Navigation

← Previous Changeset
Next Changeset →

Changeset 1058

Timestamp:

05/21/08 01:01:20 (6 months ago)

Author:

mbr

Message:

- Added two new port randomization options. The first instructs the

fwknop client to select a random port between 10,000 and 65,535 as the
destination port over which to send an SPA packet. This feature is
enabled with a new command line argument "--rand-port" like so:

$ fwknop -A tcp/22 --rand-port -R -D 11.1.1.1

On the fwknopd server side, the default PCAP_FILTER setting of "udp port
62201" should be changed to "udp dst portrange 10000-65535" so that
fwknopd can sniff SPA packets that are sent over randomized destination
ports. Randomizing the destination port makes it more difficult to
write IDS signatures to detect fwknop SPA communications.

The second port randomization technique uses a new SPA message type to
tell the fwknopd daemon to create a NAT rule for access to a local
socket via the iptables INPUT chain. This allows an SSH client to meet
the local SSHD daemon running on the fwknopd server system by SSH'ing to
the random port. This functionality is implemented via a new command
line argument "--Nat-access" on the fwknop command line.

- Bugfix to add a check for "keep-state" in ipfw policies in addition to

the existing "check-state" check (noticed by Sebastien Jeanquier).

Files:

fwknop/trunk/ChangeLog (modified) (1 diff)
fwknop/trunk/fwknop (modified) (21 diffs)
fwknop/trunk/fwknopd (modified) (21 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

fwknop/trunk/ChangeLog

r1046	r1058
	1	fwknop-1.9.4 (05//2008):
	2	- Added the ability to specify the port that SPA packets are sent over
	3	with the fwknop client by using the syntax "<host\|IP>:<port>". So, for
	4	example, to have the client send an SPA packet to 11.1.1.1 over UDP port
	5	12345 (instead of the default of 62201), one could use the following
	6	command:
	7
	8	$ fwknop -A tcp/22 -R -D 11.1.1.1:12345
	9
	10	- Added two new port randomization options. The first instructs the
	11	fwknop client to select a random port between 10,000 and 65,535 as the
	12	destination port over which to send an SPA packet. This feature is
	13	enabled with a new command line argument "--rand-port" like so:
	14
	15	$ fwknop -A tcp/22 --rand-port -R -D 11.1.1.1
	16
	17	On the fwknopd server side, the default PCAP_FILTER setting of "udp port
	18	62201" should be changed to "udp dst portrange 10000-65535" so that
	19	fwknopd can sniff SPA packets that are sent over randomized destination
	20	ports. Randomizing the destination port makes it more difficult to
	21	write IDS signatures to detect fwknop SPA communications.
	22
	23	The second port randomization technique uses a new SPA message type to
	24	tell the fwknopd daemon to create a NAT rule for access to a local
	25	socket via the iptables INPUT chain. This allows an SSH client to meet
	26	the local SSHD daemon running on the fwknopd server system by SSH'ing to
	27	the random port. This functionality is implemented via a new command
	28	line argument "--Nat-access" on the fwknop command line.
	29
	30	- Bugfix to add a check for "keep-state" in ipfw policies in addition to
	31	the existing "check-state" check (noticed by Sebastien Jeanquier).
	32	- Updated the install.pl script to try to determine the OS type as early
	33	as possible during the install process.
	34
1	35	fwknop-1.9.3 (04/05/2008):
2	36	- Added MASQUERADE and SNAT support to complement inbound DNAT connections

