fwknop.git
3 years agominor addition of the local_spa.key file for 'make dist' fwknop-2.0rc5 fwknop-2.0rc5
Michael Rash [Tue, 6 Dec 2011 03:23:00 +0000]
minor addition of the local_spa.key file for 'make dist'

3 years agoadded local_spa.key file
Michael Rash [Tue, 6 Dec 2011 03:21:31 +0000]
added local_spa.key file

3 years agoadded local_spa.key file
Michael Rash [Tue, 6 Dec 2011 03:20:39 +0000]
added local_spa.key file

3 years agominor addition of the CREDITS file for 'make dist'
Michael Rash [Tue, 6 Dec 2011 03:16:38 +0000]
minor addition of the CREDITS file for 'make dist'

3 years agoAdded the CREDITS file for 'make dist'
Michael Rash [Tue, 6 Dec 2011 03:16:03 +0000]
Added the CREDITS file for 'make dist'

3 years agochange log doc updates
Michael Rash [Tue, 6 Dec 2011 03:11:58 +0000]
change log doc updates

3 years agoAdded various files to Makefile.am so that 'make dist' continues to work
Michael Rash [Tue, 6 Dec 2011 03:10:47 +0000]
Added various files to Makefile.am so that 'make dist' continues to work

3 years agoadded CREDITS file, bumped software version, added ChangeLog files
Michael Rash [Tue, 6 Dec 2011 02:14:31 +0000]
added CREDITS file, bumped software version, added ChangeLog files

3 years agoadded CREDITS file, bumped software version, added ChangeLog files
Michael Rash [Tue, 6 Dec 2011 02:14:14 +0000]
added CREDITS file, bumped software version, added ChangeLog files

3 years agominor compiler warning fix on OpenBSD test_suite
Michael Rash [Sun, 4 Dec 2011 02:21:29 +0000]
minor compiler warning fix on OpenBSD

3 years agominor compile fixes for FreeBSD
Michael Rash [Sat, 3 Dec 2011 18:10:35 +0000]
minor compile fixes for FreeBSD

3 years agoAdded FORCE_NAT mode to the access.conf file
Michael Rash [Thu, 1 Dec 2011 01:51:19 +0000]
Added FORCE_NAT mode to the access.conf file

This commit adds a new configuration variable "FORCE_NAT" to the access.conf
file:

    For any valid SPA packet, force the requested connection to be NAT'd
    through to the specified (usually internal) IP and port value.  This is
    useful if there are multiple internal systems running a service such as
    SSHD, and you want to give transparent access to only one internal system
    for each stanza in the access.conf file.  This way, multiple external
    users can each directly access only one internal system per SPA key.

This commit also implements a few minor code cleanups.

3 years agominor newline fix for access.conf output dump
Michael Rash [Tue, 29 Nov 2011 04:20:11 +0000]
minor newline fix for access.conf output dump

3 years agomemory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336
Michael Rash [Tue, 29 Nov 2011 04:18:07 +0000]
memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336

3 years agoAdded access stanza expiration feature, multiple access stanza bug fix
Michael Rash [Tue, 29 Nov 2011 03:03:21 +0000]
Added access stanza expiration feature, multiple access stanza bug fix

This commit does two major things:

1) Two new access.conf variables are added "ACCESS_EXPIRE" and
"ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having
to modify the access.conf file and restart fwknopd.

2) Allow an access stanza that matches the SPA source address to not
automatically short circuit other stanzas if there is an error (such as when
there are multiple encryption keys involved and an incoming SPA packet is
meant for, say, the second stanza and the first therefore doesn't allow
proper decryption).

3 years agoadded SPA packet aging tests
Michael Rash [Wed, 23 Nov 2011 03:56:48 +0000]
added SPA packet aging tests

3 years agobug fix to exclude SPA packets with timestamps in the future that are too great ...
Michael Rash [Wed, 23 Nov 2011 03:56:36 +0000]
bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)

3 years agoadded test for --test mode in the fwknop client
Michael Rash [Wed, 23 Nov 2011 03:40:26 +0000]
added test for --test mode in the fwknop client

3 years agobug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options
Michael Rash [Wed, 23 Nov 2011 03:34:10 +0000]
bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options

3 years agoadded DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for...
Michael Rash [Wed, 23 Nov 2011 03:13:27 +0000]
added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access

3 years agoadded tests for various access.conf variables
Michael Rash [Sat, 19 Nov 2011 04:23:50 +0000]
added tests for various access.conf variables

