Manpage updates

git-svn-id: file:///home/mbr/svn/fwknop/trunk@247 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-09 02:09:22 +00:00 · 2010-07-09 02:09:22 +00:00 · 9c6377aff6
commit 9c6377aff6
parent b83733f00d
4 changed files with 122 additions and 115 deletions
--- a/client/fwknop.8
+++ b/client/fwknop.8
@ -2,12 +2,12 @@
 .\"     Title: fwknop
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\"      Date: 07/05/2010
+.\"      Date: 07/08/2010
 .\"    Manual: Fwknop Client
 .\"    Source: Fwknop Client
 .\"  Language: English
 .\"
-.TH "FWKNOP" "8" "07/05/2010" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "07/08/2010" "Fwknop Client" "Fwknop Client"
 .\" -----------------------------------------------------------------
 .\" * set default formatting
 .\" -----------------------------------------------------------------
@ -25,9 +25,9 @@ fwknop \- Firewall Knock Operator
 \fBfwknop\fR \fB\-A\fR <\fIproto/ports\fR> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\fIhost\fR> [\fIoptions\fR]
 .SH "DESCRIPTION"
 .sp
-\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for Linux systems running iptables, and for Mac OS X and FreeBSD systems running ipfw\&. This mechanism requires only a single encrypted and non\-replayed packet to communicate various pieces of information including desired access through an iptables or ipfw policy\&. The main application of this program is to use iptables or ipfw in a default\-drop stance to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&.
+\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for Linux systems running iptables\&. This mechanism requires only a single encrypted and non\-replayed packet to communicate various pieces of information including desired access through an iptables or ipfw policy\&. The main application of this program is to use iptables in a default\-drop stance to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&.
 .sp
-An authorization server \fBfwknopd\fR passively monitors authorization packets via \fIlibpcap\fR and hence there is no "server" to which to connect in the traditional sense\&. Any service protected by \fBfwknop\fR is inaccessible (by using \fIiptables\fR or \fIipfw\fR to intercept packets within the kernel) before authenticating; anyone scanning for the service will not be able to detect that it is even listening\&. Single Packet Authorization offers many advantages over port knocking, including non\-replayability of SPA packets, ability to use asymmetric ciphers (such as Elgamal), and SPA cannot be broken by simply spoofing packets to duplicate ports within the knock sequence on the server to break port knocking authentication\&.
+An authorization server \fBfwknopd\fR passively monitors authorization packets via \fIlibpcap\fR and hence there is no \(lqserver\(rq to which to connect in the traditional sense\&. Any service protected by \fBfwknop\fR is inaccessible (by using \fIiptables\fR or \fIipfw\fR to intercept packets within the kernel) before authenticating; anyone scanning for the service will not be able to detect that it is even listening\&. Single Packet Authorization offers many advantages over port knocking, including non\-replayability of SPA packets, ability to use asymmetric ciphers (such as Elgamal), and SPA cannot be broken by simply spoofing packets to duplicate ports within the knock sequence on the server to break port knocking authentication\&.
 .sp
 SPA packets can easily be spoofed as well (this is a good thing in this context), and this makes it possible to make it appear as though, say, www\&.yahoo\&.com is trying to authenticate to a target system but in reality the actual connection will come from a seemingly unrelated IP\&.
 .sp
@ -50,12 +50,14 @@ Authorization packets are either encrypted with the \fIRijndael\fR block cipher
 .RE
 .\}
 .sp
-Each of the above fields are separated by a \(oq`+:+\'\' character due to the variable length of several of the fields, and those that might contain ``:\(cq\' characters are base64 encoded\&. The message digest (\fBSHA256\fR by default in all versions of \fBfwknop\fR greater than 1\&.9\&.1) allows the server to check message integrity after decryption, and the 16 bytes of random data ensures (with high probability) that no two messages are identical\&. This ensures that replay attacks are not possible against \fBfwknop\fR\&.
+Each of the above fields are separated by a ":" character due to the variable length of several of the fields, and those that might contain ":" characters are base64 encoded\&. The message digest (\fBSHA256\fR by default in all versions of \fBfwknop\fR greater than 1\&.9\&.1) allows the server to check message integrity after decryption, and the 16 bytes of random data ensures (with high probability) that no two messages are identical\&. This ensures that replay attacks are not possible against \fBfwknop\fR\&.
 .sp
 For each packet coming from an \fBfwknop\fR client, the \fBfwknopd\fR server can cache the digest calculated over the entire packet and compares against previous packet digests in order to detect attempted replay attacks\&. Syslog alerts are generated if a replay is detected\&.
