[docs] man page updates

2015-12-23 11:47:17 -05:00 · 2015-12-23 11:47:17 -05:00 · 9c54d774f6
commit 9c54d774f6
parent fcb0102d69
4 changed files with 97 additions and 37 deletions
--- a/client/fwknop.8.in
+++ b/client/fwknop.8.in
@ -2,12 +2,12 @@
 .\"     Title: fwknop
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 11/10/2015
+.\"      Date: 12/23/2015
 .\"    Manual: Fwknop Client
 .\"    Source: Fwknop Client
 .\"  Language: English
 .\"
-.TH "FWKNOP" "8" "11/10/2015" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "12/23/2015" "Fwknop Client" "Fwknop Client"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@ -34,11 +34,11 @@ fwknop \- Firewall Knock Operator
 \fBfwknop\fR \fB\-A\fR <\*(Aqproto/ports\*(Aq> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\*(Aqhost\*(Aq> [\fIoptions\fR]
 .SH "DESCRIPTION"
 .sp
-\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is concealed by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project supports three different firewalls: \fIiptables\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
+\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is concealed by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project natively supports four different firewalls: \fIiptables\fR and \fIfirewalld\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
 .sp
 SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits\&. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn\(cqt know the proper sequence)\&. All of these limitation are solved by SPA\&. At the same time, SPA hides services behind a default\-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption\&.
 .sp
-This is the manual page for the \fBfwknop\fR client which is responsible for constructing SPA packets and sending them over the network\&. The server side is implemented by the \fBfwknopd\fR daemon which sniffs the network for SPA packets and interacts with the local firewall to allow SPA authenticated connections\&. It is recommended to read the \fIfwknopd(8)\fR manual page as well\&.
+This is the manual page for the \fBfwknop\fR client which is responsible for constructing SPA packets and sending them over the network\&. The server side is implemented by the \fBfwknopd\fR daemon which sniffs the network for SPA packets and interacts with the local firewall to allow SPA authenticated connections\&. It is recommended to read the \fIfwknopd(8)\fR manual page as well\&. Further detailed information may be found in the tutorial \fISingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\fR available online here: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR\&.
 .sp
 SPA packets generated by \fBfwknop\fR leverage HMAC for authenticated encryption in the encrypt\-then\-authenticate model\&. Although the usage of an HMAC is currently optional (enabled via the \fB\-\-use\-hmac\fR command line switch), it is highly recommended for three reasons: \fI1)\fR without an HMAC, cryptographically strong authentication is not possible with \fBfwknop\fR unless GnuPG is used, but even then an HMAC should still be applied, \fI2)\fR an HMAC applied after encryption protects against cryptanalytic CBC\-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL), and \fI3)\fR the code required by the \fBfwknopd\fR daemon to verify an HMAC is much more simplistic than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn\(cqt even sent through the decryption routines\&. Reason \fI3)\fR is why an HMAC should still be used even when SPA packets are encrypted with GnuPG due to the fact that SPA data is not sent through \fBlibgpgme\fR functions unless the HMAC checks out first\&. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance\&. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the \fB\-\-key\-gen\fR option\&.
 .sp
--- a/doc/fwknop.man.asciidoc
+++ b/doc/fwknop.man.asciidoc
@ -23,9 +23,9 @@ default-drop filtering stance. The main application of SPA is to use a
 firewall to drop all attempts to connect to services such as 'SSH' in order
 to make the exploitation of vulnerabilities (both 0-day and unpatched code)
 more difficult. Any service that is concealed by SPA naturally cannot be
-scanned for with 'Nmap'. The fwknop project supports three different
+scanned for with 'Nmap'. The fwknop project natively supports four different
-firewalls: 'iptables' on Linux systems, 'pf' on OpenBSD, and 'ipfw' on FreeBSD
+firewalls: 'iptables' and 'firewalld' on Linux systems, 'pf' on OpenBSD, and
-and Mac OS X.
+'ipfw' on FreeBSD and Mac OS X.
