fwknop-1.8 (06/03/2007): - Added support for ipfw firewalls (found on *BSD systems). The IPTables::Parse and IPTables::ChainMgr modules are not installed on such systems. - Added gpg-agent support for both the fwknop client and fwknopd SPA server. - Updated client-only installation mode to restrict perl module installation to those module that are actually required by the fwknop client. This results in clean installs of the fwknop client on Windows systems running Cygwin. - Added --Defaults to install.pl so that fwknop can be installed without prompting the user to answer any questions. This is to make it easier to install fwknop on the Source Mage Linux distro. - Consolidated daemon config files into the fwknop.conf file (except for the access.conf file). This simplifies the configuration of fwknop. - Added recursive variable resolution in the parsing routines for the fwknop.conf file. This allows variable values to contain embedded variables. - Added init script for FreeBSD systems. - Added --BSD-install command line argument to install.pl. This is not normally necessary since the installer should detect installations on *BSD systems, but this option can force this behavior. - Updated knopmd and knopwatchd to use safe_malloc() instead of malloc(). - Bugfix to never time out rules from SOURCE blocks with FW_ACCESS_TIMEOUT set to zero fwknop-1.0.1 (01/09/2007): - Updated fwknopd to allow the GPG_REMOTE_ID variable to have the value "ANY" to allow a SOURCE block to match on arbitrary remote gpg signing keys (Leland Weathers). - Bugfix to allow OPEN_PORTS to be omitted in access.conf in favor of having only PERMIT_CLIENT_PORTS enabled (reported by Raul Siles). - Added the cd_rpmbuilder script to make it easy to build RPM's out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from http://www.cipherdyne.org/. fwknop-1.0 (11/05/2006): - Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header file. - Bugfix for access hashes accumluating when multiple ports are requested to be opened by a client. - Better validation of IPT_AUTO_CHAIN variable so that the from_chain cannot be identical to the to_chain. - Bugfix in RPM to install List::MoreUtils. - Bugfix so that the MD5 sum for an SPA packet is not examined for each SOURCE block. This fixes a problem where an SPA packet could appear to be replayed if multiple SOURCE blocks are defined in /etc/fwknop/access.conf. - Refactored main SPA access loop so that it is clearer how and when SPA clients are granted access. - Better handling of GnuPG key identifier strings (they can now contain spaces, and syslog messages wrap the identifiers with double quotes). - Added source IP address to command string in the SPA packet so that the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd server. - Added --Show-last-cmd and --Show-host-cmd args to fwknop so that the last fwknop command and the last fwknop host commands can be viewed. - Added the svn revision number to --Version and --help output. fwknop-0.9.9 (10/15/2006): - Added REQUIRE_SOURCE_ADDRESS (disabled by default) to force fwknop clients to know their source IP address (i.e. -s cannot be used). So, either fwknop clients have to use -R to resolve their externally routable address, or they must just know what it is. - Updated to Net-RawIP-0.21_03 for compatibility with gcc-4.x compilers. - Added List-MoreUtils-0.22 which is a dependency of the new Net::RawIP module. - Bugfix to restore "start" functionality in Gentoo init script. - Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables in fwknopd. - Added KNOPTM_IPT_OUTPUT_FILE and KNOPTM_IPT_ERROR_FILE variables specifically for the knoptm daemon so that it can use IPTables::ChainMgr completely independently of fwknopd (this removes a potential race condition between fwknopd and knoptm). fwknop-0.9.8 (09/17/2006): - Added the ability to ignore old SPA packets through use of the client-side time stamp. This means that an attacker cannot intercept an SPA packet, prevent it from being forwarded to its intended destination, and then put the packet on the wire at some time outside of the allowed time window. There are two new configuration options in fwknop.conf "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE" that control the length of the acceptable time window (2 minutes by default). This requires some level of synchronization between the fwknop client and the fwknopd server, but this is not onerous through the use of NTP. This feature is enabled by default, and the idea