 .sp
 By default, the \fBfwknop\fR client sends authorization packets over UDP port 62201, but this can be altered with the \fB\-\-server\-port\fR argument\&. The server must first be configured to acquire the SPA data on the changed protocol\-port\&. Also, \fBfwknop\fR can send the SPA packet over a random port via the \fB\-\-rand\-port\fR argument\&. See \fIfwknopd(8)\fR for further details\&. See the \fBEXAMPLES\fR section for example invocations of the \fBfwknop\fR client\&.
 .SH "REQUIRED ARGUMENTS"
 .sp
 These required arguments can be specified via command\-line or from within the \fI\&.fwknoprc\fR file (see \fI\-n, \-\-named\-config\fR option and the FWKNOPRC FILE section below\&.
 .PP
 \fB\-D, \-\-destination\fR=\fI<IP\-address>\fR
 .RS 4
@ -63,7 +65,7 @@ Direct the
 \fBfwknop\fR
 client to authenticate with the
 \fBfwknopd\fR
-daemon/service at the destination address <IP>\&. The connection mode is discovered by the
+daemon/service at the specified destination hostname or IP address\&. The connection mode is discovered by the
 \fBfwknopd\fR
 daemon/service when it decrypts and parses the authentication packet\&.
 .RE
@ -114,7 +116,7 @@ client to write a newly created SPA packet out to the specified file so that it
 .PP
 \fB\-G, \-\-get\-key\fR=\fI<file>\fR
 .RS 4
-Load an encryption key/password from the specified file\&.
+Load an encryption key/password from the specified file\&. The key file contains a line for each destination hostname or IP address, a colon (":"), optional space and the password, followed by a newline\&. Note that the last line has to have a terminating newline character\&. Also note: though this is a convenience, have a file on your system with cleartext passwords is not a good idea and is not recommended\&.
 .RE
 .PP
 \fB\-l, \-\-last\-cmd\fR
@ -128,9 +130,10 @@ file\&.
 .PP
 \fB\-n, \-\-named\-config\fR=\fI<stanza name>\fR
 .RS 4
-The
+Specify the name of the configuration stanza in the \(lq$HOME/\&.fwknoprc\(rq file to pull configuration and command directives\&. These named stanzas alleviate the need for remembering the various command\-line arguments for frequently used invocations of
-\fBfwknop\fR
+\fBfwknop\fR\&. See the section labeled, FWKNOPRC FILE below for a list of the valid configuration directives in the
-client program can use parameters specified in it rc file, \(oq`\&.fwknoprc\'\' which is found in the user\'s home directory\&. If *fwknop* does not detect the $HOME/\&.fwknoprc file, it will create it\&. The \'\&.fwkoprc\' file contains a default configuration area or \'stanza\' which holds global configuration directives that override the program defaults\&. You can edit this file and create additonal \'named stanzas\' that can be specified with this (\'\-n\') option\&. Parameters defined in the named stanzas will override any matching \'default\' stanza directives\&. See the section: FWKNOPRC FILE below for a list of the valid configuration directives in the ``\&.fwknoprc\(cq\' file\&.
+\fI\&.fwknoprc\fR
 file\&.
 .RE
 .PP
 \fB\-\-show\-last\fR
@ -148,7 +151,9 @@ Test mode\&. Generate the SPA packet data, but do not send it\&. Instead, print
 .RS 4
 Run the
 \fBfwknop\fR
-client in verbose mode\&.
+client in verbose mode\&. This causes
 \fBfwknop\fR
 to print some extra information about the current command and the resulting SPA data\&.
 .RE
 .PP
 \fB\-V, \-\-Version\fR
@ -161,9 +166,7 @@ Display version information and exit\&.
 .RS 4
 Specify IP address that should be permitted through the destination
 \fBfwknopd\fR
-server firewall (this IP is encrypted within the SPA packet itself)\&. This is useful to prevent a
+server firewall (this IP is encrypted within the SPA packet itself)\&. This is useful to prevent a MTIM attack where a SPA packet can be intercepted enroute and sent from a different IP than the original\&. Hence, if the
 \fIMan\-In\-The\-Middle\fR
 (MTIM) attack where an SPA packet can be intercepted enroute and sent from a different IP than the original\&. Hence, if the
 \fBfwknopd\fR
 server trusts the source address on the SPA packet IP header then the attacker gains access\&. The
 \fB\-a\fR
@ -175,9 +178,7 @@ option\&. Another related option is
 \fB\-R\fR
 (see below) which instructs the
 \fBfwknop\fR
-client to automatically resolve the externally routable IP address the local system is connected to by querying the
+client to automatically resolve the externally routable IP address the local system is connected to by querying a website that returns the actual IP address it sees from the calling system\&.