3 years agoadded IP/subnet match tests, added --Anonymize-results mode
Michael Rash [Fri, 18 Nov 2011 02:17:50 +0000]
added IP/subnet match tests, added --Anonymize-results mode

3 years agosimplified the client/server interaction code, started on IP filtering tests, added...
Michael Rash [Wed, 16 Nov 2011 02:45:51 +0000]
simplified the client/server interaction code, started on IP filtering tests, added spoof username tests

3 years agominor test wording consolidation
Michael Rash [Fri, 11 Nov 2011 03:54:25 +0000]
minor test wording consolidation

3 years agoThis commit fixes two memory leaks and adds a common exit function.
Michael Rash [Fri, 11 Nov 2011 03:33:32 +0000]
This commit fixes two memory leaks and adds a common exit function.

The two memory leaks were found with the test suite running in
--enable-valgrind mode - here are the relevant error messages:

For fwknopd server GPG clean up:

==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
==345==   at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==345==   by 0x52F6B81: strdup (strdup.c:43)
==345==   by 0x10FA57: add_string_list_ent (access.c:308)
==345==   by 0x110513: parse_access_file (access.c:387)
==345==   by 0x10B5FB: main (fwknopd.c:193)

For fwknop client rc file processing:

==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
==8045==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==8045==    by 0x50A53AA: __fopen_internal (iofopen.c:76)
==8045==    by 0x10C3FF: process_rc (config_init.c:446)
==8045==    by 0x10C8F6: config_init (config_init.c:671)
==8045==    by 0x10AC9E: main (fwknop.c:62)

There is also a new clean_exit() function that makes it easier to ensure that
resources are deallocated upon existing.

3 years agoremove CMD timestamps for --diff mode
Michael Rash [Fri, 11 Nov 2011 03:33:00 +0000]
remove CMD timestamps for --diff mode

3 years agoadded --diff mode to the test suite to compare results from one execution to the...
Michael Rash [Sun, 6 Nov 2011 18:51:23 +0000]
added --diff mode to the test suite to compare results from one execution to the next

3 years agoconsolidated several test functions into a single generic_exec() function
Michael Rash [Sat, 5 Nov 2011 03:46:31 +0000]
consolidated several test functions into a single generic_exec() function

3 years agoFixed fwknopd memory leak, several other fixes and updates
Michael Rash [Fri, 4 Nov 2011 02:15:19 +0000]
Fixed fwknopd memory leak, several other fixes and updates

This commit does several things.  First, a memory leak in fwknopd has been
fixed by ensuring to free access.conf stanzas.  This bug was found with the
new test suite running in --enable-valgrind mode.  Here is what some of the
valgrind output looked like to find the leak:

==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
==19217==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==19217==    by 0x52F6B81: strdup (strdup.c:43)
==19217==    by 0x10FC8B: add_acc_string (access.c:49)
==19217==    by 0x1105C8: parse_access_file (access.c:756)
==19217==    by 0x10B79B: main (fwknopd.c:194)
==19217==
==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
==19217==    by 0x10FEC0: add_source_mask (access.c:88)
==19217==    by 0x110100: expand_acc_source (access.c:191)
==19217==    by 0x1104B0: parse_access_file (access.c:500)
==19217==    by 0x10B79B: main (fwknopd.c:194)
==19217==
==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
==19217==    by 0x1103E4: parse_access_file (access.c:551)
==19217==    by 0x10B79B: main (fwknopd.c:194)
==19217==
==19217== LEAK SUMMARY:
==19217==    definitely lost: 152 bytes in 1 blocks
==19217==    indirectly lost: 31 bytes in 3 blocks
==19217==      possibly lost: 0 bytes in 0 blocks
==19217==    still reachable: 8 bytes in 1 blocks
==19217==         suppressed: 0 bytes in 0 blocks

Second, this commit changes how fwknopd acquires packet data with
pcap_dispatch() - packets are now processed within the callback function
process_packet() that is provided to pcap_dispatch(), the global packet
counter is incremented by the return value from pcap_dispatch() (since this is
the number of packets processed per pcap loop), and there are two new
fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the
number of packets that pcap_dispatch() should process per loop and the number
of microseconds that fwknopd should sleep per loop respectively.  Without this
change, it was fairly easy to cause fwknopd to miss packets by creating bursts
of packets that would all be processed one at time with the usleep() delay
between each.  For fwknopd deployed on a busy network and with a permissive
pcap filter (i.e. something other than the default that causes fwknopd to look
at, say, TCP ACK's), this change should help.

