* fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 0:48 UTC
To: netfilter

I installed fwknop and have it configured and ready to start but in reading documentation it looks like it is going to link to a user chain it creates from INPUT. I'm using Fedora 7 and there already appears to be a user chain, RH-Firewall-1-INPUT, in INPUT put there by Fedora. So is this going to mess things up with fwknop? Does anyone have fwknop working with Fedora? How do you get it to work with an existing user chain?

????

Gerry

* fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 1:29 UTC
Cc: netfilter

Gerry Reno wrote:
> I installed fwknop and have it configured and ready to start but in
> reading documentation it looks like it is going to link to a user
> chain it creates from INPUT. I'm using Fedora 7 and there already
> appears to be a user chain, RH-Firewall-1-INPUT, in INPUT put there by
> Fedora. So is this going to mess things up with fwknop? Does anyone
> have fwknop working with Fedora? How do you get it to work with an
> existing user chain?
>
> ????
>
> Gerry
>

Well, I'm just forging ahead. Hopefully someone can answer my original question about user chains.

Right now I tried starting the fwknop daemon and was greeted with these errors:

# service fwknop start
Starting the fwknop daemons: Can't load '/usr/lib/fwknop/i386-linux-thread-multi/auto/Net/Pcap/Pcap.so' for module Net::Pcap: libpcap.so.0.9.4: cannot open shared object file: No such file or directory at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /usr/sbin/fwknopd line 47
Compilation failed in require at /usr/sbin/fwknopd line 47.
BEGIN failed--compilation aborted at /usr/sbin/fwknopd line 47.

What I have installed is the latest rpm from CipherDyne: fwknop-1.8.2-1.i386.rpm <http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2-1.i386.rpm> and I guess this rpm either doesn't have the right dependencies or did not perform something necessary during %post.

help...

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 2:27 UTC
To: netfilter

Gerry Reno wrote:
> Well, I'm just forging ahead. Hopefully someone can answer my
> original question about user chains.
>
> Right now I tried starting the fwknop daemon and was greeted with
> these errors:
>
> # service fwknop start
> Starting the fwknop daemons: Can't load
> '/usr/lib/fwknop/i386-linux-thread-multi/auto/Net/Pcap/Pcap.so' for
> module Net::Pcap: libpcap.so.0.9.4: cannot open shared object file: No
> such file or directory at
> /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.
> at /usr/sbin/fwknopd line 47
> Compilation failed in require at /usr/sbin/fwknopd line 47.
> BEGIN failed--compilation aborted at /usr/sbin/fwknopd line 47.
>
>
> What I have installed is the latest rpm from CipherDyne:
> fwknop-1.8.2-1.i386.rpm
> <http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2-1.i386.rpm>
> and I guess this rpm either doesn't have the right dependencies and
> did not perform something necessary during %post.
>
> help...
>
> Gerry

Well, I found out that the problem is that Fedora 7 has libpcap 0.9.5 installed and fwknop is looking specifically for libpcap 0.9.4. So I just created a symlink from 0.9.5 to 0.9.4 in /usr/lib. We'll see if this will work.

----------------------------------
So then we get to the next error:

# service fwknop start
Starting the fwknop daemons: [*] /etc/fwknop/access.conf: source ANY missing PORT_OFFSET, defaulting to 61000. at /usr/sbin/fwknopd line 2911.
[FAILED]

Ok, so it defaulted to 61000 but then why not start at this point?

----------------------------------
next try:

put in a PORT_OFFSET

# service fwknop start
Starting the fwknop daemons: [*] /etc/fwknop/access.conf: source ANY missing KNOCK_INTERVAL, defaulting to 60. at /usr/sbin/fwknopd line 2973.
[FAILED]

----------------------------------
next try:

put in a KNOCK_INTERVAL

# service fwknop start
Starting the fwknop daemons: [ OK ]

Finally!

But, when I check the log I see this:

Sep 22 21:57:48 grp-01-00-50 fwknopd: starting fwknopd
Sep 22 21:57:50 grp-01-00-50 fwknopd: flushing existing iptables IPT_AUTO_CHAIN chains
Sep 22 21:57:50 grp-01-00-50 fwknopd: warning, could not find iptables state tracking rules in INPUT chain   <------- here I think it is confused about RH/Fedora iptables structure
Sep 22 21:57:50 grp-01-00-50 fwknopd: imported access directives (1 SOURCE definitions).
Sep 22 21:57:50 grp-01-00-50 kernel: device eth0 entered promiscuous mode
Sep 22 21:57:52 grp-01-00-50 setroubleshoot: SELinux is preventing /sbin/iptables (iptables_t) "write" to /var/log/fwknop/fwknopd.iptout (var_log_t). For complete SELinux messages. run sealert -l 13ca6c50-c04a-4602-9464-9a01ec6a0ba5

I tried to restorecon -v the file but no luck, still same error.

# ls -l /var/log/fwknop/
total 16
dr-x------ 2 root root 4096 2007-09-22 21:57 errs
-rw-r--r-- 1 root root    0 2007-09-22 22:22 fwknopd.ipterr
-rw-r--r-- 1 root root    0 2007-09-22 22:22 fwknopd.iptout

????

* Re: fwknop: use with Fedora?
From: Michael Rash @ 2007-09-23 4:30 UTC
To: netfilter

On Sep 22, 2007, Gerry Reno wrote:

> Gerry Reno wrote:
> >Well, I'm just forging ahead. Hopefully someone can answer my
> >original question about user chains.
> >
> >Right now I tried starting the fwknop daemon and was greeted with
> >these errors:
> >
> ># service fwknop start
> >Starting the fwknop daemons: Can't load
> >'/usr/lib/fwknop/i386-linux-thread-multi/auto/Net/Pcap/Pcap.so' for
> >module Net::Pcap: libpcap.so.0.9.4: cannot open shared object file: No
> >such file or directory at
> >/usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.
> >at /usr/sbin/fwknopd line 47
> >Compilation failed in require at /usr/sbin/fwknopd line 47.
> >BEGIN failed--compilation aborted at /usr/sbin/fwknopd line 47.
> >
> >
> >What I have installed is the latest rpm from CipherDyne:
> >fwknop-1.8.2-1.i386.rpm
> ><http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2-1.i386.rpm>
> >and I guess this rpm either doesn't have the right dependencies and
> >did not perform something necessary during %post.
> >
> >help...

The fwknop RPM is built with all required perl modules and installs them in /usr/lib/fwknop so as to not pollute the system perl library tree, but this can occasionally cause dependency issues with C libraries, like the one you are seeing.

Here is an automated solution for this; just download the cd_rpmbuilder script and execute it like so (this will build the RPM on your system):

http://www.cipherdyne.org/scripts/cd_rpmbuilder.tar.gz

# ./cd_rpmbuilder -p fwknop
[+] Getting latest version file: http://www.cipherdyne.org/fwknop/fwknop-latest
[+] Downloading file: http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2.spec
[+] Downloading file: http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2.spec.md5
[+] Valid md5 sum check for fwknop-1.8.2.spec
[+] Downloading file: http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2.tar.gz
[+] Downloading file: http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2.tar.gz.md5
[+] Valid md5 sum check for fwknop-1.8.2.tar.gz
[+] Building RPM, this may take a little while (try -v if you want to see all of the steps)...
[+] The following RPMS were successfully built:
    /usr/src/redhat/SRPMS/fwknop-1.8.2-1.src.rpm  (source RPM)
    /usr/src/redhat/RPMS/i386/fwknop-1.8.2-1.i386.rpm

> >Gerry
> Well, I found out that the problem is that Fedora 7 has libpcap 0.9.5
> installed and fwknop is looking specifically for libpcap 0.9.4. So I
> just created a symlink from 0.9.5 to 0.9.4 in /usr/lib. We'll see if
> this will work.
>
> ----------------------------------
> So then we get to the next error:
>
> # service fwknop start
> Starting the fwknop daemons: [*] /etc/fwknop/access.conf: source ANY
> missing PORT_OFFSET, defaulting to 61000. at /usr/sbin/fwknopd line 2911.
> [FAILED]

Are you using the deprecated port knocking mode? I would recommend against this; single packet authorization offers better security properties. If you want to use a symmetric cipher (Rijndael) for SPA messages, your /etc/fwknop/access.conf file should look something like this:

SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### testing
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr;
KEY: _yourkey_;
ENABLE_CMD_EXEC: Y;

Also, set AUTH_MODE to PCAP in /etc/fwknop/fwknop.conf.

If you want to use GnuPG keys instead, these instructions should help:

http://www.cipherdyne.org/fwknop/docs/gpghowto.html

> Ok, so it defaulted to 61000 but then why not start at this point?
>
> ----------------------------------
> next try:
>
> put in a PORT_OFFSET
>
> # service fwknop start
> Starting the fwknop daemons: [*] /etc/fwknop/access.conf: source ANY
> missing KNOCK_INTERVAL, defaulting to 60. at /usr/sbin/fwknopd line 2973.
> [FAILED]
>
> ----------------------------------
> next try:
>
>
> put in a KNOCK_INTERVAL
>
> # service fwknop start
> Starting the fwknop daemons: [ OK ]
>
> Finally!

PORT_OFFSET and KNOCK_INTERVAL are legacy variables only used in port knocking mode; see above.

> But, when I check the log I see this:
>
> Sep 22 21:57:48 grp-01-00-50 fwknopd: starting fwknopd
> Sep 22 21:57:50 grp-01-00-50 fwknopd: flushing existing iptables
> IPT_AUTO_CHAIN chains
> Sep 22 21:57:50 grp-01-00-50 fwknopd: warning, could not find iptables
> state tracking rules in INPUT chain <------- here I think it is
> confused about RH/Fedora iptables structure

That warning message can be ignored if there are any state tracking rules to allow established TCP connections to remain open. The state tracking rule check is very basic (I just introduced it in fwknop-1.8.2 and it doesn't check user-defined chains yet, but I will add this for 1.8.3).

> Sep 22 21:57:50 grp-01-00-50 fwknopd: imported access directives (1
> SOURCE definitions).
> Sep 22 21:57:50 grp-01-00-50 kernel: device eth0 entered promiscuous mode
> Sep 22 21:57:52 grp-01-00-50 setroubleshoot: SELinux is preventing
> /sbin/iptables (iptables_t) "write" to /var/log/fwknop/fwknopd.iptout
> (var_log_t). For complete SELinux messages. run sealert -l
> 13ca6c50-c04a-4602-9464-9a01ec6a0ba5

If you create an SELinux policy that works with fwknop please let me know. Basically, in SPA mode, fwknopd needs to do the following:

- Parse files out of /etc/fwknop.
- Sniff on a network interface (it doesn't have to sniff promiscuously if you always send SPA packets to an interface with an IP assigned; see the ENABLE_PCAP_PROMISC var in the fwknop.conf file).
- Execute various iptables commands.
- Communicate over a domain socket with the knoptm daemon.
- Execute gpg if GnuPG keys are used.
- Write syslog messages and send emails.

Thanks,

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F

> I tried to restorecon -v the file but no luck, still same error.
>
> # ls -l /var/log/fwknop/
> total 16
> dr-x------ 2 root root 4096 2007-09-22 21:57 errs
> -rw-r--r-- 1 root root 0 2007-09-22 22:22 fwknopd.ipterr
> -rw-r--r-- 1 root root 0 2007-09-22 22:22 fwknopd.iptout
>
> ????
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html

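An added example (not fwknop's own code) that parses the access.conf stanza layout Michael shows above and flags the things this thread turns on: the legacy PORT_OFFSET/KNOCK_INTERVAL variables that only port knocking mode reads, a KEY left at the _yourkey_ placeholder, malformed OPEN_PORTS entries, and ENABLE_CMD_EXEC: Y combined with SOURCE: ANY (in fwknop that directive lets an SPA packet carry a command for the server to run, so it deserves a second look when any source address is accepted). Both stanzas below are constructed, and the check thresholds are this example's own review heuristics, not fwknopd's validation logic.

```python
"""Parse and sanity-check fwknop 1.x access.conf stanzas.

Added example, not fwknop's own code.  The format follows the stanza
quoted in the thread: one 'VAR: value;' per line, '#' comments, and a
new stanza at every SOURCE: line.  The check rules are this example's
own heuristics, not fwknopd's validation logic.
"""
import re

# Variables that only the deprecated port-knocking mode reads.
LEGACY_KNOCK_VARS = ("KNOCK_INTERVAL", "PORT_OFFSET")
LINE_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*?)\s*;?$")
PORT_RE = re.compile(r"^(tcp|udp)/(\d{1,5})$", re.IGNORECASE)

# Constructed input modelled on the SPA stanza quoted in the thread.
SAMPLE_ACCESS_CONF = """\
SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### testing
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr;
KEY: _yourkey_;
ENABLE_CMD_EXEC: Y;
"""

# Constructed legacy-style stanza with the port-knocking variables set.
LEGACY_ACCESS_CONF = """\
SOURCE: ANY;
PORT_OFFSET: 61000;
KNOCK_INTERVAL: 60;
KEY: s0me-l0nger-secret;
"""


def parse_access_conf(text):
    """Return a list of stanzas, each a dict VAR -> value."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '### testing' style comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        var, value = m.groups()
        if var == "SOURCE":
            stanzas.append({})
        if not stanzas:
            raise ValueError(f"{var} appears before the first SOURCE: line")
        stanzas[-1][var] = value
    return stanzas


def check_stanza(stanza):
    """Return [(code, detail)] findings for one stanza, in a fixed order."""
    findings = []
    for var in LEGACY_KNOCK_VARS:
        if var in stanza:
            findings.append(("legacy-var",
                             f"{var} is only read in port knocking mode; unused for SPA"))
    key = stanza.get("KEY")
    if key is None:
        findings.append(("no-key",
                         "no KEY; only valid if GnuPG keys are configured instead"))
    elif key == "_yourkey_" or len(key) < 8:  # 8 chars is this example's threshold
        findings.append(("placeholder-key",
                         f"KEY {key!r} looks like a placeholder or is too short"))
    for entry in stanza.get("OPEN_PORTS", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = PORT_RE.match(entry)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            findings.append(("bad-port", f"OPEN_PORTS entry {entry!r} is not proto/port"))
    timeout = stanza.get("FW_ACCESS_TIMEOUT")
    if timeout is not None and not (timeout.isdigit() and int(timeout) > 0):
        findings.append(("bad-timeout",
                         f"FW_ACCESS_TIMEOUT {timeout!r} is not a positive integer"))
    if (stanza.get("ENABLE_CMD_EXEC", "N").upper() == "Y"
            and stanza.get("SOURCE") == "ANY"):
        findings.append(("cmd-exec-any",
                         "ENABLE_CMD_EXEC: Y with SOURCE: ANY lets any SPA client holding "
                         "the key run commands; confirm this is intended"))
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_ACCESS_CONF, LEGACY_ACCESS_CONF):
        for stanza in parse_access_conf(text):
            for code, detail in check_stanza(stanza):
                print(f"[{code}] {detail}")
```

Run against the first stanza it reports only the placeholder KEY and the command-execution item; against the second it reports the two legacy variables, which is the pair of "missing PORT_OFFSET / KNOCK_INTERVAL" messages that stopped fwknopd from starting earlier in the thread.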
* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 12:33 UTC
To: netfilter

Mike,
I'm going to try building the RPM on my system.

Here are a few things that I think the RPM should take care of though:

in a %post rule:
set permissions: (I notice that 'other' has too much access in 1.8.2)
/etc/fwknop/*
/usr/lib/fwknop/*
/usr/bin/fwknop*

=======================================

And a question about SPA. If I switch to this mode will I still be able to keep this system completely stealthy? That is, no ports open anywhere? I know I can do this with port knocking. I didn't know whether this was possible with SPA mode.

Thanks,
Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 12:40 UTC
To: netfilter

And here is what a typical firewall looks like on Fedora if you don't already have a Fedora setup:

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source      destination
1    RH-Firewall-1-INPUT  0    --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target   prot opt source      destination
1    REJECT   0    --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source      destination

Chain RH-Firewall-1-INPUT (1 references)
num  target   prot opt source      destination
1    ACCEPT   0    --  0.0.0.0/0   224.0.0.18
2    ACCEPT   0    --  0.0.0.0/0   0.0.0.0/0
3    ACCEPT   icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 255
4    ACCEPT   esp  --  0.0.0.0/0   0.0.0.0/0
5    ACCEPT   ah   --  0.0.0.0/0   0.0.0.0/0
6    ACCEPT   udp  --  0.0.0.0/0   224.0.0.251 udp dpt:5353
7    ACCEPT   udp  --  0.0.0.0/0   0.0.0.0/0   udp dpt:631
8    ACCEPT   tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:631
9    ACCEPT   0    --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
10   ACCEPT   tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
11   ACCEPT   tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:443
12   ACCEPT   tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:80
13   REJECT   0    --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited

Gerry

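Michael's reply earlier in the thread says the 1.8.2 state-tracking check only inspects INPUT and does not yet follow user-defined chains, which is exactly why the warning fires on the stock Fedora ruleset Gerry posted: the RELATED,ESTABLISHED accept rule lives in RH-Firewall-1-INPUT, reached by a jump from INPUT. The following added example (not fwknop's own code) parses a listing in the `service iptables status` format and walks the jumps from INPUT into user-defined chains before looking for connection-tracking accepts. The listing is a constructed, abridged copy of the one above, and the walk is this example's own logic; with follow_jumps=False it reproduces what the 1.8.2 check sees.

```python
"""Find connection-tracking accept rules reachable from INPUT, following
jumps into user-defined chains.

Added example, not fwknopd's check.  Input is the `iptables -n -L
--line-numbers` layout printed by Fedora's `service iptables status`;
the listing below is a constructed, abridged copy of the one quoted
in the thread.
"""
import re

SAMPLE_LISTING = """\
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source      destination
1    RH-Firewall-1-INPUT  0    --  0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target   prot opt source      destination
1    REJECT   0    --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source      destination

Chain RH-Firewall-1-INPUT (1 references)
num  target   prot opt source      destination
1    ACCEPT   0    --  0.0.0.0/0   224.0.0.18
3    ACCEPT   icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 255
9    ACCEPT   0    --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
10   ACCEPT   tcp  --  0.0.0.0/0   0.0.0.0/0   state NEW tcp dpt:22
13   REJECT   0    --  0.0.0.0/0   0.0.0.0/0   reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Matches the 'state' / 'ctstate' match text that allows ESTABLISHED traffic.
STATE_RE = re.compile(r"\b(?:state|ctstate)\s+\S*ESTABLISHED")


def parse_listing(text):
    """Return {chain_name: [(target, match_text), ...]} in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip():
            continue
        if line.startswith(("Table:", "num", "target")):
            continue  # table banner or column header
        tokens = line.split()
        if tokens[0].isdigit():  # --line-numbers column
            tokens = tokens[1:]
        # Columns: target prot opt source destination [match text ...]
        chains[current].append((tokens[0], " ".join(tokens[5:])))
    return chains


def find_state_rules(chains, start="INPUT", follow_jumps=True):
    """Return [(chain, target, match_text)] for ACCEPT rules with
    connection-tracking matches reachable from `start`.

    With follow_jumps=False only `start` itself is examined, which is
    what a check that ignores user-defined chains would see."""
    hits, seen, stack = [], set(), [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in chains:
            continue
        seen.add(name)
        for target, text in chains[name]:
            if target == "ACCEPT" and STATE_RE.search(text):
                hits.append((name, target, text))
            elif follow_jumps and target in chains and target not in seen:
                stack.append(target)  # jump into a user-defined chain
    return hits


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    print("INPUT only:     ", find_state_rules(chains, follow_jumps=False))
    print("following jumps:", find_state_rules(chains))
```

On this ruleset the INPUT-only pass finds nothing, matching the warning in Gerry's log, while the pass that follows the jump reports the RELATED,ESTABLISHED accept in RH-Firewall-1-INPUT, which is the rule Michael says makes the warning safe to ignore.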
* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 13:28 UTC
To: netfilter

Ok, I used the regular SRC RPM because my RPM BUILD ROOT and .rpmmacros are different. The RPMS built ok except for this problem:

+ /usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
/usr/bin/strip: unable to copy file '/home/greno/redhat/tmp/fwknop-buildroot/usr/lib/fwknop/i386-linux-thread-multi/auto/Unix/Syslog/Syslog.so' reason: Permission denied
/usr/bin/strip: unable to copy file '/home/greno/redhat/tmp/fwknop-buildroot/usr/sbin/knopmd' reason: Permission denied
/usr/bin/strip: unable to copy file '/home/greno/redhat/tmp/fwknop-buildroot/usr/sbin/knopwatchd' reason: Permission denied

Where is it trying to copy the files?

So I don't know whether this affects the validity of the RPMS but I'm going to install them and see what happens.

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 13:47 UTC
To: netfilter

Yes, the RPM installs and the daemon starts ok:

# yum localinstall /tmp/fwknop-1.8.2-1.fc7.i386.rpm
Loading "installonlyn" plugin
Setting up Local Package Process
Examining /tmp/fwknop-1.8.2-1.fc7.i386.rpm: fwknop - 1.8.2-1.fc7.i386
Marking /tmp/fwknop-1.8.2-1.fc7.i386.rpm to be installed
fedora                    100% |=========================| 2.1 kB    00:00
updates                   100% |=========================| 2.3 kB    00:00
Resolving Dependencies
--> Running transaction check
---> Package fwknop.i386 0:1.8.2-1.fc7 set to be updated

Dependencies Resolved

=============================================================================
 Package      Arch   Version        Repository                         Size
=============================================================================
Installing:
 fwknop       i386   1.8.2-1.fc7    /tmp/fwknop-1.8.2-1.fc7.i386.rpm   22 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 22 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: fwknop                       ######################### [1/1]
Can't open /etc/fwknop/knopwatchd.conf: No such file or directory.
[+] You can edit the EMAIL_ADDRESSES variable in /etc/fwknop/fwknop.conf /etc/fwknop/fwknop.conf to have email alerts sent to an address other than root\@localhost

Installed: fwknop.i386 0:1.8.2-1.fc7
Complete!
#
# service fwknop start
Starting the fwknop daemons: [ OK ]
#

So now to test.

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 13:53 UTC
To: Gerry Reno
Cc: netfilter

BTW, the latest libpcap for Fedora 7 is 0.9.7 so I upgraded to this before building the RPMS.

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 14:17 UTC
To: netfilter

Just trying to get port knock working first...

When I run the client I see this error:

$ ./knocklogin
++ fwknop --Server-mode knock -A tcp/12345 -s -r --offset 55500 -D XXX.XXX.XXX.XXX
[+] Starting fwknop client.
[+] Enter an encryption key. This key must match a key in the file /etc/fwknop/access.conf on the remote system.

Encryption Key:
[*] Must specify port to open. at /usr/bin/fwknop line 761, <STDIN> line 1.   <------ I thought this is what the -A argument did????
++ ssh -p 12345 user@XXX.XXX.XXX.XXX
ssh: connect to host XXX.XXX.XXX.XXX port 12345: Connection refused
++ set +x

????

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 15:17 UTC
To: netfilter

Is this correct for logging on the server?:

Chain INPUT (policy ACCEPT)
num  target   prot opt source      destination
1    LOG      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpts:55000:62000 LOG flags 2 level 4
2    LOG      udp  --  0.0.0.0/0   0.0.0.0/0   udp dpts:55000:62000 LOG flags 0 level 4

Gerry

* Re: fwknop: use with Fedora?
From: Michael Rash @ 2007-09-24 0:43 UTC
To: netfilter

On Sep 23, 2007, Gerry Reno wrote:

> Is this correct for logging on the server?:
>
> Chain INPUT (policy ACCEPT)
> num  target   prot opt source      destination
> 1    LOG      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpts:55000:62000 LOG flags 2 level 4
> 2    LOG      udp  --  0.0.0.0/0   0.0.0.0/0   udp dpts:55000:62000 LOG flags 0 level 4

iptables logging is not required in SPA mode. But, in legacy port knocking mode those logging rules should work for encrypted knock sequences since fwknopd would need ports 61000 + 256 to be logged.

--Mike

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 16:26 UTC
To: netfilter

Gerry Reno wrote:
> Just trying to get port knock working first...
>
> When I run the client I see this error:
>
> $ ./knocklogin
> ++ fwknop --Server-mode knock -A tcp/12345 -s -r --offset 55500 -D
> XXX.XXX.XXX.XXX
> [+] Starting fwknop client.
> [+] Enter an encryption key. This key must match a key in the file
> /etc/fwknop/access.conf on the remote system.
>
> Encryption Key:
> [*] Must specify port to open. at /usr/bin/fwknop line 761, <STDIN>
> line 1. <------ I thought this is what the -A argument did????
> ++ ssh -p 12345 user@XXX.XXX.XXX.XXX
> ssh: connect to host XXX.XXX.XXX.XXX port 12345: Connection refused
> ++ set +x
>

Ok, I have not been able to get port knock working at all. This problem refuses to go away:

[*] Must specify port to open. at /usr/bin/fwknop line 761, <STDIN> line 1.

even if I declare the client command like so:

fwknop --Server-mode knock -A tcp/12345 -s -r --offset 55500 -D XXX.XXX.XXX.XXX
   <------ this version should open the port given by -A as long as there is a PERMIT_CLIENT_PORTS: Y; in /etc/fwknop/access.conf on the server.

fwknop --Server-mode knock -s -r --offset 55500 -D XXX.XXX.XXX.XXX
   <------ this version should open the port given by the OPEN_PORT directive in /etc/fwknop/access.conf on the server.

So either I'm completely misunderstanding the man pages and articles or there is some kind of bug here.

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 23:50 UTC
To: netfilter

Working with this some more...

I followed the code in /usr/bin/fwknop and there was no case to handle tcp so I created this patch which fixed the problem:

750c750,755
< if ($access_str =~ /udp/i) {
---
> if ($access_str =~ /tcp/i) {
> $proto_num = 6;
> if ($access_str =~ /(\d+)/) {
> $enc_allow_port = $1;
> }
> } elsif ($access_str =~ /udp/i) {

So now when I run the client I get the knock sequence sent to the server, however the server is still not opening the port so now to investigate that.

Gerry

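Review bot: in the added tcp branch the port is taken with `if ($access_str =~ /(\d+)/)`, which captures the first run of digits anywhere in $access_str rather than the number that follows `tcp/`, so `tcp/12345` works but nothing ties the captured value to the protocol it was written against. One anchored match that sets both at once avoids that, e.g. `if ($access_str =~ /^tcp\/(\d+)$/i) { $proto_num = 6; $enc_allow_port = $1; }`, with the udp branch on line 750 given the same shape for consistency. A range check on $1 (1..65535) before it is stored in $enc_allow_port would also keep an out-of-range port from being sent to the server.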
* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-24 1:44 UTC
To: netfilter

Ok, now I'm stuck again. The port knock sequence is showing up in /var/log/messages on the server but the ssh port never opens. I don't see anything in the log about what fwknop is doing. Is there a debug setting so I can get some output?

Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-24 2:47 UTC
To: netfilter

I ran the daemon in debug mode but still no luck:

# fwknopd --debug
[+] ** Starting fwknopd (debug mode) **
[+] Building iptables config info.
    /sbin/iptables -t filter -n -L INPUT
[+] starting fwknopd
[+] flushing existing iptables IPT_AUTO_CHAIN chains
    /sbin/iptables -t filter -n -L FWKNOP_INPUT
    /sbin/iptables -t filter -F FWKNOP_INPUT
    /sbin/iptables -nL INPUT
[-] warning, could not find iptables state tracking rules in INPUT chain
[+] imported access directives (1 SOURCE definitions).
[+] Sniffing (promisc) packet data from interface: eth0
[+] pcap_loop()

After a good knock sequence is received this is all the output that I see from fwknopd in debug mode.

Gerry

* Re: fwknop: use with Fedora?
From: Michael Rash @ 2007-09-24 0:16 UTC
To: netfilter

On Sep 23, 2007, Gerry Reno wrote:

> Just trying to get port knock working first...
>
> When I run the client I see this error:
>
> $ ./knocklogin
> ++ fwknop --Server-mode knock -A tcp/12345 -s -r --offset 55500 -D
> XXX.XXX.XXX.XXX
> [+] Starting fwknop client.
> [+] Enter an encryption key. This key must match a key in the file
> /etc/fwknop/access.conf on the remote system.
>
> Encryption Key:
> [*] Must specify port to open. at /usr/bin/fwknop line 761, <STDIN> line
> 1. <------ I thought this is what the -A argument did????
> ++ ssh -p 12345 user@XXX.XXX.XXX.XXX
> ssh: connect to host XXX.XXX.XXX.XXX port 12345: Connection refused
> ++ set +x

Ok, thanks for reporting that; I'll fix it for the next release. Still, this is the legacy port knocking mode. How about trying this?:

$ fwknop -A tcp/12345 -R -D XXX.XXX.XXX.XXX

...and setting your /etc/fwknop/access.conf file per one of my previous emails? This will get you going with SPA mode.

--Mike

* Re: fwknop: use with Fedora?
From: Michael Rash @ 2007-09-24 0:10 UTC
To: netfilter

On Sep 23, 2007, Gerry Reno wrote:

> Mike,
> I'm going to try building the RPM on my system.
>
> Here are a few things that I think the RPM should take care of though:
>
> in a %post rule:
> set permissions: (I notice that 'other' has too much access in 1.8.2)
> /etc/fwknop/*

Agreed for /etc/fwknop/*, I will fix this.

> /usr/lib/fwknop/*

The fwknop script (as opposed to the fwknopd daemon) uses modules installed in /usr/lib/fwknop, and normal users need to be able to execute fwknop. Only fwknopd and knoptm need access to the IPTables::ChainMgr and IPTables::Parse modules, so perhaps more restrictive permissions make sense for them, but standard execute permission on the iptables binary still applies...

> /usr/bin/fwknop*

Normal users should be able to execute /usr/bin/fwknop. The other programs such as /usr/sbin/fwknopd, /usr/sbin/knoptm, etc. already have minimal permissions.

> =======================================
>
> And a question about SPA. If I switch to this mode will I still be able
> to keep this system completely stealthy? That is no ports open anywhere?

Yes, SPA is completely stealthy. SPA never uses open ports (unless you want to run the SPA packet over the Tor network, in which case a real TCP server must be used because Tor uses TCP for transport).

--Mike

> I know I can do this with port knocking. I didn't know whether this was
> possible with SPA mode.
>
> Thanks,
> Gerry

* Re: fwknop: use with Fedora?
From: Gerry Reno @ 2007-09-23 3:01 UTC
To: netfilter

Gerry Reno wrote:
> Well, I'm just forging ahead. Hopefully someone can answer my
> original question about user chains.
>
> Right now I tried starting the fwknop daemon and was greeted with
> these errors:
>
> # service fwknop start
> Starting the fwknop daemons: Can't load
> '/usr/lib/fwknop/i386-linux-thread-multi/auto/Net/Pcap/Pcap.so' for
> module Net::Pcap: libpcap.so.0.9.4: cannot open shared object file: No
> such file or directory at
> /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.
> at /usr/sbin/fwknopd line 47
> Compilation failed in require at /usr/sbin/fwknopd line 47.
> BEGIN failed--compilation aborted at /usr/sbin/fwknopd line 47.
>
>
> What I have installed is the latest rpm from CipherDyne:
> fwknop-1.8.2-1.i386.rpm
> <http://www.cipherdyne.org/fwknop/download/fwknop-1.8.2-1.i386.rpm>
> and I guess this rpm either doesn't have the right dependencies and
> did not perform something necessary during %post.
>
> help...
>
> Gerry

Well, I found out that the problem is that Fedora 7 has libpcap 0.9.5 installed and fwknop is looking specifically for libpcap 0.9.4. So I just created a symlink from 0.9.5 to 0.9.4 in /usr/lib. We'll see if this will work.

----------------------------------
So then we get to the next error:

# service fwknop start
Starting the fwknop daemons: [*] /etc/fwknop/access.conf: source ANY missing PORT_OFFSET, defaulting to 61000. at /usr/sbin/fwknopd line 2911.
[FAILED]

Ok, so it defaulted to 61000 but then why not start at this point?

----------------------------------
next try:

put in a PORT_OFFSET

# service fwknop start
Starting the fwknop daemons: [*] /etc/fwknop/access.conf: source ANY missing KNOCK_INTERVAL, defaulting to 60. at /usr/sbin/fwknopd line 2973.
[FAILED]

----------------------------------
next try:

put in a KNOCK_INTERVAL

# service fwknop start
Starting the fwknop daemons: [ OK ]

Finally!

But, when I check the log I see this:

Sep 22 21:57:48 grp-01-00-50 fwknopd: starting fwknopd
Sep 22 21:57:50 grp-01-00-50 fwknopd: flushing existing iptables IPT_AUTO_CHAIN chains
Sep 22 21:57:50 grp-01-00-50 fwknopd: warning, could not find iptables state tracking rules in INPUT chain   <------- here I think it is confused about RH/Fedora iptables structure
Sep 22 21:57:50 grp-01-00-50 fwknopd: imported access directives (1 SOURCE definitions).
Sep 22 21:57:50 grp-01-00-50 kernel: device eth0 entered promiscuous mode
Sep 22 21:57:52 grp-01-00-50 setroubleshoot: SELinux is preventing /sbin/iptables (iptables_t) "write" to /var/log/fwknop/fwknopd.iptout (var_log_t). For complete SELinux messages. run sealert -l 13ca6c50-c04a-4602-9464-9a01ec6a0ba5

I tried to restorecon -v the file but no luck, still same error.

# ls -l /var/log/fwknop/
total 16
dr-x------ 2 root root 4096 2007-09-22 21:57 errs
-rw-r--r-- 1 root root    0 2007-09-22 22:22 fwknopd.ipterr
-rw-r--r-- 1 root root    0 2007-09-22 22:22 fwknopd.iptout

????
