fwknop-1.9.4 (06/01/2008):

- Added two new port randomization options. The first instructs the fwknop client to select a random port between 10,000 and 65,535 as the destination port over which to send an SPA packet. This feature is enabled with a new command line argument "--rand-port" like so:

    $ fwknop -A tcp/22 --rand-port -R -D 11.1.1.1

  On the fwknopd server side, the default PCAP_FILTER setting of "udp port 62201" should be changed to "udp dst portrange 10000-65535" so that fwknopd can sniff SPA packets that are sent over randomized destination ports. Randomizing the destination port makes it more difficult to write IDS signatures to detect fwknop SPA communications.

  The second port randomization technique uses a new SPA message type to tell the fwknopd daemon to create a NAT rule for access to a local socket via the iptables INPUT chain. This allows an SSH client to reach the local SSHD daemon running on the fwknopd server system by SSH'ing to the random port. This functionality is implemented via two new command line arguments on the fwknop client command line: "--NAT-rand-port" (to instruct fwknop to select a random port over which the follow-on connection will be made), and "--NAT-local" (to instruct the fwknopd server that new firewall rules should NAT an incoming connection to the randomly selected port). Here is an example:

    $ fwknop -A tcp/22 --NAT-rand-port --NAT-local -R -D 11.1.1.1

  Now the fwknop client will select a random port to NAT the incoming connection. So say it selects port 31001 (as indicated by the output of fwknop on the command line as displayed below) - then you would SSH to this port to access the real SSH daemon on the system where fwknopd is running:

    [+] Sending 206 byte message to 127.0.0.1 over udp/46245...
    Requesting NAT access to tcp/22 on 127.0.0.1 via port 31001

    $ ssh -p 31001 <user>@11.1.1.1

  Note that in this case it is not necessary to use --NAT-access since the fwknopd daemon knows that access is requested to a local service (so an internal IP address does not have to be specified).

- Added the ability to specify the port that SPA packets are sent over with the fwknop client by using the syntax "<host>:<port>". So, for example, to have the client send an SPA packet to 11.1.1.1 over UDP port 12345 (instead of the default of 62201), one could use the following command:

    $ fwknop -A tcp/22 -R -D 11.1.1.1:12345

- Bugfix to add a check for "keep-state" in ipfw policies in addition to the existing "check-state" check (noticed by Sebastien Jeanquier).
- Updated the install.pl script to try to determine the OS type as early as possible during the install process.
- Added the MIN_SPA_PKT_LEN variable with 150 (bytes) as the default. This allows fwknopd to ignore packets that are not at least this many bytes (including packet headers) before any decryption attempt is made.
- Added --time-offset-plus and --time-offset-minus args to the fwknop client command line. This allows the time stamp within an SPA packet to be influenced without setting the system clock (which normal users cannot usually do). This is useful for when the client and server systems have clocks that are out of sync.
- Bugfix on Ubuntu systems to make sure that the fwknop init script is installed with a priority of 99 instead of 20 - this puts fwknop as late as possible within the boot sequence so that the system is ready to run fwknop.
- Bugfix to not open ports that are not specifically requested in an SPA packet even if those ports are listed in the OPEN_PORTS variable in the access.conf file.
- Updated to version 5.47 of the Digest::SHA module.
- Updated to version 0.7 of the IPTables::ChainMgr module (includes perldoc documentation).
- Updated to version 0.6 of the IPTables::Parse module (includes perldoc documentation).
- Added NAT, port randomization, and time offset option discussions to the fwknop(8) man page.

fwknop-1.9.3 (04/05/2008):

- Added MASQUERADE and SNAT support to complement inbound DNAT connections for SPA packets that request --Forward-access to internal systems. This functionality is only enabled when both ENABLE_IPT_FORWARDING and ENABLE_IPT_SNAT are set, and is configured by two new variables IPT_MASQUERADE_ACCESS and IPT_SNAT_ACCESS which define the iptables interface for creating SNAT rules. SNAT supplements to DNAT rules are not usually necessary because internal systems usually have a route back out to the Internet, but this feature accommodates those systems that do not have such a route. By default, the MASQUERADE target is used if ENABLE_IPT_SNAT is enabled because this means that the external IP does not have to be manually defined. However, the external IP can be defined by the SNAT_TRANSLATE_IP variable.
- Added hex_dump() feature for fwknop client so that raw encrypted SPA packet data can be displayed in --verbose mode.
- When ENABLE_IPT_FORWARDING is set, added a check for the value of the /proc/sys/net/ipv4/ip_forward file to ensure that the local system allows packets to be forwarded. Unless ENABLE_PROC_IP_FORWARD is disabled, fwknopd will automatically set the ip_forward file to "1" if it is set to "0" (again, only if ENABLE_IPT_FORWARDING is enabled).
- Minor bugfix to remove sys_log() call in legacy port knocking mode.
- Minor bugfix to expand both the Id and Revision tags via the svn:keywords directive.

fwknop-1.9.2 (03/12/2008):

- Crypt::CBC adds the string "Salted__" to the beginning of the encrypted text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop client was updated to delete the encoded version of this string "U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire.
  The fwknopd server will add this string back in before decrypting. This makes it harder to write an IDS signature that looks for fwknop traffic, e.g. one that looks for the default prefix string "U2FsdGVkX1" over UDP port 62201, which would work for fwknop clients < 1.9.2 (as long as the port number is not changed with --Server-port).
- Added more granular source IP and allowed IP tests so that access to particular internal IP addresses can be excluded in --Forward-access mode. A new keyword "INTERNAL_NET_ACCESS" is now parsed from the access.conf file in order to implement these restrictions.
- (SPAPICT Group) Added BLACKLIST functionality to allow source IP addresses to easily be excluded from the authentication process.
- (Grant Ferley) Submitted patch to handle SIGCHLD in IPTables::ChainMgr.
- (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for packet capture (e.g. PPPoE interfaces).
- (SPAPICT Group) Applied modified version of the client-defined access timeout patches submitted by the PICT SPA Group. There are two new message types to facilitate client timeouts; one for normal access mode, and the other for the FORWARD access mode. In the access.conf file, there is also a new variable "PERMIT_CLIENT_TIMEOUT" to allow each SOURCE stanza to allow client-defined timeouts or not.
- (SPAPICT Group) Submitted patches to include support for the SHA1 digest algorithm for SPA packet replay attack detection. I modified these patches for maximum configurability (see the --digest-alg argument on the fwknop command line), and the ability to use the SHA256 algorithm as well. The default path to the /var/log/fwknop/md5sums file has been changed to /var/log/fwknop/digest.cache, and the default digest algorithm is now SHA256 (but this is tunable via the DIGEST_TYPE variable in the fwknop.conf file).
- Added the Digest::SHA perl module in support of the SHA1 and SHA256 digest algorithms for replay attack detection and SPA message integrity.
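As an added illustration (not code from fwknop itself), the following Python shows the 1.9.2 prefix handling described above: the client drops the 10 base64 characters that a leading "Salted__" always produces, the server puts them back before decoding, and a prefix-matching check of the kind the entry describes catches the old wire form but not the new one. The salt and ciphertext bytes are constructed stand-ins for Crypt::CBC output, and the function names are this example's own.

```python
import base64
import os

# Crypt::CBC (like OpenSSL "enc") prepends this 8-byte magic plus an 8-byte
# salt to the ciphertext. Base64 maps 3 input bytes to 4 characters, so the
# first 10 characters of the encoding depend only on the first 8 bytes, i.e.
# on "Salted__" alone, regardless of salt or ciphertext.
SALTED_MAGIC = b"Salted__"
SALTED_B64_PREFIX = "U2FsdGVkX1"


def b64_salted_prefix() -> str:
    """Derive the constant prefix from the magic instead of trusting the literal."""
    probe = base64.b64encode(SALTED_MAGIC + b"\x00").decode()
    return probe[:10]


def client_strip_prefix(b64_ciphertext: str) -> str:
    """fwknop >= 1.9.2 client side: drop the predictable prefix before sending."""
    if not b64_ciphertext.startswith(SALTED_B64_PREFIX):
        raise ValueError("ciphertext does not carry the Salted__ header")
    return b64_ciphertext[len(SALTED_B64_PREFIX):]


def server_restore_prefix(wire_payload: str) -> bytes:
    """fwknopd >= 1.9.2 side: put the prefix back, then base64-decode.
    The wire form on its own is not valid base64 any more, which is the point."""
    return base64.b64decode(SALTED_B64_PREFIX + wire_payload)


def matches_legacy_signature(udp_payload: bytes) -> bool:
    """The IDS-style check the changelog entry describes: it fires on traffic
    from clients older than 1.9.2 and misses the stripped 1.9.2+ form."""
    return udp_payload.startswith(SALTED_B64_PREFIX.encode())


def build_salted_blob(salt: bytes, ciphertext: bytes) -> bytes:
    """Constructed stand-in for Crypt::CBC output: magic + salt + ciphertext."""
    if len(salt) != 8:
        raise ValueError("Crypt::CBC salts are 8 bytes")
    return SALTED_MAGIC + salt + ciphertext


def roundtrip_demo() -> dict:
    """Client strips, server restores; report what a prefix signature sees."""
    salt = bytes(range(8))          # constructed, not a real salt
    ciphertext = os.urandom(32)     # stands in for Rijndael output
    blob = build_salted_blob(salt, ciphertext)
    encoded = base64.b64encode(blob).decode()
    wire = client_strip_prefix(encoded)
    recovered = server_restore_prefix(wire)
    return {
        "legacy_detectable": matches_legacy_signature(encoded.encode()),
        "new_detectable": matches_legacy_signature(wire.encode()),
        "roundtrip_ok": recovered == blob,
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

Stripping the prefix only removes a fixed string; the salt and ciphertext that follow are still there, so the change costs nothing cryptographically and only denies a signature its easiest anchor.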
- Added full packet hex dumps (including packet headers) to fwknopd in --debug --verbose mode. This is to help diagnose packet sniffing issues over the loopback interface on Mac OS X (first reported by Sebastien Jeanquier).
- (Test suite) Bugfix to ensure that the FWKNOP_DIR variable is set to the local output/ directory in several of the test config files in the test/conf/ directory.
- (Test suite) Added several tests for configurable digest algorithms in support of the SHA256, SHA1, and MD5 digest changes made by the SPAPICT Group.
- Updated the fwknop client to always call encode_base64() with the string to encode along with a second null-string argument to force all encoded data to not include line breaks.
- Bugfix in install.pl to not test for the iptables command on non-Linux systems, and to not test for the ipfw command on systems that are Linux.
- (Test suite) Updated to include the /proc/config.gz file so that the kernel config can be reviewed (not all Netfilter hooks are necessarily compiled in).

fwknop-1.9.1 (01/26/2008):

- Added ENABLE_OUTPUT_ACCESS keyword to access.conf file parsing. This provides a similar configuration gate for the iptables OUTPUT chain to the ENABLE_FORWARD_ACCESS keyword, and adds the ability to control which access.conf SOURCE blocks interface to the OUTPUT chain.
- Better installation support for various Linux distributions including Fedora 8 and Ubuntu. The current runlevel is now acquired via the "runlevel" command instead of attempting to read /etc/inittab (which does not even exist on Ubuntu 7.10), and there are new command line arguments --init-dir, --init-name, and --runlevel to allow the init directory, init script name, and the runlevel to be manually specified on the install.pl command line.
- Added command line argument display to fwknop client --verbose mode.
- Updated the test suite to include OUTPUT chain tests, reference access.conf files in the test/conf/ directory, and perform SPA packet format validation tests by parsing fwknopd output.
- Updated fwknopd to always use the -c argument on the knoptm command line (this makes sure that the test suite usage of fwknopd causes knoptm to reference the correct configuration).
- Updated IPTables::ChainMgr to print iptables command output to stdout or stderr if running in debug or verbose mode.
- Added --Exclude-mod-regex to install.pl so that the installation of particular perl modules that match the supplied regex can be skipped.
- Added SIGALRM wrapper to the test suite since some libpcap and system combinations break the ability of fwknopd to sniff packets.
- Added srand() call to the fwknop client (this is useful for older versions of perl which do not automatically call srand() at the first rand() call if srand() was not already called).
- Added a test to the test suite for sniffing packets over the loopback interface.
- Added SPA packet aging test to the test suite to ensure that packet expirations work properly (this feature protects against MITM attacks where a valid SPA packet is stopped by an inline attacker and retransmitted at a later time to acquire access).
- Added a file (test.log) to collect test suite console output.
- Added --Prepare-results argument to test suite to anonymize test results and create a tarball that can be emailed to a third party to assist in debugging fwknop if there are any issues.
- Added full firewall policy dumps and the collection of system specifics to the test suite. This makes it easy to send the output directory and the test.log file to developers to assist in debugging (no information is sent anywhere except as part of a manual process of course, and addresses can be anonymized with --Prepare-results - loopback addresses are not modified).
- Added --fw-del-ip argument to fwknopd so that a specific IP address can be removed from the local firewall policy (this is used by the test suite to ensure that if a test for removed firewall rules fails then subsequent tests will not also fail because they are no longer tracked by a running knoptm instance).
- Added a test to the test suite to collect fwknopd syslog output. This is useful to see if a mechanism such as SELinux is deployed in a manner that prevents normal fwknop communications.
- Bugfix to track MD5 digest for SPA command mode packets.
- Bugfix in fwknopd to not open ports listed in OPEN_PORTS in the absence of the PERMIT_CLIENT_PORTS directive when an SPA packet contains a request for access to a port not listed in OPEN_PORTS.
- Added --verbose flag to fwknopd commands issued by the test suite so that more data is collected for debugging analysis.
- Added GnuPG tests to the test suite with dedicated keys (for use only with the test suite) in the test/conf/client-gpg and test/conf/server-gpg directories.
- Added digest file validation to test suite to make sure that fwknopd correctly tracks SPA packet MD5 digests.
- Updated to search for the state tracking rule in any iptables chain (many iptables policies have user-defined chains that can be a bit complicated to parse).
- Updated install.pl to be more strict in stopping any running fwknopd processes.

fwknop-1.9.0 (12/15/2007):

- Added a test suite so that fwknop and fwknopd functionality can be automatically tested over the loopback interface (see the fwknop_test.pl script in the test/ directory).
- Major update to allow SPA packets to create DNAT connections to internal systems through the FORWARD chain (iptables only). This is useful to connect through to internal systems (that may be running on non-routable IP addresses) via a border firewall or router that is running fwknopd to create inbound DNAT rules.
- Added support for the iptables OUTPUT chain via two new variables in the fwknop.conf file: ENABLE_IPT_OUTPUT and IPT_OUTPUT_ACCESS. This is useful for iptables firewalls that are not running the conntrack modules and that have a restrictive OUTPUT chain (so SYN/ACK responses are not allowed out without an explicit ACCEPT rule).
- Added the ability to force the fwknopd and knoptm daemons to restart themselves (via knopwatchd) after a configurable timeout (see the ENABLE_VOLUNTARY_EXITS and EXIT_INTERVAL variables in the /etc/fwknop/fwknop.conf file). This feature is for those that want fwknopd to go through its initialization routine periodically just in case there is a logic (or other) bug that might result in fwknopd not accepting a valid SPA packet. NOTE: This feature is disabled by default, and is not normally needed since fwknopd is quite stable in most deployments.
- Major update to perform all firewall rule expirations with knoptm, which is now started in all data collection modes. Older versions of fwknopd maintained their own firewall rule expiration code for the FILE_PCAP, ULOG_PCAP, and KNOCK modes, so two mechanisms were being maintained for the same purpose. The 1.9.0 release fixes this oversight.
- Minor bugfix to have knopwatchd generate syslog messages whenever an fwknop daemon needs to be restarted.
- Added --interface command line argument to install.pl to allow the sniffing interface to be specified from the command line. Also updated install.pl to enforce a 10-try maximum for attempting to accept a valid interface name from the command line (LANG env issues can exist sometimes).
- Updated SPA packet format for server_auth and forward_info elements; the internal MD5 sum is now always the last field in an SPA packet. This makes extensions of the SPA protocol much easier, and the generation of SPA packets more elegant. Also, SPA packet validation has been improved to ensure that fields that are supposed to be digits really only contain integer data.
- Added ENABLE_FORWARD_ACCESS variable to the access.conf file, and added ENABLE_IPT_FORWARDING to the fwknop.conf file. These variables provide the per-SOURCE ability to create DNAT connections through the FORWARD chain.
- Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS in fwknop.conf.
- Added --Forward-access argument to the fwknop client.
- Added client version number to syslog messages generated by fwknopd when a valid SPA packet is received.
- Added human readable timestamp to MD5 cache. Here is an example of the updated format:

    127.0.0.1 X6WF2C29kEgAv4aDJ8TDeQ [Wed Nov 28 09:24:46 2007]

- Added --Count argument to fwknopd so that it calls exit() when the specified number of packets is monitored.
- Added --no-logs argument to knoptm in support of the test suite so that no emails are generated.
- Bugfix in fwknopd to account for non-Ethernet link layer header over *BSD loopback interfaces.
- Added --Save-dst argument to the fwknop client to add a priority file to store client command line arguments (~/.fwknop.save). This file is only overwritten when --Save-dst is used.
- Added fwknopd --fw-del-chains to allow the fwknopd iptables chains to easily be deleted.
- Minor fwknopd bugfix to set process exit status to 0 when --Kill is used.

fwknop-1.8.3 (11/17/2007):

- Updated external IP resolution to point to http://www.whatismyip.org, and added http://www.cipherdyne.org/cgi/clientip.cgi as a backup site for fwknop IP resolution.
- Added storage of source IP along with SPA MD5 sum. This allows the user to infer which networks are more hostile if an SPA packet is replayed.
- Added SPA packet hex dumps in 'fwknopd --debug' mode so that the integration of third-party encryption algorithms is easier to troubleshoot. Sean Greven contributed a patch for this.
- Reinstated the legacy port knocking mode.
  It appears that all encrypted output from the updated Crypt::Rijndael module is at least 32 bytes long, so port knocking sequences are now 32 bytes long as well (they were previously 16 bytes long in old versions of fwknop).
- Bugfix to ensure the key length is at least 8 chars in --get-key mode.
- Minor update to remove init message on OS X install.
- Updated install.pl to set the LANG environment variable to "en_US.UTF-8". This should fix the problem where the output of ifconfig was not interpreted correctly if the locale LANG setting is not English.
- Implemented verbose email alerting by setting the ALERTING_METHODS variable to "verbose". This instructs fwknopd to generate a new email message for each message that it normally logs via syslog (this feature is not the default, and must be manually enabled).

fwknop-1.8.2 (09/15/2007):

- Added fwknopd server support for Mac OS X. The Darwin uname return string is detected and this enables Darwin-specific installation code in install.pl.
- Updated to not print sensitive key/password information in --debug mode with fwknopd.
- Bugfix for install.pl on Windows 2003 Server running under Cygwin where 'uname -o' output is reported as 'Gygwin' for some reason.
- Added --Cygwin-install command line argument to install.pl to force client-only fwknop install on Cygwin systems.
- Added --OS-type command line argument to install.pl to allow the user to force the installation type.
- Updated to version 1.04 of Crypt::Rijndael. This fixes incompatibilities in SPA packets between 64-bit and 32-bit platforms.
- Bugfix to enforce a maximum of 20 tries to read a password from stdin.
- Applied TCP options parsing fix from psad for invalid zero or one length fields that break TLV encoding (this is for fwknopd, and only applies to the legacy port knocking mode).
- Added code to fwknopd to check to see if there are any state tracking rules in place within the local iptables or ipfw policy.
- Made syslog identity, facility, and priority configurable (applied code from the psad project).
- Implemented --fw-list for ipfw firewalls.
- Bugfix for knoptm removing ipfw rules too quickly after not timing out previously instantiated rules properly.
- Implemented smarter cache removal strategy in knoptm so that rules that are manually removed from the running iptables or ipfw policy are also removed from the cache.
- Added /var/log/fwknop/errs/fwknopd.{warn,die} tracking to the fwknopd daemon for the PCAP modes of collecting packet data. Added knoptm{warn,die} files for knoptm as well.
- Bugfix to import the GnuPG::Interface module in --get-key mode.
- Bugfix to send source IP as a part of the command message in command mode so that REQUIRE_SOURCE_ADDRESS controls can be applied.
- Added --Test-mode to fwknop client so that SPA packets can be built but never sent over the network.

fwknop-1.8.1 (06/06/2007):

- Bugfix to ensure that the "keep-state" directive is added to firewall rules on systems running the ipfw firewall.
- Added the --Save-packet and --Save-packet-file command line arguments to the fwknop client. These options instruct fwknop to save a copy of an encrypted SPA packet before it is sent across the network.
- Bugfix to find minimal unused ipfw rule number for ipfw firewalls. This fixes an issue where ipfw rules added by fwknopd could be inserted at the same position as rules from an existing ipfw policy. While ipfw allows duplicate rules, whenever such a rule is deleted by its rule number all matching rules are deleted.

fwknop-1.8 (06/03/2007):

- Added support for ipfw firewalls (found on *BSD systems). The IPTables::Parse and IPTables::ChainMgr modules are not installed on such systems.
- Added gpg-agent support for both the fwknop client and fwknopd SPA server.
- Updated client-only installation mode to restrict perl module installation to those modules that are actually required by the fwknop client.
  This results in clean installs of the fwknop client on Windows systems running Cygwin.
- Added --Defaults to install.pl so that fwknop can be installed without prompting the user to answer any questions. This is to make it easier to install fwknop on the Source Mage Linux distro.
- Consolidated daemon config files into the fwknop.conf file (except for the access.conf file). This simplifies the configuration of fwknop.
- Added recursive variable resolution in the parsing routines for the fwknop.conf file. This allows variable values to contain embedded variables.
- Added init script for FreeBSD systems.
- Added --BSD-install command line argument to install.pl. This is not normally necessary since the installer should detect installations on *BSD systems, but this option can force this behavior.
- Updated knopmd and knopwatchd to use safe_malloc() instead of malloc().
- Bugfix to never time out rules from SOURCE blocks with FW_ACCESS_TIMEOUT set to zero.

fwknop-1.0.1 (01/09/2007):

- Updated fwknopd to allow the GPG_REMOTE_ID variable to have the value "ANY" to allow a SOURCE block to match on arbitrary remote gpg signing keys (Leland Weathers).
- Bugfix to allow OPEN_PORTS to be omitted in access.conf in favor of having only PERMIT_CLIENT_PORTS enabled (reported by Raul Siles).
- Added the cd_rpmbuilder script to make it easy to build RPMs out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from http://www.cipherdyne.org/.

fwknop-1.0 (11/05/2006):

- Bugfix for OpenSSH-4.3p2 patch to make sure to include the spa.h header file.
- Bugfix for access hashes accumulating when multiple ports are requested to be opened by a client.
- Better validation of IPT_AUTO_CHAIN variable so that the from_chain cannot be identical to the to_chain.
- Bugfix in RPM to install List::MoreUtils.
- Bugfix so that the MD5 sum for an SPA packet is not examined for each SOURCE block.
  This fixes a problem where an SPA packet could appear to be replayed if multiple SOURCE blocks are defined in /etc/fwknop/access.conf.
- Refactored main SPA access loop so that it is clearer how and when SPA clients are granted access.
- Better handling of GnuPG key identifier strings (they can now contain spaces, and syslog messages wrap the identifiers with double quotes).
- Added source IP address to command string in the SPA packet so that the REQUIRE_SOURCE_ADDRESS criteria can be applied by the fwknopd server.
- Added --Show-last-cmd and --Show-host-cmd args to fwknop so that the last fwknop command and the last fwknop host commands can be viewed.
- Added the svn revision number to --Version and --help output.

fwknop-0.9.9 (10/15/2006):

- Added REQUIRE_SOURCE_ADDRESS (disabled by default) to force fwknop clients to know their source IP address (i.e. -s cannot be used). So, either fwknop clients have to use -R to resolve their externally routable address, or they must just know what it is.
- Updated to Net-RawIP-0.21_03 for compatibility with gcc-4.x compilers.
- Added List-MoreUtils-0.22 which is a dependency of the new Net::RawIP module.
- Bugfix to restore "start" functionality in Gentoo init script.
- Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables in fwknopd.
- Added KNOPTM_IPT_OUTPUT_FILE and KNOPTM_IPT_ERROR_FILE variables specifically for the knoptm daemon so that it can use IPTables::ChainMgr completely independently of fwknopd (this removes a potential race condition between fwknopd and knoptm).

fwknop-0.9.8 (09/17/2006):

- Added the ability to ignore old SPA packets through use of the client-side time stamp. This means that an attacker cannot intercept an SPA packet, prevent it from being forwarded to its intended destination, and then put the packet on the wire at some time outside of the allowed time window.
  There are two new configuration options in fwknop.conf, "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE", that control the length of the acceptable time window (2 minutes by default). This requires some level of synchronization between the fwknop client and the fwknopd server, but this is not onerous through the use of NTP. This feature is enabled by default, and the idea for it was contributed by Sebastien J.
- Completely re-worked IPTables::ChainMgr to support the return of iptables error messages that are collected via stderr. This is critical to fixing any bugs where fwknopd could die as a result of a poorly crafted iptables command, but no information would be returned to the user.
- Added the ability to specify the position for both the jump rule into the fwknopd chains as well as the position for new rules within the fwknopd chains via the -I argument to iptables. This fixes a bug where the user was given the impression that the IPTABLES_AUTO_RULENUM would accomplish this (IPTABLES_AUTO_RULENUM has been removed).
- Updated fwknopd to require < 1500 byte payload length before attempting to decrypt. Also, GnuPG decrypts are not attempted unless the encrypted payload is at least 400 bytes long (this is conservative since even encrypting a single byte with a 1024-bit key will result in about 340 bytes of encrypted data).
- Added the --gpg-default-key option to have fwknop use the default GnuPG key that is defined in the ~/.gnupg/options file.
- Added the --URL command line argument so that a URL other than the default http://www.whatismyip.com/ can be provided by the user for external IP resolution (suggested by Sebastien J.).
- Updated to be more rigorous with md5 sums; we now require that the md5_base64() function actually returns a non-null result.
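The following Python is an added example, not fwknopd's own code, that ties together the server-side checks described across these entries: the MIN_SPA_PKT_LEN and payload-length gates applied before any decryption attempt (1.9.4 and 0.9.8), the client-side --time-offset adjustment and the MAX_SPA_PACKET_AGE window (1.9.4 and 0.9.8), and the digest cache in the "<source IP> <digest> [<timestamp>]" line format shown in the 1.9.0 notes. The function names, the order of the checks, passing the already-decoded client timestamp as a parameter, and digesting the raw payload are all assumptions made for the illustration; the sample values are constructed.

```python
import base64
import hashlib
import time

# Defaults taken from the changelog entries (1.9.4 MIN_SPA_PKT_LEN; 0.9.8
# payload bounds and the 2-minute MAX_SPA_PACKET_AGE window).
MIN_SPA_PKT_LEN = 150        # bytes, including packet headers
MAX_PAYLOAD_LEN = 1500       # fwknopd requires a payload shorter than this
MIN_GPG_PAYLOAD_LEN = 400    # no GnuPG decrypt attempt below this length
MAX_SPA_PACKET_AGE = 120     # seconds; governed by ENABLE_SPA_PACKET_AGING


def length_gate(packet_len: int, payload_len: int, gpg_mode: bool = False):
    """Cheap checks that run before any decryption attempt. Returns None when
    the packet may proceed, otherwise the reason it is dropped."""
    if packet_len < MIN_SPA_PKT_LEN:
        return "shorter than MIN_SPA_PKT_LEN"
    if payload_len >= MAX_PAYLOAD_LEN:
        return "payload not < 1500 bytes"
    if gpg_mode and payload_len < MIN_GPG_PAYLOAD_LEN:
        return "payload too short to be a GnuPG message"
    return None


def client_timestamp(now: int, offset_plus: int = 0, offset_minus: int = 0) -> int:
    """What --time-offset-plus / --time-offset-minus do on the client: shift the
    stamp embedded in the SPA packet without touching the system clock."""
    return now + offset_plus - offset_minus


def within_age_window(client_ts: int, server_now: int,
                      max_age: int = MAX_SPA_PACKET_AGE) -> bool:
    """Packet aging: a captured packet put back on the wire outside the window
    is rejected even though its contents are otherwise valid."""
    return abs(server_now - client_ts) <= max_age


def digest_b64(payload: bytes, alg: str = "sha256") -> str:
    """Unpadded base64 digest, the shape md5_base64() produces (22 chars for
    MD5, as in the cache line example above; 43 chars for SHA256)."""
    return base64.b64encode(hashlib.new(alg, payload).digest()).decode().rstrip("=")


class DigestCache:
    """In-memory model of the digest.cache file: one line per accepted packet,
    "<src ip> <digest> [<human readable time>]", plus a set for fast lookup."""

    def __init__(self, alg: str = "sha256"):
        self.alg = alg
        self.lines = []
        self._seen = set()

    def record_or_reject(self, src_ip: str, payload: bytes, now: int) -> bool:
        """True if the packet is new (and is now cached); False if replayed."""
        d = digest_b64(payload, self.alg)
        if d in self._seen:
            return False
        self._seen.add(d)
        stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(now))
        self.lines.append(f"{src_ip} {d} [{stamp}]")
        return True


def accept_spa(cache: DigestCache, src_ip: str, packet_len: int,
               payload: bytes, client_ts: int, server_now: int,
               gpg_mode: bool = False) -> str:
    """Assumed ordering for the illustration: the free length gate first, then
    the aging window, and the digest lookup only for packets that passed both.
    In a real daemon the timestamp is only known after decryption."""
    reason = length_gate(packet_len, len(payload), gpg_mode)
    if reason:
        return "drop: " + reason
    if not within_age_window(client_ts, server_now):
        return "drop: stale timestamp"
    if not cache.record_or_reject(src_ip, payload, server_now):
        return "drop: replayed digest"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: a first packet is accepted, an identical one
    # arriving four seconds later is a replay, and a 10-minute-old stamp
    # fails the aging check.
    c = DigestCache()
    t0 = 1196241886   # Wed Nov 28 09:24:46 2007 UTC, the cache example's time
    print(accept_spa(c, "127.0.0.1", 200, b"constructed-spa-bytes", t0, t0))
    print(accept_spa(c, "127.0.0.1", 200, b"constructed-spa-bytes", t0, t0 + 4))
    print(accept_spa(c, "127.0.0.1", 200, b"another-packet", t0 - 600, t0))
    print("\n".join(c.lines))
```

Storing the source IP beside the digest (the 1.8.3 change) is what lets a replay be attributed: the cache line says where the original came from, and the syslog line for the rejected copy says where the replay came from.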
- Bugfix to make sure that only the users associated with a specific REQUIRE_USERNAME value (in a specific SOURCE block in access.conf) are granted the appropriate access even if a valid encrypted packet is constructed from a different user name (by an fwknop client).
- Populated the _debug option in the IPTables::ChainMgr module, and also added a _verbose option so that the specific iptables commands can actually be seen as IPTables::ChainMgr functions are called.
- Added code to install.pl to update command paths in fwknop.conf and knopwatchd.conf if any of the paths are broken (i.e. the local system does not conform to the default paths). By default this only happens if the user does not want old configs to be merged, but to override this use the new --path-update command line argument to install.pl.
- Added the --Skip-mod-install command line argument to install.pl to allow all perl module installs to be skipped.
- Added the --force-mod-regex command line argument to install.pl to allow a regex match on perl module names to force matching modules to be installed.
- Minor bugfix to generate better (i.e. closer to those that Firefox generates) http requests to http://www.whatismyip.com/.
- Adapted Mate Wierdl's RPM patch from the psad project so that the fwknop RPM builds on x86_64 systems.
- Removed iptables requirement in RPM spec file because fwknop may be installed on a system just to run the fwknop client.
- Updated to email username mismatch errors.

fwknop-0.9.7 (08/04/2006):

- Added fwknop_serv to function as a minimal TCP server over which SPA packets can be sent. This allows SPA to be compatible with the Tor network, which requires that a virtual circuit is established before traffic can be sent.
- Updated to Crypt::CBC-2.18 after a vulnerability was discovered in previous versions of Crypt::CBC that caused weak ciphertext to be generated for algorithms that have blocksizes greater than 8 bytes (such as Rijndael used by fwknop).
  Manually specifying initialization vectors is not necessary now.
- Updated SSH patch to support OpenSSH-4.3p2.
- Bugfix to make sure to create /var/* directories if they don't exist (such as when /var is a tmpfs).
- Bugfix (Dwayne Rightler) to restore -w IP lookup functionality after format change on data returned by whatismyip.com.
- Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does not die if there are problems trying to decrypt data. This is necessary because of the security vulnerability fix in Crypt::CBC that creates some incompatibilities in different versions of Crypt::CBC.
- Added "--L-host" command line argument so that the arguments used for multiple hosts are preserved and can be recalled.
- Changed default user-agent setting for whatismyip.com lookups to Firefox/1.0.5.4; there is no need to gratuitously advertise fwknop traffic.
- Updated GnuPG HOWTO to provide a step-by-step guide to getting fwknop Single Packet Authorization working with GnuPG.
- Updated to derive perl module versions from the VERSION files within each of the perl module source directories.

fwknop-0.9.6 (01/13/2006):

- Added GPG based authentication capability for SPA packets. This new mode can be configured to require that a GPG message be signed with a particular key or set of keys.
- In GPG mode, the fwknop client now prints GPG errors to stdout if not running with --gpg-no-batch-mode.
- Added the ability to require that the client know the UNIX crypt() password associated with a username on the server side. This functionality is enabled on the fwknop client with the "--Server-auth crypt" command line argument, and the REQUIRE_AUTH_METHOD variable in /etc/fwknop/access.conf on the fwknopd server.
- Added patch against OpenSSH-4.2p1 to integrate SPA mode. This patch adds a "-K" argument to the SSH client so that fwknop can be executed directly before an SSH connection is made.
- Separated server and client portions of fwknop into "fwknopd" and "fwknop" respectively. This will allow better portability to be developed since the client and server pieces can be developed more independently. NOTE: With so many changes, it is probably a good idea to not preserve old fwknop configs via install.pl.
- Renamed all relevant fwknopd command and file paths to support the new fwknopd server component.
- Added --quiet mode (this is used by default in the OpenSSH patch).
- Removed legacy port knocking installation in install.pl (fwknopfifo, and fwdata file) unless the data collection mode is set to syslog or syslog-ng for legacy iptables log messages.
- Added inode checking for PCAP_PKT_FILE. This helps to ensure that log rotation schemes don't interfere with reading packets out of the file since this check is size independent.
- Bugfix for Makefile debug mode.
- Added compilation check for perl programs in install.pl before installation into the filesystem.
- Bugfix for knopwatchd to make sure it can actually restart all running daemons properly.
- Added --force-mod command line argument to install.pl to allow the user to force all perl modules to be installed regardless of whether a module exists in the system perl lib tree.
- Added --no-save-args to fwknop so that an existing .fwknop.run file can be preserved (helps when testing new features of the fwknop client).
- Removed useless --encrypt command line argument (only the old shared port knock sequences are not encrypted).

fwknop-0.9.5 (10/02/2005):

- Added the ability to resolve the external IP associated with the local network via http://www.whatismyip.com. This is a more secure method of accomplishing what the -s option performs. The new command line option is --whatismyip (or just -w).
- Updated fwknop to communicate with knoptm via a UNIX domain socket instead of the previous file-based communication.
- Updated to flush the fwknop iptables chains at start time.
- Bugfix for removing the wrong hash key in the knoptm IP cache.

fwknop-0.9.4 (09/17/2005):
- Bugfix for knoptm timing out new entries based on old time values (this caused new rules to be timed out too quickly).
- Added support for multiple users in the REQUIRE_USERNAME keyword in access.conf.
- Added the ability to display raw encrypted packet data in client mode with --verbose.
- Created fwknop RPM for RPM-based Linux distributions.
- Bugfix for inappropriate redirects in command mode where the command already contained a redirect.

fwknop-0.9.3 (08/27/2005):
- Added an on-disk cache of md5 sums so that the md5 sum (replay) check can survive restarts of fwknop.
- Updated install.pl to be more friendly to Mac OS X (Blair Zajac).
- Updated to allow access.conf variables to have values instead of just being defined.
- Started on additional server authentication mode code (re-worked the MD5 sum calculation to allow the packet format to be extended by taking the fwknop version number into account).

fwknop-0.9.2 (08/06/2005):
- Added FILE_PCAP data collection method when running in server mode. This is a more general way of getting packets than the ULOG_PCAP mode, since a normal ethernet sniffer can then be used to build the file.
- Added the ability to re-open a pcap file if its size shrinks (e.g. when it has been rotated out).
- Bugfix for multiple rules with the same timestamp not being timed out by knoptm.
- Integrated spoofing capability directly within fwknop (instead of using the knopspoof command) through the use of "require Net::RawIP".
- Better multi-protocol support in server mode. TCP and ICMP packets are properly decoded now.

fwknop-0.9.1 (07/29/2005):
- Added the ability to specify multiple ports/protocols to access on a server with the --Access command line option.
- Added the ability to spoof SPA packets over the icmp and tcp protocols.
- Added the ability to restrict access at the server to only those ports defined in the OPEN_PORTS keyword.
This option is controlled by a new keyword "PERMIT_CLIENT_PORTS".
- Bugfix for the MD5 sum not being properly calculated over the decrypted data. This allowed old packets that contained additional garbage data to be replayed against an fwknop server.
- Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac).
- Added --ipt-list to list all current rules in the FWKNOP iptables chains.
- Added --ipt-flush to flush all current rules in the FWKNOP iptables chains.
- Bugfix for the installer dying if ~/lib already exists (Blair Zajac).
- Updated to delay loading the server perl modules (Net::Pcap, etc.) so that they are loaded only when running in server mode.
- Bugfix for module directory paths in install.pl.

fwknop-0.9.0 (05/29/2005):
- Added new authorization mode that uses Net::Pcap to read packets out of a file that is written by the ulogd pcap writer (also stubbed in code to sniff packets directly off the wire). This authorization mode requires only a single packet, and has many characteristics that are better than simple port knocking, including being non-replayable and allowing much more data to be sent. This mode is now the default for both the server and the client.
- Made the execution of knopmd optional depending on whether AUTH_MODE is a pcap mode (e.g. ULOG_PCAP or PCAP).
- Added --Spoof-src argument so that encrypted packets can be spoofed via /usr/sbin/knopspoof.
- Added /usr/sbin/knoptm so that firewall rules can be timed out when the server is running in PCAP mode even if new packets don't appear on the wire.
- Updated fwknop man page to describe the new pcap-based authorization mode.

fwknop-0.5.0 (03/19/2005):
- Added ALERTING_METHOD to allow syslog and/or email reporting to be disabled (there is a dedicated file /etc/fwknop/alert.conf that governs this behavior, and both fwknop and knopwatchd reference this file).
- Bugfix for distinguishing the OPT field associated with --log-tcp-options vs. --log-ip-options.
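The inode check on PCAP_PKT_FILE (fwknop-0.9.6 above) and the reopen-on-shrink behavior (fwknop-0.9.2 above) are two independent ways of noticing that a packet file has been rotated underneath a long-running reader. The following is an added example, written for this page in Python rather than taken from fwknopd's Perl code, of a reader that handles both cases; it reads plain byte records instead of pcap, and the file names and record contents are constructed for the demonstration.

```python
"""Follow a packet/log file across rotation, reopening when the inode
changes or the file shrinks. Example code illustrating the fwknop-0.9.6
and fwknop-0.9.2 changelog entries; not fwknopd's own implementation."""
import os
import tempfile


class RotatingReader:
    """Incrementally read new bytes from `path`, surviving rotation.

    Two independent triggers force a reopen:
      * the inode of the path no longer matches the open descriptor
        (rename-and-recreate rotation; this check is size independent), or
      * the file is now smaller than our read offset (truncate-in-place /
        copytruncate rotation, where the inode does not change).
    """

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.ino = None
        self.reopens = 0
        self._open()

    def _open(self):
        if self.fh is not None:
            self.fh.close()
            self.reopens += 1
        self.fh = open(self.path, "rb")
        self.ino = os.fstat(self.fh.fileno()).st_ino

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False  # path momentarily absent mid-rotation; try again later
        if st.st_ino != self.ino:
            return True  # renamed away and recreated: a different inode
        # Truncation is only detectable while the new size is still below
        # our offset; a size-only check would also miss the rename case.
        return st.st_size < self.fh.tell()

    def read_new(self):
        """Return all bytes appended since the last call (may be b'')."""
        data = self.fh.read()  # drain what is left on the current inode first
        if self._rotated():
            self._open()
            data += self.fh.read()
        return data


def rotation_demo():
    """Append, rotate by rename, append to the new file, then truncate in
    place; return what the reader saw at each step plus the reopen count."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "packets.bin")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"pkt1\n")
        reader = RotatingReader(path)
        seen = [reader.read_new()]
        with open(path, "ab") as f:
            f.write(b"pkt2\n")               # written before rotation
        os.rename(path, path + ".1")         # rotation: new inode next
        with open(path, "wb") as f:
            f.write(b"pkt3\n")
        seen.append(reader.read_new())       # pkt2 drained, then pkt3 read
        with open(path, "wb") as f:          # truncate in place, same inode
            f.write(b"p4\n")
        seen.append(reader.read_new())
        return seen, reader.reopens


if __name__ == "__main__":
    print(rotation_demo())
```

The drain-before-reopen order matters: records appended to the old inode between the reader's last pass and the rename would otherwise be lost.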
- Added install_perl_module() to install.pl from psad to provide a consistent installation interface.
- Applied patch to only install perl modules that are not already installed (Blair Zajac).
- Added --last-cmd option to allow fwknop to be executed with the command line arguments from the previous execution (they are saved in ~/.fwknop.run).
- Added --Home-dir option to allow the home directory to be manually specified.
- Re-worked get_homedir() to be more friendly to systems that do not necessarily have /etc/passwd (e.g. OS X).
- Added configuration preservation and querying for which syslog daemon is running to install.pl. These features were adapted from the psad installer (http://www.cipherdyne.org/psad).
- Added IPTables::ChainMgr. fwknop uses this module to maintain dedicated chains to which access rules are added.
- Added IPTables::Parse, which is used internally by IPTables::ChainMgr.
- Added __WARN__ and __DIE__ handlers so errors can easily be collected.

fwknop-0.4.2 (09/27/2004):
- Added init script for Fedora systems.
- Added --Kill, --Restart, and --Status modes (this fixes the generic init script, which depends on these arguments).

fwknop-0.4.1 (09/14/2004):
- Bugfix for legacy posf code in fwknop and variable in fwknop.conf.

fwknop-0.4 (09/10/2004):
- Added ability to specify multiple IPs/networks in a single SOURCE definition.
- Better examples section in the fwknop manpage.
- Bugfix to make sure the EMAIL_ADDRESSES variable does not contain commas (any commas are translated into spaces).
- Added LICENSE file.

fwknop-0.3 (08/21/2004):
- Bugfix for tracking knock sequences by source IP address.
- Bugfix for knock sequence timeouts.
- Removed old passive OS fingerprinting code in favor of the p0f strategy.
- Added support for taking encryption keys from a file specified on the command line.
- Updated to send the "sequence decrypt failed" email message only if decryption failed for all encrypted sequence SOURCE blocks.
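The fwknop-0.9.1 replay bugfix above (MD5 sum not calculated over the decrypted data, so an old packet with garbage appended could be replayed) and the fwknop-0.9.3 on-disk md5 cache (so the check survives restarts) are two halves of the same replay-detection design. The following added example, written for this page in Python and not fwknopd's own Perl code, shows why the digest that keys the replay cache must be computed over the decrypted, validated fields rather than over the raw wire bytes, and persists that digest cache to disk. The cipher is a hash-based stream cipher stand-in (fwknop used Rijndael via Crypt::CBC), the colon-separated field layout is an assumption made to keep the example short, and the key and packet contents are constructed sample data.

```python
"""Replay cache keyed on decrypted fields vs. raw packet bytes, with on-disk
persistence. Example code for the fwknop-0.9.1 and fwknop-0.9.3 entries;
not fwknopd's implementation. Cipher and packet layout are stand-ins."""
import hashlib
import os
import tempfile


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption, not fwknop's Rijndael/CBC).
    As with a real cipher, bytes appended after the genuine ciphertext just
    decrypt to junk that follows the genuine plaintext."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_spa(key: bytes, rand: bytes, user: bytes, ts: bytes, msg: bytes) -> bytes:
    fields = b":".join([rand, user, ts, msg])          # assumed layout
    digest = hashlib.md5(fields).hexdigest().encode()  # md5 over the fields
    return xor_crypt(key, fields + b":" + digest)


def parse_spa(key: bytes, pkt: bytes):
    """Decrypt and validate; return (fields, digest) or None. Only the first
    four fields and the 32 hex digits after them are examined, so trailing
    junk after a valid packet neither breaks parsing nor the digest check."""
    parts = xor_crypt(key, pkt).split(b":")
    if len(parts) < 5:
        return None
    fields, digest = parts[:4], parts[4][:32]
    if hashlib.md5(b":".join(fields)).hexdigest().encode() != digest:
        return None
    return fields, digest.decode()


class ReplayCache:
    """Digests of accepted packets, appended one per line to `path` so the
    check survives a restart. key_on_raw=True reproduces the flawed policy:
    keying on md5 of the wire bytes, which an attacker changes at will by
    appending garbage without invalidating the packet."""

    def __init__(self, path: str, key: bytes, key_on_raw: bool = False):
        self.path, self.key, self.key_on_raw = path, key, key_on_raw
        self.seen = set()
        if os.path.exists(path):
            with open(path) as f:
                self.seen = {line.strip() for line in f if line.strip()}

    def accept(self, pkt: bytes) -> bool:
        parsed = parse_spa(self.key, pkt)
        if parsed is None:
            return False  # undecryptable or digest mismatch
        _fields, field_digest = parsed
        cache_key = hashlib.md5(pkt).hexdigest() if self.key_on_raw else field_digest
        if cache_key in self.seen:
            return False  # replay
        self.seen.add(cache_key)
        with open(self.path, "a") as f:
            f.write(cache_key + "\n")
        return True


def replay_demo() -> dict:
    """Both policies against the original packet, an exact replay and a
    replay with garbage appended; then restart the good cache from disk."""
    key = b"example-shared-key"  # constructed sample key
    pkt = build_spa(key, b"1234567890123456", b"alice", b"1122334455", b"1.2.3.4,tcp/22")
    padded = pkt + b"garbage"    # old packet with junk appended
    with tempfile.TemporaryDirectory() as d:
        raw = ReplayCache(os.path.join(d, "raw.cache"), key, key_on_raw=True)
        good = ReplayCache(os.path.join(d, "fields.cache"), key)
        results = {
            "raw_first": raw.accept(pkt),
            "raw_exact_replay": raw.accept(pkt),
            "raw_padded_replay": raw.accept(padded),      # accepted: the bug
            "fields_first": good.accept(pkt),
            "fields_padded_replay": good.accept(padded),  # rejected
        }
        restarted = ReplayCache(os.path.join(d, "fields.cache"), key)
        results["fields_after_restart"] = restarted.accept(pkt)
    return results


if __name__ == "__main__":
    print(replay_demo())
```

The flawed cache still catches a byte-for-byte replay, which is why the bug was easy to miss; it only fails once the attacker varies bytes that the decryption and digest check never look at.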
fwknop-0.2 (07/31/2004):
- Implemented remote username checking in encrypted sequences.
- Added support for icmp in knock sequences.
- Added protocol rotation option for encrypted sequences.
- Added code for multiple SOURCE access blocks with the same source net/IP.
- Added KNOCK_LIMIT access control variable to limit the number of times a particular knock sequence is honored.
- Added email alerts.

fwknop-0.1 (07/08/2004):
- Initial release.