Changeset 1104
- Timestamp:
- 05/31/08 18:21:29 (6 months ago)
- Files:
-
- fwknop/trunk/CREDITS (modified) (1 diff)
- fwknop/trunk/ChangeLog (modified) (1 diff)
- fwknop/trunk/TODO (modified) (2 diffs)
- fwknop/trunk/fwknopd (modified) (5 diffs)
fwknop/trunk/CREDITS
r1095 r1104 79 79 - Helped with the testing process for fwknop-1.8.2 and OS X support. 80 80 - Suggested the integration of SHA256 for replay attack detection. 81 - Suggested the OPEN_PORTS fix to not open ports that are not 82 specifically requested in an SPA packet. 83 - Noticed the bug where the "keep-state" option was not noticed when 84 checking for state tracking rules in ipfw policies. 81 85 82 86 Mate Wierdl fwknop/trunk/ChangeLog
r1099 r1104 65 65 as possible within the boot sequence so that the system is ready to run 66 66 fwknop. 67 - Bugfix to not open ports that are not specifically requested in an SPA 68 packet even if those ports are listed in the OPEN_PORTS variable in the 69 access.conf file. 67 70 - Updated to version 5.47 of the Digest::SHA module. 68 71 - Updated to version 0.7 of the IPTables::ChainMgr module (includes fwknop/trunk/TODO
r1063 r1104 84 84 85 85 86 - Bugfix for opening all ports instead of just the requested ones.87 86 - Doc links in email messages linking back to help docs on cipherdyne.org 88 87 - Integrate with clients programs besides SSH. … … 123 122 - Firefox SPA extension. 124 123 - Finish fwknop tutorial. 125 - Bugfix for installing Digest::SHA via the RPM.fwknop/trunk/fwknopd
r1100 r1104 776 776 $digest, $access_hr) = @_; 777 777 778 my $allow_src = ''; 779 my %open_ports = (); 780 my %nat_info = (); 778 my $allow_src = ''; 779 my %open_ports = (); 780 my %grant_ports = (); 781 my %nat_info = (); 781 782 782 783 if ($access_hr->{'DISABLE_FW_ACCESS'}) { … … 838 839 839 840 if ($access_hr->{'PERMIT_CLIENT_PORTS'}) { 840 $ open_ports{$allow_proto}{$allow_port} = '';841 $grant_ports{$allow_proto}{$allow_port} = ''; 841 842 } else { 842 unless(defined $open_ports{$allow_proto} and843 if (defined $open_ports{$allow_proto} and 843 844 defined $open_ports{$allow_proto}{$allow_port}) { 845 $grant_ports{$allow_proto}{$allow_port} = ''; 846 } else { 844 847 &logr('[-]', "IP $allow_src not permitted to open " . 845 848 "$allow_proto/$allow_port (SOURCE line num: " . … … 868 871 869 872 if ($access_hr->{'PERMIT_CLIENT_PORTS'}) { 870 $ open_ports{$proto}{$port} = '';873 $grant_ports{$proto}{$port} = ''; 871 874 } else { 872 unless(defined $open_ports{$proto} and875 if (defined $open_ports{$proto} and 873 876 defined $open_ports{$proto}{$port}) { 877 $grant_ports{$proto}{$port} = ''; 878 } else { 874 879 &logr('[-]', "IP $allow_src not permitted to open " . 875 880 "$proto/$port (SOURCE line num: " . … … 932 937 } 933 938 my $port_ctr = 0; 934 for my $proto (keys % open_ports) {935 for my $port (keys %{$ open_ports{$proto}}) {939 for my $proto (keys %grant_ports) { 940 for my $port (keys %{$grant_ports{$proto}}) { 936 941 $port_ctr++; 937 942 } … … 984 989 ### grant access through the firewall 985 990 &grant_access($allow_src, $msg_hr, \%nat_info, 986 {}, \% open_ports, $access_hr);991 {}, \%grant_ports, $access_hr); 987 992 988 993 return 1;
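Review bot: The new `%grant_ports` hash at line 780 and the pre-existing `%open_ports` now carry different meanings — the configured allowlist versus the subset actually requested by the client — but neither declaration says so, and the two names are close enough that the next maintainer could pass the wrong one to `grant_access()` and reintroduce the over-grant this commit fixes. I would annotate the declarations inline, e.g. `my %open_ports  = ();   ### ports permitted by OPEN_PORTS in access.conf` and `my %grant_ports = ();  ### subset the SPA packet actually asked for; handed to grant_access()`. The permit check at new lines 843–846 is repeated verbatim at 875–878 (`if (defined $open_ports{$p} and defined $open_ports{$p}{$port})`), so a small private predicate such as `_port_is_permitted(\%open_ports, $proto, $port)` would keep both paths from drifting apart. What happens after the `&logr('[-]', ...)` rejection — whether a single disallowed port drops the whole packet or only that port — is outside the hunk, as is the rest of the enclosing routine, so that part of the behaviour is not reviewable here.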