fwknop/trunk/fwknop

r1046	r1058
100	100	my $pcap_sleep_interval = 1; ### seconds
101	101	my $knock_dst_pre_resolve = '';
	102	my $rand_port = 0; ### for SPA packet destination port
	103	my $NAT_rand_port = 0; ### for randomized access based on
	104	### NAT rules (e.g. ssh -p <randport>).
	105	my $NAT_local = 0; ### Flag for forwarding a port to local socket.
102	106
103	107	### User agent for contacting http://www.whatismyip.org/, (can
…	…
116	120	my $SPA_COMMAND_MODE = 0;
117	121
118		### ~~FORWARD~~ ACCESS message:
	122	### NAT ACCESS message:
119	123	### random data : user : client_timestamp : client_version : \
120	124	### type (2) : access_request : NAT_info : message digest
121		my $SPA_~~FORWARD~~_ACCESS_MODE = 2;
	125	my $SPA_NAT_ACCESS_MODE = 2;
122	126
123	127	### ACCESS message with client-defined firewall timeout:
…	…
126	130	my $SPA_CLIENT_TIMEOUT_ACCESS_MODE = 3;
127	131
128		### ~~FORWARD~~ ACCESS message with client-defined firewall timeout:
	132	### NAT ACCESS message with client-defined firewall timeout:
129	133	### random data : user : client_timestamp : client_version : \
130	134	### type (4) : access_request : NAT_info : timeout : message digest
131		my $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE = 4;
	135	my $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE = 4;
	136
	137	### local NAT ACCESS message:
	138	### random data : user : client_timestamp : client_version : \
	139	### type (5) : access_request : NAT_info : message digest
	140	my $SPA_LOCAL_NAT_ACCESS_MODE = 5;
	141
	142	### local NAT ACCESS message with client-defined firewall timeout:
	143	### random data : user : client_timestamp : client_version : \
	144	### type (6) : access_request : NAT_info : timeout : message digest
	145	my $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE = 6;
132	146
133	147	### default time values
…	…
141	155	my $digest_type = $SHA256_DIGEST; ### default
142	156	my $cmdl_digest_alg = '';
	157
	158	### default destination port; you can change with --Server-port,
	159	### --rand-port, or by appending the ":<port>" syntax to the
	160	## destination host
	161	my $DEFAULT_PORT = 62201;
143	162
144	163	### default to root (client must run as root in this mode)
…	…
163	182	my $enc_rotate_proto = 0;
164	183	my $get_key_file = ''; ### get key from file
165		my $enc_pcap_port = ~~62201; ### default pcap port~~
	184	my $enc_pcap_port = $DEFAULT_PORT;
166	185	my $access_str = '';
167		my $~~forward~~_access_str = ''; ### for access through the iptables FORWARD chain
	186	my $NAT_access_str = ''; ### for access through the iptables FORWARD chain
168	187
169	188	### packet counters
…	…
217	236	if ($spoof_src and $spa_established_tcp);
218	237
219		die "[*] Server auth method not supported in ~~FORWARD~~ access mode.\n"
220		if $server_auth_method and $~~forward~~_access_str;
	238	die "[*] Server auth method not supported in NAT access mode.\n"
	239	if $server_auth_method and $NAT_access_str;
221	240
222	241	&set_digest_type() if $cmdl_digest_alg;
…	…
234	253	### save a copy
235	254	$knock_dst_pre_resolve = $knock_dst;
	255
	256	if ($rand_port and $enc_pcap_port != $DEFAULT_PORT) {
	257	die "[*] Cannot use --Server-port and --rand-port at the same time";
