Changeset 1243
- Timestamp:
- 09/13/08 23:02:42 (3 months ago)
- Files:
-
- fwknop/trunk/CREDITS (modified) (1 diff)
- fwknop/trunk/ChangeLog (modified) (1 diff)
- fwknop/trunk/fwknopd (modified) (2 diffs)
- fwknop/trunk/test/conf/blacklist_dashA_IP_fwknop.conf (added)
- fwknop/trunk/test/fwknop_test.pl (modified) (3 diffs)
fwknop/trunk/CREDITS
r1242 r1243 167 167 and in the knoptm daemon since functions from this module were never 168 168 actually used. 169 - Bugfix to make sure to apply BLACKLIST checks to IP addresses specified 170 with -a (or derived via -R) in addition to the source IP in the IP 171 header (which can be modified via --Spoof-src). 169 172 170 173 Jose Luis Bellido fwknop/trunk/ChangeLog
r1242 r1243 5 5 sure randomness is high or to test encryption properties over large 6 6 sets of SPA packets). 7 - Bugfix to make sure to apply BLACKLIST checks to IP addresses specified 8 with -a (or derived via -R) in addition to the source IP in the IP 9 header (which can be modified via --Spoof-src). (Franck Joncourt 10 submitted a patch for this.) 7 11 - Bugfix to ensure that the permissions for the 8 12 /var/run/fwknop/knopwatchd.pid file are set to 0600 (noticed by Franck fwknop/trunk/fwknopd
r1232 r1243 938 938 } 939 939 940 if (&is_ip_included($allow_src, $blacklist_ar, $blacklist_exclude_ar)) { 941 print STDERR localtime() . " [+] SPA_access() ", 942 "$allow_src in BLACKLIST" if $debug; 943 &logr('[-]', "allow IP: $allow_src SPA packet from $src_ip is " . 944 "blacklisted (SOURCE line num: " . 945 "$access_hr->{'src_line_num'})", $SEND_MAIL); 946 return 0; 947 } 948 940 949 ### initialize to the OPEN_PORTS directives (if defined; we know that 941 950 ### either OPEN_PORTS or PERMIT_CLIENT_PORTS was specified in the … … 1159 1168 return 0; 1160 1169 } 1170 } 1171 1172 if (&is_ip_included($cmd_ip, $blacklist_ar, $blacklist_exclude_ar)) { 1173 print STDERR localtime() . " [+] SPA_cmd() ", 1174 "$cmd_ip in BLACKLIST" if $debug; 1175 &logr('[-]', "cmd IP: $cmd_ip SPA packet from $src_ip is " . 1176 "blacklisted (SOURCE line num: " . 1177 "$access_hr->{'src_line_num'})", $SEND_MAIL); 1178 return 0; 1161 1179 } 1162 1180 fwknop/trunk/test/fwknop_test.pl
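Review bot: The new BLACKLIST checks at 940–947 and 1172–1178 carry no comment saying why a second address is checked when the IP-header source is presumably already screened; since the -a/-R value is supplied by the client and --Spoof-src can set the header source (per the ChangeLog entry in this changeset), a line such as `### the -a/-R address is client-supplied, so it gets the same BLACKLIST check as the IP header source` above each `if (&is_ip_included(...))` would keep that intent visible to whoever next touches the rule-building code. The two blocks are identical apart from the variable and the `SPA_access()`/`SPA_cmd()` label, so any later change to the message format has to be made twice; the `&`-prefixed calls match the rest of the file. Both enclosing subs, SPA_access() and SPA_cmd(), start and end outside the hunk, so where the checks sit relative to any earlier accept path cannot be judged here.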
r1232 r1243 69 69 my $restricted_forward_access_conf = "$conf_dir/forward_internal_ip_access.conf"; 70 70 my $no_loopback_ip_match_access_conf = "$conf_dir/no_loopback_ip_match_access.conf"; 71 my $blacklist_dashA_IP_fwknop_conf = "$conf_dir/blacklist_dashA_IP_fwknop.conf"; 71 72 my $pk_fwknop_conf = "$conf_dir/pk_fwknop.conf"; 72 73 my $pk_encrypted_sequence_conf = "$conf_dir/pk_encrypted_sequence_access.conf"; … … 442 443 &stop_fwknopd_quiet('(Blacklist src)'); 443 444 445 ### blacklisted -a 127.0.0.2 address 446 &test_driver('(Blacklist src) Generating blacklisted -a SPA packet', 447 \&non_matching_source_generation); 448 &test_driver('(Blacklist src) Sniffing SPA packet', 449 \&blacklist_dashA_net_source_block); 450 &test_driver('(Blacklist src) Making sure firewall rules do not exist', 451 \&fw_rules_removed); 452 &stop_fwknopd_quiet('(Blacklist src)'); 453 444 454 ### test multi-SOURCE access.conf configuration 445 455 &test_driver('(Multi-SOURCE) Generating SPA access packet', … … 1224 1234 } 1225 1235 1236 sub blacklist_dashA_net_source_block() { 1237 1238 if (&run_fwknopd($cache_encrypted_spa_packet, 1239 $blacklist_dashA_IP_fwknop_conf, $default_access_conf)) { 1240 1241 ### now that fwknopd has exited, see if the SPA packet was valid 1242 my $found_blacklist_match = 0; 1243 open SE, "< $current_test_file" 1244 or die "[*] Could not open $current_test_file: $!"; 1245 while (<SE>) { 1246 if (/in\s+BLACKLIST/) { 1247 $found_blacklist_match = 1; 1248 last; 1249 } 1250 } 1251 close SE; 1252 unless ($found_blacklist_match) { 1253 return &print_errors("[-] fwknopd " . 1254 "accepted blacklisted SPA packet"); 1255 } 1256 return 1; 1257 } 1258 return &print_errors("[-] Sniff alarm ($sniff_alarm seconds) expired"); 1259 } 1260 1226 1261 sub non_matching_source_block() { 1227 1262
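Review bot: `blacklist_dashA_net_source_block()` (1236–1259) looks for `/in\s+BLACKLIST/`, which in the fwknopd hunk of this changeset is the `print STDERR ... if $debug` line, while the unconditional `&logr` message says "is blacklisted"; unless run_fwknopd() (outside this hunk) turns debug output on, the test would report the packet as accepted even when fwknopd rejected it. Matching either form, `if (/in\s+BLACKLIST|is\s+blacklisted/) {`, removes that dependency on the debug setting. The file read at 1243–1251 uses a bareword handle and a two-arg open; `open my $se, '<', $current_test_file or die "[*] Could not open $current_test_file: $!";` with `while (my $line = <$se>)`, `$line =~ /.../` and `close $se` is the safer form, though the bareword style may be what the rest of the file uses. The three new test_driver calls at 446–451 reuse the '(Blacklist src)' label of the preceding group; a label such as '(Blacklist -a)' would tell the two cases apart in the test output.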