Third, the criteria that a packet must reach before data copying into the
buffer designed for SPA processing has been tightened.  A packet less than
/greater than the minimum/maximum expected sizes is ignored before data is
copied, and the base64 check is done as well.

3 years agoadded complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns
Michael Rash [Mon, 31 Oct 2011 02:14:00 +0000]
added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns

3 years agoupdated client SPA verbose message to include the server IP/host
Michael Rash [Sun, 30 Oct 2011 03:49:29 +0000]
updated client SPA verbose message to include the server IP/host

3 years agominor looping criteria update for valgrind tests
Michael Rash [Sun, 30 Oct 2011 03:48:42 +0000]
minor looping criteria update for valgrind tests

3 years ago[test-suite] added the ability to run all fwknop tests through valgrind
Michael Rash [Sat, 29 Oct 2011 20:59:57 +0000]
[test-suite] added the ability to run all fwknop tests through valgrind

3 years agobugfix to return preprocess_spa_data() result properly to calling function
Michael Rash [Sat, 29 Oct 2011 20:55:28 +0000]
bugfix to return preprocess_spa_data() result properly to calling function

3 years agoupdate to remove packet direction requirement when sniffing on OpenBSD loopback inter...
Michael Rash [Sat, 29 Oct 2011 03:01:06 +0000]
update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces

3 years agominor whitespace removal
Michael Rash [Sat, 29 Oct 2011 03:00:26 +0000]
minor whitespace removal

3 years agoadded stack protection detection for OpenBSD systems
Michael Rash [Sat, 29 Oct 2011 02:59:52 +0000]
added stack protection detection for OpenBSD systems

3 years agoUpdate to ensure libfko.so path is detected properly on OpenBSD
Michael Rash [Sat, 29 Oct 2011 02:42:27 +0000]
Update to ensure libfko.so path is detected properly on OpenBSD

3 years agoUpdate to print all firewall commands in --verbose mode
Michael Rash [Fri, 28 Oct 2011 01:51:55 +0000]
Update to print all firewall commands in --verbose mode

This commit makes it easier to determine exactly which commands fwknopd
runs in --verbose mode when interacting with the underlying firewall.
This commit also adds --verbose --verbose mode to the test suite.

3 years agoadded 'const' to function prototype vars where possible
Michael Rash [Wed, 26 Oct 2011 01:00:40 +0000]
added 'const' to function prototype vars where possible

Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.

Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.

3 years agocompiler warning fix for sscanf() on freebsd
Michael Rash [Tue, 25 Oct 2011 01:52:13 +0000]
compiler warning fix for sscanf() on freebsd

This commit fixes the following gcc warning on freebsd systems:

replay_cache.c: In function 'replay_file_cache_init':
replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'

3 years agoupdate to detect loopback interface
Michael Rash [Tue, 25 Oct 2011 00:48:56 +0000]
update to detect loopback interface

3 years agominor whitespace removal
Michael Rash [Tue, 25 Oct 2011 00:48:20 +0000]
minor whitespace removal

3 years agoadded LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution...
Michael Rash [Sun, 23 Oct 2011 02:29:27 +0000]
added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier

3 years agoadded digest cache validation after GPG tests
Michael Rash [Sun, 23 Oct 2011 02:06:00 +0000]
added digest cache validation after GPG tests

3 years agominor update to match include/exclude criteria on the whole test message
Michael Rash [Sun, 23 Oct 2011 01:54:22 +0000]
minor update to match include/exclude criteria on the whole test message

3 years agoextended packet validity tests in GPG mode
Michael Rash [Sun, 23 Oct 2011 01:29:44 +0000]
extended packet validity tests in GPG mode

3 years agoadded first GPG complete cycle SPA test
Michael Rash [Sat, 22 Oct 2011 20:48:30 +0000]
added first GPG complete cycle SPA test

3 years agominor whitespace removal
Michael Rash [Sat, 22 Oct 2011 19:19:54 +0000]
minor whitespace removal

3 years agoadded test to validate digest.cache structure
Michael Rash [Sat, 22 Oct 2011 18:25:56 +0000]
added test to validate digest.cache structure

3 years agoadded -P bpf test for complete SPA cycle over non standard SPA port
Michael Rash [Sat, 22 Oct 2011 14:57:25 +0000]
added -P bpf test for complete SPA cycle over non standard SPA port