	258	}
	259
	260	### allow for ":<port>" extension to -D arg
	261	if ($knock_dst =~ /(.*):(\d+)/) {
	262	$knock_dst = $1;
	263	$enc_pcap_port = $2;
	264
	265	die "[*] Cannot use --rand-port with a manually specified -D <host>:<port>"
	266	if $rand_port;
	267	}
	268
	269	if ($rand_port) {
	270	### send the SPA packet over a random port between 10,000 and 65535
	271	$enc_pcap_port = &rand_port();
	272	}
236	273
237	274	if ($run_last_args or $show_last_cmd) {
…	…
270	307
271	308	if ($debug) {
272		print "[+] *DEBUG* Starting fwknop client ($print_mode mode)...\n";
	309	print "\n[+] *DEBUG* Starting fwknop client ($print_mode mode)...\n";
273	310	} else {
274		print "[+] Starting fwknop client ($print_mode mode)...\n"
	311	print "\n[+] Starting fwknop client ($print_mode mode)...\n"
275	312	unless $quiet;
276	313	}
…	…
291	328
292	329	&validate_access_str() if $access_str;
293		&validate_~~forward_access_str() if $forward~~_access_str;
	330	&validate_NAT_access_str() if $NAT_access_str;
294	331
295	332	if (lc($server_mode) eq 'pcap' or lc($server_mode) eq 'knock') {
…	…
400	437	# 0 => command mode / command to execute
401	438	# 1 => access mode / IP,proto,port
402		# 2 => ~~forward~~ access mode / IP,proto,port / internalIP,externalNATPort
	439	# 2 => nat access mode / IP,proto,port / internalIP,externalNATPort
403	440	# (optional) server_auth (post 0.9.2 release)
404	441	# message digest (SHA256 / SHA1 / MD5 )
…	…
431	468	$msg .= &SPA_message();
432	469
433		### append ~~FORWARD~~ access requirement (optional)
434		$msg .= &SPA_~~forward~~_access();
	470	### append NAT access requirement (optional)
	471	$msg .= &SPA_nat_access();
435	472
436	473	### append server authentication method (optional)
…	…
501	538	unless $quiet;
502	539	return ':' . $SPA_COMMAND_MODE;
503		} elsif ($forward_access_str) {
504		if ($cmdl_fw_timeout > 0) {
505		print " Type: " .
506		"$SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE ",
507		"(FORWARD client-timeout access mode)\n" unless $quiet;
508		return ':' . $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE;
	540	} elsif ($NAT_access_str) {
	541	if ($NAT_local) {
	542	if ($cmdl_fw_timeout > 0) {
	543	print " Type: " .
	544	"$SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE ",
	545	"(Local NAT client-timeout access mode)\n" unless $quiet;
	546	return ':' . $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE;
	547	} else {
	548	print " Type: $SPA_LOCAL_NAT_ACCESS_MODE ",
	549	"(Local NAT access mode)\n" unless $quiet;
	550	return ':' . $SPA_LOCAL_NAT_ACCESS_MODE;
	551	}
509	552	} else {
510		print " Type: $SPA_FORWARD_ACCESS_MODE ",
511		"(FORWARD access mode)\n" unless $quiet;
512		return ':' . $SPA_FORWARD_ACCESS_MODE;
	553	if ($cmdl_fw_timeout > 0) {
	554	print " Type: " .
	555	"$SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE ",
	556	"(NAT client-timeout access mode)\n" unless $quiet;
	557	return ':' . $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE;
	558	} else {
	559	print " Type: $SPA_NAT_ACCESS_MODE ",
	560	"(NAT access mode)\n" unless $quiet;
	561	return ':' . $SPA_NAT_ACCESS_MODE;
	562	}
513	563	}
514	564	}
…	…
563	613	}
564	614
565		sub SPA_~~forward~~_access() {
