diff --git a/client/http_resolve_host.c b/client/http_resolve_host.c
index c2b4496d..ae4ef690 100644
--- a/client/http_resolve_host.c
+++ b/client/http_resolve_host.c
@@ -31,7 +31,6 @@ */
 #include "fwknop_common.h"
 #include "utils.h"
-#include
 #include
@@ -43,6 +42,7 @@ #include #endif #include + #include #endif struct url
diff --git a/test/afl/AFL_status_screen.png b/test/afl/AFL_status_screen.png
new file mode 100644
index 00000000..e7707817
Binary files /dev/null and b/test/afl/AFL_status_screen.png differ
diff --git a/test/afl/README b/test/afl/README
deleted file mode 100644
index f2d5ab60..00000000
--- a/test/afl/README
+++ /dev/null
@@ -1,60 +0,0 @@ - -The fwknop project supports various fuzzing strategies, and one of the most -important is usage of the 'American Fuzzy Lop' (AFL) fuzzer written by Michal -Zalewski (see: https://code.google.com/p/american-fuzzy-lop/). Because AFL is -not designed to handle encryption schemes (see the README included in the AFL -sources for more information on this), a special --enable-afl-fuzzing command -line switch is available to the fwknop autoconf configure script. This argument -allows encryption and base64 encoding to be bypassed when feeding SPA packet -data to fwknopd via stdin. It is the feature that enables AFL fuzzing. - -This directory contains enabling scripts in order to make it easy to fuzz -fwknop with AFL. It is assumed that AFL is installed and in your path. The -files are in this directory are organized as follows: - -afl-fuzzing.in - Directory for initial AFL test case(s). -afl-fuzzing.out - Directory for AFL results after a fuzzing run. - -afl-compile.sh - Script to compile fwknop underneath afl-gcc. -afl-fuzzing.in - AFL input directory which contains input test cases. -afl-fuzzing.out - AFL output directory. -afl-run.sh - Script to invoke AFL with proper command line arguments to - fwknopd for fuzzing enablement. - -For gcov code coverage only: - -afl-compile-code-coverage.sh - Compile fwknop with code coverage support. 
-afl-gen-code-coverage.sh - Generate code coverage report after running - afl-run.sh (and with coverage support - compiled in) - -Here is an example of what fwknopd produces when compiled for AFL support when -a dummy SPA packet is provided in non-encoded/encrypted form via fwknopd's -stdin: - -$ ./fwknopd-stdin-test.sh -+ SPA_PKT=1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA -+ LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t -+ echo -n 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA -Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY' -SPA Field Values: -================= - Random Value: 1716411011200157 - Username: root - Timestamp: 1397329899 - FKO Version: 2.0.1 - Message Type: 1 (Access msg) - Message String: 127.0.0.2,tcp/22 - Nat Access: - Server Auth: - Client Timeout: 0 - Digest Type: 3 (SHA256) - HMAC Type: 0 (None) -Encryption Type: 1 (Rijndael) -Encryption Mode: 2 (CBC) - Encoded Data: 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22 -SPA Data Digest: AAAAA - HMAC: - Final SPA Data: 200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA - -SPA packet decode: Success
diff --git a/test/afl/README b/test/afl/README
new file mode 120000
index 00000000..42061c01
--- /dev/null
+++ b/test/afl/README
@@ -0,0 +1 @@
+README.md
\ No newline at end of file
diff --git a/test/afl/README.md b/test/afl/README.md
new file mode 100644
index 00000000..4cdf37f3
--- /dev/null
+++ b/test/afl/README.md
@@ -0,0 +1,131 @@ + +# Fuzzing fwknop With American Fuzzy Lop (AFL) + +## Quick Start + +To get going with AFL fuzzing against fwknop: + + $ ./compile/afl-compile.sh + $ ./fuzzing-wrappers/spa-pkts.sh + +Fuzzing results will be placed in fuzzing-output/server-conf.out/. For more +information, read on. + +## Introduction + +The fwknop project supports various fuzzing strategies, and one of the most +important is usage of the 'American Fuzzy Lop' (AFL) fuzzer written by Michal +Zalewski (see: [http://lcamtuf.coredump.cx/afl/]). Because AFL is not designed to +handle encryption schemes (see the README included in the AFL sources for more +information on this), a special *--enable-afl-fuzzing* command line switch is +available in the fwknop autoconf configure script. This argument allows +encryption and base64 encoding to be bypassed when feeding SPA packet data to +fwknopd via stdin. It is this feature that enables AFL fuzzing, and is analogous +to the *libpng-nocrc.patch* patch included in the AFL sources. The corresponding +commit that enables this functionality in fwknop is aaa44656bcfcb705d80768a7b9aa0d45a0e55e21 +(see: [https://github.com/mrash/fwknop/commit/aaa44656bcfcb705d80768a7b9aa0d45a0e55e21]) + +One exception to the need for compiling fwknop wtih *--enable-afl-fuzzing* is +when using AFL to fuzz the fwknoprc file that is leveraged by the fwknop client. +In this case, fwknop should not be compiled with +*--enable-afl-fuzzing* (use the *compile/afl-compile-no-enable-arg.sh* script) +since the fwknoprc file parsing routines are fuzzed instead of the SPA packet +encoding/decoding cycles. + +## AFL Wrappers + +The top level directory contains enabling scripts in order to make it easy to +fuzz fwknop with AFL. It is assumed that AFL is installed and in your path. The +files are in this directory are organized as follows: + + * *fuzzing-wrappers/* + + Directory that contains wrapper scripts for running AFL against fwknop. 
All + interaction with AFL should be done with these scripts, and they should be executed + from the test/afl/ directory, e.g. "./fuzzing-wrappers/client-rc.sh". + + There are four areas in fwknop that are fuzzed: + 1. SPA packet encoding/decoding (*./fuzzing-wrappers/spa-pkts.sh*) + 2. server access.conf parsing (*./fuzzing-wrappers/server-access.sh*) + 3. server fwknopd.conf parsing (*./fuzzing-wrappers/server-conf.sh*) + 4. client fwknoprc file parsing. (*./fuzzing-wrappers/client-rc.sh*) + + * *fuzzing-wrappers/helpers/* + + Directory for helper scripts that are used by the fuzzing wrappers to ensure + that fwknop is compiled properly for AFL support and is ready for fuzzing cycles. + + * *test-cases/* + + Directory for ALF test cases used by the wrapper scripts. + + * *compile/* + + Directory for compilation scripts to ensure fwknop is compiled underneath afl-gcc. + + * *fuzzing-output/* + + Results directory that is made underneath an AFL fuzzing cycle. + +## Complete Example + +To fuzz the SPA packet encoding/decoding routines, the *fuzzing-wrappers/spa-pkts.sh* +script will kick things off. This assumes that fwknop has been compiled with AFL +support with the *compile/afl-compile.sh* script: + + $ ./fuzzing-wrappers/spa-pkts.sh + ... + + LD_LIBRARY_PATH=../../lib/.libs afl-fuzz -t 1000 -i test-cases/spa-pkts -o fuzzing-output/spa-pkts.out ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t + afl-fuzz 0.64b (Nov 22 2014 13:04:11) by + [+] You have 1 CPU cores and 2 runnable tasks (utilization: 200%). + [*] Checking core_pattern... + [*] Setting up output directories... + [+] Output directory exists but deemed OK to reuse. + [*] Deleting old session data... + [+] Output dir cleanup successful. + [*] Scanning 'test-cases/spa-pkts'... + [*] Creating hard links for all input files... + [*] Validating target binary... + [*] Attempting dry run with 'id:000000,orig:spa.start'... + [*] Spinning up the fork server... 
+ [+] All right - fork server is up. + ... + +Then the familiar AFL status screen is displayed: + +![alt text][AFL-status-screen] + +[AFL-status-screen]: https://github.com/mrash/fwknop/raw/master/test/afl/AFL_status_screen.png "AFL Fuzzing SPA Packets" + +## SPA Packet Helper Script + +Here is an example of what fwknopd produces when compiled for AFL support when +a dummy SPA packet is provided in non-encoded/encrypted from via fwknopd's +stdin. This uses the *fwknopd-stdin-test.sh* helper script: + + $ ./fuzzing-wrappers/helpers/fwknopd-stdin-test.sh + + SPA_PKT=1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA + + LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t + + echo -n 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA + Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY' + SPA Field Values: + ================= + Random Value: 1716411011200157 + Username: root + Timestamp: 1397329899 + FKO Version: 2.0.1 + Message Type: 1 (Access msg) + Message String: 127.0.0.2,tcp/22 + Nat Access: + Server Auth: + Client Timeout: 0 + Digest Type: 3 (SHA256) + HMAC Type: 0 (None) + Encryption Type: 1 (Rijndael) + Encryption Mode: 2 (CBC) + Encoded Data: 1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22 + SPA Data Digest: AAAAA + HMAC: + Final SPA Data: 200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA + + SPA packet decode: Success
diff --git a/test/afl/afl-compile-code-coverage.sh b/test/afl/afl-compile-code-coverage.sh
deleted file mode 100755
index 6d7d42fd..00000000
--- a/test/afl/afl-compile-code-coverage.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh -x
-
-cd ..
-./rm-coverage-files.sh
-cd afl
-
-./afl-compile.sh --enable-profile-coverage
-
-exit
diff --git a/test/afl/compile/afl-compile-code-coverage.sh b/test/afl/compile/afl-compile-code-coverage.sh
new file mode 100755
index 00000000..6c2d9376
--- /dev/null
+++ b/test/afl/compile/afl-compile-code-coverage.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+cd ..
+./rm-coverage-files.sh
+cd afl
+
+./compile/afl-compile.sh --enable-profile-coverage
+
+exit $?
diff --git a/test/afl/compile/afl-compile-no-enable-arg.sh b/test/afl/compile/afl-compile-no-enable-arg.sh
new file mode 100755
index 00000000..de6e38b6
--- /dev/null
+++ b/test/afl/compile/afl-compile-no-enable-arg.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+# this is for the fuzzing-wrappers/client-rc.sh script
+
+cd ../../
+CC=afl-gcc ./extras/apparmor/configure_args.sh $@
+make clean
+make
+cd test/afl
+exit $?
diff --git a/test/afl/afl-compile.sh b/test/afl/compile/afl-compile.sh
similarity index 93%
rename from test/afl/afl-compile.sh
rename to test/afl/compile/afl-compile.sh
index 332605bf..6e10643b 100755
--- a/test/afl/afl-compile.sh
+++ b/test/afl/compile/afl-compile.sh
@@ -5,4 +5,4 @@ CC=afl-gcc ./extras/apparmor/configure_args.sh --enable-afl-fuzzing $@
 make clean
 make
 cd test/afl
-exit
+exit $?
diff --git a/test/afl/afl-gen-code-coverage.sh b/test/afl/compile/afl-gen-code-coverage.sh
similarity index 96%
rename from test/afl/afl-gen-code-coverage.sh
rename to test/afl/compile/afl-gen-code-coverage.sh
index b17643d6..747f42c1 100755
--- a/test/afl/afl-gen-code-coverage.sh
+++ b/test/afl/compile/afl-gen-code-coverage.sh
@@ -10,4 +10,4 @@ cd afl echo "[+] Code coverage available in the $RESULTS_DIR/ directory"
-exit
+exit $?
diff --git a/test/afl/fuzzing-wrappers/client-rc.sh b/test/afl/fuzzing-wrappers/client-rc.sh
index 1895515f..9059df39 100755
--- a/test/afl/fuzzing-wrappers/client-rc.sh
+++ b/test/afl/fuzzing-wrappers/client-rc.sh
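Review bot: In compile/afl-compile-no-enable-arg.sh and compile/afl-compile.sh the final `exit $?` comes right after `cd test/afl`, so the script's status reports whether that directory change succeeded and never reflects a failed `make`; compile/afl-gen-code-coverage.sh likewise returns the status of its closing `echo`. compile/afl-compile-code-coverage.sh propagates that value with its own `exit $?`, so a broken build is not surfaced before fuzzing starts on a stale binary. Capture the build result before leaving the tree: `make; RC=$?`, `cd test/afl`, `exit $RC` (the same three lines fit both compile scripts). Note also that `exit $?` with no command in between is identical to a bare `exit`, so on its own the rewording does not change what callers see.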
@@ -15,8 +15,9 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 ### make sure the client can handle the rc file
-./fuzzing-wrappers/fwknop-rc-test.sh || exit
+./fuzzing-wrappers/helpers/fwknop-rc-test.sh || \
+ { echo "[*] Client rc file fuzzing requires compilation with ./compile/afl-compile-no-enable-args.sh"; exit 1; }
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/fwknoprc $CLIENT --rc-file $OUT_DIR/fwknoprc -T -a 1.1.1.1 -n testhost.com
-exit
+exit $?
diff --git a/test/afl/fuzzing-wrappers/fwknop-rc-test.sh b/test/afl/fuzzing-wrappers/fwknop-rc-test.sh
deleted file mode 100755
index c5ece1ab..00000000
--- a/test/afl/fuzzing-wrappers/fwknop-rc-test.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-LD_LIBRARY_PATH=../../lib/.libs ../../client/.libs/fwknop --rc-file test-cases/client-rc/fwknoprc -T -a 1.1.1.1 -n testhost.com
diff --git a/test/afl/fuzzing-wrappers/fwknopd-parse-access.sh b/test/afl/fuzzing-wrappers/fwknopd-parse-access.sh
deleted file mode 100755
index 9b605223..00000000
--- a/test/afl/fuzzing-wrappers/fwknopd-parse-access.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t --exit-parse-config -D
diff --git a/test/afl/fuzzing-wrappers/fwknopd-parse-conf.sh b/test/afl/fuzzing-wrappers/fwknopd-parse-conf.sh
deleted file mode 100755
index eb12114e..00000000
--- a/test/afl/fuzzing-wrappers/fwknopd-parse-conf.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c test-cases/server-conf/fwknopd.conf -a ../conf/default_access.conf -A -f -t --exit-parse-config -D
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknop-rc-hangs.sh b/test/afl/fuzzing-wrappers/helpers/fwknop-rc-hangs.sh
new file mode 100755
index 00000000..ec252688
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknop-rc-hangs.sh
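Review bot: The failure message added to client-rc.sh tells the user to run `./compile/afl-compile-no-enable-args.sh`, but the script this commit adds is `compile/afl-compile-no-enable-arg.sh` (singular), so the only recovery hint points at a file that does not exist. Change the message to name `./compile/afl-compile-no-enable-arg.sh`. The variable setup the hunk relies on (OUT_DIR, LIB_DIR, CLIENT) is defined above the hunk and is not visible here.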
@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/client-rc.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknop-rc-test.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+ ./$HELPER_SH $f
+done
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknop-rc-test.sh b/test/afl/fuzzing-wrappers/helpers/fwknop-rc-test.sh
new file mode 100755
index 00000000..af42ae46
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknop-rc-test.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+RC_FILE="test-cases/client-rc/fwknoprc"
+
+if [ $@ ]
+then
+ RC_FILE=$@
+fi
+
+LD_LIBRARY_PATH=../../lib/.libs ../../client/.libs/fwknop --rc-file $RC_FILE -T -a 1.1.1.1 -n testhost.com
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access-hangs.sh b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access-hangs.sh
new file mode 100755
index 00000000..a2ac62cf
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access-hangs.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/server-access.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknopd-parse-access.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+ ./$HELPER_SH $f
+done
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access.sh b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access.sh
new file mode 100755
index 00000000..7a6f39d5
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-access.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+ACCESS_FILE="../conf/default_access.conf"
+
+if [ $@ ]
+then
+ ACCESS_FILE=$@
+fi
+
+LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/ipt_snat_fwknopd.conf -a $ACCESS_FILE -A -f -t --exit-parse-config -D
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf-hangs.sh b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf-hangs.sh
new file mode 100755
index 00000000..5d69a7ca
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf-hangs.sh
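Review bot: fwknop-rc-hangs.sh replays each saved hang case with a bare `./$HELPER_SH $f`, so a case that genuinely hangs the client blocks the loop indefinitely and the remaining cases are never examined; the same loop is duplicated in fwknopd-parse-access-hangs.sh, fwknopd-parse-conf-hangs.sh and fwknopd-stdin-hangs.sh. Bound each replay, e.g. `timeout 5 ./$HELPER_SH "$f"` (coreutils timeout, a value of your choice), and quote `"$f"` since the backtick `find` expansion is word-split. The closing `exit $?` only reports the last iteration, so a crash or timeout in an earlier case is not reflected in the script's status; a failure flag set inside the loop and used at the end would preserve it.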
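Review bot: `if [ $@ ]` in fwknop-rc-test.sh is a fragile argument test: with no arguments it evaluates `[ ]` (false, as intended), but a path containing whitespace or more than one argument hands `test` several words and produces an error, after which `RC_FILE=$@` joins them into one string. Prefer `if [ $# -gt 0 ]` with `RC_FILE="$1"` and quote the use, `--rc-file "$RC_FILE"`. The same construct is repeated in fwknopd-parse-access.sh (ACCESS_FILE) and fwknopd-parse-conf.sh (FWKNOPD_CONF_FILE).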
@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/server-conf.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknopd-parse-conf.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+ ./$HELPER_SH $f
+done
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf.sh b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf.sh
new file mode 100755
index 00000000..8f90f518
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknopd-parse-conf.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+FWKNOPD_CONF_FILE="test-cases/server-conf/fwknopd.conf"
+
+if [ $@ ]
+then
+ FWKNOPD_CONF_FILE=$@
+fi
+
+LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c $FWKNOPD_CONF_FILE -a ../conf/default_access.conf -A -f -t --exit-parse-config -D
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-hangs.sh b/test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-hangs.sh
new file mode 100755
index 00000000..f49dc105
--- /dev/null
+++ b/test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-hangs.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -x
+
+HANG_DIR="fuzzing-output/spa-pkts.out/hangs"
+HELPER_SH="fuzzing-wrappers/helpers/fwknopd-stdin-test.sh"
+
+for f in `find $HANG_DIR -name 'id*'`
+do
+ ./$HELPER_SH $f
+done
+
+exit $?
diff --git a/test/afl/fuzzing-wrappers/fwknopd-stdin-test.sh b/test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-test.sh
similarity index 77%
rename from test/afl/fuzzing-wrappers/fwknopd-stdin-test.sh
rename to test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-test.sh
index 06b46694..7cdb2e4c 100755
--- a/test/afl/fuzzing-wrappers/fwknopd-stdin-test.sh
+++ b/test/afl/fuzzing-wrappers/helpers/fwknopd-stdin-test.sh
@@ -1,6 +1,7 @@
 #!/bin/sh -x
 SPA_PKT="1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA"
-#SPA_PKT="1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:A"
 echo -n $SPA_PKT | LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
+
+exit $?
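Review bot: fwknopd-stdin-test.sh never looks at its command-line arguments and always pipes the fixed SPA_PKT sample into fwknopd, yet fwknopd-stdin-hangs.sh in this same commit invokes it as `./$HELPER_SH $f` for every saved hang case, so that loop re-runs the sample packet each time instead of replaying the recorded inputs. Feed the named file to fwknopd's stdin when an argument is given and fall back to the sample otherwise; `printf '%s'` is also the portable form of `echo -n` under `/bin/sh`. The rewritten body follows; the trailing `exit $?` is unchanged.
```shell
SPA_PKT="1716411011200157:root:1397329899:2.0.1:1:127.0.0.2,tcp/22:AAAAA"

# replay a saved AFL case when a path is given, otherwise use the sample packet
if [ -n "$1" ]
then
    LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t < "$1"
else
    printf '%s' "$SPA_PKT" | LD_LIBRARY_PATH=../../lib/.libs ../../server/.libs/fwknopd -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
fi
# … unchanged: exit $? …
```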
diff --git a/test/afl/fuzzing-wrappers/server-access.sh b/test/afl/fuzzing-wrappers/server-access.sh
index e7968728..5b3e2155 100755
--- a/test/afl/fuzzing-wrappers/server-access.sh
+++ b/test/afl/fuzzing-wrappers/server-access.sh
@@ -15,8 +15,8 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 ### make sure that parsing the access.conf file works
-./fuzzing-wrappers/fwknopd-parse-access.sh || exit
+./fuzzing-wrappers/helpers/fwknopd-parse-access.sh || exit $?
-LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/afl_access.conf $SERVER -c ../conf/default_fwknopd.conf -a $OUT_DIR/afl_access.conf -A -f -t --exit-parse-config -D
+LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/afl_access.conf $SERVER -c ../conf/ipt_snat_fwknopd.conf -a $OUT_DIR/afl_access.conf -A -f -t --exit-parse-config -D
-exit
+exit $?
diff --git a/test/afl/fuzzing-wrappers/server-conf.sh b/test/afl/fuzzing-wrappers/server-conf.sh
index 7fe5b6e7..64f8155d 100755
--- a/test/afl/fuzzing-wrappers/server-conf.sh
+++ b/test/afl/fuzzing-wrappers/server-conf.sh
@@ -15,8 +15,8 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 ### make sure that parsing the fwknopd.conf file works
-./fuzzing-wrappers/fwknopd-parse-conf.sh || exit
+./fuzzing-wrappers/helpers/fwknopd-parse-conf.sh || exit $?
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR -f $OUT_DIR/afl_fwknopd.conf $SERVER -c $OUT_DIR/afl_fwknopd.conf -a $OUT_DIR/afl_access.conf -A -f -t --exit-parse-config -D
-exit
+exit $?
diff --git a/test/afl/fuzzing-wrappers/spa-pkts.sh b/test/afl/fuzzing-wrappers/spa-pkts.sh
index 4bedc0cb..9b920b7b 100755
--- a/test/afl/fuzzing-wrappers/spa-pkts.sh
+++ b/test/afl/fuzzing-wrappers/spa-pkts.sh
@@ -15,8 +15,8 @@ TS=`date +"%m%d%y%H%M%S"`
 mkdir $OUT_DIR
 ### make sure that a basic SPA packet to stdin in fwknopd -A mode works
-./fuzzing-wrappers/fwknopd-stdin-test.sh || exit
+./fuzzing-wrappers/helpers/fwknopd-stdin-test.sh || exit $?
 LD_LIBRARY_PATH=$LIB_DIR afl-fuzz -t 1000 -i $IN_DIR -o $OUT_DIR $SERVER -c ../conf/default_fwknopd.conf -a ../conf/default_access.conf -A -f -t
-exit
+exit $?
diff --git a/test/afl/test-cases/server-access/access.conf b/test/afl/test-cases/server-access/access.conf
index 77aac5a6..dea3417c 100644
--- a/test/afl/test-cases/server-access/access.conf
+++ b/test/afl/test-cases/server-access/access.conf
@@ -9,8 +9,9 @@ FW_ACCESS_TIMEOUT 2
 SOURCE ANY
 KEY test3
-ACCESS_EXPIRE 3-10-01; ### comment
-OPEN_PORTS tcp/80
+ACCESS_EXPIRE 03/10/2014; ### comment
+OPEN_PORTS tcp/22;
+RESTRICT_PORTS udp/6001, tcp/45, tcp/80, tcp/12345
 FW_ACCESS_TIMEOUT 3
 ENCRYPTION_MODE legacy
@@ -20,26 +21,27 @@ REQUIRE_USERNAME nouser
 KEY test4
 OPEN_PORTS tcp/80
 FORCE_NAT 192.168.1.123 22
+FORCE_SNAT 33.3.3.3
-SOURCE ANY
-KEY test5
-HMAC_KEY test6
-OPEN_PORTS tcp/80
-RESTRICT_PORTS tcp/34
+SOURCE 1.2.3.4
+KEY_BASE64 wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64 Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+OPEN_PORTS tcp/80; ### also appears in RESTRICT_PORTS
+RESTRICT_PORTS udp/6001, tcp/22, tcp/80, tcp/12345
 FW_ACCESS_TIMEOUT 3
 ENABLE_CMD_EXEC Y
 SOURCE ANY
 KEY fwknoptest
 FW_ACCESS_TIMEOUT 3
-GPG_HOME_DIR conf/server-gpg
-GPG_DECRYPT_ID 361BBAD4
-GPG_DECRYPT_PW fwknoptest
+GPG_HOME_DIR ../conf/server-gpg
+GPG_DECRYPT_ID 12341234, DEADBEEF, 361BBAD4, 43214321
+GPG_DECRYPT_PW fwknoptest, testtest
 GPG_REMOTE_ID 6A3FAD56
 SOURCE ANY
 FW_ACCESS_TIMEOUT 3
-GPG_HOME_DIR conf/server-gpg-no-pw
+GPG_HOME_DIR ../conf/server-gpg-no-pw
 GPG_DECRYPT_ID 361BBAD4
 GPG_ALLOW_NO_PW Y
 GPG_FINGERPRINT_ID 00CC95F05BC146B6AC4038C9E36F443C6A3FAD56