Michael Rash, Security Researcher

Software Release - fwknop-1.9.1

fwknop-1.9.1 release The 1.9.1 release of fwknop is ready for download. This release focuses on better installation support for platforms such as Ubuntu 7.10 and Fedora 8, and also includes many enhancements to the fwknop test suite. The test suite is up to over 80 tests on Linux systems now, and includes verbose output that can help to troubleshoot any fwknop installation. Here is an excerpt from one of the symmetric key tests against the loopback interface which uses the fwknop packet hex dump feature: Sat Jan 26 14:33:03 2008 Raw packet data (hex dump, minus packet headers):
    0x0000: 5532 4673 6447 566b 5831 2f46 7867 764e U2FsdGVkX1/FxgvN
    0x0010: 2f7a 516e 626b 6e74 6943 7638 464b 3543 /zQnbkntiCv8FK5C
    0x0020: 6f6c 7a48 7268 3835 6f77 5a71 5075 4444 olzHrh85owZqPuDD
    0x0030: 4133 512f 6133 6b75 392b 6f58 7177 7748 A3Q/a3ku9+oXqwwH
    0x0040: 6450 7250 6933 4d2f 5278 556d 4e70 7833 dPrPi3M/RxUmNpx3
    0x0050: 6477 3942 6f36 5345 7542 4a50 306d 4630 dw9Bo6SEuBJP0mF0
    0x0060: 476a 5a49 5267 736f 6a37 4769 582b 7344 GjZIRgsoj7GiX+sD
    0x0070: 306a 6446 6d7a 7744 7154 3951 7976 4f65 0jdFmzwDqT9QyvOe
    0x0080: 3765 736d 7855 6a69 7049 5a42 5765 6f67 7esmxUjipIZBWeog
    0x0090: 6f45 6a4d 3744 6f50 5338 7469 7874 4f78 oEjM7DoPS8tixtOx
    0x00a0: 4c33 6457 7275 4f6f 6448 55 L3dWruOodHU
Sat Jan 26 14:33:03 2008 [+] Packet from matched SOURCE: ANY (line 15)
Sat Jan 26 14:33:03 2008 SOURCE block: 0
$VAR1 = {
'tcp' => {
'22' => ''
CMD_REGEX: (?-xism:echo)
KEY: (removed)
TYPE: any
Sat Jan 26 14:33:03 2008 [+] Attempting Rijndael decrypt...
Sat Jan 26 14:33:03 2008 Decrypting raw data (hex dump):
    0x0000: 5361 6c74 6564 5f5f c5c6 0bcd ff34 276e Salted__.....4'n
    0x0010: 49ed 882b fc14 ae42 a25c c7ae 1f39 a306 I..+...B.\...9..
    0x0020: 6a3e e0c3 0374 3f6b 792e f7ea 17ab 0c07 j>...t?ky.......
    0x0030: 74fa cf8b 733f 4715 2636 9c77 770f 41a3 t...s?G.&6.ww.A.
    0x0040: a484 b812 4fd2 6174 1a36 4846 0b28 8fb1
    0x0050: a25f eb03 d237 459b 3c03 a93f 50ca f39e ._...7E.<..?P...
    0x0060: edeb 26c5 48e2 a486 4159 ea20 a048 ccec ..&.H...AY. .H..
    0x0070: 3a0f 4bcb 62c6 d3b1 2f77 56ae e3a8 7475 :.K.b.../wV...tu
    0x0000: c5c6 0bcd ff34 276e .....4'n
    0x0000: 9087 692c 0d84 a24b a802 9b30 550e 6031 ..i,...K...0U.`1
    0x0010: 3121 f532 7404 b2af a863 653f 6d6b 7dab 1!.2t....ce?mk}.
    0x0000: 3ba9 7bda d3ac 0ae3 2a75 288e a791 6f0d ;.{.....*u(...o.
    0x0000: 6677 6b6e 6f70 7465 7374 3030 3030 3030 fwknoptest000000
    Block Size: 16
    Key Size: 32