 \fIhttp://www\&.whatismyip\&.com\fR
 website\&.
 .RE
 .PP
 \fB\-C, \-\-server\-cmd\fR=\fI<command to execute>\fR
@ -206,9 +207,7 @@ Specify an HTTP proxy that the
 \fBfwknop\fR
 client will use to send the SPA packet through\&. Using this option will automatically set the SPA packet transmission mode (usually set via the
 \fB\-\-server\-proto\fR
-argument) to \(lqhttp\(rq\&. You can also specify the proxy port by adding
+argument) to "http"\&. You can also specify the proxy port by adding ":<port>" to the proxy host name or ip\&.
 \fI:<port>\fR
 to the proxy host name or ip\&.
 .RE
 .PP
 \fB\-m, \-\-digest\-type\fR=\fI<digest>\fR
@ -230,7 +229,7 @@ server offers the ability to provide SPA access through an iptables firewall to
 \fBfwknopd\fR
 server is protecting an internal network on an RFC\-1918 address space, an external
 \fBfwknop\fR
-client can request that the server port forward an external port to an internal IP, i\&.e\&. \(lq\-\-NAT\-access 192\&.168\&.10\&.2:55000\(rq\&. In this case, access will be granted to 192\&.168\&.10\&.2 via port 55000 to whatever service is requested via the
+client can request that the server port forward an external port to an internal IP, i\&.e\&. \(lq\-\-NAT\-access 192\&.168\&.10\&.2,55000\(rq\&. In this case, access will be granted to 192\&.168\&.10\&.2 via port 55000 to whatever service is requested via the
 \fB\-\-access\fR
 argument (usually tcp/22)\&. Hence, after sending such an SPA packet, one would then do \(lqssh \-p 55000
 user@host\(rq and the connection would be forwarded on through to the internal 192\&.168\&.10\&.2 system automatically\&. Note that the port \(lq55000\(rq can be randomly generated via the
@ -282,7 +281,7 @@ looks for authorization packets over UDP port 62201\&.
 .PP
 \fB\-P, \-\-server\-proto\fR=\fI<protocol>\fR
 .RS 4
-Set the protocol (udp, tcp, tcpraw, icmp) for the outgoing SPA packet\&. Note: The
+Set the protocol (udp, tcp, http, tcpraw, or icmp) for the outgoing SPA packet\&. Note: The
 \fBtcpraw\fR
 and
 \fBicmp\fR
@ -291,9 +290,7 @@ modes use raw sockets and thus require root access to run\&. Also note: The
 mode expects to establish a TCP connection to the server before sending the SPA packet\&. This is not normally done, but is useful for compatibility with the Tor for strong anonymity; see
 \fIhttp://tor\&.eff\&.org/\fR\&. In this case, the
 \fBfwknopd\fR
-server uses the
+server will need to be configured to listen on the target TCP port (which is 62201 by default)\&.
 \fBfwknop_serv\fR
 daemon to listen on a TCP port (62201 by default)\&.
 .RE
 .PP
 \fB\-Q, \-\-spoof\-src\fR=\fI<IP>\fR
@ -327,11 +324,13 @@ This is an important option, and instructs the
 \fBfwknop\fR
 client and the
 \fBfwknopd\fR
-daemon/service to query
+daemon/service to query a web server that returns the caller\(cqs IP address (as seen by the web server)\&. In some cases, this is needed to determine the IP address that should be allowed through the iptables policy at the remote fwknopd server side\&. This is useful if the
 \fIhttp://www\&.whatismyip\&.com\fR
 to determine the IP address that should be allowed through the iptables policy at the remote fwknopd server side\&. This is useful if the
 \fBfwknop\fR
-client is being used on a system that is behind an obscure NAT address\&.
+client is being used on a system that is behind an obscure NAT address\&. Presently,
 \fBfwknop\fR
 uses the URL:
 \fIhttp://www\&.cipherdyne\&.org/cgi\-bin/myip\fR
 to resolve the caller IP\&.
 .RE
 .PP
 \fB\-s, \-\-source\-ip\fR
@ -343,8 +342,7 @@ client to form an SPA packet that contains the special\-case IP address \(lq0\&.