566		if ($~~forward~~_access_str) {
567		print " Forward access: $~~forward~~_access_str\n"
	615	sub SPA_nat_access() {
	616	if ($NAT_access_str) {
	617	print " Forward access: $NAT_access_str\n"
568	618	unless $quiet;
569		return ':' . encode_base64($~~forward~~_access_str, '');
	619	return ':' . encode_base64($NAT_access_str, '');
570	620	}
571	621	return '';
…	…
767	817	print
768	818	"\n[+] Sending $msg_len byte message to $knock_dst over $spoof_proto",
769		"/$enc_pcap_port\n (spoofed src ~~ip: $spoof_src).~~\n" unless $quiet;
	819	"/$enc_pcap_port\n (spoofed src IP: $spoof_src).\n\n" unless $quiet;
770	820	my $rand_src_port = int(rand(65535));
771	821	$rand_src_port = 65001 if $rand_src_port > 65535;
…	…
840	890	if ($spa_established_tcp) { ### useful for Tor
841	891	print "\n[+] Sending $msg_len byte message to $knock_dst ",
842		"over established tcp/$enc_pcap_port socket...\n"
	892	"over established tcp/$enc_pcap_port socket...\n\n"
843	893	unless $quiet;
844	894
…	…
859	909	} else {
860	910	print "\n[+] Sending $msg_len byte message to $knock_dst ",
861		"over udp/$enc_pcap_port...\n" unless $quiet;
	911	"over udp/$enc_pcap_port...\n\n" unless $quiet;
862	912
863	913	if ($test_mode) {
…	…
1356	1406
1357	1407	sub handle_command_line() {
	1408
1358	1409	### make Getopts case sensitive
1359	1410	Getopt::Long::Configure('no_ignore_case');
1360	1411
1361		die "[-] Use --help for usage information.\n" unless GetOptions(
	1412	die "[*] Use --help for usage information.\n" unless GetOptions(
1362	1413	'Server-port=i' => \$enc_pcap_port,
1363	1414	'Server-mode=s' => \$server_mode,
…	…
1366	1417	'Server-auth=s' => \$server_auth_method,
1367	1418	'Spoof-src=s' => \$spoof_src,
	1419	'rand-port' => \$rand_port,
	1420	'NAT-rand-port' => \$NAT_rand_port,
	1421	'NAT-local' => \$NAT_local,
	1422	'NAT-access=s' => \$NAT_access_str,
1368	1423	'Spoof-user=s' => \$spoof_username,
1369	1424	'Spoof-proto=s' => \$spoof_proto,
…	…
1382	1437	'gpg-agent-info=s' => \$gpg_agent_info,
1383	1438	'quiet' => \$quiet,
1384		'Forward-access=s' => \$~~forward~~_access_str,
	1439	'Forward-access=s' => \$NAT_access_str,
1385	1440	'TCP-sock' => \$spa_established_tcp,
1386	1441	'Access=s' => \$access_str,
…	…
1509	1564	}
1510	1565
1511		sub validate_forward_access_str() {
1512		$forward_access_str = lc($forward_access_str);
1513		unless ($forward_access_str =~ /^$ip_re,\d+$/) {
1514		die "[*] Must specify '<internal_IP>,<external_port>'";
	1566	sub validate_NAT_access_str() {
	1567	$NAT_access_str = lc($NAT_access_str);
	1568
	1569	if ($NAT_rand_port) {
	1570	unless ($NAT_access_str =~ /^$ip_re$/) {
	1571	die "[*] Must specify '<internal_IP>'";
	1572	}
	1573
	1574	### append a random destination port (between 10,000
	1575	### and 65535); this is the port number that will be
	1576	### used on the SSH command line
	1577	$NAT_access_str .= ',' . &rand_port();
	1578
	1579	} else {
	1580	unless ($NAT_access_str =~ /^$ip_re,\d+$/) {
	1581	die "[*] Must specify '<internal_IP>,<external_port>'";
	1582	}
1515	1583	}
1516	1584	return;
…	…
1569	1637	print "\n";
1570	1638	return;
	1639	}
	1640
	1641	sub rand_port() {
	1642	return 10000 + int(rand(55535));
1571	1643	}
1572	1644

