diff --git a/ChangeLog b/ChangeLog
index 25679cef..ac9c5032 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,79 @@
+2010-07-18 Damien Stuart
+ * Bumped version in configure.ac to 2.0.0rc2
+ * Added extras directory to source distribution as a holder for extra
+ and/or contributed files. This initially includes startup (init)
+ scripts for various platforms.
+
+2010-07-20 Michael Rash
+ Release fwknop 2.0.0rc1
+ * Tagged fwknop-2.0.0rc1 release.
+
+2010-07-18 Damien Stuart
+ * Added default fallback values for all fwknopd.conf parameters and set
+ all entries in the initially deployed version of fwknopd.conf to be
+ commented out.
+ * Yet another round of code cleanup in preparation for the release of
+ 2.0.0rc1.
+
+2010-07-13 Michael Rash
+ * Added the --fw-list option to the server to list current fwknop-related
+ firewall rules.
+ * Added fallback to default keyring path if GPG_HOME_DIR is not set in the
+ config file or specified on the command-line.
+ * Added is_valdi_dir() function for validating directory paths specified
+ via .conf file or command-line option.
+
+2010-07-11 Damien Stuart
+ * Added the fwknop_errors.[ch] files that provide error code processing
+ functions that consolidate the various sub-system error codes and
+ provide the correct string representation of the corresponding errors.
+ * More documentation tweaks.
+
+2010-07-07 Damien Stuart
+ * Reworked how external commands are executed (due to problems encountered
+ when running in the background on some platforms).
+ * TCP Server child process no longer holds on to the lock file handle, and
+ it also will shut itself down if the parent fwknopd process goes away.
+ * Changed the client to use cipherdyne.org for resolving external IP as
+ the whatismyip.com site has restrictions that could impede proper client
+ invocations using this feature.
+ * Removed the direction fields (src and dst) from the fwknop iptables chain
+ definition parameters in the fwknopd.conf file.
+ * Added RC file support for the client. Now fwknop client can use a
+ .fwknoprc file for saved, named command-line profiles.
+ * Improved clarity in log message output.
+ * Added fknwop.spec file for building binary RPM packages.
+ * Fixed how autoconf was setting up shared library dependencies for the
+ server and client components.
+
+2010-06-28 Damien Stuart
+ * Added COMMAND_MSG support.
+
+2010-06-28 Damien Stuart
+ * Added COMMAND_MSG support.
+ * Added ability to run Command messages as a specified user.
+ * Added code to complete GPG signature processing and validation. This
+ included the addition of the GPG_REQUIRE_SIG and the
+ GPG_IGNORE_SIG_VERIFY_ERROR access.conf parameters.
+ * Implemented the checking signatures against the GPG_REMOTE_ID list.
+
+2010-06-23 Damien Stuart
+ * Added the TCP server functionality.
+ * Added support for receiving and processing SPA data sent via HTTP
+ request.
+ * Added more specific data format and SPA validation checks before
+ attempting decrypt/decode.
+ * Lots of code cleanup in preparation for candidate release.
+ * Brough documentation in sync with functionality.
+
+2010-06-15 Damien Stuart
+ * Finished up first cut support for all firewall rules/modes including
+ Forwarding, DNAT, and SNAT.
+
+2010-05-16 Damien Stuart
+ * Added the intial firewall rules creation and expiry/removal code for
+ simple access requests.
+
 2010-02-09 Damien Stuart
 * Created initial fwknopd.8 man page.
 * Added --locale and --no-locale options.
diff --git a/Makefile.am b/Makefile.am
index 612cad08..35caf5c5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,6 +15,7 @@ SUBDIRS = \
 doc
 EXTRA_DIST = \
+ extras \
 fwknop.spec \
 perl/FKO/README \
 perl/FKO/inc/Devel/CheckLib.pm \
diff --git a/configure.ac b/configure.ac
index d4c88a5b..31f10297 100644
--- a/configure.ac
+++ b/configure.ac
@@ -11,7 +11,7 @@ AC_PREREQ(2.61)
 dnl Define our name, version and email.
 m4_define(my_package, [fwknop])
-m4_define(my_version, [2.0.0rc1])
+m4_define(my_version, [2.0.0rc2])
 m4_define(my_bug_email, [dstuart@dstuart.org])
 AC_INIT(my_package, my_version, my_bug_email)
diff --git a/extras/fwknop.init.debian b/extras/fwknop.init.debian
new file mode 100755
index 00000000..db4928fe
--- /dev/null
+++ b/extras/fwknop.init.debian
@@ -0,0 +1,200 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: fwknop-c-server
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: FireWall KNock OPerator (fwknop)
+### END INIT INFO
+
+# Author: Franck Joncourt
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="FireWall KNock OPerator"
+NAME=fwknopd
+DAEMON=/usr/sbin/$NAME
+PIDDIR=/var/run/fwknop
+SCRIPTNAME=/etc/init.d/fwknop-c-server
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+##
+# Function that checks if all of the configuration files exist
+#
+# @return status
+# 0 : all of the configuration files exist
+# 6 : at least one file is missing
+##
+
+check_config
+{
+ local retval
+ local file_list
+
+ retval=0
+ file_list="/etc/fwknop/access.conf /etc/fwknop/fwknopd.conf"
+
+ for ConfFile in $file_list; do
+ if [ ! -f "$ConfFile" ]; then
+ retval=6
+ break
+ fi
+ done
+
+ return $retval
+}
+
+##
+# Function that starts the daemon/service
+#
+# @return status
+# 0 : daemon has been started or was already running
+# 1 : generic or unspecified errors (could not be started)
+# 6 : program is not configured (missing configuration files)
+##
+
+do_start
+{
+ local retval
+
+ echo -n "Starting $DESC: $NAME "
+
+ mkdir -p $PIDDIR
+ chmod 755 $PIDDIR
+
+ # Check fwknopd configuration
+ check_config
+ retval=$?
+
+ # Try to start fwknopd
+ if [ "$retval" = "0" ]; then
+ start-stop-daemon --start --quiet --pidfile $PIDDIR/$NAME --exec $DAEMON
+ retval="$?"
+ fi
+
+ # Handle return status codes
+ case "$retval" in
+ 0)
+ log_success_msg
+ ;;
+ 6)
+ log_failure_msg "You are missing the configuration file $ConfFile."
+ ;;
+ 9)
+ retval=0
+ ;;
+ *)
+ retval=1
+ log_failure_msg "Unable to start the daemon."
+ ;;
+ esac
+
+ return $retval
+}
+
+##
+# Function that stops the daemon/service
+#
+# @return status
+# 0 : daemon has been stopped or was already stopped
+# 1 : daemon could not be stopped
+##
+
+do_stop
+{
+ local retval="0"
+ local status kill_status
+ local pid pidfile
+ local process_list="fwknopd"
+
+ echo -n "Stopping $DESC:"
+
+ # For each process
+ for process in $process_list; do
+
+ pidfile="$PIDDIR/$process.pid"
+ status="0"
+ kill_status="1"
+
+ echo -n " $process"
+
+ # Try to kill the process associated to the pid
+ if [ -r "$pidfile" ]; then
+ pid=`cat "$pidfile" 2>/dev/null`
+ kill -0 "${pid:-}" 2>/dev/null
+ kill_status="$?"
+ fi
+
+ # Stop the process
+ if [ "$kill_status" = "0" ]; then
+ start-stop-daemon --stop --oknodo --quiet --pidfile "$pidfile"
+ status="$?"
+ fi
+
+ # Remove its pid file
+ if [ -r "$pidfile" ] && [ "$status" = "0" ]; then
+ rm -f "$pidfile" 2>/dev/null
+ status="$?"
+ fi
+
+ [ "$status" = "0" ] || retval="1"
+
+ done
+
+
+ if [ "$retval" = "0" ]; then
+ log_success_msg
+ else
+ echo -n " "
+ log_failure_msg "One or more process could not be stopped."
+ fi
+
+ return $retval
+}
+
+##
+# Function that returns the daemon status
+##
+
+do_status
+{
+ echo "Status of $DESC:"
+ $DAEMON -S
+}
+
+case "$1" in
+ start)
+ do_start
+ ;;
+
+ stop)
+ do_stop
+ ;;
+
+ restart|force-reload)
+ do_stop
+ sleep 1
+ do_start
+ ;;
+
+ status)
+ do_status
+ exit $?
+ ;;
+
+ *)
+ log_success_msg "Usage: $0 {start|stop|restart|status}" >&2
+ exit 1
+ ;;
+esac
+
+exit
diff --git a/extras/fwknop.init.fedora b/extras/fwknop.init.fedora
new file mode 100755
index 00000000..ff1d8187
--- /dev/null
+++ b/extras/fwknop.init.fedora
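Review bot: do_start hands start-stop-daemon `--pidfile $PIDDIR/$NAME` (/var/run/fwknop/fwknopd) while do_stop reads `$PIDDIR/$process.pid` (/var/run/fwknop/fwknopd.pid), so the two halves of the script never agree on one pid file and the `--start` duplicate-instance guard is checked against a path that, unless fwknopd itself writes it without the suffix, is never created. The start line should match the stop side: `start-stop-daemon --start --quiet --pidfile "$PIDDIR/$NAME.pid" --exec "$DAEMON"`. The `6)` branch also depends on `$ConfFile` leaking out of check_config's for loop, which only works because the loop variable is not declared local; a comment such as `# $ConfFile is the first missing file, left set by check_config` would make that coupling visible. The `9)` branch that silently maps to success has no comment saying which start-stop-daemon condition it covers, and `log_success_msg` is an odd carrier for the usage text at the bottom, where a plain `echo ... >&2` would do.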
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# fwknopd This starts and stops fwknopd.
+#
+# chkconfig: 345 60 10
+# description: Fwknop implements an authorization scheme known as \
+# Single Packet Authorization (SPA) for Linux systems \
+# running iptables. This mechanism requires only a single \
+# encrypted and non-replayed packet to communicate various \
+# pieces of information including desired access through \
+# an iptables policy.
+#
+# processname: /usr/sbin/fwknopd
+#
+
+### BEGIN INIT INFO
+# Provides:
+# Required-Start: $syslog $local_fs $network $iptables
+# Required-Stop: $syslog $local_fs $network $iptables
+# Should-Start:
+# Should-Stop:
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# Short-Description: start and stop fwknopd
+# Description: Fwknop implements an authorization scheme known as \
+# Single Packet Authorization (SPA) for Linux systems \
+# running iptables.
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+# Source function library.
+. /etc/init.d/functions
+
+# Get config.
+test -f /etc/sysconfig/network && . /etc/sysconfig/network
+
+
+RETVAL=0
+
+prog="fwknopd"
+
+start() {
+ echo -n $"Starting $prog: "
+ daemon $prog
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/fwknopd
+ return $RETVAL
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc $prog
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/fwknopd
+ return $RETVAL
+}
+
+reload(){
+ echo -n $"Reloading configuration: "
+ killproc $prog -HUP
+ RETVAL=$?
+ echo
+ return $RETVAL
+}
+
+restart(){
+ stop
+ sleep 1
+ start
+}
+
+condrestart(){
+ if [ -e /var/lock/subsys/fwknopd ] ; then
+ restart
+ RETVAL=$?
+ return $RETVAL
+ fi
+ RETVAL=0
+ return $RETVAL
+}
+
+case "$1" in
+ start)
+ start
+ RETVAL=$?
+ ;;
+ stop)
+ stop
+ RETVAL=$?
+ ;;
+ status)
+ status $prog
+ RETVAL=$?
+ ;;
+ restart)
+ restart
+ RETVAL=$?
+ ;;
+ reload|force-reload)
+ reload
+ RETVAL=$?
+ ;;
+ condrestart|try-restart)
+ condrestart
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
+ RETVAL=2
+esac
+
+exit $RETVAL
diff --git a/extras/fwknop.init.openwrt b/extras/fwknop.init.openwrt
new file mode 100755
index 00000000..bf8980b1
--- /dev/null
+++ b/extras/fwknop.init.openwrt
@@ -0,0 +1,29 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2010 OpenWrt.org
+# Copyright (C) 2010 Damien Stuart
+#
+START=60
+
+FWKNOPD_BIN=/usr/sbin/fwknopd
+
+start()
+{
+ $FWKNOPD_BIN
+}
+
+stop()
+{
+ $FWKNOPD_BIN -K
+}
+
+restart()
+{
+ stop;
+ sleep 1;
+ start;
+}
+
+reload()
+{
+ $FWKNOPD_BIN -R
+}
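Review bot: The LSB block's `# Provides:` line is empty, so dependency-based ordering has no facility name to attach this script to and other services cannot list it in their `Required-Start`; it should read `# Provides: fwknopd`. `reload` sends SIGHUP through `killproc $prog -HUP`, which is a reload only if fwknopd installs a SIGHUP handler — nothing in this commit shows that, and the openwrt script added alongside uses `fwknopd -R` instead, so confirm before shipping, since an unhandled SIGHUP terminates the process and `RETVAL` would still report success. `/etc/sysconfig/network` is sourced but `$NETWORKING` is never consulted; either drop the source line or follow it with the customary guard, e.g. `[ "${NETWORKING}" = "no" ] && exit 1`. The usage text omits `force-reload` and `try-restart`, both of which the case statement accepts.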
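Review bot: start() and reload() invoke `$FWKNOPD_BIN` without checking that it exists and is executable, unlike the debian script in the same commit (`[ -x "$DAEMON" ] || exit 0`), so rc.common reports success on a partially installed package; a guard `[ -x "$FWKNOPD_BIN" ] || return 1` at the top of each function closes that gap. The `stop;`, `sleep 1;` and `start;` lines in restart() carry trailing semicolons that none of the sibling init scripts use; drop them for consistency. Each function would also read better with a one-line comment naming the fwknopd flag it relies on (`-K` in stop(), `-R` in reload()), since their meaning is not visible from this file.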