 SPA server to use the source IP address from which the SPA packet originates as the IP that will be allowed through upon modification of the firewall ruleset\&. This option is useful if the
 \fBfwknop\fR
 client is deployed on a machine that is behind a NAT device\&. The permit\-address options
-\fB\-s\fR
+\fB\-s\fR,
 (default),
 \fB\-R\fR
 and
 \fB\-a\fR
@ -411,21 +409,23 @@ server and the associated private key is used to decrypt the SPA packet\&. The r
 .PP
 \fB\-\-gpg\-signer\-key\fR=\fI<key ID or Name>\fR
 .RS 4
-Specify the GnuPG key ID, e\&.g\&. \(oq`+ABCD1234+\'\' (see the output of ``gpg \-\-list\-keys\(cq\') or the key name to use when signing the SPA message\&. The user is prompted for the associated GnuPG password to create the signature\&. This adds a cryptographically strong mechanism to allow the
+Specify the GnuPG key ID, e\&.g\&. \(lqABCD1234\(rq (see the output of "gpg \-\-list\-keys") or the key name to use when signing the SPA message\&. The user is prompted for the associated GnuPG password to create the signature\&. This adds a cryptographically strong mechanism to allow the
 \fBfwknopd\fR
 daemon on the remote server to authenticate who created the SPA message\&.
 .RE
 .SH "FWKNOPRC FILE"
 .sp
-The \(lq\&.fwknoprc\(rq file is used to set various parameters to override default program parameters at runtime\&. It also allows for additional named configuration \fIstanzas\fR for setting program parameters for a particular invocation\&.
+The \fI\&.fwknoprc\fR file is used to set various parameters to override default program parameters at runtime\&. It also allows for additional named configuration \fIstanzas\fR for setting program parameters for a particular invocation\&.
 .sp
 The \fBfwkop\fR client will create this file if it does not exist in the user\(cqs home directory\&. This initial version has some sample directives that are commented out\&. It is up to the user to edit this file to meet their needs\&.
 .sp
-There are directives to match most of the command\-line parameters \fBfwknop\fR supports\&. Here is the current list of each directive along with a brief description and (if applicable) it matching command\-line option:
+The \fI\&.fwkoprc\fR file contains a default configuration area or stanza which holds global configuration directives that override the program defaults\&. You can edit this file and create additonal \fInamed stanzas\fR that can be specified with the \fB\-n\fR or \fB\-\-named\-config\fR option\&. Parameters defined in the named stanzas will override any matching \fIdefault\fR stanza directives\&. Note that command\-line options will still override any corresponding \fI\&.fwknoprc\fR directives\&.
 .sp
 There are directives to match most of the command\-line parameters \fBfwknop\fR supports\&. Here is the current list of each directive along with a brief description and its matching command\-line option(s):
 .PP
 \fBDIGEST_TYPE\fR
 .RS 4
-Set the SPA message digest type (\'\-m, \-\-digest\-type)\&.
+Set the SPA message digest type (\fI\-m, \-\-digest\-type\fR)\&.
 .RE
 .PP
 \fBSPA_SERVER_PROTO\fR
@ -456,19 +456,19 @@ Set the firewall rule timeout value (\fI\-f, \-\-fw\-timeout\fR)\&.
 \fBALLOW_IP\fR
 .RS 4
 Specify the address to allow within the SPA data\&. Note: This parameter covers the
-\fI\-a\fR,
+\fB\-a\fR,
-\fI\-s\fR, and
+\fB\-s\fR, and
-\fI\-R\fR
+\fB\-R\fR
-command\-line options\&. You can specify an IP address (the
+command\-line options\&. You can specify a hostname or IP address (the
-\fI\-a\fR
+\fB\-a\fR
 option), specify the word "source" to tell the
 \fBfwknopd\fR
 server to accept the source IP of the packet as the IP to allow (the
-\fI\-s\fR
+\fB\-s\fR
 option), or use the word "resolve" to have
 \fBfwknop\fR
 resolve the external network IP via HTTP request (the
-\fI\-R\fR
+\fB\-R\fR
 option)\&.
 .RE
 .PP
@ -550,7 +550,7 @@ Have the fwknop client assign a random port for NAT access (\fI\-\-nat\-rand\-po
 .RE
 .SH "ENVIRONMENT"
 .sp
-\fBGPG_AGENT_INFO\fR (only used in \fB\-\-gpg\-agent\fR mode)\&.