fwknop/trunk/fwknopd

r1050	r1058
127	127	my $SPA_COMMAND_MODE = 0;
128	128
129		### ~~FORWARD~~ ACCESS message:
	129	### NAT ACCESS message:
130	130	### random data :user : client_timestamp : client_version : \
131	131	### type (2) : access_request : NAT_info : digest
132		my $SPA_~~FORWARD~~_ACCESS_MODE = 2;
	132	my $SPA_NAT_ACCESS_MODE = 2;
133	133
134	134	### ACCESS message with client-defined firewall timeout:
…	…
137	137	my $SPA_CLIENT_TIMEOUT_ACCESS_MODE = 3;
138	138
139		### ~~FORWARD~~ ACCESS message with client-defined firewall timeout:
	139	### NAT ACCESS message with client-defined firewall timeout:
140	140	### random data :user : client_timestamp : client_version : \
141	141	### type (4) : access_request : NAT_info : timeout : digest
142		my $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE = 4;
	142	my $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE = 4;
	143
	144	### local NAT ACCESS message:
	145	### random data : user : client_timestamp : client_version : \
	146	### type (5) : access_request : NAT_info : message digest
	147	my $SPA_LOCAL_NAT_ACCESS_MODE = 5;
	148
	149	### local NAT ACCESS message with client-defined firewall timeout:
	150	### random data : user : client_timestamp : client_version : \
	151	### type (6) : access_request : NAT_info : timeout : message digest
	152	my $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE = 6;
143	153
144	154	### minimum nummber of fields within a decrypted SPA packet
…	…
527	537
528	538	if ($msg_hr->{'action_type'} == $SPA_ACCESS_MODE
529		or $msg_hr->{'action_type'} == $SPA_FORWARD_ACCESS_MODE
530		or $msg_hr->{'action_type'} == $SPA_FORWARD_ACCESS_MODE
531		or $msg_hr->{'action_type'}
532		== $SPA_CLIENT_TIMEOUT_ACCESS_MODE
533		or $msg_hr->{'action_type'}
534		== $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE) {
	539	or $msg_hr->{'action_type'} == $SPA_NAT_ACCESS_MODE
	540	or $msg_hr->{'action_type'} == $SPA_LOCAL_NAT_ACCESS_MODE
	541	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
	542	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE
	543	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE) {
535	544
536	545	if (&SPA_access($msg_hr, $src_ip, $decrypt_algo,
…	…
648	657	} elsif ($msg_hr->{'action_type'} == $SPA_COMMAND_MODE) {
649	658	print STDERR " (SPA_COMMAND_MODE)\n";
650		} elsif ($msg_hr->{'action_type'} == $SPA_FORWARD_ACCESS_MODE) {
651		print STDERR " (SPA_FORWARD_ACCESS_MODE)\n";
	659	} elsif ($msg_hr->{'action_type'} == $SPA_NAT_ACCESS_MODE) {
	660	print STDERR " (SPA_NAT_ACCESS_MODE)\n";
	661	} elsif ($msg_hr->{'action_type'} == $SPA_LOCAL_NAT_ACCESS_MODE) {
	662	print STDERR " (SPA_LOCAL_NAT_ACCESS_MODE)\n";
652	663	} elsif ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE) {
653	664	print STDERR " (SPA_CLIENT_TIMEOUT_ACCESS_MODE)\n";
654		} elsif ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE) {
655		print STDERR " (SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE)\n";
	665	} elsif ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE) {
	666	print STDERR " (SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE)\n";
	667	} elsif ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE) {
	668	print STDERR " (SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE)\n";
656	669	}
657	670	printf STDERR " %-16s %s\n",
…	…
659	672
660	673	if ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