3 years agoadded -P bpf filter test
Michael Rash [Sat, 22 Oct 2011 14:48:37 +0000]
added -P bpf filter test

3 years agoadded Rijndael SPA validity tests
Michael Rash [Sat, 22 Oct 2011 03:43:08 +0000]
added Rijndael SPA validity tests

3 years agoadded rule timeout detection
Michael Rash [Sat, 22 Oct 2011 03:13:24 +0000]
added rule timeout detection

3 years agoadded replay attack detection test
Michael Rash [Sat, 22 Oct 2011 02:55:45 +0000]
added replay attack detection test

3 years agominor removal of whitespace
Michael Rash [Sat, 22 Oct 2011 02:54:49 +0000]
minor removal of whitespace

3 years agoadded first complete SPA cycle test
Michael Rash [Fri, 21 Oct 2011 03:33:41 +0000]
added first complete SPA cycle test

3 years agoAdded --digest-file and --pid-file args
Michael Rash [Fri, 21 Oct 2011 03:31:59 +0000]
Added --digest-file and --pid-file args

Added --digest-file and --pid-file args so that the user can easily alter
these paths from the command line.

3 years agoadded client/server interaction test capability
Michael Rash [Thu, 20 Oct 2011 04:06:58 +0000]
added client/server interaction test capability

3 years agoMinor PID string length fix
Michael Rash [Wed, 19 Oct 2011 01:28:38 +0000]
Minor PID string length fix

Changed PID string length to 7 to accomodate an ending newline and NULL
char when writing to the fwknopd .pid file.  Without this fix, with a
5 digit PID the trailing newline would be truncated (no room for the
ending NULL char).

3 years agoAdded --fw-list-all and --fw-flush
Michael Rash [Tue, 18 Oct 2011 03:03:28 +0000]
Added --fw-list-all and --fw-flush

Added new command line options --fw-list-all and --fw-flush to allow all
firewall rules to be displayed including those not created by fwknopd, and
allow all firewall rules created by fwknopd to be deleted.

Also switched -D config dump output to stdout.

3 years agoAdded usage of sudo for recompilation test
Michael Rash [Tue, 18 Oct 2011 02:55:01 +0000]
Added usage of sudo for recompilation test

The test suite now recompiles fwknop only if the --enable-recompile-check
option is used, and if so, uses sudo (if installed) to have the resulting
binaries own by the original user (instead of by root).  Also made a couple
of API changes to create test output files automatically if they don't
exist.

3 years agominor update to allow fw rules to be dumped before parsing the access.conf file
Michael Rash [Fri, 14 Oct 2011 02:44:35 +0000]
minor update to allow fw rules to be dumped before parsing the access.conf file

3 years agominor whitespace fixes
Michael Rash [Fri, 14 Oct 2011 02:02:21 +0000]
minor whitespace fixes

3 years agominor wording update netfilter -> iptables
Michael Rash [Fri, 14 Oct 2011 00:59:30 +0000]
minor wording update netfilter -> iptables

3 years agominor bugfix to ensure that the proper firewall is used to collect system specs
Michael Rash [Fri, 14 Oct 2011 00:41:12 +0000]
minor bugfix to ensure that the proper firewall is used to collect system specs

3 years agoadded the test/conf/ directory for config files use by the test suite
Michael Rash [Fri, 14 Oct 2011 00:30:05 +0000]
added the test/conf/ directory for config files use by the test suite

3 years agominor typo fix
Michael Rash [Fri, 14 Oct 2011 00:29:37 +0000]
minor typo fix

3 years agostarted on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko...
Michael Rash [Fri, 14 Oct 2011 00:29:19 +0000]
started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance

3 years agointerim commit to add major functionality to the fwknop test suite
Michael Rash [Thu, 13 Oct 2011 03:37:28 +0000]
interim commit to add major functionality to the fwknop test suite

3 years agoremoved
Michael Rash [Thu, 13 Oct 2011 03:36:51 +0000]
removed

3 years agominor update to switch to stdout when exiting with success
Michael Rash [Thu, 13 Oct 2011 03:36:04 +0000]
minor update to switch to stdout when exiting with success

3 years agoswitched --help output to stdout from stderr
Michael Rash [Fri, 7 Oct 2011 03:02:29 +0000]
switched --help output to stdout from stderr

3 years agominor update to account for hardening-check return values
Michael Rash [Fri, 7 Oct 2011 02:53:27 +0000]
minor update to account for hardening-check return values

3 years agoInitial start on a test suite
Michael Rash [Wed, 5 Oct 2011 03:15:04 +0000]
Initial start on a test suite

This commit begins development on a comprehensive test suite for fwknop.
The initial tests are focused on compilation correctness and security options
as determined by the "hardening-check" script from Kees Cook of the Debian
security team.