+\fBSPOOF_USER\fR, \fBGPG_AGENT_INFO\fR (only used in \fB\-\-gpg\-agent\fR mode)\&.
 .SH "EXAMPLES"
 .sp
 The following examples illustrate the command line arguments that could be supplied to the fwknop client in a few situations:
@ -598,7 +598,7 @@ Same as above example, but gain access from whatever source IP is seen by the fw
 .RE
 .\}
 .sp
-Same as above example, but use the IP identification website \fIhttp://www\&.whatismyip\&.com\fR to derive the client IP address\&. This is a safer method of acquiring the client IP address than using the \fB\-s\fR option because the source IP is put within the encrypted packet instead of having the \fBfwknopd\fR daemon grant the requested access from whatever IP address the SPA packet originates:
+Same as above example, but use an IP identification website to derive the client IP address\&. This is a safer method of acquiring the client IP address than using the \fB\-s\fR option because the source IP is put within the encrypted packet instead of having the \fBfwknopd\fR daemon grant the requested access from whatever IP address the SPA packet originates:
 .sp
 .if n \{\
 .RS 4
@ -652,9 +652,7 @@ fwknopd(8), iptables(8), gpg(1), libfko documentation\&.
 More information on Single Packet Authorization can be found in the paper \(lqSingle Packet Authorization with fwknop\(rq available at \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/SPA\&.html\fR\&.
 .SH "AUTHORS"
 .sp
-Damien Stuart <dstuart@dstuart\&.org>
+Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
 .sp
 Michael Rash <mbr@cipherdyne\&.org>
 .SH "CONTRIBUTORS"
 .sp
 This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/contributors\&.html\fR to view the online list of contributors\&.
--- a/doc/fwknop.man.asciidoc
+++ b/doc/fwknop.man.asciidoc
@ -16,17 +16,16 @@ SYNOPSIS
 DESCRIPTION
 -----------
 *fwknop* implements an authorization scheme known as Single Packet
-Authorization (SPA) for Linux systems running iptables, and for Mac OS X
+Authorization (SPA) for Linux systems running iptables.  This mechanism
-and FreeBSD systems running ipfw.  This mechanism requires only a single
+requires only a single encrypted and non-replayed packet to communicate
-encrypted and non-replayed packet to communicate various pieces of
+various pieces of information including desired access through an iptables
-information including desired access through an iptables or ipfw policy.
+or ipfw policy.  The main application of this program is to use iptables
-The main application of this program is to use iptables or ipfw in a
+in a default-drop stance to protect services such as 'SSH' with an
-default-drop stance to protect services such as 'SSH' with an additional
+additional layer of security in order to make the exploitation of
-layer of security in order to make the exploitation of vulnerabilities
+vulnerabilities (both 0-day and unpatched code) much more difficult.
 (both 0-day and unpatched code) much more difficult.
 An authorization server *fwknopd* passively monitors authorization packets
-via 'libpcap' and hence there is no "server" to which to connect in the
+via 'libpcap' and hence there is no ``server'' to which to connect in the
 traditional sense.  Any service protected by *fwknop* is inaccessible (by
 using 'iptables' or 'ipfw' to intercept packets within the kernel) before
 authenticating; anyone scanning for the service will not be able to detect
@ -60,9 +59,9 @@ format (before they are encrypted):
    message digest (SHA512 / SHA384 / SHA256 / SHA1 / MD5)
 ..........................
-Each of the above fields are separated by a ``+:+'' character due to the
+Each of the above fields are separated by a ":" character due to the
 variable length of several of the fields, and those that might contain
-``+:+'' characters are base64 encoded.  The message digest (*SHA256* by
+":" characters are base64 encoded.  The message digest (*SHA256* by
 default in all versions of *fwknop* greater than 1.9.1) allows the server
 to check message integrity after decryption, and the 16 bytes of random data
 ensures (with high probability) that no two messages are identical.  This
@ -83,11 +82,15 @@ Also, *fwknop* can send the SPA packet over a random port via the
 REQUIRED ARGUMENTS
 ------------------
 These required arguments can be specified via command-line or from within
 the '.fwknoprc' file (see '-n, --named-config' option and the FWKNOPRC FILE
 section below.
 *-D, --destination*='<IP-address>'::
    Direct the *fwknop* client to authenticate with the *fwknopd*
-    daemon/service at the destination address <IP>.  The connection mode
+    daemon/service at the specified destination hostname or IP address. The
-    is discovered by the *fwknopd* daemon/service when it decrypts and
+    connection mode is discovered by the *fwknopd* daemon/service when it
-    parses the authentication packet.
