This commit makes it easier to determine exactly which commands fwknopd
runs in --verbose mode when interacting with the underlying firewall.
This commit also adds --verbose --verbose mode to the test suite.
Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.
Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.
This commit fixes the following gcc warning on freebsd systems:
replay_cache.c: In function 'replay_file_cache_init':
replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'
Changed PID string length to 7 to accomodate an ending newline and NULL
char when writing to the fwknopd .pid file. Without this fix, with a
5 digit PID the trailing newline would be truncated (no room for the
ending NULL char).
Added new command line options --fw-list-all and --fw-flush to allow all
firewall rules to be displayed including those not created by fwknopd, and
allow all firewall rules created by fwknopd to be deleted.
Also switched -D config dump output to stdout.
The test suite now recompiles fwknop only if the --enable-recompile-check
option is used, and if so, uses sudo (if installed) to have the resulting
binaries own by the original user (instead of by root). Also made a couple
of API changes to create test output files automatically if they don't
exist.
This commit begins development on a comprehensive test suite for fwknop.
The initial tests are focused on compilation correctness and security options
as determined by the "hardening-check" script from Kees Cook of the Debian
security team.
With the --help command line argument, the following information is printed:
$ ./fwknop-launcher-lsof.pl --help
Usage: fwknop-launcher-lsof.pl [options]
Options:
-c, --config <file> - Path to fwknop-launcher.conf config file.
-l, --lsof-cmd <path> - Path to lsof command.
-f, --fwknop-cmd <path> - Path to fwknop client command.
-s, --sleep <seconds> - Specify sleep interval (default:
1 seconds)
-n --no-daemon - Run in foreground mode.
-u, --user <username> - Specify username (usually this is not
needed).
--home-dir <dir> - Path to user's home directory (usually
this is not needed).
-v --verbose - Print verbose information to the terminal
(requires --no-daemon).
--help - Print usage info and exit.
The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
lightweight daemon that allows the user to not have to manually run the fwknop
client when attempting to gain access to a service that is protected by Single
Packet Authorization via fwknopd. This is accomplished by checking the output
of lsof to look for pending connections in the SYN_SENT state, which (usually)
indicate that a remote firewall is blocking the attempted connection. At this
point, the launcher executes the fwknop client with the --get-key arg (so the
user must place the key in the local filesystem) to generate an SPA packet for
the attempted connection. The remote fwknopd daemon will reconfigure the
firewall to allow temporary access, and this usually happens fast enough that
the original connection attempt will then succeed.
The idea for this was originally for a pcap-based connection watcher by
Sebastien Jeanquier.