3 years agoAdded --help usage information fwknop-2.0.0 fwknop-launcher
Michael Rash [Mon, 26 Sep 2011 01:12:30 +0000]
Added --help usage information

With the --help command line argument, the following information is printed:

$ ./fwknop-launcher-lsof.pl --help

Usage: fwknop-launcher-lsof.pl [options]

Options:

    -c,  --config     <file>   - Path to fwknop-launcher.conf config file.
    -l,  --lsof-cmd   <path>   - Path to lsof command.
    -f,  --fwknop-cmd <path>   - Path to fwknop client command.
    -s,  --sleep   <seconds>   - Specify sleep interval (default:
                                 1 seconds)
    -n   --no-daemon           - Run in foreground mode.
    -u,  --user   <username>   - Specify username (usually this is not
                                 needed).
         --home-dir <dir>      - Path to user's home directory (usually
                                 this is not needed).
    -v   --verbose             - Print verbose information to the terminal
                                 (requires --no-daemon).
         --help                - Print usage info and exit.

3 years agoMerge branch 'master' into fwknop-launcher
Michael Rash [Mon, 26 Sep 2011 01:02:54 +0000]
Merge branch 'master' into fwknop-launcher

3 years agoAdded the fwknop lsof launcher under the extras/ directory
Michael Rash [Sun, 25 Sep 2011 02:24:30 +0000]
Added the fwknop lsof launcher under the extras/ directory

The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
lightweight daemon that allows the user to not have to manually run the fwknop
client when attempting to gain access to a service that is protected by Single
Packet Authorization via fwknopd.  This is accomplished by checking the output
of lsof to look for pending connections in the SYN_SENT state, which (usually)
indicate that a remote firewall is blocking the attempted connection.  At this
point, the launcher executes the fwknop client with the --get-key arg (so the
user must place the key in the local filesystem) to generate an SPA packet for
the attempted connection.  The remote fwknopd daemon will reconfigure the
firewall to allow temporary access, and this usually happens fast enough that
the original connection attempt will then succeed.

The idea for this was originally for a pcap-based connection watcher by
Sebastien Jeanquier.

3 years agoMerge pull request #5 from maxkas/master
Michael Rash [Thu, 22 Sep 2011 01:10:16 +0000]
Merge pull request #5 from maxkas/master

Fwknop client for iPhone devices - contributed by Max Kastanas

3 years agoCodebase of Fwknop client for iOS (iPhone) devices
Max Kastanas [Sat, 17 Sep 2011 05:51:53 +0000]
Codebase of Fwknop client for iOS (iPhone) devices

3 years agominor typo fix: fwkop -> fwknop
Michael Rash [Tue, 13 Sep 2011 03:04:41 +0000]
minor typo fix: fwkop -> fwknop

3 years agoMerge branch 'master' of https://github.com/mrash/fwknop
Damien Stuart [Sat, 10 Sep 2011 15:30:09 +0000]
Merge branch 'master' of https://github.com/mrash/fwknop

3 years agoAdded the cmd_opts.h file to server and client's Makefile.am so they are included...
Damien Stuart [Sat, 10 Sep 2011 15:25:08 +0000]
Added the cmd_opts.h file to server and client's  Makefile.am so they are included with make dist.

3 years agoReplaced all strcpy() calls with strlcpy()
Michael Rash [Sat, 10 Sep 2011 02:09:37 +0000]
Replaced all strcpy() calls with strlcpy()

OpenBSD especially gives compiler warnings whenever strcpy() is used.  All such
calls have been replaced with strlcpy().

3 years agoAdded read-only relocations and immediate bindings
Michael Rash [Fri, 9 Sep 2011 03:44:50 +0000]
Added read-only relocations and immediate bindings

Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only relocations
and immediate bindings for FreeBSD systems (and the same was done for OpenBSD
systems too).  This commit adds these security features back in as linker
options by only changing LDFLAGS as opposed to also adding the corresponding
flags to CFLAGS.  The end result is that the following errors are fixed:

gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done

3 years agoCheck for active_rules > 0 before decrementing
Michael Rash [Fri, 9 Sep 2011 01:33:52 +0000]
Check for active_rules > 0 before decrementing

In the fw_config struct the active_rules member is unsigned, so this change
ensures that we don't try to decrement it below zero whenever a firewall rule
is deleted or an error condition occurs.

