Changeset 1027
- Timestamp:
- 03/12/08 07:54:14 (7 months ago)
- Files:
-
- fwknop/trunk/ChangeLog (modified) (2 diffs)
- fwknop/trunk/fwknop.conf (modified) (2 diffs)
- fwknop/trunk/fwknopd (modified) (19 diffs)
- fwknop/trunk/test/conf/blacklist_fwknop.conf (added)
- fwknop/trunk/test/conf/default_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/excluded_net_access.conf (added)
- fwknop/trunk/test/conf/forward_chain_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/forward_internal_ip_access.conf (added)
- fwknop/trunk/test/conf/gpg_access.conf (modified) (2 diffs)
- fwknop/trunk/test/conf/md5_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/multi_source_access.conf (modified) (1 diff)
- fwknop/trunk/test/conf/no_loopback_ip_match_access.conf (modified) (1 diff)
- fwknop/trunk/test/conf/no_promisc_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/output_access.conf (modified) (2 diffs)
- fwknop/trunk/test/conf/output_chain_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/pcap_file_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/sha1_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/sha256_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/conf/spa_aging_fwknop.conf (modified) (1 diff)
- fwknop/trunk/test/fwknop_test.pl (modified) (11 diffs)
fwknop/trunk/ChangeLog
r1026 r1027 1 fwknop-1.9.2 (0 2//2008):1 fwknop-1.9.2 (03/12/2008): 2 2 - Crypt::CBC adds the string "Salted__" to the beginning of the encrypted 3 3 text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop … … 9 9 which would work for fwknop clients < 1.9.2 (as long as the port number 10 10 is not changed with --Server-port). 11 - Added more granular source IP and allowed IP tests so that access to 12 particular internal IP addresses can be excluded in --Forward-access 13 mode. A new keyword "INTERNAL_NET_ACCESS" is now parsed from the 14 access.conf file in order to implemented these restrictions. 15 - (SPAPICT Group) Added BLACKLIST functionality to allow source IP 16 addresses to easily be excluded from the authentication process. 11 17 - (Grant Ferley) Submitted patch to handle SIGCHLD in IPTables::ChainMgr. 12 18 - (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for fwknop/trunk/fwknop.conf
r1009 r1027 127 127 ### writer). 128 128 PCAP_PKT_FILE /var/log/sniff.pcap; 129 130 ### Define a comma-separated set of IP addresses and/or networks that should 131 ### be globally blacklisted. That is, any SPA packet that is from a source 132 ### IP (or has an internal --allow-ip) within a blacklisted network will be 133 ### ignored. 134 BLACKLIST NONE; 129 135 130 136 ### Defines interval fwknop will use to check for more iptables … … 212 218 ### To_chain. 213 219 IPT_INPUT_ACCESS ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1; 214 ### The IPT_OUTPUT_ACCESS variable is only use if ENABLE_IPT_OUTPUT is enabled220 ### The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled 215 221 IPT_OUTPUT_ACCESS ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1; 216 ### The IPT_FORWARD_ACCESS variable is only use if ENABLE_IPT_FORWARDING is enabled222 ### The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is enabled 217 223 IPT_FORWARD_ACCESS ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1; 218 224 IPT_DNAT_ACCESS DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1; fwknop/trunk/fwknopd
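Review bot: The new BLACKLIST comment promises that a packet whose internal --allow-ip falls in a blacklisted network is also ignored, but in this changeset the list is only consulted in check_src() against the IP-header source (`$src`); no check of the client-supplied allow IP against `$blacklist_ar` appears in the fwknopd hunks. Either that check lives outside the shown hunks or the comment overstates the guarantee, and the latter is worse because an operator will rely on it. If no such check exists, narrow the text to `### any SPA packet from a source IP within a blacklisted network will be ignored.` until the allow-IP path is covered. Since parse_nets() accepts `! net` exclusions and `ANY`, an example of the accepted syntax here (`### e.g. BLACKLIST 10.0.0.0/8, ! 10.0.0.5;`) would also save operators a trip to the source.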
r1026 r1027 71 71 my %p0f = (); 72 72 my @access = (); 73 my $blacklist_ar = []; 74 my $blacklist_exclude_ar = []; 73 75 my %p0f_sigs = (); 74 76 my %pid_files = (); … … 199 201 200 202 my %access_keys = ( 201 'SOURCE' => '', 202 'TYPE' => '', 203 'SOURCE' => [], 203 204 'KEY' => '', 204 205 'OPEN_PORTS' => '', … … 222 223 'ENABLE_CMD_EXEC' => '', 223 224 'DISABLE_FW_ACCESS' => '', 224 'REQUIRE_SOURCE_ADDRESS' => '', 225 'REQUIRE_SOURCE_ADDRESS' => [], 226 'require_src_addr_exceptions' => [], 227 'INTERNAL_NET_ACCESS' => [], ### for --Forward-access IP restrictions 228 'internal_net_exceptions' => [], 225 229 'CMD_REGEX' => '', 226 230 'FW_ACCESS_TIMEOUT' => '', … … 408 412 } 409 413 410 ### get the source IP address 414 ### get the source IP address from the IP header 411 415 $src_ip = $ip->{'src_ip'} or return; 412 416 … … 607 611 } else { 608 612 print STDERR localtime() . " [-] Failed decrypt for SOURCE block ", 609 "$access_hr->{' SOURCE'}\n" if $debug;613 "$access_hr->{'src_str'}\n" if $debug; 610 614 } 611 615 … … 780 784 781 785 if ($allow_src eq '0.0.0.0') { 782 if ($config{'REQUIRE_SOURCE_ADDRESS'} eq 'Y' 783 or (defined $access_hr->{'REQUIRE_SOURCE_ADDRESS'} 784 and $access_hr->{'REQUIRE_SOURCE_ADDRESS'})) { 786 if ($config{'REQUIRE_SOURCE_ADDRESS'} eq 'Y' or not 787 &is_ip_included($src_ip, 788 $access_hr->{'REQUIRE_SOURCE_ADDRESS'}, 789 $access_hr->{'require_src_addr_exceptions'})) { 785 790 &logr('[-]', "IP: $src_ip sent SPA packet that " . 786 791 "contained 0.0.0.0 (-s on the client side) " . … … 872 877 'external_port' => $2, 873 878 ); 879 880 ### check to see if access is allowed to internal IP 881 unless (&is_ip_included($forward_info{'internal_ip'}, 882 $access_hr->{'INTERNAL_NET_ACCESS'}, 883 $access_hr->{'internal_net_exceptions'})) { 884 &logr('[-]', "FORWARD access to $forward_info{'internal_ip'} " . 885 "restricted (SOURCE line num: ". 
886 "$access_hr->{'src_line_num'})", $NO_MAIL); 887 return 0; 888 } 874 889 my $port_ctr = 0; 875 890 for my $proto (keys %open_ports) { … … 961 976 ### pre-1.0 versions did not prepend command string with "<ip>," 962 977 if ($cmd_ip eq '0.0.0.0') { 963 if ($config{'REQUIRE_SOURCE_ADDRESS'} eq 'Y' 964 or (defined $access_hr->{'REQUIRE_SOURCE_ADDRESS'} 965 and $access_hr->{'REQUIRE_SOURCE_ADDRESS'})) { 978 if ($config{'REQUIRE_SOURCE_ADDRESS'} eq 'Y' or not 979 &is_ip_included($cmd_ip, 980 $access_hr->{'REQUIRE_SOURCE_ADDRESS'}, 981 $access_hr->{'require_src_addr_exceptions'})) { 966 982 &logr('[-]', "IP: $src_ip sent SPA packet that " . 967 983 "contained 0.0.0.0 (-s on the client side) " . 968 "but REQUIRE_SOURCE_ADDRESS is enabled", $SEND_MAIL); 984 "but REQUIRE_SOURCE_ADDRESS is enabled " . 985 "(SOURCE line num: $access_hr->{'src_line_num'})", 986 $SEND_MAIL); 969 987 return 0; 970 988 } … … 1150 1168 unless (&check_digest($msg, \%msg_hsh)) { 1151 1169 print STDERR localtime() . " [-] Key mis-match or broken message ", 1152 "checksum for SOURCE $access_hr->{' SOURCE'} ",1170 "checksum for SOURCE $access_hr->{'src_str'} ", 1153 1171 "(# $source_block_num in access.conf)\n" 1154 1172 if $debug; … … 1852 1870 my @access_nums = (); 1853 1871 1872 if (&is_ip_included($src, $blacklist_ar, $blacklist_exclude_ar)) { 1873 print STDERR localtime() . " [+] check_src() ", 1874 "$src in BLACKLIST" if $debug; 1875 return \@access_nums; 1876 } 1877 1878 ### now process the SOURCE stanzas 1854 1879 for (my $i=0; $i<=$#access; $i++) { 1855 1880 my $access_hr = $access[$i]; 1856 my $type = $access_hr->{'TYPE'}; 1857 if ($type eq 'ip') { 1858 if ($src eq $access_hr->{'SOURCE'}) { 1859 print STDERR localtime() . " [+] Packet from $src matched IP ", 1860 "SOURCE: $src ", 1861 "(line $access_hr->{'src_line_num'})\n" if $debug; 1862 push @access_nums, $i; 1863 } 1864 } elsif ($type eq 'net') { 1865 if (ipv4_in_network($access_hr->{'SOURCE'}, $src)) { 1866 print STDERR localtime() . 
" [+] Packet from $src matched ", 1867 "NET SOURCE: ", 1868 "$access_hr->{'SOURCE'} (line $access_hr->{'src_line_num'})\n" 1881 my $matched_src = 0; 1882 if (&is_ip_included($src, $access_hr->{'SOURCE'}, 1883 $access_hr->{'exclude_nets'})) { 1884 print STDERR localtime() . " [+] Packet from $src matched ", 1885 "$access_hr->{'src_str'} (line: ", 1886 "$access_hr->{'src_line_num'})\n" 1887 if $debug; 1888 push @access_nums, $i; 1889 } 1890 } 1891 return \@access_nums; 1892 } 1893 1894 sub is_ip_included() { 1895 my ($ip, $include_ar, $exclude_ar) = @_; 1896 1897 my $is_included = 0; 1898 1899 ### check the include criteria 1900 for my $net (@$include_ar) { 1901 if (ipv4_in_network($net, $ip)) { 1902 print STDERR localtime() . " [+] $ip included by $net\n" 1903 if $debug; 1904 $is_included = 1; 1905 last; 1906 } 1907 } 1908 1909 if ($is_included) { 1910 ### check the exclude criteria 1911 for my $net (@$exclude_ar) { 1912 if (ipv4_in_network($net, $ip)) { 1913 print STDERR localtime() . " [-] $ip excluded by ! $net\n" 1869 1914 if $debug; 1870 push @access_nums, $i; 1871 } 1872 } elsif ($type eq 'any') { 1873 print STDERR localtime() . " [+] Packet from $src matched ", 1874 "SOURCE: ANY ", 1875 "(line $access_hr->{'src_line_num'})\n" if $debug; 1876 push @access_nums, $i; 1877 } elsif ($type eq 'multisrc') { 1878 for my $access_src (keys %{$access_hr->{'SOURCE'}}) { 1879 if ($access_src =~ m|/|) { ### it is a network 1880 if (ipv4_in_network($access_src, $src)) { 1881 print STDERR localtime() . " [+] Packet from $src ", 1882 "matched NET SOURCE: ", 1883 "$access_hr->{'SOURCE'} in $config{'ACCESS_CONF'}\n" if $debug; 1884 push @access_nums, $i; 1885 } 1886 } else { 1887 if ($src eq $access_src) { 1888 print STDERR localtime() . 
" [+] Packet from $src ", 1889 "matched IP SOURCE: $src in ", 1890 "$config{'ACCESS_CONF'}\n" if $debug; 1891 push @access_nums, $i; 1892 } 1893 } 1894 } 1895 } 1896 } 1897 return \@access_nums; 1915 $is_included = 0; 1916 last; 1917 } 1918 } 1919 } 1920 return $is_included; 1898 1921 } 1899 1922 … … 2211 2234 ### address) so open the firewall for the source of the 2212 2235 ### encrypted sequence. 2213 if ($config{'REQUIRE_SOURCE_ADDRESS'} eq 'Y') { 2236 if ($config{'REQUIRE_SOURCE_ADDRESS'} eq 'Y' or not 2237 &is_ip_included($allow_src, 2238 $access_hr->{'REQUIRE_SOURCE_ADDRESS'}, 2239 $access_hr->{'require_src_addr_exceptions'})) { 2214 2240 ### we require the source address to be contained within 2215 2241 ### the encrypted packet. … … 3015 3041 $source_block_num++; 3016 3042 $access_hsh{'block_num'} = $source_block_num; 3017 if ($line =~ m|^\s*SOURCE:\s*($ip_re)\s*;|) { 3018 $access_hsh{'SOURCE'} = $1; 3019 $access_hsh{'TYPE'} = 'ip'; 3020 } elsif ($line =~ m|^\s*SOURCE:\s*($ip_re/\d+)\s*;|) { ### CIDR 3021 $access_hsh{'SOURCE'} = $1; 3022 $type = 'net'; 3023 $access_hsh{'TYPE'} = 'net'; 3024 } elsif ($line =~ m|^\s*SOURCE:\s*($ip_re/$ip_re)\s*;|) { 3025 $access_hsh{'SOURCE'} = $1; 3026 $access_hsh{'TYPE'} = 'net'; 3027 } elsif ($line =~ m|^\s*SOURCE:\s*ANY\s*;|) { 3028 $access_hsh{'SOURCE'} = 'ANY'; 3029 $access_hsh{'TYPE'} = 'any'; 3030 } elsif ($line =~ m|^\s*SOURCE:\s*($ip_re.*)\s*;|) { 3031 my @arr = split /\s,\s*/, $1; 3032 my %ip_net = (); 3033 for my $src (@arr) { 3034 if ($src =~ m|$ip_re/\d+| 3035 or $src =~ m|$ip_re/$ip_re| 3036 or $src =~ m|$ip_re|) { 3037 $ip_net{$src} = ''; 3038 } else { 3039 die "[*] Invalid SOURCE block: $line"; 3040 } 3041 } 3042 if (%ip_net) { 3043 $access_hsh{'SOURCE'} = \%ip_net; 3044 $access_hsh{'TYPE'} = 'multisrc'; 3045 } else { 3046 die "[*] Invalid SOURCE block: $line"; 3047 } 3043 3044 my $src_str = ''; 3045 if ($line =~ m|^\s*SOURCE:\s*(.*)\s*;|) { 3046 $src_str = $1; 3047 ($access_hsh{'SOURCE'}, 
$access_hsh{'exclude_nets'}) 3048 = &parse_nets($src_str); 3048 3049 } 3049 3050 $i++; 3050 3051 $access_hsh{'src_line_num'} = $i; 3052 $access_hsh{'src_str'} = $src_str; 3051 3053 while (defined $lines[$i] and $lines[$i] !~ /^\s*SOURCE:/) { 3052 3054 my $line = $lines[$i]; … … 3194 3196 $access_hsh{'DISABLE_FW_ACCESS'} = 0; 3195 3197 } 3196 } elsif ($line =~ /^\s*REQUIRE_SOURCE_ADDRESS:\s*( \S+);/) {3197 my $ val= $1;3198 if ($ val=~ /y/i) {3199 $ access_hsh{'REQUIRE_SOURCE_ADDRESS'} = 1;3200 } els e{3201 $ access_hsh{'REQUIRE_SOURCE_ADDRESS'} = 0;3198 } elsif ($line =~ /^\s*REQUIRE_SOURCE_ADDRESS:\s*(.*)\s*;/) { 3199 my $str = $1; 3200 if ($str =~ /y/i) { 3201 $str = ''; ### don't allow the client to set 0.0.0.0 3202 } elsif ($str =~ /n/i) { 3203 $str = '0.0.0.0'; ### allow the client to set 0.0.0.0 3202 3204 } 3205 ### we are setting specific allowed networks for the internal 3206 ### allow IP's (i.e. with -a or -R on the client side) 3207 ($access_hsh{'REQUIRE_SOURCE_ADDRESS'}, 3208 $access_hsh{'require_src_addr_exceptions'}) 3209 = &parse_nets($str); 3210 } elsif ($line =~ /^\s*INTERNAL_NET_ACCESS:\s*(.*)\s*;/) { 3211 ### for --Forward-access restrictions to internal IP addresses 3212 ($access_hsh{'INTERNAL_NET_ACCESS'}, 3213 $access_hsh{'internal_net_exceptions'}) 3214 = &parse_nets($1); 3203 3215 } elsif ($line =~ /^\s*CMD_REGEX:\s*(.*)\s*;/) { 3204 3216 $access_hsh{'CMD_REGEX'} = qr|$1|; … … 3256 3268 } 3257 3269 3270 sub parse_nets() { 3271 my $net_str = shift; 3272 my @include_nets = (); 3273 my @exclude_nets = (); 3274 3275 $net_str =~ s|\!\s+|!|g; 3276 3277 for my $str (split /\s*,\s*/, $net_str) { 3278 3279 if ($str =~ m|$ip_re/$ip_re| 3280 or $str =~ m|$ip_re/\d{1,2}| 3281 or $str =~ m|$ip_re| 3282 or $str =~ m|any|i) { 3283 3284 if ($str =~ /any/i) { 3285 if ($str =~ m|!|) { 3286 ### ipv4_in_network('0.0.0.0', $someip) always matches 3287 push @exclude_nets, '0.0.0.0'; 3288 } else { 3289 push @include_nets, '0.0.0.0'; 3290 } 3291 } else { 3292 if 
($str =~ m|!|) { 3293 push @exclude_nets, &ip_info_only($str); 3294 } else { 3295 push @include_nets, &ip_info_only($str); 3296 } 3297 } 3298 } else { 3299 ### allow the string "NONE" 3300 unless ($net_str =~ m|none|i) { 3301 die qq|[*] Improper "$str" in SOURCE line |, 3302 qq|in $config{'ACCESS_CONF'}|; 3303 } 3304 } 3305 } 3306 return \@include_nets, \@exclude_nets; 3307 } 3308 3309 sub ip_info_only() { 3310 my $str = shift; 3311 my $ip_info = ''; 3312 if ($str =~ m|($ip_re/$ip_re)|) { 3313 $ip_info = $1; 3314 } elsif ($str =~ m|($ip_re/\d{1,2})|) { 3315 $ip_info = $1; 3316 } elsif ($str =~ m|($ip_re)|) { 3317 $ip_info = $1; 3318 } 3319 die "[*] Could not parse IP information from: $str" 3320 unless $ip_info; 3321 return $ip_info; 3322 } 3323 3258 3324 sub dump_access() { 3259 3325 my ($access_hr, $num) = @_; … … 3275 3341 } elsif ($key eq 'GPG_REMOTE_ID') { 3276 3342 if ($include_all_config_data) { 3277 print STDERR Dumper"$key: $access_hr->{$key}\n";3343 print STDERR "$key: $access_hr->{$key}\n"; 3278 3344 } else { 3279 3345 print STDERR "$key: (removed)\n"; … … 3285 3351 print STDERR "$key: (removed)\n"; 3286 3352 } 3287 } elsif ($key eq 'OPEN_PORTS') { 3288 print STDERR "OPEN_PORTS:\n"; 3289 print STDERR Dumper $access_hr->{$key}; 3290 } else { 3291 print STDERR "$key: $access_hr->{$key}\n"; 3353 } elsif ($key eq 'OPEN_PORTS' 3354 or $key eq 'SOURCE' 3355 or $key eq 'REQUIRE_SOURCE_ADDRESS' 3356 or $key eq 'require_src_addr_exceptions' 3357 or $key eq 'INTERNAL_NET_ACCESS' 3358 or $key eq 'internal_net_exceptions' 3359 or $key eq 'REQUIRE_SOURCE_ADDRESS') { 3360 print STDERR "$key: ", Dumper $access_hr->{$key}; 3292 3361 } 3293 3362 } … … 3319 3388 3320 3389 sub validate_src_access_hsh() { 3321 my $src_href = shift; 3322 my $src = ''; 3390 my $access_hr = shift; 3323 3391 my $src_line = 0; 3324 3392 my $gpg_mode = 0; 3325 if (defined $src_href->{'SOURCE'}) { 3326 $src = $src_href->{'SOURCE'}; 3327 $src_line = $src_href->{'src_line_num'}; 3393 if (defined 
$access_hr->{'SOURCE'}) { 3394 $src_line = $access_hr->{'src_line_num'}; 3328 3395 } else { 3329 3396 die "[*] $config{'ACCESS_CONF'}: missing SOURCE variable."; 3330 3397 } 3331 3398 3332 if (not defined $ src_href->{'OPEN_PORTS'} and3333 not $ src_href->{'PERMIT_CLIENT_PORTS'}) {3334 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3399 if (not defined $access_hr->{'OPEN_PORTS'} and 3400 not $access_hr->{'PERMIT_CLIENT_PORTS'}) { 3401 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3335 3402 "missing\n OPEN_PORTS and PERMIT_CLIENT_PORTS is disabled."; 3336 3403 } 3337 3404 3405 if (not defined $access_hr->{'REQUIRE_SOURCE_ADDRESS'}) { 3406 ### allow 0.0.0.0 3407 ($access_hr->{'REQUIRE_SOURCE_ADDRESS'}, 3408 $access_hr->{'require_src_addr_exceptions'}) 3409 = &parse_nets('0.0.0.0'); 3410 } 3411 3412 if (not defined $access_hr->{'INTERNAL_NET_ACCESS'}) { 3413 ### allow 0.0.0.0 3414 ($access_hr->{'INTERNAL_NET_ACCESS'}, 3415 $access_hr->{'internal_net_exceptions'}) 3416 = &parse_nets('0.0.0.0'); 3417 } 3418 3338 3419 ### default to SPA mode via standard pcap 3339 $ src_href->{'DATA_COLLECT_MODE'} = $PCAP3340 unless defined $ src_href->{'DATA_COLLECT_MODE'};3420 $access_hr->{'DATA_COLLECT_MODE'} = $PCAP 3421 unless defined $access_hr->{'DATA_COLLECT_MODE'}; 3341 3422 3342 3423 ### only allow forwarding access if ENABLE_IPT_FORWARDING is enabled 3343 if ($ src_href->{'ENABLE_FORWARD_ACCESS'}3424 if ($access_hr->{'ENABLE_FORWARD_ACCESS'} 3344 3425 and $config{'ENABLE_IPT_FORWARDING'} eq 'N') { 3345 die "[*] $config{'ACCESS_CONF'}: SOURCE: $src(line: $src_line) ",3426 die "[*] $config{'ACCESS_CONF'}: SOURCE: (line: $src_line) ", 3346 3427 "ENABLE_FORWARD_ACCESS\n enabled, but ", 3347 3428 "ENABLE_IPT_FORWARDING disabled in fwknop.conf."; 3348 3429 } 3349 3430 3350 if ($ src_href->{'DATA_COLLECT_MODE'} == $ENCRYPT_SEQUENCE) {3351 unless (defined $ src_href->{'KEY'}) {3352 die "[*] $config{'ACCESS_CONF'}: SOURCE: $src(line: $src_line) ",3431 
if ($access_hr->{'DATA_COLLECT_MODE'} == $ENCRYPT_SEQUENCE) { 3432 unless (defined $access_hr->{'KEY'}) { 3433 die "[*] $config{'ACCESS_CONF'}: SOURCE: (line: $src_line) ", 3353 3434 "missing KEY\n variable for encrypt_seq collection mode."; 3354 3435 } 3355 unless (defined $ src_href->{'PORT_OFFSET'}) {3356 &logr('[-]', "$config{'ACCESS_CONF'}: SOURCE: $src(line: $src_line) " .3436 unless (defined $access_hr->{'PORT_OFFSET'}) { 3437 &logr('[-]', "$config{'ACCESS_CONF'}: SOURCE: (line: $src_line) " . 3357 3438 "missing PORT_OFFSET, defaulting to $enc_port_offset.", 3358 3439 $NO_MAIL); 3359 $ src_href->{'PORT_OFFSET'} = $enc_port_offset;3360 } 3361 } elsif ($ src_href->{'DATA_COLLECT_MODE'} == $SHARED_SEQUENCE) {3362 unless (defined $ src_href->{'OPEN_PORTS'}) {3363 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3440 $access_hr->{'PORT_OFFSET'} = $enc_port_offset; 3441 } 3442 } elsif ($access_hr->{'DATA_COLLECT_MODE'} == $SHARED_SEQUENCE) { 3443 unless (defined $access_hr->{'OPEN_PORTS'}) { 3444 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3364 3445 "missing\n OPEN_PORTS variable."; 3365 3446 } 3366 } elsif ($ src_href->{'DATA_COLLECT_MODE'} == $PCAP3367 or $ src_href->{'DATA_COLLECT_MODE'} == $FILE_PCAP3368 or $ src_href->{'DATA_COLLECT_MODE'} == $ULOG_PCAP) {3369 3370 if (defined $ src_href->{'GPG_AGENT_INFO'}3371 and not defined $ src_href->{'GPG_DECRYPT_PW'}) {3372 $ src_href->{'GPG_DECRYPT_PW'} = '';3373 } 3374 unless (defined $ src_href->{'KEY'} or3375 (defined $ src_href->{'GPG_REMOTE_ID'}3376 and defined $ src_href->{'GPG_DECRYPT_ID'}3377 and defined $ src_href->{'GPG_DECRYPT_PW'})) {3378 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3447 } elsif ($access_hr->{'DATA_COLLECT_MODE'} == $PCAP 3448 or $access_hr->{'DATA_COLLECT_MODE'} == $FILE_PCAP 3449 or $access_hr->{'DATA_COLLECT_MODE'} == $ULOG_PCAP) { 3450 3451 if (defined $access_hr->{'GPG_AGENT_INFO'} 3452 and not defined 
$access_hr->{'GPG_DECRYPT_PW'}) { 3453 $access_hr->{'GPG_DECRYPT_PW'} = ''; 3454 } 3455 unless (defined $access_hr->{'KEY'} or 3456 (defined $access_hr->{'GPG_REMOTE_ID'} 3457 and defined $access_hr->{'GPG_DECRYPT_ID'} 3458 and defined $access_hr->{'GPG_DECRYPT_PW'})) { 3459 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3379 3460 "missing KEY or\n (GPG_DECRYPT_ID, GPG_DECRYPT_PW, or ", 3380 3461 "GPG_REMOTE_ID) variable for pcap collection mode."; 3381 3462 } 3382 if (defined $ src_href->{'GPG_DECRYPT_ID'}3383 or defined $ src_href->{'GPG_DECRYPT_PW'}3384 or defined $ src_href->{'GPG_HOME_DIR'}) {3385 unless (defined $ src_href->{'GPG_REMOTE_ID'}) {3386 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3463 if (defined $access_hr->{'GPG_DECRYPT_ID'} 3464 or defined $access_hr->{'GPG_DECRYPT_PW'} 3465 or defined $access_hr->{'GPG_HOME_DIR'}) { 3466 unless (defined $access_hr->{'GPG_REMOTE_ID'}) { 3467 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3387 3468 "missing\n GPG_REMOTE_ID variable."; 3388 3469 } 3389 3470 } 3390 $gpg_mode = 1 if defined $ src_href->{'GPG_REMOTE_ID'};3391 if (defined ($ src_href->{'REQUIRE_AUTH_METHOD'})) {3392 unless (lc($ src_href->{'REQUIRE_AUTH_METHOD'}) eq 'crypt') {3393 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3471 $gpg_mode = 1 if defined $access_hr->{'GPG_REMOTE_ID'}; 3472 if (defined ($access_hr->{'REQUIRE_AUTH_METHOD'})) { 3473 unless (lc($access_hr->{'REQUIRE_AUTH_METHOD'}) eq 'crypt') { 3474 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3394 3475 "invalid\n REQUIRE_AUTH_METHOD, must be set to 'crypt'."; 3395 3476 } 3396 unless (defined $ src_href->{'SHADOW_FILE'}) {3397 $ src_href->{'SHADOW_FILE'} = '/etc/shadow';3477 unless (defined $access_hr->{'SHADOW_FILE'}) { 3478 $access_hr->{'SHADOW_FILE'} = '/etc/shadow'; 3398 3479 } 3399 3480 } 3400 3481 } else { 3401 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3482 die "[*] 
$config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3402 3483 "missing valid DATA_COLLECT_MODE\n key (must be one of ", 3403 3484 "ENCRYPT_SEQUENCE, SHARED_SEQUENCE, FILE_PCAP, ULOG_PCAP, or PCAP)."; 3404 3485 } 3405 if (defined $ src_href->{'MIN_TIME_DIFF'} and3406 defined $ src_href->{'MAX_TIME_DIFF'}) {3407 if ($ src_href->{'MAX_TIME_DIFF'} <3408 $ src_href->{'MIN_TIME_DIFF'}) {3409 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3486 if (defined $access_hr->{'MIN_TIME_DIFF'} and 3487 defined $access_hr->{'MAX_TIME_DIFF'}) { 3488 if ($access_hr->{'MAX_TIME_DIFF'} < 3489 $access_hr->{'MIN_TIME_DIFF'}) { 3490 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3410 3491 "MAX_TIME_DIFF\n cannot be less than MIN_TIME_DIFF."; 3411 3492 } 3412 3493 } 3413 if (defined $ src_href->{'KNOCK_INTERVAL'}) {3414 if ($ src_href->{'KNOCK_INTERVAL'} < 0) {3415 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3494 if (defined $access_hr->{'KNOCK_INTERVAL'}) { 3495 if ($access_hr->{'KNOCK_INTERVAL'} < 0) { 3496 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3416 3497 "KNOCK_INTERVAL\n must be greater than or equal to zero."; 3417 3498 } 3418 3499 } else { 3419 unless ($ src_href->{'DATA_COLLECT_MODE'} == $PCAP3420 or $ src_href->{'DATA_COLLECT_MODE'} == $FILE_PCAP3421 or $ src_href->{'DATA_COLLECT_MODE'} == $ULOG_PCAP) {3422 &logr('[-]', "$config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) " .3500 unless ($access_hr->{'DATA_COLLECT_MODE'} == $PCAP 3501 or $access_hr->{'DATA_COLLECT_MODE'} == $FILE_PCAP 3502 or $access_hr->{'DATA_COLLECT_MODE'} == $ULOG_PCAP) { 3503 &logr('[-]', "$config{'ACCESS_CONF'}: SOURCE (line: $src_line) " . 
3423 3504 "missing KNOCK_INTERVAL, defaulting to $knock_interval.", 3424 3505 $NO_MAIL); 3425 $ src_href->{'KNOCK_INTERVAL'} = $knock_interval;3426 } 3427 } 3428 if (defined $ src_href->{'FW_ACCESS_TIMEOUT'}) {3429 if ($ src_href->{'FW_ACCESS_TIMEOUT'} < 0) {3430 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3506 $access_hr->{'KNOCK_INTERVAL'} = $knock_interval; 3507 } 3508 } 3509 if (defined $access_hr->{'FW_ACCESS_TIMEOUT'}) { 3510 if ($access_hr->{'FW_ACCESS_TIMEOUT'} < 0) { 3511 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3431 3512 "FW_ACCESS_TIMEOUT\n must be greater than or equal to zero."; 3432 3513 } 3433 3514 } else { 3434 if (defined $ src_href->{'PERMIT_CLIENT_TIMEOUT'}) {3515 if (defined $access_hr->{'PERMIT_CLIENT_TIMEOUT'}) { 3435 3516 ### in this case we will derive the timeout from the SPA 3436 3517 ### packet. 3437 $ src_href->{'FW_ACCESS_TIMEOUT'} = 0;3518 $access_hr->{'FW_ACCESS_TIMEOUT'} = 0; 3438 3519 } else { 3439 &logr('[-]', "$config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) " .3520 &logr('[-]', "$config{'ACCESS_CONF'}: SOURCE (line: $src_line) " . 
3440 3521 "missing FW_ACCESS_TIMEOUT, defaulting to $default_access_timeout", 3441 3522 $NO_MAIL); 3442 $ src_href->{'FW_ACCESS_TIMEOUT'} = $default_access_timeout;3443 } 3444 } 3445 if (defined $ src_href->{'KNOCK_LIMIT'}) {3446 if ($ src_href->{'KNOCK_LIMIT'} < 0) {3447 die "[*] $config{'ACCESS_CONF'}: SOURCE : $src(line: $src_line) ",3523 $access_hr->{'FW_ACCESS_TIMEOUT'} = $default_access_timeout; 3524 } 3525 } 3526 if (defined $access_hr->{'KNOCK_LIMIT'}) { 3527 if ($access_hr->{'KNOCK_LIMIT'} < 0) { 3528 die "[*] $config{'ACCESS_CONF'}: SOURCE (line: $src_line) ", 3448 3529 "KNOCK_LIMIT\n must be greater than or equal to zero."; 3449 3530 } 3450 3531 } 3451 3532 if ($gpg_mode) { 3452 unless (defined $ src_href->{'GPG_HOME_DIR'}) {3453 $ src_href->{'GPG_HOME_DIR'} = $config{'GPG_DEFAULT_HOME_DIR'};3454 } 3455 unless (-d $ src_href->{'GPG_HOME_DIR'}) {3533 unless (defined $access_hr->{'GPG_HOME_DIR'}) { 3534 $access_hr->{'GPG_HOME_DIR'} = $config{'GPG_DEFAULT_HOME_DIR'}; 3535 } 3536 unless (-d $access_hr->{'GPG_HOME_DIR'}) { 3456 3537 die "[*] $config{'ACCESS_CONF'}: GnuPG directory " . 3457 "$ src_href->{'GPG_HOME_DIR'} does not exist.";3458 } 3459 } 3460 if (defined $ src_href->{'KEY'}3461 and $ src_href->{'KEY'} =~ /_?_CHANGEME_?_/) {3538 "$access_hr->{'GPG_HOME_DIR'} does not exist."; 3539 } 3540 } 3541 if (defined $access_hr->{'KEY'} 3542 and $access_hr->{'KEY'} =~ /_?_CHANGEME_?_/) { 3462 3543 die "[*] $config{'ACCESS_CONF'}: Update the KEY variable ". 
3463 3544 "from the default of __CHANGEME__"; … … 4438 4519 $config{'ACCESS_CONF'} = $access_conf_file if $access_conf_file; 4439 4520 4521 ### handle BLACKLIST variable 4522 ($blacklist_ar, $blacklist_exclude_ar) 4523 = &parse_nets($config{'BLACKLIST'}); 4524 4440 4525 if ($cmdline_knoptm) { 4441 4526 ### used by the test suite … … 4560 4645 KNOPTM_SYSLOG_FACILITY KNOPTM_SYSLOG_PRIORITY 4561 4646 ENABLE_IPT_FORWARDING ENABLE_IPT_OUTPUT IPT_OUTPUT_ACCESS 4562 IPT_DNAT_ACCESS ) {4563 4647 IPT_DNAT_ACCESS BLACKLIST 4648 ) { 4564 4649 die "[*] Required variable $var is not defined in $config_file" 4565 4650 unless defined $config{$var}; fwknop/trunk/test/conf/default_fwknop.conf
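Review bot: The keyword tests in the new REQUIRE_SOURCE_ADDRESS parser (`if ($str =~ /y/i)` / `elsif ($str =~ /n/i)`) are unanchored, so a value of `any` — which parse_nets() treats as include-everything — matches `/y/` first and is silently rewritten to `''`, the strictest setting, and `none` likewise hits `/n/` before parse_nets() ever sees it; anchor them as `if ($str =~ /^\s*y(?:es)?\s*$/i)` and `elsif ($str =~ /^\s*no?\s*$/i)`. The parallel 0.0.0.0 branches also disagree on what they test against that list: the one at old line 787 passes `$src_ip`, while the command branch at 979 passes `$cmd_ip`, which that branch has just established is `0.0.0.0`, so with an explicit network such as the test suite's `127.0.0.0/8` the two paths presumably give opposite answers for the same client. A BLACKLIST hit in check_src() is reported only via `print STDERR ... if $debug` (and without a trailing newline); a knock from a blacklisted host is a detection signal and should go through `&logr('[-]', "check_src(): $src in BLACKLIST, ignoring SPA packet", $NO_MAIL);` like the other rejections, subject to whatever rate limiting logr() applies. The `die` in parse_nets() always blames a "SOURCE line in access.conf" even when it is parsing BLACKLIST from fwknop.conf, which will misdirect whoever debugs a bad entry. Several of the touched functions begin or end outside the hunks shown.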
r1009 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/conf/forward_chain_fwknop.conf
r1009 r1027 34 34 GPG_DEFAULT_HOME_DIR /root/.gnupg; 35 35 PCAP_PKT_FILE /var/log/sniff.pcap; 36 BLACKLIST NONE; 36 37 SLEEP_INTERVAL 2; ### seconds 37 38 MAX_HOPS 20; fwknop/trunk/test/conf/gpg_access.conf
r1011 r1027 2 2 ############################################################################## 3 3 # 4 # File: default_access.conf4 # File: gpg_access.conf 5 5 # 6 6 # Purpose: This file is used by the fwknop test suite to validate fwknop SPA … … 12 12 # 13 13 14 ### default Single Packet Authorization (SPA) via libpcap:15 14 SOURCE: ANY; 16 15 REQUIRE_USERNAME: root; fwknop/trunk/test/conf/md5_fwknop.conf
r1011 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/conf/multi_source_access.conf
r1011 r1027 28 28 SOURCE: 127.0.0.1; 29 29 REQUIRE_USERNAME: root; 30 REQUIRE_SOURCE_ADDRESS: Y;30 REQUIRE_SOURCE_ADDRESS: 127.0.0.0/8, ! 127.0.0.5; 31 31 OPEN_PORTS: tcp/22; 32 32 KEY: fwknoptest; fwknop/trunk/test/conf/no_loopback_ip_match_access.conf
r1011 r1027 2 2 ############################################################################## 3 3 # 4 # File: default_access.conf4 # File: no_loopback_ip_match_access_conf.conf 5 5 # 6 6 # Purpose: This file is used by the fwknop test suite to validate fwknop SPA fwknop/trunk/test/conf/no_promisc_fwknop.conf
r1011 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/conf/output_access.conf
r1011 r1027 2 2 ############################################################################## 3 3 # 4 # File: default_access.conf4 # File: output_access.conf 5 5 # 6 6 # Purpose: This file is used by the fwknop test suite to validate fwknop SPA … … 12 12 # 13 13 14 ### default Single Packet Authorization (SPA) via libpcap:15 14 SOURCE: ANY; 16 15 ENABLE_OUTPUT_ACCESS: Y; fwknop/trunk/test/conf/output_chain_fwknop.conf
r1011 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/conf/pcap_file_fwknop.conf
r1009 r1027 34 34 GPG_DEFAULT_HOME_DIR /root/.gnupg; 35 35 PCAP_PKT_FILE /var/log/sniff.pcap; 36 BLACKLIST NONE; 36 37 SLEEP_INTERVAL 2; ### seconds 37 38 MAX_HOPS 20; fwknop/trunk/test/conf/sha1_fwknop.conf
r1011 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/conf/sha256_fwknop.conf
r1011 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/conf/spa_aging_fwknop.conf
r1011 r1027 35 35 GPG_DEFAULT_HOME_DIR /root/.gnupg; 36 36 PCAP_PKT_FILE /var/log/sniff.pcap; 37 BLACKLIST NONE; 37 38 SLEEP_INTERVAL 2; ### seconds 38 39 MAX_HOPS 20; fwknop/trunk/test/fwknop_test.pl
r1019 r1027 56 56 my $output_access_conf = "$conf_dir/output_access.conf"; 57 <