Sat Jan 26 14:33:03 2008 [+] Decrypted message: 2729686373650157:cm9vdA== :1201375981:1.9.1:1:MTI3LjAuMC4yLHRjcC8yMg==:5v0x5MwZ8I9AUyvriRQ7Ug
For those interested in the changes in the fwknop-1.9.1 release, here is the complete ChangeLog:
  • Added ENABLE_OUTPUT_ACCESS keyword to access.conf file parsing. This provides a similar configuration gate for the iptables OUTPUT chain to the ENABLE_FORWARD_ACCESS keyword, and adds the abiliy to control which access.conf SOURCE blocks interface to the OUTPUT chain.
  • Better installation support for various Linux distributions including Fedora 8 and Ubuntu. The current runlevel is now acquired via the "runlevel" command instead of attempting to read /etc/inittab (which does not even exist on Ubuntu 7.10), and there are new command line arguments --init-dir, --init-name, and --runlevel to allow the init directory, init script name, and the runlevel to be manually specified on the command line.
  • Added command line argument display to fwknop client --verbose mode.
  • Updated the test suite to include OUTPUT chain tests, reference access.conf files in the test/conf/ directory, and perform SPA packet format validation tests by parsing fwknopd output.
  • Updated fwknopd to use always use the -c argument on the knoptm command line (this makes sure that the test suite usage of fwknopd causes knoptm to reference the correct configuration).
  • Updated IPTables::ChainMgr to print iptables command output to stdout or stderr if running in debug or verbose mode.
  • Added --Exclude-mod-regex to so that the installation of particular perl modules that match the supplied regex can be skipped.
  • Added SIGALRM wrapper to the test suite since some libpcap and system combinations break the ability of fwknopd to sniff packets.
  • Added srand() call to the fwknop client (this is useful for older versions of perl which do not automatically call srand() at the first rand() call if srand() was not already called).
  • Added a test to the test suite for sniffing packets over the loopback interface.
  • Added SPA packet aging test to the test suite to ensure that packet expirations work properly (this feature protects against MITM attacks where a valid SPA packet is stopped by an inline attacker and retransmitted at a later time to acquire access).
  • Added a file (test.log) to collect test suite console output.
  • Added --Prepare-results argument to test suite to anonymize test results and create a tarball that can be emailed to a third party to assist in debugging.
  • Added full firewall policy dumps and the collection of system specifics to the test suite. This makes it easy to send the output directory and the test.log file to developers to assist in debugging (no information is sent anywhere except as part of a manual process of course, and addresses can be anonymized with --Prepare-results - loopback addresses are not modified).
  • Added --fw-del-ip <IP> argument to fwknopd so that a specific IP address can be removed from the local firewall policy (this is used by the test suite to ensure that if a test for removed firewall rules fails then subsequent tests will not also fail because they are no longer tracked by a running knoptm instance).
  • Added a test to the test suite to collect fwknopd syslog output. This is useful to see if a mechanism such as SELinux is deployed in a manner that prevents normal fwknop communications.
  • Bugfix to track MD5 digest for SPA command mode packets.
  • Bugfix in fwknopd to not open ports listed in OPEN_PORTS in the absence of the PERMIT_CLIENT_PORTS directive when an SPA packet contains a request for access to a port not listed in OPEN_PORTS. debugging fwknop if there are any issues.
  • Added --verbose flag to fwknopd commands issued by the test suite so that more data is collected for debugging analysis.
  • Added GnuPG tests to the test suite with dedicated keys (for use only with the test suite) in the test/conf/client-gpg and test/conf/server-gpg directories.
  • Added digest file validation to test suite to make sure that fwknopd correctly tracks SPA packet MD5 digests.
  • Updated to search state tracking rule in any iptables chain (many iptables policies have user-defined chains that can be a bit complicated to parse).
  • Updated to be more strict in stopping any running fwknopd processes.