 SPA is essentially next generation Port Knocking (PK), but solves many of the
 limitations exhibited by PK while retaining its core benefits. PK limitations
@ -43,7 +43,10 @@ This is the manual page for the *fwknop* client which is responsible for
 constructing SPA packets and sending them over the network. The server side is
 implemented by the *fwknopd* daemon which sniffs the network for SPA packets
 and interacts with the local firewall to allow SPA authenticated connections.
-It is recommended to read the 'fwknopd(8)' manual page as well.
+It is recommended to read the 'fwknopd(8)' manual page as well. Further detailed
 information may be found in the tutorial 'Single Packet Authorization:
 A Comprehensive Guide to Strong Service Concealment with fwknop' available
 online here: 'http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html'.
 SPA packets generated by *fwknop* leverage HMAC for authenticated encryption
 in the encrypt-then-authenticate model. Although the usage of an HMAC is
--- a/doc/fwknopd.man.asciidoc
+++ b/doc/fwknopd.man.asciidoc
@ -27,13 +27,17 @@ The main application of this program is to conceal services such as 'SSH'
 with an additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult. In
 addition, services that are concealed in this fashion naturally cannot be
-scanned for with 'Nmap'.
+scanned for with 'Nmap' or 'Shodan'.
 The main configuration for *fwknopd* is maintained within two files:
 'fwknopd.conf' and 'access.conf'. The default location for these files
 is determined at package configuration (typically '@sysconfdir@/fwknop').
 The configuration variables within these files are described below.
 Additional information may be found in the tutorial 'Single Packet Authorization:
 A Comprehensive Guide to Strong Service Concealment with fwknop' available
 online here: 'http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html'.
 COMMAND-LINE OPTIONS
 --------------------
@ -236,24 +240,23 @@ COMMAND-LINE OPTIONS
 FWKNOPD CONFIG AND ACCESS VARIABLES
 -----------------------------------
-*fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf' file for configuration variables
+*fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf' file for configuration
-that define its operational parameters (what network interface and port
+variables to define operational parameters (what network interface and port
 to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file
-does not define any access control directives.
+does not define any access control directives or set any encryption or authenitcation
 keys.
-The access control directives are contained in the '@sysconfdir@/fwknop/access.conf' file.
+The access control directives are contained in the '@sysconfdir@/fwknop/access.conf'
-Access control directives define encryption keys and level of access that
+file.  Access control directives define encryption keys and level of access that
 is granted to an fwknop client that has generated the appropriate encrypted
 SPA message.
 FWKNOPD.CONF VARIABLES
 ~~~~~~~~~~~~~~~~~~~~~~
 This section list the more prominent configuration variables used by
-*fwknopd*. It is not a complete list. There are directives for the type
+*fwknopd*. You will want to make sure to check these to make sure they have
-of firewall used by *fwknopd* (i.e. _iptables_, _ipfw_, or _pf_). You will
+appropriate values, but sensible defaults are provided for most systems. See
-want to make sure to check these to make sure they have appropriate values.
+the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
 See the '@sysconfdir@/fwknop/fwknopd.conf' file for the full list and
 corresponding details.
 *PCAP_INTF* '<interface>'::
    Specify the ethernet interface on which *fwknopd* will sniff packets.
@ -453,10 +456,11 @@ corresponding details.
 ACCESS.CONF VARIABLES
 ~~~~~~~~~~~~~~~~~~~~~
-This section describes the access control directives in the '@sysconfdir@/fwknop/access.conf'
+This section describes the access control directives in the
-file. Theses directives define encryption keys and level of access that
+'@sysconfdir@/fwknop/access.conf' file. Theses directives define encryption
-is granted to *fwknop* clients that have generated the appropriate
+and authentication keys, and the level of access that is granted to *fwknop*
-encrypted message.
+clients that have generated an appropriate encrypted and authenticated
 SPA packet.
 The 'access.conf' variables described below provide the access directives
 for the SPA packets with a source (or embedded request) IP that matches an
@ -468,11 +472,11 @@ directive starts a new stanza.
    This defines the source address from which the SPA packet will be
    accepted. The string ``ANY'' is also accepted if a valid SPA packet
    should be honored from any source IP. Every authorization stanza in
-    '@sysconfdir@/fwknop/access.conf' definition must start with the ``SOURCE'' keyword.