661		or $msg_hr->{'action_type'}
662		~~== $SPA_CLIENT_TIMEOUT_FORWARD~~_ACCESS_MODE) {
	674	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE
	675	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE) {
663	676	printf STDERR " %-16s %s\n",
664	677	'Client timeout:', $msg_hr->{'client_timeout'};
…	…
671	684	if ($debug) {
672	685	printf STDERR " %-16s %s", 'Server auth:', $server_auth_type;
673		for (my $i=0; $i<length($server_auth_crypt_pw); $i++) {
	686	for (my $i=0; $i < length($server_auth_crypt_pw); $i++) {
674	687	print STDERR '*';
675	688	}
…	…
678	691	}
679	692	}
680		if ($msg_hr->{'~~forward~~_info'}) {
681		printf STDERR " %-16s %s\n", '~~Forward~~ info:',
682		$msg_hr->{'~~forward~~_info'};
	693	if ($msg_hr->{'nat_info'}) {
	694	printf STDERR " %-16s %s\n", 'NAT info:',
	695	$msg_hr->{'nat_info'};
683	696	}
684	697	printf STDERR " %-16s %s\n", "$msg_hr->{'digest_str'} digest:",
…	…
750	763	$digest, $access_hr) = @_;
751	764
752		my $allow_src = '';
753		my %open_ports = ();
754		my %~~forward_info~~ = ();
	765	my $allow_src = '';
	766	my %open_ports = ();
	767	my %nat_info = ();
755	768
756	769	if ($access_hr->{'DISABLE_FW_ACCESS'}) {
…	…
762	775
763	776	if ($msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
764		or $msg_hr->{'action_type'}
765		~~== $SPA_CLIENT_TIMEOUT_FORWARD~~_ACCESS_MODE) {
	777	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE
	778	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE) {
766	779
767	780	if ($access_hr->{'PERMIT_CLIENT_TIMEOUT'}) {
…	…
857	870
858	871	### handle SPA access through iptables FORWARD chain for
859		### SPA_FORWARD_ACCESS_MODE messages
	872	### SPA_NAT_ACCESS_MODE messages (or through the INPUT chain for
	873	### SPA_LOCAL_NAT_ACCESS_MODE messages)
860	874	### iptables -t nat -A PREROUTING -p tcp -s <SPA_src> --dport 55000 \
861	875	### -i eth0 -j DNAT --to 192.168.10.3:80
862		if ($msg_hr->{'forward_info'}
863		and $msg_hr->{'forward_info'} =~ /($ip_re),(\d+)/) {
	876	if ($msg_hr->{'nat_info'}
	877	and $msg_hr->{'nat_info'} =~ /($ip_re),(\d+)/) {
	878
	879	%nat_info = (
	880	'internal_ip' => $1,
	881	'external_port' => $2,
	882	);
	883
864	884	unless ($config{'FIREWALL_TYPE'} eq 'iptables') {
865		&logr('[-]', "~~FORWARD~~ access requested through non-iptables " .
	885	&logr('[-]', "NAT access requested through non-iptables " .
866	886	"firewall (SOURCE line num: ".
867	887	"$access_hr->{'src_line_num'})", $NO_MAIL);
868	888	return 0;
869	889	}
870		unless ($access_hr->{'ENABLE_FORWARD_ACCESS'}) {
871		&logr('[-]', "FORWARD access requested through non-forward " .
872		"access SOURCE block (SOURCE line num: ".
873		"$access_hr->{'src_line_num'})", $NO_MAIL);
874		return 0;
875		}
876		%forward_info = (
877		'internal_ip' => $1,
878		'external_port' => $2,
879		);
880
881		### check to see if access is allowed to internal IP
882		unless (&is_ip_included($forward_info{'internal_ip'},
	890
	891	if ($msg_hr->{'action_type'} == $SPA_NAT_ACCESS_MODE
	892	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE) {
	893	unless ($access_hr->{'ENABLE_FORWARD_ACCESS'}) {
	894	&logr('[-]', "FORWARD access requested through non-forward " .
	895	"access SOURCE block (SOURCE line num: ".
	896	"$access_hr->{'src_line_num'})", $NO_MAIL);
	897	return 0;
	898	}
	899	}
	900
	901	### check to see if access is allowed to internal IP (or a local IP
