Michael Rash, Security Researcher

Software Release - fwknop-1.8.2

fwknop-1.8.2 release The 1.8.2 release of fwknop is ready for download. This release is the first serious attempt at allowing fwknop to function as a Single Packet Authorization server on Mac OS X systems. Also, several bug fixes and minor command line arguments were added. Here is a screenshot of the fwknop client running under Cygwin on Windows 2000 system that is itself running underneath VMware on Ubuntu Linux. The fwknop client builds an SPA message in the window on the left, and the window on the right shows the syslog messages that are written by the fwknopd server on the Linux machine. Only after the SPA packet is sent does the Windows 2000 system have access to SSH on the Linux box.

fwknop-1.8.2 release

Here is the complete ChangeLog:
  • Added fwknopd server support for Mac OS X. The Darwin uname return string is detected and this enables Darwin-specific installation code in
  • Updated to not print sensitive key/password information in --debug mode with fwknopd.
  • Bugfix for on Windows 2003 Server running under Cygwin where 'uname -o' output is reported 'Gygwin' for some reason.
  • Added --Cygwin-install command line argument to to force client-only fwknop install on Cygwin systems.
  • Added --OS-type command line argument to to allow the user to force the installation type.
  • Updated to version 1.04 of Crypt::Rijndael. This fixes incompatibilities between SPA packets between 64-bit and 32-bit platorms.
  • Bugfix to enforce a maximum of 20 tries to read a password from stdin.
  • Applied TCP options parsing fix from psad for invalid zero or one length fields that break TLV encoding (this is for fwknopd, and only applies to the legacy port knocking mode).
  • Added code to fwknopd to check to see if there are any state tracking rules in place within the local iptables or ipfw policy.
  • Made syslog identity, facility, and priority configurable (applied code from the psad project).
  • Implemented --fw-list for ipfw firewalls.
  • Bugfix for knoptm removing ipfw rules too quickly after not timing out previously instantiated rules properly.
  • Implemented smarter cache removal strategy in knoptm so that rules that are manually removed from the running iptables or ipfw policy are also removed from the cache.
  • Added /var/log/fwknop/errs/fwknopd.{warn,die} tracking to the fwknopd daemon for the PCAP modes of collecting packet data. Added knoptm{warn,die} files for knoptm as well.
  • Bugfix to import the GnuPG::Interface module in --get-key mode.
  • Bugfix to send source IP as a part of the command message in command mode so that REQUIRE_SOURCE_ADDRESS controls can be applied.
  • Added --Test-mode to fwknop client so that SPA packets can be built but never sent over the network.