+    decrypts and parses the authentication packet.
 *-A, --access*='<port list>'::
    Provide a list of ports and protocols to access on a remote computer
@ -115,7 +118,12 @@ GENERAL OPTIONS
    to the specified file so that it can be examined off-line.
 *-G, --get-key*='<file>'::
-    Load an encryption key/password from the specified file.
+    Load an encryption key/password from the specified file.  The key file
    contains a line for each destination hostname or IP address, a colon
    (":"), optional space and the password, followed by a newline.  Note
    that the last line has to have a terminating newline character. 
    Also note: though this is a convenience, have a file on your system with
    cleartext passwords is not a good idea and is not recommended.
 *-l, --last-cmd*::
    Execute *fwknop* with the command-line arguments from the previous
@ -128,7 +136,7 @@ GENERAL OPTIONS
    alleviate the need for remembering the various command-line arguments
    for frequently used invocations of *fwknop*. See the section labeled,
    FWKNOPRC FILE below for a list of the valid configuration directives in
-    the ``.fwknoprc'' file.
+    the '.fwknoprc' file.
 *--show-last*::
    Display the last command-line arguments used by *fwknop*.
@ -140,7 +148,9 @@ GENERAL OPTIONS
    This is primarily a debugging feature.
 *-v, --verbose*::
-    Run the *fwknop* client in verbose mode.
+    Run the *fwknop* client in verbose mode.  This causes *fwknop* to print
    some extra information about the current command and the resulting SPA
    data.
 *-V, --Version*::
    Display version information and exit.
@ -151,18 +161,18 @@ SPA OPTIONS
 *-a, --allow-ip*='<IP-address>'::
    Specify IP address that should be permitted through the destination
    *fwknopd* server firewall (this IP is encrypted within the SPA packet
-    itself).  This is useful to prevent a 'Man-In-The-Middle' (MTIM) attack
+    itself).  This is useful to prevent a MTIM attack where a SPA packet
-    where an SPA packet can be intercepted enroute and sent from a
+    can be intercepted enroute and sent from a different IP than the
-    different IP than the original.  Hence, if the *fwknopd* server trusts
+    original.  Hence, if the *fwknopd* server trusts the source address
-    the source address on the  SPA  packet IP header then the attacker
+    on the  SPA  packet IP header then the attacker gains access. 
-    gains access.  The *-a* option puts the source address within the
+    The *-a* option puts the source address within the encrypted SPA
-    encrypted SPA packet, and so thwarts this attack.  The *-a* option
+    packet, and so thwarts this attack.  The *-a* option is also
-    is also useful to specify the IP that will be granted access when the
+    useful to specify the IP that will be granted access when the
    SPA packet itself is spoofed with the *--spoof-src* option.  Another
    related option is *-R* (see below) which instructs the *fwknop* client
    to automatically resolve the externally routable IP address the local
-    system is connected to by querying the 'http://www.whatismyip.com'
+    system is connected to by querying a website that returns the actual
-    website.
+    IP address it sees from the calling system.
 *-C, --server-cmd*='<command to execute>'::
    Instead of requesting access to a service with an SPA packet, the
@ -180,7 +190,7 @@ SPA OPTIONS
    Specify an HTTP proxy that the *fwknop* client will use to send the SPA
    packet through.  Using this option will automatically set the SPA packet
    transmission mode (usually set via the *--server-proto* argument) to
-    ``http''.  You can also specify the proxy port by adding ':<port>' to
+    "http".  You can also specify the proxy port by adding ":<port>" to
    the proxy host name or ip.
 *-m, --digest-type*='<digest>'::
@ -193,7 +203,7 @@ SPA OPTIONS
    iptables NAT capabilities.  So, if the *fwknopd* server is protecting
    an internal network on an RFC-1918 address space, an external *fwknop*
    client can request that the server port forward an external port to an
-    internal IP, i.e. ``+--NAT-access 192.168.10.2:55000+''.  In this case,
+    internal IP, i.e. ``+--NAT-access 192.168.10.2,55000+''.  In this case,
    access will be granted to 192.168.10.2 via port 55000 to whatever
    service is requested via the *--access* argument (usually tcp/22). 
    Hence, after sending such an SPA packet, one would then do
@ -230,14 +240,14 @@ SPA OPTIONS
    over UDP port 62201.
 *-P, --server-proto*='<protocol>'::
-    Set the protocol (udp, tcp, tcpraw, icmp) for the outgoing SPA packet. 