	902	### for NAT'd local connections)
	903	unless (&is_ip_included($nat_info{'internal_ip'},
883	904	$access_hr->{'INTERNAL_NET_ACCESS'},
884	905	$access_hr->{'internal_net_exceptions'})) {
885		&logr('[-]', "~~FORWARD access to $forward~~_info{'internal_ip'} " .
	906	&logr('[-]', "NAT access to $nat_info{'internal_ip'} " .
886	907	"restricted (SOURCE line num: ".
887	908	"$access_hr->{'src_line_num'})", $NO_MAIL);
…	…
940	961
941	962	### grant access through the firewall
942		&grant_access($allow_src, \%forward_info, {}, \%open_ports, $access_hr);
	963	&grant_access($allow_src, $msg_hr, \%nat_info,
	964	{}, \%open_ports, $access_hr);
943	965
944	966	return 1;
…	…
1159	1181	'action' => '',
1160	1182	'server_auth' => '', ### optional
1161		'~~forward_info'~~ => '', ### optional
	1183	'nat_info' => '', ### optional
1162	1184	'client_timeout' => -1, ### optional
1163	1185	'digest' => '',
…	…
1223	1245	return 0, {} unless $fields[4] == $SPA_COMMAND_MODE
1224	1246	or $fields[4] == $SPA_ACCESS_MODE
1225		or $fields[4] == $SPA_~~FORWARD~~_ACCESS_MODE
	1247	or $fields[4] == $SPA_NAT_ACCESS_MODE
1226	1248	or $fields[4] == $SPA_CLIENT_TIMEOUT_ACCESS_MODE
1227		or $fields[4] == $SPA_CLIENT_TIMEOUT_FORWARD_ACCESS_MODE;
	1249	or $fields[4] == $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE
	1250	or $fields[4] == $SPA_LOCAL_NAT_ACCESS_MODE
	1251	or $fields[4] == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE;
1228	1252	$msg_hsh{'action_type'} = $fields[4];
1229	1253	} else {
…	…
1242	1266	if ($msg_hsh{'numeric_version'} >= 190) {
1243	1267	my $found = 0;
1244		if ($msg_hsh{'action_type'} == $SPA_~~FORWARD~~_ACCESS_MODE) {
	1268	if ($msg_hsh{'action_type'} == $SPA_NAT_ACCESS_MODE) {
1245	1269	if ($#fields == $SPA_MIN_PACKET_FIELDS+1) {
1246		$msg_hsh{'~~forward~~_info'} = decode_base64($fields[6]);
	1270	$msg_hsh{'nat_info'} = decode_base64($fields[6]);
1247	1271	$found = 1;
1248	1272	}
…	…
1253	1277	$found = 1;
1254	1278	} elsif ($msg_hsh{'action_type'}
1255		== $SPA_CLIENT_TIMEOUT_~~FORWARD~~_ACCESS_MODE) {
	1279	== $SPA_CLIENT_TIMEOUT_NAT_ACCESS_MODE) {
1256	1280	$msg_hsh{'client_timeout'} = $fields[7];
1257	1281	$found = 1;
…	…
1287	1311	"$msg_hsh{'action'}";
1288	1312
1289		if ($msg_hsh{'~~forward~~_info'}) {
1290		print STDERR ":$msg_hsh{'~~forward~~_info'}";
	1313	if ($msg_hsh{'nat_info'}) {
	1314	print STDERR ":$msg_hsh{'nat_info'}";
1291	1315	}
1292	1316
…	…
2292	2316
2293	2317	sub grant_access() {
2294		my ($src, $~~forward~~_info_hr, $seq_hr, $open_ports_hr, $access_hr) = @_;
	2318	my ($src, $nat_info_hr, $seq_hr, $open_ports_hr, $access_hr) = @_;
2295	2319
2296	2320	if ($config{'FIREWALL_TYPE'} eq 'iptables') {
…	…
2298	2322	### iptables access; the destination IP is only used if access is
2299	2323	### forwarded through the iptables policy
2300		&grant_ipt_access($src, $~~forward~~_info_hr,
	2324	&grant_ipt_access($src, $nat_info_hr,
2301	2325	$seq_hr, $open_ports_hr, $access_hr);
2302	2326
…	…
2311	2335
2312	2336	sub grant_ipt_access() {
2313		my ($src, $forward_info_hr, $seq_href, $open_ports_hr, $access_hr) = @_;
	2337	my ($src, $msg_hr, $nat_info_hr, $seq_href,
	2338	$open_ports_hr, $access_hr) = @_;
2314	2339
2315	2340	my @ipt_hrefs = ();
2316	2341	my $ipt = &get_iptables_chainmgr_obj();
2317	2342
2318		if ($access_hr->{'ENABLE_FORWARD_ACCESS'}) {
2319		return unless defined $forward_info_hr->{'internal_ip'};