+    '@sysconfdir@/fwknop/access.conf' definition must start with the ``SOURCE''
-    Networks should be specified in CIDR notation (e.g. ``192.168.10.0/24''),
+    keyword.  Networks should be specified in CIDR notation (e.g.
-    and individual IP addresses can be specified as well. Also, multiple
+    ``192.168.10.0/24''), and individual IP addresses can be specified as well.
-    IP's and/or networks can be defined as a comma separated list (e.g.
+    Also, multiple IP's and/or networks can be defined as a comma separated
-    ``192.168.10.0/24,10.1.1.123'')
+    list (e.g.  ``192.168.10.0/24,10.1.1.123'')
 *DESTINATION* '<IP,..,IP/NET,..,NET/ANY>'::
    This defines the destination address for which the SPA packet will be
@ -522,6 +526,19 @@ directive starts a new stanza.
    ``FW_ACCESS_TIMEOUT'' is not set then the default timeout of 30 seconds
    will automatically be set.
 *%include* '<file>'::
    Have *fwknopd* import an additional 'access.conf' file. This allows more
    access stanzas to be defined in other locations in the filesystem, and this
    can be adventageous in some scenarios by letting non-privledged users define
    their own encryption and authentication keys for SPA operations. This way,
    users do not need write access to the main '@sysconfdir@/fwknop/access.conf'
    file to change keys around or define new ones.
 *%include_folder* '<directory>'::
    Similarly to the '%include' option above, the '%include_folder' directive
    has *fwknopd* import all .conf files from the specified directory. There is
    also command line support for this via the 'access-folder' option.
 *ENCRYPTION_MODE* '<mode>'::
    Specify the encryption mode when AES is used. The default is CBC mode,
    but other modes can be selected such as OFB and CFB. In general, it is
--- a/server/fwknopd.8.in
+++ b/server/fwknopd.8.in
@ -2,12 +2,12 @@
 .\"     Title: fwknopd
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 11/10/2015
+.\"      Date: 12/23/2015
 .\"    Manual: Fwknop Server
 .\"    Source: Fwknop Server
 .\"  Language: English
 .\"
-.TH "FWKNOPD" "8" "11/10/2015" "Fwknop Server" "Fwknop Server"
+.TH "FWKNOPD" "8" "12/23/2015" "Fwknop Server" "Fwknop Server"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@ -36,9 +36,11 @@ fwknopd \- Firewall Knock Operator Daemon
 .sp
 \fBfwknopd\fR is the server component for the FireWall Knock Operator, and is responsible for monitoring and processing Single Packet Authorization (SPA) packets that are generated by \fBfwknop\fR clients, modifying a firewall or ACL policy to allow the desired access after authenticating and decrypting a valid SPA packet (in that order), and removing access after a configurable timeout\&.
 .sp
-The main application of this program is to conceal services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&. In addition, services that are concealed in this fashion naturally cannot be scanned for with \fINmap\fR\&.
+The main application of this program is to conceal services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&. In addition, services that are concealed in this fashion naturally cannot be scanned for with \fINmap\fR or \fIShodan\fR\&.
 .sp
 The main configuration for \fBfwknopd\fR is maintained within two files: \fIfwknopd\&.conf\fR and \fIaccess\&.conf\fR\&. The default location for these files is determined at package configuration (typically \fI@sysconfdir@/fwknop\fR)\&. The configuration variables within these files are described below\&.
 .sp
 Additional information may be found in the tutorial \fISingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\fR available online here: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR\&.
 .SH "COMMAND-LINE OPTIONS"
 .PP
 \fB\-i, \-\-interface\fR=\fI<interface>\fR
@ -72,6 +74,13 @@ will use the compile\-time default location (typically
 \fI@sysconfdir@/fwknop/access\&.conf\fR)\&.
 .RE
 .PP
 \fB\-\-access\-folder\fR=\fI<access\-folder>\fR
 .RS 4
 Specify the location of the
 \fIaccess\&.conf\fR
 folder\&. If this option is given, rather than load a single access\&.conf file, all the \&.conf files in the given folders are processed\&.