+    Set the protocol (udp, tcp, http, tcpraw, or icmp) for the outgoing SPA
-    Note: The *tcpraw* and *icmp* modes use raw sockets and thus require
+    packet.  Note: The *tcpraw* and *icmp* modes use raw sockets and thus
-    root access to run.  Also note: The *tcp* mode expects to establish a
+    require root access to run.  Also note: The *tcp* mode expects to establish
-    TCP connection to the server before sending the SPA packet.  This is
+    a TCP connection to the server before sending the SPA packet.  This is
    not normally done, but is useful for compatibility with the Tor for
    strong anonymity; see 'http://tor.eff.org/'.  In this case, the
-    *fwknopd* server uses the *fwknop_serv* daemon to listen on a TCP
+    *fwknopd* server will need to be configured to listen on the target TCP
-    port (62201 by default).
+    port (which is 62201 by default).
 *-Q, --spoof-src*='<IP>'::
    Spoof the source address from which the *fwknop* client sends SPA
@ -255,11 +265,13 @@ SPA OPTIONS
 *-R, --resolve-ip-http*::
    This is an important option, and instructs the *fwknop* client and
-    the *fwknopd* daemon/service to query 'http://www.whatismyip.com' to
+    the *fwknopd* daemon/service to query a web server that returns the
-    determine the IP address that should be allowed through the iptables
+    caller's IP address (as seen by the web server). In some cases, this is
-    policy at the remote fwknopd server side.  This is useful if the
+    needed to determine the IP address that should be allowed through the
-    *fwknop* client is being used on a system that is behind an obscure
+    iptables policy at the remote fwknopd server side.  This is useful if
-    NAT address.
+    the *fwknop* client is being used on a system that is behind an obscure
    NAT address. Presently, *fwknop* uses the URL:
    'http://www.cipherdyne.org/cgi-bin/myip' to resolve the caller IP.
 *-s, --source-ip*::
    Instruct the *fwknop* client to form an SPA packet that contains the
@ -268,7 +280,7 @@ SPA OPTIONS
    SPA packet originates as the IP that will be allowed through upon
    modification of the firewall ruleset.  This option is useful if the
    *fwknop* client is deployed on a machine that is behind a NAT device. 
-    The permit-address options *-s* (default), *-R* and *-a* are mutually
+    The permit-address options *-s*, *-R* and *-a* are mutually
    exclusive.
 *--time-offset-plus*='<time>'::
@ -322,7 +334,7 @@ GPG-RELATED OPTIONS
 *--gpg-signer-key*='<key ID or Name>'::
    Specify the GnuPG key ID, e.g. ``+ABCD1234+'' (see the output of
-    ``+gpg --list-keys+'') or the key name to use when signing the SPA message. 
+    "gpg --list-keys") or the key name to use when signing the SPA message. 
    The user is prompted for the associated GnuPG password to create the
    signature.  This adds a cryptographically strong mechanism to allow
    the *fwknopd* daemon on the remote server to authenticate who created
@ -331,7 +343,7 @@ GPG-RELATED OPTIONS
 FWKNOPRC FILE
 -------------
-The ``.fwknoprc'' file is used to set various parameters to override default
+The '.fwknoprc' file is used to set various parameters to override default
 program parameters at runtime.  It also allows for additional named
 configuration 'stanzas' for setting program parameters for a particular
 invocation.
@ -340,18 +352,20 @@ The *fwkop* client will create this file if it does not exist in the user's
 home directory.  This initial version has some sample directives that are
 commented out.  It is up to the user to edit this file to meet their needs.
-The ``.fwkoprc'' file contains a default configuration area or 'stanza' which
+The '.fwkoprc' file contains a default configuration area or stanza which
 holds global configuration directives that override the program defaults. 
 You can edit this file and create additonal 'named stanzas' that can be
-specified with this ('-n') option.  Parameters defined in the named stanzas
+specified with the *-n* or *--named-config* option. Parameters defined in
-will override any matching 'default' stanza directives.
+the named stanzas will override any matching 'default' stanza directives.
 Note that command-line options will still override any corresponding
 '.fwknoprc' directives.
 There are directives to match most of the command-line parameters *fwknop*
 supports.  Here is the current list of each directive along with a brief
 description and its matching command-line option(s):
 *DIGEST_TYPE*::
-    Set the SPA message digest type ('-m, --digest-type).
+    Set the SPA message digest type ('-m, --digest-type').