for it was contributed by Sebastien J. - Completely re-worked IPTables::ChainMgr to support the return of iptables error messages that are collected via stderr. This is critical to fixing any bugs where fwknopd could die as a result of a poorly crafted iptables command. but no information would be returned to the user. - Added the ability to specify the position for both the jump rule into the fwknopd chains as well as the position for new rules within the fwknopd chains via the -I argument to iptables. This fixes a bug where the user was given the impression that the IPTABLES_AUTO_RULENUM would accomplish this (IPTABLES_AUTO_RULENUM has been removed). - Updated fwknopd to require < 1500 byte payload length before attempting to decrypt. Also, GnuPG decrypts are not attempted unless the encrypted payload is at least 400 bytes long (this is conservative since even encrypting a single byte with a 1024-bit key will result in about 340 bytes of encrypted data). - Added the --gpg-default-key option to have fwknop use the default GnuPG key that is defined in the ~/.gnupg/options file. - Added the --URL command line argument so that a URL other than the default http://www.whatismyip.com/ can be provided by the user for external IP resolution (suggested by Sebastien J.). - Updated to be more rigorous with md5 sums; we now require that the md5_base64() function actually returns a non-null result. - Bugfix to make sure that only the users associated with the a specific REQUIRE_USERNAME value (in a specific SOURCE block in access.conf) are granted the appropriate access even if a valid encrypted packet is constructed from a different user name (by an fwknop client). - Populated the _debug option in the IPTables::ChainMgr module, and also added a _verbose option so that the specific iptables commands can actually be seen as IPTables::ChainMgr functions are called. - Added code to install.pl to update command paths in fwknop.conf and knopwatchd.conf if any of the paths are broken (i.e. the local system does not conform to the default paths). By default this only happens if the user does not want old configs to be merged, but to override this use the new --path-update command line argument to install.pl. - Added the --Skip-mod-install command line argument to install.pl to allow all perl module installs to be skipped. - Added the --force-mod-regex command line argument to install.pl to allow a regex match on perl module names to force matching modules to be installed. - Minor bugfix to generate better (i.e. closer to those that Firefox generates) http requests to http://www.whatismyip.com/). - Adapted Mate Wierdl's RPM patch from the psad project so that the fwknop RPM builds on x86_64 systems. - Removed iptables requirement in RPM spec file because fwknop may be installed on a system just to run the fwknop client. - Updated to email username mismatch errors. fwknop-0.9.7 (08/04/2006): - Added fwknop_serv to function as minimal TCP server over which SPA packets can be sent. This allows SPA to be compatible with the Tor network, which requires that a virtual circuit is established before traffic can be sent. - Updated to Crypt::CBC-2.18 after a vulnerability was discovered in previous versions of Crypt::CBC that caused weak ciphertext to be generated for algorithms that have blocksizes greater than 8 bytes (such as Rijndael used by fwknop). Manually specifying initialization vectors is not necessary now. - Updated SSH patch to support OpenSSH-4.3p2. - Bugfix to make sure to create /var/* directories if they don't exist (such as when /var is a tmpfs). - Bugfix (Dwayne Rightler) to restore -w IP lookup functionality after format change on data returned by whatismyip.com. - Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does not die if there are problems trying to decrypt data. This is necessary because of the security vulnerability fix in Crypt::CBC that creates some incompatibilities in different versions of Crypt::CBC. - Added "--L-host" command line argument so that the arguments used for multiple hosts are preserved and can be recalled. - Changed default user-agent setting for whatismyip.com lookups to Firefox/1.0.5.4; there is no need to gratuitously advertise fwknop traffic. - Updated GunPG HOWTO to provide a step-by-step guide to getting fwknop Single Packet Authorization working with GnuPG. - Updated to derive perl module versions from the VERSION files within each of the perl module source directories. fwknop-0.9.6 (01/13/2006): - Added