DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity
354 Commits 15 Branches 0 Tags
Commit Graph

47 Commits

Author SHA1 Message Date
Michael Rash
2531896ebf Added the ability to delete PF rules 
This commit adds the ability to fwknopd to delete PF rules after the SPA timer
expires.  The strategy implemented is similar to iptables and ipfw, except
that all PF rules are added to an 'anchor', and deleting a specific expired
rule is done by listing all rules in the anchor and reinstantiating it via
'pfctl -a <anchor> -f -' with the expired rule deleted.  fwknopd uses the
"_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
interfaces with iptables (via the 'comment' match), and ipfw (via the
"//<comment>" feature).
 2011-09-07 23:24:18 -04:00
Michael Rash
10ff421e1e For PF firewalls implemented a check for an active fwknop anchor 
This commit ensures that for PF firewalls that the fwknop anchor is active and
linked into the running PF policy.  This is accomplished by looking for the
string 'anchor "fwknop"' in the output of "pfctl -s rules".  If the anchor
exists, then fwknopd will be able to influence traffic via rules added and
removed from the fwknop anchor.
 2011-08-28 13:27:15 -04:00
Michael Rash
0649ef924a PF support on OpenBSD in progress, fwknop --fw-list now works 
This is the first commit that has fwknopd interact with the PF firewall on
OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).
 2011-08-27 10:57:17 -04:00
Michael Rash
ff7c4219e8 Update to suppress additional compiler warning 
This change fixes the following compiler warning that was seen with many of
the source files in server/

fwknopd_common.h:223: warning: ‘config_map’ defined but not used
 2011-08-20 12:56:30 -04:00
Michael Rash
941a4aa9a3 Added source port and protocol to digest tracking 
Added the source port and protocol fields to valid SPA packets in the digest
cache.  This can help to discover replay trends.  The format of the digest
file cache is now:

<digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>
 2011-08-13 21:00:54 -04:00
Michael Rash
6982a72c07 Added dst IP to tracked SPA data 
The digest cache now contains destination IP addresses of valid SPA packets.
The complete format is now:

<digest> <src_ip> <dst_ip> <creation time>
 2011-08-12 22:00:44 -04:00
Michael Rash
459cfb4d45 Implemented linked list cache of SPA digests 
When not using gdbm/ndbm support (the default now), fwknopd implements a linked
list of SPA packet digests for replay attack detection along with writing
digest data in ascii text down to disk (in the CONF_DIGEST_FILE file).
 2011-08-12 20:16:00 -04:00
Michael Rash
52c795634b Updated digest file path for gdbm/ndbm support 
If fwknopd is compiled with --disable-file-cache to the ./configure script
then it will assume that the default filename is "digest_db.cache" for the
digest cache.  If the file cache method is used (this is the default), then
"digest.cache" is the default filename.  A new variable DIGEST_DB_FILE in
the fwknopd.conf file controls the digest filename if gdbm/ndbm support is
required.
 2011-08-10 22:07:25 -04:00
Michael Rash
ca5f82c067 Removed legacy $Id$ tags from svn 
$Id$ tags don't really mean anything to git so they have been removed from all
source files.
 2011-06-18 20:53:40 -04:00
Damien Stuart
0f6ca00ac4 Updated the GPL blurb at the top of the source files. Added some missing copyright statements (Thanks to Franck Joncourt). 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@300 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-11-13 03:04:36 +00:00
Damien Stuart
cdff077bb6 Added rule expire and purge for ipfw. Almost there... 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@283 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-08-24 03:09:35 +00:00
Damien Stuart
51c21b318f Start of addition of access requests via ipfw. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@282 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-08-23 02:43:43 +00:00
Damien Stuart
838b80fd7d Refactored firewall rule code to separate files by firewall type. Stubbed in ipfw and ipf firewall types. Updated autoconf to set a firewall type and path depending on configure arguments. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@279 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-08-10 02:29:09 +00:00
Damien Stuart
6126b7b7ca Updates to accomodate building and compiling on FreeBSD systems. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@276 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-08-08 18:53:35 +00:00
Damien Stuart
4c995c146b Almost all he conf variables have a default value if they are not there (or set). All the entries in the initial fwknop.conf file are not commented out adn can be override as needed. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@262 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-15 01:38:16 +00:00
Michael Rash
6f4ff9cb69 added --fw-list arg to the fwknopd daemon to list all current firewall rules for any running fwknopd process 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@260 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-13 04:09:07 +00:00
Damien Stuart
f03b2786eb Added the fwknopd_errors.[ch] files which provides the get_errstr() and fwknopd_errstr() functions. The get_errstr() function takes and error_code, tries to determine the type, then calls the appropriate xxx_errstr function to return a description string. Fixed some minor errors in the libfko API docs. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@258 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-11 20:16:32 +00:00
Michael Rash
05fdf6f319 minor macro update to define the default gpg keyring 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@253 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-11 02:49:12 +00:00
Damien Stuart
8129f86ddd More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@232 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-04 21:12:51 +00:00
Damien Stuart
5f1f0650ea Put locale code back in. More cleanup of config directives and options. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@231 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-04 13:34:31 +00:00
Damien Stuart
14e844f3f2 Updates to TCP server to close the lock file handle, use a non-blocking socket, and detect when the parent fwknop dies so it can exit as well. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@228 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-07-01 03:12:32 +00:00
Damien Stuart
b217c6a1fa Added the GPG signature checking code. Added GPG_REQUIRE_SIG and GPG_IGNORE_SIG_VERIFY_ERROR parameters to access.conf. Implement the checking of GPG signature IDs against the GPG_REOMOTE_ID list. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@227 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-29 02:40:59 +00:00
Damien Stuart
b7ede1625d Added support for COMMAND_MSG requests. Also added CMD_EXEC_USER to access.conf to allow for fwknopd to setuid to the specified user before running the command. Other minor tweaks. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@226 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-29 01:00:11 +00:00
Damien Stuart
b95d222d3c More tweaks, clean-up and documentation tweaks for the first release. Made client http-proxy option allow case insensitive match and to take an option :port as part of the argument. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@225 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-27 21:07:56 +00:00
Damien Stuart
fe09438921 Start of cleanup for beta release candidate. Removed locale-related code (for now) as it was breaking some things like logging. removed some unimplemented and/or unused parameters and config directives (as well as thier respective documentation references. Added a --rotate-digest-cache command-line arg to force a rename of the digest cache file and start a new one. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@224 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-24 02:31:36 +00:00
Damien Stuart
315f3e6778 Tweak to client usage message output. Added TCP server funcionality to the server (call it a first cut). 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@220 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-20 23:15:52 +00:00
Damien Stuart
3915f1b7aa Added support for parsing and processing SPA requests over HTTP. Beefed up verbose logging a bit. Added some more sanity checks on the validity of incoming SPA data before attempting to decode. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@219 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-20 15:22:41 +00:00
Damien Stuart
579ec77698 Added support for FWKNOP_OUTPUT_ACCESS and NAT_ACCESS modes (still needs testing and tweaking). 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@216 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-06-15 02:50:17 +00:00
Damien Stuart
aad2daadbf First cut at creating access rules and removing them when they expire (not sure I like this implementation but it is a start). 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@214 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-05-17 01:27:26 +00:00
Damien Stuart
83a10b96f6 Started firewall rule processing. Added rule initialization. Added some of the initial routines for external command execution with ability to capture stdout, stderr, and exit status. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@211 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-04-12 12:41:57 +00:00
Damien Stuart
f3c33c273b Added an initial fwknopd.8 man page (and source asciidoc). Added the --locale and --no-locale command-line option support. The set_config_entry function now allows setting a config entry to NULL to clear and free it. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@209 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-02-09 20:23:42 +00:00
Damien Stuart
e3bd3b703e Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decyption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@203 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-30 20:22:53 +00:00
Damien Stuart
4e12808345 Added support for multiple GPG_REMOTE_ID values from access.conf (still need to implement the use of those however). Also, went back to support colons (:) as an optional part of the access.conf parameter name (better to keep backward compatibility). 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@192 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-11 01:33:38 +00:00
Michael Rash
11cedcf3eb Added --access-file command line arg to fwknopd so that the path to the 
access.conf file can be specified from the command line.


