Timestamp:
05/21/08 01:01:20 (6 months ago)
Author:
mbr
Message:

- Added two new port randomization options. The first instructs the
fwknop client to select a random port between 10,000 and 65,535 as the
destination port over which to send an SPA packet. This feature is
enabled with a new command line argument "--rand-port" like so:

$ fwknop -A tcp/22 --rand-port -R -D 11.1.1.1

On the fwknopd server side, the default PCAP_FILTER setting of "udp port
62201" should be changed to "udp dst portrange 10000-65535" so that
fwknopd can sniff SPA packets that are sent over randomized destination
ports. Randomizing the destination port makes it more difficult to
write IDS signatures to detect fwknop SPA communications.

The second port randomization technique uses a new SPA message type to
tell the fwknopd daemon to create a NAT rule for access to a local
socket via the iptables INPUT chain. This allows an SSH client to meet
the local SSHD daemon running on the fwknopd server system by SSH'ing to
the random port. This functionality is implemented via a new command
line argument "--Nat-access" on the fwknop command line.

- Bugfix to add a check for "keep-state" in ipfw policies in addition to
the existing "check-state" check (noticed by Sebastien Jeanquier).
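
The interaction between the client's --rand-port choice and the server's PCAP_FILTER, as an added worked example that is not fwknop code: a port picker covering the documented 10,000-65,535 range and a tiny evaluator for the two filter expressions quoted in the message ("udp port 62201" and "udp dst portrange 10000-65535"). The evaluator handles only those two BPF forms, and the packet records it runs over are constructed for this page, not captured traffic. It shows that the old filter drops every randomized-port SPA packet, and that the new range filter still matches clients that keep the default port 62201, while also passing any other UDP datagram in that range to fwknopd's SPA parser.

```python
"""Added illustrative example for the fwknop r1058 port randomization change.
Not fwknop's own code; the filter evaluator covers only the two PCAP_FILTER
forms quoted in the commit message, and the traffic below is constructed."""
import random
import re

RAND_PORT_MIN, RAND_PORT_MAX = 10000, 65535   # range named in the commit message
DEFAULT_SPA_PORT = 62201                       # fwknopd default UDP port

_PORT_RE = re.compile(r"^udp port (\d+)$")
_RANGE_RE = re.compile(r"^udp dst portrange (\d+)-(\d+)$")


def pick_rand_port(rng=None):
    """Mimic --rand-port: pick an SPA destination port in the documented range.

    The rng argument is an assumption for testability; the OS CSPRNG is used
    by default so the port sequence is not predictable from earlier ports."""
    rng = rng or random.SystemRandom()
    return rng.randint(RAND_PORT_MIN, RAND_PORT_MAX)


def matches_filter(expr, pkt):
    """Evaluate a two-form subset of BPF: 'udp port N' and 'udp dst portrange A-B'.

    pkt is a dict with 'proto', 'sport', 'dport'.  'udp port N' matches either
    source or destination port, as real BPF does; the portrange form checks
    the destination only."""
    if pkt["proto"] != "udp":
        return False
    m = _PORT_RE.match(expr)
    if m:
        port = int(m.group(1))
        return pkt["sport"] == port or pkt["dport"] == port
    m = _RANGE_RE.match(expr)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lo <= pkt["dport"] <= hi
    raise ValueError("unsupported filter expression: %r" % expr)


def spa_packets_seen(expr, packets):
    """Destination ports of the packets fwknopd would sniff under PCAP_FILTER expr."""
    return [p["dport"] for p in packets if matches_filter(expr, p)]


# Constructed traffic sample (not a real capture).
CONSTRUCTED_TRAFFIC = [
    {"proto": "udp", "sport": 40001, "dport": DEFAULT_SPA_PORT},  # client without --rand-port
    {"proto": "udp", "sport": 40002, "dport": 33107},             # client with --rand-port
    {"proto": "udp", "sport": 40003, "dport": 9999},              # below the randomized range
    {"proto": "tcp", "sport": 40004, "dport": 22},                # SSH session, not SPA
    {"proto": "udp", "sport": 40005, "dport": 53},                # DNS, also not SPA
]

OLD_FILTER = "udp port 62201"
NEW_FILTER = "udp dst portrange 10000-65535"

if __name__ == "__main__":
    print("client picked port", pick_rand_port())
    print("old filter sees:", spa_packets_seen(OLD_FILTER, CONSTRUCTED_TRAFFIC))
    print("new filter sees:", spa_packets_seen(NEW_FILTER, CONSTRUCTED_TRAFFIC))
```

The second list is the point of the server-side change: with the range filter every randomized-port SPA packet reaches fwknopd, and the default-port client keeps working because 62201 lies inside 10000-65535. The same list also shows the cost, since any stray UDP datagram in that range is now handed to the SPA decryption path instead of being discarded by the kernel filter.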

Files:

  • fwknop/trunk/ChangeLog

    r1046 r1058  
     1fwknop-1.9.4 (05//2008): 
     2    - Added the ability to specify the port that SPA packets are sent over 
     3      with the fwknop client by using the syntax "<host|IP>:<port>".  So, for 
     4      example, to have the client send an SPA packet to 11.1.1.1 over UDP port 
     5      12345 (instead of the default of 62201), one could use the following 
     6      command: 
     7 
     8      $ fwknop -A tcp/22 -R -D 11.1.1.1:12345 
     9 
     10    - Added two new port randomization options.  The first instructs the 
     11      fwknop client to select a random port between 10,000 and 65,535 as the 
     12      destination port over which to send an SPA packet.  This feature is 
     13      enabled with a new command line argument "--rand-port" like so: 
     14 
     15      $ fwknop -A tcp/22 --rand-port -R -D 11.1.1.1 
     16 
     17      On the fwknopd server side, the default PCAP_FILTER setting of "udp port 
     18      62201" should be changed to "udp dst portrange 10000-65535" so that 
     19      fwknopd can sniff SPA packets that are sent over randomized destination 
     20      ports.  Randomizing the destination port makes it more difficult to 
     21      write IDS signatures to detect fwknop SPA communications. 
     22 
     23      The second port randomization technique uses a new SPA message type to 
     24      tell the fwknopd daemon to create a NAT rule for access to a local 
     25      socket via the iptables INPUT chain.  This allows an SSH client to meet 
     26      the local SSHD daemon running on the fwknopd server system by SSH'ing to 
     27      the random port.  This functionality is implemented via a new command 
     28      line argument "--Nat-access" on the fwknop command line. 
     29 
     30    - Bugfix to add a check for "keep-state" in ipfw policies in addition to 
     31      the existing "check-state" check (noticed by Sebastien Jeanquier). 
     32    - Updated the install.pl script to try to determine the OS type as early 
     33      as possible during the install process. 
     34 
    135fwknop-1.9.3 (04/05/2008): 
    236    - Added MASQUERADE and SNAT support to complement inbound DNAT connections
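Review bot: the new fwknop-1.9.4 header is committed with an incomplete date, "05//2008", and needs the day filled in before the release is tagged. In the --Nat-access entry, "create a NAT rule for access to a local socket via the iptables INPUT chain" conflates two tables: DNAT/REDIRECT rules live in the nat table's PREROUTING chain, and the filter table's INPUT chain can only ACCEPT the redirected connection, so the entry should name both rules (a PREROUTING DNAT from the random port to the local SSHD port, plus an INPUT ACCEPT) or say which one the new message type installs. The PCAP_FILTER paragraph should also note that the default port 62201 falls inside "udp dst portrange 10000-65535", so clients that do not use --rand-port keep working after the filter change, and that the wider filter means fwknopd now receives every inbound UDP datagram in that range rather than only port 62201.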