GPG based authentication capability for SPA packets. This new mode can be configured to require that a GPG message be signed with a particular key or set of keys. - In GPG mode, the fwknop client now prints GPG errors to stdout if not running with --gpg-no-batch-mode. - Added the ability to require that the client know the UNIX crypt() password associated with a username on the server side. This functionality is enabled on the fwknop client with the "--Server-auth crypt" command line argument, and the REQUIRE_AUTH_METHOD variable in /etc/fwknop/access.conf on the fwknopd server. - Added patch against OpenSSH-4.2p1 to integrate SPA mode. This patch adds a "-K " argument to the SSH client so that fwknop can be executed directly before an SSH connection is made. - Separated server and client portions of fwknop into "fwknopd" and fwknop repectively. This will allow better portability to be developed since the client and server pieces can be developed more independently. NOTE: With so many changes, it is probably a good idea to not preserve old fwknop configs via install.pl. - Renamed all relevant fwknopd command and file paths to support new fwknopd server component. - Added --quiet mode (this is used by default in the OpenSSH patch). - Removed legacy port knocking installation in install.pl (fwknopfifo, and fwdata file) unless the data collection mode is set to syslog or syslog-ng for legacy iptables log messages. - Added inode checking for PCAP_PKT_FILE. This helps to ensure that log rotation schemes don't interfere with reading packets out of the file since this check is size independent. - Bugfix for Makefile debug mode. - Added compilation check for perl programs in install.pl before installation into the filesystem. - Bugfix for knopwatchd to make sure it can actually restart all running daemons properly. - Added --force-mod command line argument to install.pl to allow the user to force all perl modules to be be installed regardless of whether a module exists in the system perl lib tree. - Added --no-save-args to fwknop so that existing .fwknop.run file can be preserved (helps to testing new features of fwknop client). - Removed useless --encrypt command line argument (only the old shared port knock sequences are not encrypted). fwknop-0.9.5 (10/02/2005): - Added the ability to resolve the external IP associated with the local network via http://www.whatismyip.com. This is a more secure method of accomplishing what the -s option performs. The new command line option is --whatismyip (or just -w). - Updated fwknop to communicate with knoptm via a UNIX domain socket instead of the previous file-based communication. - Updated to flush the fwknop iptables chains at start time. - Bugfix for removing the wrong hash key in the knoptm IP cache. fwknop-0.9.4 (09/17/2005): - Bugfix for knoptm timing out new entries based on old time values (this caused new rules to timed out too quickly). - Added support for multiple users in REQUIRE_USERNAME keyword in access.conf. - Added the ability to display raw encrypted packet data in client mode with --verbose. - Created fwknop RPM for RPM-based Linux distributions. - Bugfix for inappropriate redirects in command mode where the command already contained a redirect. fwknop-0.9.3 (08/27/2005): - Added an on-disk cache of md5 sums so that the md5 sum check can survive restarts of fwknop. - Updated install.pl to be more friendly to Mac OS X (Blair Zajac). - Updated to allow access.conf variables to have values instead of just being defined. - Started on additional server authentication mode code (re-worked MD5 sum calculation to allow packet format to be extended by taking into account the fwknop version number). fwknop-0.9.2 (08/06/2005): - Added FILE_PCAP data collection method when running in server mode. This is a more general way of getting packets than the ULOG_PCAP mode since then a normal ethernet sniffer can be used to build the file. - Added the ability to re-open a pcap file if its size shrinks (i.e. it gets rotated out or something). - Bugfix for multiple rules with the same timestamp not being timed out by knoptm. - Integrated spoofing capability directly within fwknop (instead of using the knopspoof command) through the use of "require Net::RawIP". - Better multi-protocol support in server mode. Tcp and icmp packets are properly decoded now. fwknop-0.9.1 (07/29/2005): - Added the ability to specify multiple ports/protocols to access on a server with the --Access command