DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity
2,002 Commits 15 Branches 0 Tags
Commit Graph

500 Commits

Author SHA1 Message Date
Michael Rash
547dbb66b3 [server] minor return value handling update for create_chain() and add_jump_rule() 2015-04-08 18:30:03 -07:00
Michael Rash
1e33119b04 [server] use 'success' string for firewalld as returned firewall-cmd for command success 2015-04-08 18:29:03 -07:00
Michael Rash
0fa42ae117 [server] allow DISABLE_DNAT to not require FORCE_NAT 2015-04-07 16:34:49 -07:00
Michael Rash
8010690039 [server] add missing #define's for firewalld 2015-04-06 11:47:07 -07:00
Michael Rash
c25f34e7a2 [server] update firewalld for FORWARD_ALL NAT operations 2015-04-06 01:24:55 -07:00
Michael Rash
8e6db3a5da [server] extend FORWARD_ALL to apply to NAT operations 
This is a significant commit to allow all ports and protocols to be
NAT'd in conjunction with FORWARD ACCEPT rules. This commit is in
support of 6b7a3bbdae295c29a15a59385e637bd391858bc2 to allow fwknopd to
function as an SPA gateway.
 2015-04-06 20:04:33 -04:00
Michael Rash
a18b3e9027 [server] minor code coverage update for firewalld systems 2015-03-29 18:15:11 -07:00
Michael Rash
ab5c000a32 [test suite] added afl-cmin scripts, and the main test suite configs are referenced 2015-03-20 16:09:40 -04:00
Michael Rash
59edf64d9c [server] consolidate fw creation, add FORWARD_ALL functionality 2015-03-07 20:09:31 -08:00
Michael Rash
cfd1cbf2bf [server] minor macro usage update for 127.0.0.2 2015-03-07 19:45:50 -08:00
Michael Rash
bf251034e3 [server] bug fix to exclude pcap.h only in --enable-udp-server mode 
This commit fixes issue #143 on github reported by Coacher. The previous
commit introduced a build time error for non UDP server mode as seen
here:

https://paste.kde.org/pkaxwobwr
 2015-02-18 19:37:37 -05:00
Michael Rash
1ce800446d [server] Bug fix to not include pcap.h in --enable-udp-server mode 2015-02-17 23:21:05 -08:00
Damien Stuart
987455b902 Remove commented out entries from the client and server Makefile.am. 2015-02-14 12:40:58 -05:00
Damien Stuart
b152d15970 Refactored how the cunit tests are processed so "make dist" does not fail and builds with c-unit-tests enabled work on systems with firewalld (added fw_util_firewalld.c for server tests). 2015-02-14 12:29:30 -05:00
Michael Rash
e8cfeaf772 Merge pull request #142 from fjoncourt/c_unit_testing 
C unit testing - excellent, thank you Franck. I'll work on the relative path issue you mentioned as well.
 2015-01-17 09:11:29 -05:00
Michael Rash
6b7a3bbdae [server] Add FORWARD_ALL access.conf wildcard 
This is a significant commit that allows iptables firewalls to be used
as an "SPA gateway" for all ports/protocols upon providing a valid SPA
packet. Additional commits will be made to extend this capability, but
this commit adds two new access.conf keywords: FORWARD_ALL and
DISABLE_DNAT. These are used in conjunction to add ACCEPT rules for all
ports/protocols in the FORWARD chain, and also disable DNAT rules at the
same time. Then, by buildling the SNAT chain to provide translation for
an internal network (where an SPA cliet is located), but DROP all
forwarded traffic by default at the same time, SPA can be used to gain
access to the internet. So, this would allow, say, an RFC 1918 internal
network to have IP's assigned via DHCP but they wouldn't be able to
access the internet before sending a SPA packet to the gateway. This
scenario was suggested by spartan1833 to the fwknop list and tracked via
github issue 131.