 *SPA_SERVER_PROTO*::
    Set the protocol to use for sending the SPA packet ('-P, --server-proto').
@ -371,11 +385,11 @@ description and its matching command-line option(s):
 *ALLOW_IP*::
    Specify the address to allow within the SPA data.  Note: This parameter
-    covers the '-a', '-s', and '-R' command-line options.  You can specify
+    covers the *-a*, *-s*, and *-R* command-line options.  You can specify
-    an IP address (the '-a' option), specify the word "source" to tell the
+    a hostname or IP address (the *-a* option), specify the word "source" to
-    *fwknopd* server to accept the source IP of the packet as the IP to
+    tell the *fwknopd* server to accept the source IP of the packet as the IP
-    allow (the '-s' option), or use the word "resolve" to have *fwknop*
+    to allow (the *-s* option), or use the word "resolve" to have *fwknop*
-    resolve the external network IP via HTTP request (the '-R' option).
+    resolve the external network IP via HTTP request (the *-R* option).
 *TIME_OFFSET*::
    Set a value to apply to the timestamp in the SPA packet.  This can
@ -434,7 +448,7 @@ description and its matching command-line option(s):
 ENVIRONMENT
 -----------
-*GPG_AGENT_INFO* (only used in *--gpg-agent* mode).
+*SPOOF_USER*, *GPG_AGENT_INFO* (only used in *--gpg-agent* mode).
 EXAMPLES
 --------
@ -472,12 +486,11 @@ behind a NAT device):
    $ fwknop -A "tcp/22,udp/53" -s -D 10.0.0.123
 ..........................
-Same as above example, but use the IP identification website
+Same as above example, but use an IP identification website to derive
-'http://www.whatismyip.com' to derive the client IP address.  This
+the client IP address.  This is a safer method of acquiring the client
-is a safer method of acquiring the client IP address than using the
+IP address than using the *-s* option because the source IP is put within
-*-s* option because the source IP is put within the encrypted packet
+the encrypted packet instead of having the *fwknopd* daemon grant the
-instead of having the *fwknopd* daemon grant the requested access
+requested access from whatever IP address the SPA packet originates:
 from whatever IP address the SPA packet originates:
 ..........................
    $ fwknop -A "tcp/22,udp/53" -R -D 10.0.0.123
@ -530,8 +543,7 @@ More information on Single Packet Authorization can be found in the paper
 AUTHORS
 -------
-Damien Stuart <dstuart@dstuart.org>
+Damien Stuart <dstuart@dstuart.org>, 
 Michael Rash <mbr@cipherdyne.org>
 CONTRIBUTORS
--- a/doc/fwknopd.man.asciidoc
+++ b/doc/fwknopd.man.asciidoc
@ -1,5 +1,5 @@
 :man source: Fwknop Server
-:man manual: Fwknop Server 
+:man manual: Fwknop Server
 FWKNOPD(8)
 ==========
@ -407,8 +407,7 @@ fwknop(8), iptables(8), libfko docmentation.
 AUTHOR
 ------
-Damien Stuart <dstuart@dstuart.org>
+Damien Stuart <dstuart@dstuart.org>, 
 Michael Rash <mbr@cipherdyne.org>
--- a/server/fwknopd.8
+++ b/server/fwknopd.8
@ -2,12 +2,12 @@
 .\"     Title: fwknopd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
-.\"      Date: 07/04/2010
+.\"      Date: 07/08/2010
 .\"    Manual: Fwknop Server
 .\"    Source: Fwknop Server
 .\"  Language: English
 .\"
-.TH "FWKNOPD" "8" "07/04/2010" "Fwknop Server" "Fwknop Server"
+.TH "FWKNOPD" "8" "07/08/2010" "Fwknop Server" "Fwknop Server"
 .\" -----------------------------------------------------------------
 .\" * set default formatting
 .\" -----------------------------------------------------------------
@ -494,9 +494,7 @@ The \fBfwknopd\fR daemon requires a functioning Netfilter firewall on the underl
 fwknop(8), iptables(8), libfko docmentation\&.
 .SH "AUTHOR"
 .sp
-Damien Stuart <dstuart@dstuart\&.org>
+Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
 .sp
 Michael Rash <mbr@cipherdyne\&.org>
 .SH "CREDITS"
 .sp
 This \(lqC\(rq version of \fBfwknopd\fR was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the \fICREDITS\fR file in the fwknop sources, or visit \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/contributors\&.html\fR to view the online list of contributors\&.