root/fwknop/tags/fwknop_0_9_4/ChangeLog

Revision 363, 6.7 kB (checked in by anonymous, 3 years ago)

This commit was manufactured by cvs2svn to create tag 'fwknop_0_9_4'.

fwknop-0.9.4 (09/17/2005):
    - Bugfix for knoptm timing out new entries based on old time values
      (this caused new rules to be timed out too quickly).
    - Added support for multiple users in REQUIRE_USERNAME keyword in
      access.conf.
    - Added the ability to display raw encrypted packet data in client
      mode with --verbose.
    - Created fwknop RPM for RPM-based Linux distributions.
    - Bugfix for inappropriate redirects in command mode where the command
      already contained a redirect.

fwknop-0.9.3 (08/27/2005):
    - Added an on-disk cache of md5 sums so that the md5 sum check can
      survive restarts of fwknop.
    - Updated install.pl to be more friendly to Mac OS X (Blair Zajac).
    - Updated to allow access.conf variables to have values instead of just
      being defined.
    - Started on additional server authentication mode code (re-worked MD5
      sum calculation to allow packet format to be extended by taking into
      account the fwknop version number).

fwknop-0.9.2 (08/06/2005):
    - Added FILE_PCAP data collection method when running in server mode.
      This is a more general way of getting packets than the ULOG_PCAP
      mode since then a normal ethernet sniffer can be used to build the
      file.
    - Added the ability to re-open a pcap file if its size shrinks (i.e.
      it gets rotated out or something).
    - Bugfix for multiple rules with the same timestamp not being timed out
      by knoptm.
    - Integrated spoofing capability directly within fwknop (instead of
      using the knopspoof command) through the use of "require Net::RawIP".
    - Better multi-protocol support in server mode.  Tcp and icmp packets
      are properly decoded now.

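Two knoptm fixes in this log concern rule expiry: 0.9.2 (rules sharing a timestamp were never timed out) and 0.9.4 (new entries were timed out against old time values). The following is an added illustration of the bookkeeping that avoids both problems; it is not fwknop's code, and the rule ids, the (src_ip, port) tuples and the timestamps are constructed for the example. A timestamp-keyed index is shown next to a per-rule table keyed by a unique id, where each rule carries its own creation time.

```python
"""Per-rule expiry bookkeeping of the kind a timeout helper such as knoptm
needs. Added illustration, not fwknop's code: rule ids, the (src_ip, port)
tuple and the timestamps are constructed for this example."""
import itertools


def index_by_timestamp(rules):
    """The fragile shape: keyed by creation time, so two rules created in the
    same second collide and only one of them is ever seen by the sweeper."""
    return {created_at: (src_ip, port) for src_ip, port, created_at in rules}


class RuleTimer:
    """Tracks access rules under a unique id, each with its own creation time,
    so rules sharing a timestamp all expire and a new rule is judged against
    the time it was actually added rather than an older entry's value."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._ids = itertools.count(1)
        self.rules = {}  # rule_id -> (src_ip, port, created_at)

    def add(self, src_ip, port, now):
        """Record a newly inserted firewall rule; returns its id."""
        rule_id = next(self._ids)
        self.rules[rule_id] = (src_ip, port, now)
        return rule_id

    def expired(self, now):
        """Ids of rules whose own age has reached the ttl."""
        return [rid for rid, (_, _, created) in self.rules.items()
                if now - created >= self.ttl]

    def sweep(self, now):
        """Drop expired rules and return (src_ip, port) pairs the caller
        should delete from the firewall chain."""
        removed = []
        for rid in self.expired(now):
            src_ip, port, _ = self.rules.pop(rid)
            removed.append((src_ip, port))
        return removed


if __name__ == "__main__":
    timer = RuleTimer(ttl_seconds=30)
    timer.add("10.0.0.5", 22, now=1000)   # two rules in the same second
    timer.add("10.0.0.6", 22, now=1000)
    timer.add("10.0.0.7", 22, now=1020)   # a newer rule with its own time
    print(timer.sweep(now=1030))  # [('10.0.0.5', 22), ('10.0.0.6', 22)]
    print(timer.sweep(now=1050))  # [('10.0.0.7', 22)]
```

The sweeper returns the addresses and ports to remove rather than calling the firewall itself, so the expiry decision can be exercised without iptables present.
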
fwknop-0.9.1 (07/29/2005):
    - Added the ability to specify multiple ports/protocols to access on a
      server with the --Access command line option.
    - Added the ability to spoof SPA packets over icmp and tcp protocols.
    - Added the ability to restrict access at the server to only those
      ports defined in the OPEN_PORTS keyword.  This option is controlled by
      a new keyword "PERMIT_CLIENT_PORTS".
    - Bugfix for MD5 sum not being properly calculated over decrypted data.
      This allowed old packets that contained additional garbage data to
      be replayed against an fwknop server.
    - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
    - Added --ipt-list to list all current rules in the FWKNOP Netfilter
      chains.
    - Added --ipt-flush to flush all current rules in the FWKNOP Netfilter
      chains.
    - Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
    - Updated to delay the loading of server perl modules (Net::Pcap, etc.)
      only if we are running in server mode.
    - Bugfix for module directory paths in install.pl.

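The 0.9.1 MD5 bugfix and the 0.9.3 on-disk cache describe the same mechanism: a server that remembers the digest of every accepted packet so a repeat is refused. The digest has to be taken over the decrypted message, because a digest of the raw packet changes as soon as bytes are appended while the decrypted content does not. The following is an added illustration of that check, not fwknop's code: the line-terminated message format that stands in for decryption, the JSON cache file and the sample packet are all constructed for the example.

```python
"""Replay detection keyed by a digest of the decoded message, with the
digest cache persisted to disk. Added illustration only; the message
format, the decode step and the cache file layout are constructed for
this example and are not fwknop's."""
import hashlib
import json
import os


def decode_message(wire: bytes) -> bytes:
    """Stand-in for decryption: the message is the first line of the
    packet, and anything after the newline is ignored (constructed format)."""
    body, _sep, _rest = wire.partition(b"\n")
    return body


def digest_raw(wire: bytes) -> str:
    """Digest of the raw packet, appended bytes included (the 0.9.1 defect)."""
    return hashlib.md5(wire).hexdigest()


def digest_decoded(wire: bytes) -> str:
    """Digest of the decoded message only (the fixed behaviour)."""
    return hashlib.md5(decode_message(wire)).hexdigest()


class ReplayCache:
    """Set of digests already accepted, mirrored to a JSON file so the
    check survives a restart (the on-disk cache added in 0.9.3)."""

    def __init__(self, path: str):
        self.path = path
        self.seen = set()
        if os.path.exists(path):
            with open(path, "r", encoding="ascii") as fh:
                self.seen = set(json.load(fh))

    def accept(self, digest: str) -> bool:
        """Record the digest and return True if unseen; False on a repeat."""
        if digest in self.seen:
            return False
        self.seen.add(digest)
        with open(self.path, "w", encoding="ascii") as fh:
            json.dump(sorted(self.seen), fh)
        return True


def server_accepts(cache: ReplayCache, wire: bytes, digest_fn) -> bool:
    """Decode the packet and consult the replay cache with the given digest."""
    if not decode_message(wire):
        return False
    return cache.accept(digest_fn(wire))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        pkt = b"user=alice;port=22\n"        # constructed sample message
        repeat = pkt + b"trailing-garbage"    # same message with bytes appended
        buggy = ReplayCache(os.path.join(tmp, "buggy.json"))
        fixed_path = os.path.join(tmp, "fixed.json")
        fixed = ReplayCache(fixed_path)
        print("raw digest:    ", server_accepts(buggy, pkt, digest_raw),
              server_accepts(buggy, repeat, digest_raw))       # True True
        print("decoded digest:", server_accepts(fixed, pkt, digest_decoded),
              server_accepts(fixed, repeat, digest_decoded))   # True False
        # A fresh cache object re-reads the file, so the repeat is still caught.
        print("after restart: ",
              server_accepts(ReplayCache(fixed_path), pkt, digest_decoded))  # False
```

The cache is written on every accepted packet, which is the simplest way to make sure a digest recorded just before a crash or restart is not lost; a busier server would batch the writes.
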
fwknop-0.9.0 (05/29/2005):
    - Added new authorization mode that uses Net::Pcap to read packets
      out of a file that is written to by the ulogd pcap writer (also
      stubbed in code to sniff packets directly off the wire).  This
      authorization mode only requires single packets, and has many
      characteristics that are better than simple port knocking, including
      being non-replayable, and much more data can be sent.  This mode
      is now the default for both the server and the client.
    - Made the execution of knopmd optional depending on whether AUTH_MODE
      is a pcap mode (e.g. ULOG_PCAP or PCAP).
    - Added --Spoof-src argument so that encrypted packets can be spoofed
      via /usr/sbin/knopspoof.
    - Added /usr/sbin/knoptm so that firewall rules can be timed-out when
      the server is running in PCAP mode even if new packets don't appear
      on the wire.
    - Updated fwknop man page to talk about the new pcap-based
      authorization mode.

fwknop-0.5.0 (03/19/2005):
    - Added ALERTING_METHOD to allow syslog and/or email reporting to be
      disabled (there is a dedicated file /etc/fwknop/alert.conf that
      governs this behavior, and both fwknop and knopwatchd reference this
      file).
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Added install_perl_module() to install.pl from psad to provide a
      consistent installation interface.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Added --last-cmd option to allow fwknop to be executed with command
      line arguments from the previous execution (they are saved in
      ~/.fwknop.run).
    - Added --Home-dir option to allow the home directory to be manually
      specified.
    - Re-worked get_homedir() to be more friendly to systems that do not
      necessarily have /etc/passwd (e.g. OS X).
    - Added configuration preservation and querying for which syslog
      daemon is running to install.pl.  These features were adapted from the
      psad installer (http://www.cipherdyne.org/psad).
    - Added IPTables::ChainMgr.  Fwknop uses this module to maintain
      dedicated chains to which access rules are added.
    - Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
    - Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
    - Added init script for Fedora systems.
    - Added --Kill, --Restart, and --Status modes (this fixes the generic
      init script which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
    - Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
    - Added ability to specify multiple IPs/networks in a single SOURCE
      definition.
    - Better examples section in the fwknop manpage.
    - Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas
      (any commas are translated into spaces).
    - Added LICENSE file.

fwknop-0.3 (08/21/2004):
    - Bugfix for tracking knock sequences by source IP address.
    - Bugfix for knock sequence timeouts.
    - Removed old passive OS fingerprinting code in favor of the p0f
      strategy.
    - Added support for taking encryption keys from a file specified on
      the command line.
    - Updated to send "sequence decrypt failed" email message only if
      decryption failed for all encrypt sequence SOURCE blocks.

fwknop-0.2 (07/31/2004):
    - Implemented remote username checking in encrypted sequences.
    - Added support for icmp in knock sequences.
    - Added protocol rotation option for encrypted sequences.
    - Added code for multiple SOURCE access blocks with the same source
      net/IP.
    - Added KNOCK_LIMIT access control variable to limit the number of
      times a particular knock sequence is honored.
    - Added email alerts.

fwknop-0.1 (07/08/2004):
    - Initial release.