line option. - Added the ability to spoof SPA packets over icmp and tcp protocols. - Added the ability to restrict access at the server to only those ports defined in the OPEN_PORTS keyword. This option is controled by a new keyword "PERMIT_CLIENT_PORTS". - Bugfix for MD5 sum not being properly calculated over decrypted data. This allowed old packets that contained additional garbage data to be replayed against an fwknop server. - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac). - Added --ipt-list to list all current rules in the FWKNOP iptables chains. - Added --ipt-flush to flush all current rules in the FWKNOP iptables chains. - Bugfix for the installer dying if ~/lib already exists (Blair Zajac). - Updated to delay the loading of server perl modules (Net::Pcap, etc.) only if we are running in server mode. - Bugfix for module directory paths in install.pl. fwknop-0.9.0 (05/29/2005): - Added new authorization mode that uses Net::Pcap to read packets out of a file that is written to by the ulogd pcap writer (also stubbed in code to sniff packets directly off the wire). This authorization mode only requires single packets, and has many characteristics that are better than simple port knocking, including being non-replayable, and much more data can be sent. This mode is now the default for both the server and the client. - Made the execution of knopmd optional depending on whether AUTH_MODE is a pcap mode (e.g. ULOG_PCAP or PCAP). - Added --Spoof-src argument so that encrypted packets can be spoofed via /usr/sbin/knopspoof. - Added /usr/sbin/knoptm so that firewall rules can be timed-out when the server is running in PCAP mode even if new packets don't appear on the wire. - Updated fwknop man page to talk about the new pcap-based authorization mode. fwknop-0.5.0 (03/19/2005): - Added ALERTING_METHOD to allow syslog and/or email reporting to be disabled (there is a dedicated file /etc/fwknop/alert.conf that governs this behavior, and both fwknop and knopwatchd reference this file). - Bugfix for distinguishing OPT field associated with --log-tcp-options vs. --log-ip-options. - Added install_perl_module() install.pl from psad to provide a consistent installation interface. - Applied patch to only install perl modules that are not already installed (Blair Zajac). - Added --last-cmd option to allow fwknop to be executed with command line arguments from the previous execution (they are saved in ~/.fwknop.run). - Added --Home-dir option to allow the home directory to be manually specified. - Re-worked get_homedir() to be more friendly to systems that do not necessarily have /etc/passwd (e.g. OS X). - Added configuration preservation and querying for which syslog daemon is running to install.pl. These features were adapted from the psad installer (http://www.cipherdyne.org/psad). - Added IPTables::ChainMgr. Fwknop uses this module to maintain dedicated chains to which access rules are added. - Added IPTables::Parse, which is used internally by IPTables::ChainMgr. - Added __WARN__ and __DIE__ handlers so errors can easily be collected. fwknop-0.4.2 (09/27/2004): - Added init script for Fedora systems. - Added --Kill, --Restart, and --Status modes (this fixes the generic init script which depends on these arguments). fwknop-0.4.1 (09/14/2004): - Bugfix for legacy posf code in fwknop and variable in fwknop.conf. fwknop-0.4 (09/10/2004): - Added ability to specify multiple IPs/networks in a single SOURCE definition. - Better examples section in the fwknop manpage. - Bugfix to make sure EMAIL_ADDRESSES variable does not contain commas (any commas are translated into spaces). - Added LICENSE file. fwknop-0.3 (08/21/2004): - Bugfix for tracking knock sequences by source IP address. - Bugfix for knock sequence timeouts. - Removed old passive OS fingerprinting code in favor of the p0f strategy. - Added support for taking encryption keys from a file specified on the command line. - Update to send "sequence decrypt failed" email message only if decryption failed for all encrypt sequence SOURCE blocks. fwknop-0.2 (07/31/2004): - Implemented remote username checking in encrypted sequences. - Added support for icmp in knock sequences. - Added protocol rotation option for encrypted sequences. - Added code for multiple SOURCE access blocks with the same source net/IP. - Added KNOCK_LIMIT access control variable to limit the number of times a particular knock sequence is honored. - Added email alerts. fwknop-0.1 (07/08/2004): - Initial release.