cipherdyne.org

Michael Rash, Security Researcher



Software Release - fwknop-1.9.11

software release fwknop-1.9.11 The 1.9.11 release of fwknop is ready for download. The major feature addition in this release is the ability to utilize ipfw 'sets' to organize new rules added by the fwknopd daemon on Mac OS X or FreeBSD systems after receiving a valid SPA packet. A couple of other features were added as well, such as user-defined type and code values for SPA packets sent over ICMP, and support in the test suite for running specific chains of related tests.

Here is the complete ChangeLog:

  • (Julien Picalaus) Contributed patches to implement a proper interface to use ipfw 'sets' on systems running ipfw firewalls. This involved changes to fwknopd, knoptm, and the fwknop.conf file like so: Added a test to see if the local ipfw firewall policy is using dynamic rules. Added ipfw_move_rule() so that rules can be moved from one set to another. Added ipfw_disable() set subroutine and it is called at init for IPFW_SET_NUM (except when ipfw isn't using dynamic rules). Made sure that rule finding includes disabled rules (ipfw list -S and changes to regexp) and returning the set in addition to the rule number. When granting access, if a corresponding disabled rule already exists, enable it instead of adding a new one (except when ipfw isn't using dynamic rules). When adding rules, only use keep-state if there are already dynamic rules. Added IPFW_SET_NUM so that the set number for new ipfw can be specified, and add IPFW_DYNAMIC_INTERVAL so that the interval over which rules that have no associated dynamic rules are removed (the default is 60 seconds).
  • (Franck Joncourt) Bug fix to add -O command line arg to knopwatchd to specify an override config file if one is given on the fwknopd command line.
  • Added --icmp-type and --icmp-code command line arguments for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Also restructured how SPA packets are sent over the various protocols. Here is an example of sending an SPA packet over an ICMP packet with type "123" and code "123" (not normal ICMP type/code values) with the pcap trace shown:
    # fwknop -A tcp/22 -s --Server-proto icmp --icmp-type 123 --icmp-code 123 -D 127.0.0.1
    # tcpdump -i lo -l -nn icmp or udp -s 0 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol
    decode listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
    07:24:32.527221 IP 127.0.0.1 > 127.0.0.1: ICMP type-#123, length 169
    0x0000: 4510 00bd 0000 4000 4001 3c2e 7f00 0001 E.....@.@.<.....
    0x0010: 7f00 0001 7b7b e66f 0000 0000 2b63 6a6f ....{{.o....+cjo
    0x0020: 5049 6138 7345 7a35 4864 7955 5176 624b PIa8sEz5HdyUQvbK
    0x0030: 6637 6f51 5934 4e36 4c6c 3454 6931 4453 f7oQY4N6Ll4Ti1DS
    0x0040: 2b4f 3756 6636 4775 6234 756f 6738 4432 +O7Vf6Gub4uog8D2
    0x0050: 3155 4377 5259 6b52 2b30 354b 7043 6b33 1UCwRYkR+05KpCk3
    0x0060: 4f66 452f 4f32 6737 6d37 5064 4846 4842 OfE/O2g7m7PdHFHB
    0x0070: 7a32 4745 3766 7a31 4a4c 7652 764e 626c z2GE7fz1JLvRvNbl
    0x0080: 7a4a 7250 5355 3665 5051 5375 7a54 394b zJrPSU6ePQSuzT9K
    0x0090: 702b 4446 4a79 7a6b 3847 6c51 6a70 3564 p+DFJyzk8GlQjp5d
    0x00a0: 3957 3673 4f52 7945 3771 6f57 6b56 634e 9W6sORyE7qoWkVcN
    0x00b0: 4e41 6167 6231 5a79 6a63 4834 49 NAagb1ZyjcH4I
  • Updated all unpack() calls for packet decoding in fwknopd to use the "mN" format instead of "m[N]" format for proper operation on older versions of perl. On FreeBSD 7.0 with perl-5.6.2 the following error is generated without this fix: "Invalid type in unpack: '['".
  • Bug fix to not require that gpg is installed in order to install fwknop.
  • (Franck Joncourt) Documentation updates for the knopwatchd.8 man page to include the latest command line options.
  • (Martin Ferrari) Bug fix to provide a work around for fwknopd segfaults on Debian systems when the version of Net::Pcap that is installed comes from doing 'apt-get install fwknop-server'. See the thread at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508432 for more info.
  • Bug fix to ensure that UDP rules in ipfw firewalls are timed out correctly by knoptm (the problem was that 'keep-state' was required).
  • (Test suite): Added tests for multi-port access requests. So, to gain access to tcp/22,udp/1194 with one SPA packet, the test suite verifies that the code support this.
  • (Test suite): Started on updates to handle the upcoming libfko C implementation of Single Packet Authorization (the command line args are somewhat different).
  • (Test suite): Added support for multiple include/exclude test identifying strings (separated by commas). For example, to run the 'Setup', 'Basic', and 'Replay' tests, just do:
    ./fwknop_test.pl --include Setup,Basic,Replay
  • (Test suite): Added the ability to test sending SPA packets over ICMP.
  • (Test suite): Added import_perl_modules() routine from fwknop itself to enforce the usage of the same perl modules as those that fwknop references. The main application of this is for the Net::RawIP module which is used by the test suite for the SPA over ICMP tests.