 .RE
 .PP
 \fB\-c, \-\-config\fR=\fI<config\-file>\fR
 .RS 4
 Specify the location of the
@ -165,8 +174,15 @@ without having to look in the process table\&.
 .PP
 \fB\-\-exit\-parse\-config\fR
 .RS 4
-Parse config files (\fI@sysconfdir@/fwknop/fwknopd\&.conf\fR,
+Parse config files (\fI@sysconfdir@/fwknop/fwknopd\&.conf\fR, and
-\fI@sysconfdir@/fwknop/access\&.conf\fR, the digest cache file, etc\&.) and exit\&. This provides a way to test whether the config files are properly structured without having to start processing network traffic\&.
+\fI@sysconfdir@/fwknop/access\&.conf\fR) and then exit\&. This provides a way to test whether the config files are properly structured without having to start processing network traffic\&.
 .RE
 .PP
 \fB\-\-exit\-parse\-digest\-cache\fR
 .RS 4
 Parse the digest cache file
 \fI@localstatedir@/fwknop/digest\&.cache\fR
 and exit\&. This validates the structure of the digest cache file without having to start processing network traffic\&. Note that the standard configuration files are also parsed in this mode\&.
 .RE
 .PP
 \fB\-l, \-\-locale\fR=\fI<locale>\fR
@ -328,12 +344,12 @@ Display version information and exit\&.
 .RE
 .SH "FWKNOPD CONFIG AND ACCESS VARIABLES"
 .sp
-\fBfwknopd\fR references the \fI@sysconfdir@/fwknop/fwknopd\&.conf\fR file for configuration variables that define its operational parameters (what network interface and port to sniff, what features to enable/disable, etc\&.)\&. The \fIfwknopd\&.conf\fR file does not define any access control directives\&.
+\fBfwknopd\fR references the \fI@sysconfdir@/fwknop/fwknopd\&.conf\fR file for configuration variables to define operational parameters (what network interface and port to sniff, what features to enable/disable, etc\&.)\&. The \fIfwknopd\&.conf\fR file does not define any access control directives or set any encryption or authenitcation keys\&.
 .sp
 The access control directives are contained in the \fI@sysconfdir@/fwknop/access\&.conf\fR file\&. Access control directives define encryption keys and level of access that is granted to an fwknop client that has generated the appropriate encrypted SPA message\&.
 .SS "FWKNOPD\&.CONF VARIABLES"
 .sp
-This section list the more prominent configuration variables used by \fBfwknopd\fR\&. It is not a complete list\&. There are directives for the type of firewall used by \fBfwknopd\fR (i\&.e\&. \fIiptables\fR, \fIipfw\fR, or \fIpf\fR)\&. You will want to make sure to check these to make sure they have appropriate values\&. See the \fI@sysconfdir@/fwknop/fwknopd\&.conf\fR file for the full list and corresponding details\&.
+This section list the more prominent configuration variables used by \fBfwknopd\fR\&. You will want to make sure to check these to make sure they have appropriate values, but sensible defaults are provided for most systems\&. See the \fI@sysconfdir@/fwknop/fwknopd\&.conf\fR file for additional details\&.
 .PP
 \fBPCAP_INTF\fR \fI<interface>\fR
 .RS 4
@ -581,7 +597,7 @@ writes run time state files\&. The default is
 .RE
 .SS "ACCESS\&.CONF VARIABLES"
 .sp
-This section describes the access control directives in the \fI@sysconfdir@/fwknop/access\&.conf\fR file\&. Theses directives define encryption keys and level of access that is granted to \fBfwknop\fR clients that have generated the appropriate encrypted message\&.
+This section describes the access control directives in the \fI@sysconfdir@/fwknop/access\&.conf\fR file\&. Theses directives define encryption and authentication keys, and the level of access that is granted to \fBfwknop\fR clients that have generated an appropriate encrypted and authenticated SPA packet\&.
 .sp
 The \fIaccess\&.conf\fR variables described below provide the access directives for the SPA packets with a source (or embedded request) IP that matches an address or network range defined by the \(lqSOURCE\(rq variable\&. All variables following \(lqSOURCE\(rq apply to the source \fIstanza\fR\&. Each \(lqSOURCE\(rq directive starts a new stanza\&.