Additional commits will be made to fully support this feature.
 2015-01-17 08:38:32 -05:00
Michael Rash
08bc935796 [server] remove redundant mk_chain() calls 2015-01-06 16:39:45 -05:00
Michael Rash
1f9e939c95 [server] consolidate iptables rule additions into a single ipt_rule() function 2015-01-06 15:30:12 -05:00
Franck Joncourt
1c81aef39d Fixed file permissions 2014-12-31 09:51:08 +01:00
Michael Rash
1ece9d022b [server] consolidate create_chain() and add_jump_rule() into a single function 2014-12-30 10:42:31 -05:00
Franck Joncourt
b7ecb3334a Merge upstream changes to our changes 2014-12-28 15:00:24 +01:00
Michael Rash
9dc56d6bb7 [test suite / server] rule deletion/addition tests mid-cycle 2014-12-15 17:06:07 -08:00
Michael Rash
fd582487db [server] minor typo fix 2014-12-15 17:03:08 -08:00
Michael Rash
67f969f2c7 [server] compilation bug fix for firewalld platforms in DESTINATION processing code 2014-12-10 17:06:45 -08:00
Michael Rash
74f114603b check fiu_init() and fiu_enable() return values 2014-12-07 16:29:30 -05:00
Michael Rash
76b1c6dd50 Merge branch 'spa_destination_ip' 2014-12-04 20:07:05 -05:00
Michael Rash
d6dee352af minor update to get DESTINATION filtering tests passing 2014-12-03 20:57:06 -05:00
Michael Rash
285ec0ddcb [server] add AFL support for fuzzing SPA Rijndael decryption routine directly with --afl-pkt-file 2014-12-03 20:25:05 -05:00
Grant Pannell
af6087c48d Keep the documentation consistent 2014-11-29 15:14:31 +10:30
Grant Pannell
624872ef48 Add DESTINATION access.conf directive and ENABLE_DESTINATION_RULE fwknopd.conf directive 2014-11-29 15:05:06 +10:30
Michael Rash
7a2763a133 [server] minor fix to add AFL_FUZZING macro 2014-11-28 19:18:38 -05:00
Michael Rash
01e294aed3 [test suite] use -A mode for AFL fuzzing, make sure fwknopd does not init digest cache in -A mode 2014-11-28 19:13:35 -05:00
Michael Rash
7938e6fbbf [server] manpage update 2014-11-26 08:46:24 -05:00
Michael Rash
a64542c7a4 [server] add --run-dir command line arg 2014-11-25 22:06:56 -05:00
Michael Rash
82cf8b1c9c [server] Enforce proper bounds checking on digest cache file import 
Bug fix to ensure that proper bounds are enforced when importing digest
cache files from previous fwknopd executions. This bug
was discovered through fuzzing with American Fuzzy Lop (AFL) as driven
by the test/afl/fuzzing-wrappers/server-digest-cache.sh wrapper.
Previous to this fix, fwknopd could be made to crash through a malicious
digest cache file (normally in /var/run/fwknop/digest.cache) upon
initial import.
 2014-11-25 22:05:15 -05:00
Michael Rash
8872e50818 [test suite] use digest tracking override for ALF fwknopd fuzzing 2014-11-25 15:04:30 -05:00
Michael Rash
a72b69eee7 manpage updates 2014-11-15 10:51:48 -05:00
Michael Rash
d2880021ca [server] document --udp-server option 2014-11-15 10:45:59 -05:00
Michael Rash
2e1d076160 [server] minor status wording update 2014-11-15 00:16:17 -05:00
Michael Rash
aaa44656bc [server] add support for American Fuzzy Lop (ALF) fuzzing 2014-11-13 20:55:04 -05:00
Michael Rash
7022d79ca7 [server] minor code cleanup 2014-11-06 20:24:50 -05:00
Michael Rash
a8879231c3 [server] add run_extcmd_write() call in code coverage mode 2014-11-06 20:24:33 -05:00
Michael Rash
0c59f6e500 add CODE_COVERAGE macro for ./configure --enable-profile-coverage 2014-11-06 20:23:40 -05:00
Michael Rash
04f8b9669a [server] check number of cmd args even when execvpe() is not available 2014-11-05 23:19:51 -05:00
Michael Rash
e7942f48e0 [server] allow loop restart after select() sets EINTR (since we handle signals) - fixes cmd execution through UDP on FreeBSD 2014-11-04 22:44:59 -05:00
Michael Rash
c5f0389281 [server] minor code restructure, use FD_ISSET() test on file descriptors 2014-11-04 22:43:04 -05:00
Michael Rash
50009115b3 [server] bug fix to close write filehandle in _run_extcmd_write() 2014-11-01 12:03:49 -04:00
Michael Rash
34e38fe39e [server] first pass at eliminating popen() write calls with run_extcmd_write() (used for PF firewalls) 2014-10-28 21:28:21 -04:00
Michael Rash
d2abbd8720 [test suite] more code coverage tests 2014-10-25 22:29:49 -04:00
Michael Rash
17608dd01d [test suite] additional code coverage 2014-10-25 08:42:30 -04:00