |
- Applied patch to only install perl modules that are not already |
|---|
| 73 |
installed (Blair Zajac). |
|---|
| 74 |
- Added --last-cmd option to allow fwknop to be executed with command |
|---|
| 75 |
line arguments from the previous execution (they are saved in |
|---|
| 76 |
~/.fwknop.run). |
|---|
| 77 |
- Added --Home-dir option to allow the home directory to be manually |
|---|
| 78 |
specified. |
|---|
| 79 |
- Re-worked get_homedir() to be more friendly to systems that do not |
|---|
| 80 |
necessarily have /etc/passwd (e.g. OS X). |
|---|
| 81 |
- Added configuration preservation and querying for which syslog |
|---|
| 82 |
daemon is running to install.pl. These features were adapted from the |
|---|
| 83 |
psad installer (http://www.cipherdyne.org/psad). |
|---|
| 84 |
- Added IPTables::ChainMgr. Fwknop uses this module to maintain |
|---|
| 85 |
dedicated chains to which access rules are added. |
|---|
| 86 |
- Added IPTables::Parse, which is used internally by IPTables::ChainMgr. |
|---|
| 87 |
- Added __WARN__ and __DIE__ handlers so errors can easily be collected. |
|---|
| 88 |
|
|---|
| 89 |
fwknop-0.4.2 (09/27/2004): |
|---|
| 90 |
- Added init script for Fedora systems. |
|---|
| 91 |
- Added --Kill, --Restart, and --Status modes (this fixes the generic |
|---|
| 92 |
init script which depends on these arguments). |
|---|
| 93 |
|
|---|
| 94 |
fwknop-0.4.1 (09/14/2004): |
|---|
| 95 |
- Bugfix for legacy posf code in fwknop and variable in fwknop.conf. |
|---|
| 96 |
|
|---|
| 97 |
fwknop-0.4 (09/10/2004): |
|---|
| 98 |
- Added ability to specify multiple IPs/networks in a single SOURCE |
|---|
| 99 |
definition. |
|---|
| 100 |
- Better examples section in the fwknop manpage. |
|---|
| 101 |
- Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas |
|---|
| 102 |
(any commas are translated into spaces). |
|---|
| 103 |
- Added LICENSE file. |
|---|
| 104 |
|
|---|
| 105 |
fwknop-0.3 (08/21/2004): |
|---|
| 106 |
- Bugfix for tracking knock sequences by source IP address. |
|---|
| 107 |
- Bugfix for knock sequence timeouts. |
|---|
| 108 |
- Removed old passive OS fingerprinting code in favor of the p0f |
|---|
| 109 |
strategy. |
|---|
| 110 |
- Added support for taking encryption keys from a file specified on |
|---|
| 111 |
the command line. |
|---|
| 112 |
- Update to send "sequence decrypt failed" email message only if |
|---|
| 113 |
decryption failed for all encrypt sequence SOURCE blocks. |
|---|
| 114 |
|
|---|
| 115 |
fwknop-0.2 (07/31/2004): |
|---|
| 116 |
- Implemented remote username checking in encrypted sequences. |
|---|
| 117 |
- Added support for icmp in knock sequences. |
|---|
| 118 |
- Added protocol rotation option for encrypted sequences. |
|---|
| 119 |
- Added code for multiple SOURCE access blocks with the same source |
|---|
| 120 |
net/IP. |
|---|
| 121 |
- Added KNOCK_LIMIT access control variable to limit the number of |
|---|
| 122 |
times a particular knock sequence is honored. |
|---|
| 123 |
- Added email alerts. |
|---|
| 124 |
|
|---|
| 125 |
fwknop-0.1 (07/08/2004): |
|---|
| 126 |
- Initial release. |
|---|