 .PP
@ -642,6 +658,30 @@ Define the length of time access will be granted by
 through the firewall after a valid knock sequence from a source IP address\&. If \(lqFW_ACCESS_TIMEOUT\(rq is not set then the default timeout of 30 seconds will automatically be set\&.
 .RE
 .PP
 \fB%include\fR \fI<file>\fR
 .RS 4
 Have
 \fBfwknopd\fR
 import an additional
 \fIaccess\&.conf\fR
 file\&. This allows more access stanzas to be defined in other locations in the filesystem, and this can be adventageous in some scenarios by letting non\-privledged users define their own encryption and authentication keys for SPA operations\&. This way, users do not need write access to the main
 \fI@sysconfdir@/fwknop/access\&.conf\fR
 file to change keys around or define new ones\&.
 .RE
 .PP
 \fB%include_folder\fR \fI<directory>\fR
 .RS 4
 Similarly to the
 \fI%include\fR
 option above, the
 \fI%include_folder\fR
 directive has
 \fBfwknopd\fR
 import all \&.conf files from the specified directory\&. There is also command line support for this via the
 \fIaccess\-folder\fR
 option\&.
 .RE
 .PP
 \fBENCRYPTION_MODE\fR \fI<mode>\fR
 .RS 4
 Specify the encryption mode when AES is used\&. The default is CBC mode, but other modes can be selected such as OFB and CFB\&. In general, it is recommended to not use this variable and leave it as the default\&. Note that the string \(lqlegacy\(rq can be specified in order to generate SPA packets with the old initialization vector strategy used by versions of
@ -714,7 +754,7 @@ Specify the group (via \(lqsudo \-g <group>\(rq) that will execute a command con
 .RS 4
 Specify a command open/close cycle to be executed upon receipt of a valid SPA packet\&. This directive sets the initial command, and is meant to be used in conjunction with the \(lqCMD_CYCLE_CLOSE\(rq variable below\&. The main application of this feature is to allow
 \fBfwknopd\fR
-to interact with firewall or ACL\(cqs that are not natively supported, and facilitate the same access model as for the main supported firewalls such as iptables\&. That is, a command is executed to open the firewall or ACL, and then a corresponding close command is executed after a timer expires\&. Both the \(lqCMD_CYCLE_OPEN\(rq and \(lqCMD_CYCLE_CLOSE\(rq variables support special substitution strings to allow values to be taken from the SPA payload and used on the command line of the executed command\&. These strings begin with a \(lq$\(rq character, and include \(lq$IP\(rq (the allow IP decrypted from the SPA payload), \(lq$SRC\(rq (synonym for \(lq$IP\(rq) , \(lq$PKT_SRC\(rq (the source IP in the network layer header of the SPA packet), \(lq$DST\(rq (the destination IP), \(lq$PORT\(rq (the allow port), and \(lq$PROTO\(rq (the allow protocol)\&.
+to interact with firewall or ACL\(cqs that are not natively supported, and facilitate the same access model as for the main supported firewalls such as iptables\&. That is, a command is executed to open the firewall or ACL, and then a corresponding close command is executed after a timer expires\&. Both the \(lqCMD_CYCLE_OPEN\(rq and \(lqCMD_CYCLE_CLOSE\(rq variables support special substitution strings to allow values to be taken from the SPA payload and used on the command line of the executed command\&. These strings begin with a \(lq$\(rq character, and include \(lq$IP\(rq (the allow IP decrypted from the SPA payload), \(lq$SRC\(rq (synonym for \(lq$IP\(rq) , \(lq$PKT_SRC\(rq (the source IP in the network layer header of the SPA packet), \(lq$DST\(rq (the destination IP), \(lq$PORT\(rq (the allow port), and \(lq$PROTO\(rq (the allow protocol), \(lq$TIMEOUT\(rq (set the client timeout if specified)\&.
 .RE
 .PP
 \fBCMD_CYCLE_CLOSE\fR \fI<command>\fR