3 years agoUpdate to make _exp_ string a #define openbsd_pf_support
Michael Rash [Thu, 8 Sep 2011 04:20:20 +0000]
Update to make _exp_ string a #define

Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed.

3 years agoAdded the ability to delete PF rules
Michael Rash [Thu, 8 Sep 2011 03:24:18 +0000]
Added the ability to delete PF rules

This commit adds the ability to fwknopd to delete PF rules after the SPA timer
expires.  The strategy implemented is similar to iptables and ipfw, except
that all PF rules are added to an 'anchor', and deleting a specific expired
rule is done by listing all rules in the anchor and reinstantiating it via
'pfctl -a <anchor> -f -' with the expired rule deleted.  fwknopd uses the
"_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
interfaces with iptables (via the 'comment' match), and ipfw (via the
"//<comment>" feature).

3 years agominor comment typo fixes
Michael Rash [Sun, 4 Sep 2011 01:00:12 +0000]
minor comment typo fixes

3 years agoPF rules are now added to the fwknop anchor
Michael Rash [Sat, 3 Sep 2011 18:50:28 +0000]
PF rules are now added to the fwknop anchor

This commit implements the ability to add PF firewall rules to the fwknop
anchor after a valid SPA packet is sniffed off the wire.  A subsequent commit
will add the ability to delete these rules.

3 years agoMinor copyright holder update
Michael Rash [Sun, 28 Aug 2011 17:37:23 +0000]
Minor copyright holder update

Minor copyright holder update

3 years agoFor PF firewalls implemented a check for an active fwknop anchor
Michael Rash [Sun, 28 Aug 2011 17:27:15 +0000]
For PF firewalls implemented a check for an active fwknop anchor

This commit ensures that for PF firewalls that the fwknop anchor is active and
linked into the running PF policy.  This is accomplished by looking for the
string 'anchor "fwknop"' in the output of "pfctl -s rules".  If the anchor
exists, then fwknopd will be able to influence traffic via rules added and
removed from the fwknop anchor.

3 years agoAdded --fw-list info to --help
Michael Rash [Sat, 27 Aug 2011 15:07:19 +0000]
Added --fw-list info to --help

Added --fw-list output to usage info when --help is specified from the command
line.

3 years agoPF support on OpenBSD in progress, fwknop --fw-list now works
Michael Rash [Sat, 27 Aug 2011 14:57:17 +0000]
PF support on OpenBSD in progress, fwknop --fw-list now works

This is the first commit that has fwknopd interact with the PF firewall on
OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).

3 years agoAdded autoconf check for pf firewalls
Michael Rash [Thu, 25 Aug 2011 03:55:36 +0000]
Added autoconf check for pf firewalls

On OpenBSD systems fwknop now checks for pf firewalls via autoconf.  The next
step will be to fill in support for pf via the C code.

3 years agoDisabled read-only relocations and immediate binding compiler protections
Michael Rash [Thu, 25 Aug 2011 03:17:45 +0000]
Disabled read-only relocations and immediate binding compiler protections

Similarly to FreeBSD systems, gcc throws the following warnings with read-only
relcations and immediate binding protections - disbabled for now:

gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done

3 years agoremoved 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
Michael Rash [Tue, 23 Aug 2011 01:39:28 +0000]
removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files

3 years agobumped version to 2.0.0rc4 fwknop-2.0.0rc4
Michael Rash [Sun, 21 Aug 2011 18:06:41 +0000]
bumped version to 2.0.0rc4

3 years agoAdded version specific ChangeLog, ShortLog, and diffstat files.
Michael Rash [Sun, 21 Aug 2011 18:02:25 +0000]
Added version specific ChangeLog, ShortLog, and diffstat files.

Added version specific ChangeLog, ShortLog, and diffstat files (these go all
the way back to the beginning of the svn import since 2.0.0 will be the
first official non-"rc" release of the new C code).

3 years agoUpdated ChangeLog with all changes from 2.0.0-rc3
Michael Rash [Sun, 21 Aug 2011 18:00:16 +0000]
Updated ChangeLog with all changes from 2.0.0-rc3

Updated ChangeLog with all changes from 2.0.0-rc3