Michael Rash, Security Researcher

Software Release - fwknop-0.9.8

fwknop-0.9.8 released The 0.9.8 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added the ability to ignore old SPA packets through use of the client-side time stamp. This means that an attacker cannot intercept an SPA packet, prevent it from being forwarded to its intended destination, and then put the packet on the wire at some time outside of the allowed time window. There are two new configuration options in fwknop.conf "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE" that control the length of the acceptable time window (2 minutes by default). This requires some level of synchronization between the fwknop client and the fwknopd server, but this is not onerous through the use of NTP. This feature is enabled by default, and the idea for it was contributed by Sebastien J.
  • Completely re-worked IPTables::ChainMgr to support the return of iptables error messages that are collected via stderr. This is critical to fixing any bugs where fwknopd could die as a result of a poorly crafted iptables command.
  • but no information would be returned to the user.
  • Added the ability to specify the position for both the jump rule into the fwknopd chains as well as the position for new rules within the fwknopd chains via the -I argument to iptables. This fixes a bug where the user was given the impression that the IPTABLES_AUTO_RULENUM would accomplish this (IPTABLES_AUTO_RULENUM has been removed).
  • Updated fwknopd to require < 1500 byte payload length before attempting to decrypt. Also, GnuPG decrypts are not attempted unless the encrypted payload is at least 400 bytes long (this is conservative since even encrypting a single byte with a 1024-bit key will result in about 340 bytes of encrypted data).
  • Added the --gpg-default-key option to have fwknop use the default GnuPG key that is defined in the ~/.gnupg/options file.