git-svn-id: file:///home/mbr/svn/fwknop/trunk@187 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-04 04:08:58 +00:00
Damien Stuart
055aa365cb Added access.conf handling and processing. Added a new acces.conf parameter: RESTRICT_PORTS for specifying 1 or more proto/ports that are explicitly not allowed. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@183 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-04 00:20:19 +00:00
Michael Rash
ba68afc37b added Id tag expansion 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@181 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-03 04:52:25 +00:00
Michael Rash
153a0964e2 Added --packet-limit to fwknopd so that the number of incoming candidate 
SPA packets can be limited from the command line.  When this limit is
reached (any packet that contains application layer data and passes the
pcap filter is included in the count) then fwknopd exits.



git-svn-id: file:///home/mbr/svn/fwknop/trunk@179 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-03 04:37:37 +00:00
Damien Stuart
909ff4eaec Added check for and create of run dir and/or basename of digest_cache (if different from run dir). Added set_locale() call based on LOCALE setting in the conf file. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@177 510a4753-2344-4c79-9c09-4d669213fbeb
 2010-01-02 16:42:07 +00:00
Damien Stuart
d8dc9be941 Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only of ENABLE_DIGEST_PERSISTENCE is "Y". 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@176 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-12-29 20:16:52 +00:00
Damien Stuart
f6b98cab87 The default conf and run directories are captured from the autoconf output. Added post install hook to create the xxx/var/run/fwknop directory (which works, but breaks the "make distcheck" feature of autoconf). Changed order of config processing and set conf struct for some default and overridden parameters so they will be shown properly when -D is used. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@171 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-12-18 13:43:49 +00:00
Damien Stuart
8b4b55fa44 Added stubs and some handling for signals. SIGHUP induces the re-reading the configs and restarting the capture loop. SIGTERM and SIGINT simply trigger a graceful exit. Trimmed some more of the configuration options. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@152 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-10-11 17:42:45 +00:00
Damien Stuart
5a72c4fca7 Updates and enhancements to logging functions. Now log_msg writes only to stderr when running in foreground. Default log facility is LOG_DAEMON. Config file options of ENABLE_PACP_PROMISC, HOSTNAME, SYSLOG_IDENTITY, and SYSLOG_FACILITY are processed. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@150 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-09-27 15:09:41 +00:00
Damien Stuart
61c243f827 Added some more (stubbed-in) server code and functions. Minor doc tweak. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@148 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-09-14 00:38:31 +00:00
Damien Stuart
0c87e7395f Added override config handling and updated the config_init routines to parse everything in the correct order (i.e. config file, override configs, then command-line). 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@139 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-09-05 17:32:15 +00:00
Damien Stuart
998fe8da0a Added more server command-line and config file processing code. Updated autoconf config for new checks and files. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@138 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-09-05 02:54:42 +00:00
Damien Stuart
791eb4055b Added check for libpcap. More stubbing in on the server code side. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@137 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-09-04 21:14:44 +00:00
Damien Stuart
5b3f6f07da Forgot to add the server dir. 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@128 510a4753-2344-4c79-9c09-4d669213fbeb
 2009-08-09 15:45:45 +00:00