2320		push @ipt_hrefs, \%ipt_forward;
	2343	my $local_nat = 0;
	2344	$local_nat = 1 if $msg_hr->{'action_type'} == $SPA_LOCAL_NAT_ACCESS_MODE
	2345	or $msg_hr->{'action_type'} == $SPA_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MODE;
	2346
	2347	if ($access_hr->{'ENABLE_FORWARD_ACCESS'} or $local_nat) {
	2348
	2349	return unless defined $nat_info_hr->{'internal_ip'};
2321	2350	push @ipt_hrefs, \%ipt_prerouting if %ipt_prerouting;
2322	2351	push @ipt_hrefs, \%ipt_postrouting if %ipt_postrouting;
2323		print STDERR localtime() . " [+] FORWARD access for $src ",
2324		"to internal IP: $forward_info_hr->{'internal_ip'}\n"
2325		if $debug;
	2352
	2353	if ($local_nat) {
	2354	push @ipt_hrefs, \%ipt_input;
	2355	print STDERR localtime() . " [+] INPUT NAT access for $src ",
	2356	"to local IP: $nat_info_hr->{'internal_ip'}\n"
	2357	if $debug;
	2358	} else {
	2359	push @ipt_hrefs, \%ipt_forward;
	2360	print STDERR localtime() . " [+] FORWARD access for $src ",
	2361	"to internal IP: $nat_info_hr->{'internal_ip'}\n"
	2362	if $debug;
	2363	}
	2364
2326	2365	} else {
2327		return if defined $~~forward~~_info_hr->{'internal_ip'};
	2366	return if defined $nat_info_hr->{'internal_ip'};
2328	2367	push @ipt_hrefs, \%ipt_input;
2329	2368	if ($access_hr->{'ENABLE_OUTPUT_ACCESS'}) {
…	…
2396	2435	if ($target eq 'DNAT') {
2397	2436	$extended_info{'to_ip'}
2398		= $~~forward~~_info_hr->{'internal_ip'};
	2437	= $nat_info_hr->{'internal_ip'};
2399	2438	$extended_info{'to_port'} = $dport;
2400	2439	$extended_info{'d_port'}
2401		= $~~forward~~_info_hr->{'external_port'};
2402		$nat_ip = $~~forward~~_info_hr->{'internal_ip'};
	2440	= $nat_info_hr->{'external_port'};
	2441	$nat_ip = $nat_info_hr->{'internal_ip'};
2403	2442	$nat_port = $dport;
2404		$dport = $~~forward~~_info_hr->{'external_port'};
	2443	$dport = $nat_info_hr->{'external_port'};
2405	2444	} elsif ($target eq 'SNAT') {
2406	2445	$extended_info{'to_ip'}
…	…
2571	2610	while (<LIST>) {
2572	2611	if (/check-state/) {
2573		### check-state means that ipfw builds "dynamic" rules against
2574		### connections, and a subsequent rule can allow established
2575		### connections to continue after the initial rule to accept
2576		### an SSH connection is removed.
	2612	### from the ipfw man page:
	2613	# check-state
	2614	# Checks the packet against the dynamic ruleset. If a match is
	2615	# found, execute the action associated with the rule which gener-
	2616	# ated this dynamic rule, otherwise move to the next rule.
	2617	# Check-state rules do not have a body. If no check-state rule is
	2618	# found, the dynamic ruleset is checked at the first keep-state or
	2619	# limit rule.
2577	2620	$found_state_rule = 1;
2578		}
2579		if (/allow.*to\s+any\s+established/) {
	2621	last;
	2622	} elsif (/keep-state/) {
	2623	### from the ipfw man page:
	2624	# keep-state
	2625	# Upon a match, the firewall will create a dynamic rule, whose
	2626	# default behaviour is to match bidirectional traffic between
	2627	# source and destination IP/port using the same protocol. The rule
	2628	# has a limited lifetime (controlled by a set of sysctl(8) vari-
	2629	# ables), and the lifetime is refreshed every time a matching
	2630	# packet is found.
2580	2631	$found_state_rule = 1;
	2632	last;
	2633	} elsif (/allow.*to\s+any\s+established/) {
	2634	$found_state_rule = 1;
	2635	last;
2581	2636	}
2582	2637	}