Commit Graph

59 Commits

Author SHA1 Message Date
Damien Stuart
2a67766589 Added fwknop.spec for rpm builds. Removed the server post install hook as it breaks make distcheck and rpm builds.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@238 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-07 02:32:01 +00:00
Damien Stuart
e9c0f41541 Added installation hook to set the perms on the .conf files to 600 during make install. Minor doc tweak.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@235 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-06 00:59:33 +00:00
Damien Stuart
8129f86ddd More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Removed the HOSTNAME parameter as it was not used.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@232 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-04 21:12:51 +00:00
Damien Stuart
5f1f0650ea Put locale code back in. More cleanup of config directives and options.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@231 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-04 13:34:31 +00:00
Damien Stuart
b6c57aa6a0 Changed the way running external commands are handled to address issues with it not working on some systems/configurations. Just using system and popen, and fw commands are run with stdout and stderr tied together.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@230 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-03 02:07:28 +00:00
Damien Stuart
14e844f3f2 Updates to TCP server to close the lock file handle, use a non-blocking socket, and detect when the parent fwknop dies so it can exit as well.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@228 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-01 03:12:32 +00:00
Damien Stuart
b217c6a1fa Added the GPG signature checking code. Added GPG_REQUIRE_SIG and GPG_IGNORE_SIG_VERIFY_ERROR parameters to access.conf. Implemented the checking of GPG signature IDs against the GPG_REMOTE_ID list.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@227 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-29 02:40:59 +00:00
Damien Stuart
b7ede1625d Added support for COMMAND_MSG requests. Also added CMD_EXEC_USER to access.conf to allow for fwknopd to setuid to the specified user before running the command. Other minor tweaks.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@226 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-29 01:00:11 +00:00
Damien Stuart
b95d222d3c More tweaks, clean-up and documentation tweaks for the first release. Made client http-proxy option allow case insensitive match and to take an option :port as part of the argument.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@225 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-27 21:07:56 +00:00
Damien Stuart
fe09438921 Start of cleanup for beta release candidate. Removed locale-related code (for now) as it was breaking some things like logging. Removed some unimplemented and/or unused parameters and config directives (as well as their respective documentation references). Added a --rotate-digest-cache command-line arg to force a rename of the digest cache file and start a new one.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@224 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-24 02:31:36 +00:00
Damien Stuart
b57ada4c16 More updates to take care of warnings on Ubuntu systems (fixes for common sense warnings that should have come up on my Fedora system but didn't).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@223 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-22 01:28:49 +00:00
Damien Stuart
aef097a31f Some tweaks to the sigchld handling in the server. Other misc minor cleanup.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@222 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-22 01:14:42 +00:00
Damien Stuart
68b171ddd4 More tweaks. Added SIGCHLD handler and code to try to restart the TCP server if it dies for whatever reason.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@221 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-21 03:24:27 +00:00
Damien Stuart
315f3e6778 Tweak to client usage message output. Added TCP server functionality to the server (call it a first cut).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@220 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-20 23:15:52 +00:00
Damien Stuart
3915f1b7aa Added support for parsing and processing SPA requests over HTTP. Beefed up verbose logging a bit. Added some more sanity checks on the validity of incoming SPA data before attempting to decode.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@219 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-20 15:22:41 +00:00
Damien Stuart
dc6058d3a5 Tweaked firewall rule creation code. Added SNAT/MASQUERADE support. Fixed rule processing code so an INPUT rule was not created for NAT request. Still needs more review and testing.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@217 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-16 03:12:00 +00:00
Damien Stuart
579ec77698 Added support for FWKNOP_OUTPUT_ACCESS and NAT_ACCESS modes (still needs testing and tweaking).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@216 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-15 02:50:17 +00:00
Damien Stuart
fa12602f09 Very minor comment and code tweaks (mostly just an excuse to test the relocation of the svn server).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@215 510a4753-2344-4c79-9c09-4d669213fbeb
2010-06-08 02:02:44 +00:00
Damien Stuart
aad2daadbf First cut at creating access rules and removing them when they expire (not sure I like this implementation but it is a start).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@214 510a4753-2344-4c79-9c09-4d669213fbeb
2010-05-17 01:27:26 +00:00
Damien Stuart
bf9e165165 Added the fwknopd.8 man page.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@213 510a4753-2344-4c79-9c09-4d669213fbeb
2010-04-25 14:44:01 +00:00
Damien Stuart
0008cdc86c Minor tweaks to firewall rules processing and external command execution code.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@212 510a4753-2344-4c79-9c09-4d669213fbeb
2010-04-14 01:59:02 +00:00
Damien Stuart
83a10b96f6 Started firewall rule processing. Added rule initialization. Added some of the initial routines for external command execution with ability to capture stdout, stderr, and exit status.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@211 510a4753-2344-4c79-9c09-4d669213fbeb
2010-04-12 12:41:57 +00:00
Damien Stuart
9282a0fd29 Changed to fix possible double-free bug under some circumstances.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@210 510a4753-2344-4c79-9c09-4d669213fbeb
2010-03-14 03:45:03 +00:00
Damien Stuart
f3c33c273b Added an initial fwknopd.8 man page (and source asciidoc). Added the --locale and --no-locale command-line option support. The set_config_entry function now allows setting a config entry to NULL to clear and free it.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@209 510a4753-2344-4c79-9c09-4d669213fbeb
2010-02-09 20:23:42 +00:00
Damien Stuart
d0373a5b33 Fixed libfko so gpgme engine is gpg by default. Added functions to libfko to set/get path to gpgme engine. Fixed some memory leaks. Reworked the get_user_pw routine. Added code in fwknopd to put back the "hQ" string on the front of incoming GPG-encrypted message data. Removed the previously added pretty-print routine to configure. Updated configure to check for path to gpg executable. Updated docs accordingly.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@205 510a4753-2344-4c79-9c09-4d669213fbeb
2010-02-06 03:43:54 +00:00
Damien Stuart
e3bd3b703e Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decryption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@203 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-30 20:22:53 +00:00
Michael Rash
903f5f466c updated to call dump_access_list() if -D was given to dump config information
git-svn-id: file:///home/mbr/svn/fwknop/trunk@202 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-20 01:34:23 +00:00
Michael Rash
e8b875789b Update to call parse_proto_and_port() before allocating a new port list. This
fixes the following stack trace when generating an SPA packet that contains
"none/0" for the port list:

Program received signal SIGABRT, Aborted.
0x00007ffff74574b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) where
#0  0x00007ffff74574b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff745af50 in *__GI_abort () at abort.c:92
#2  0x00007ffff748fc97 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff7499dd6 in malloc_printerr (action=3, str=0x7ffff755b748 "double free or corruption (fasttop)", ptr=<value optimized out>) at malloc.c:6217
#4  0x00007ffff749e74c in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3716
#5  0x000000000040570c in free_acc_port_list (acc=0x60a1c0, port_str=0x7fffffffdc20 "none/0") at access.c:390
#6  acc_check_port_access (acc=0x60a1c0, port_str=0x7fffffffdc20 "none/0") at access.c:892
#7  0x0000000000403f4a in incoming_spa (opts=<value optimized out>) at incoming_spa.c:229
#8  0x00000000004041eb in pcap_capture (opts=0x7fffffffde40) at pcap_capture.c:155
#9  0x0000000000402ba7 in main (argc=9, argv=0x7fffffffe6e8) at fwknopd.c:241
git-svn-id: file:///home/mbr/svn/fwknop/trunk@201 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-20 01:20:36 +00:00
Michael Rash
daca01a2c6 Added minor validation code to access.conf parsing to ensure that a SOURCE stanza
begins with the SOURCE variable and that there is at least one usage of the
OPEN_PORTS and KEY variables.  The OPEN_PORTS requirement might be relaxed when
PERMIT_CLIENT_PORTS handling is added.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@199 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-19 02:51:37 +00:00
Michael Rash
ca531c3dcc bug fix in --packet-limit handling to ensure multi-packet processing when the arg is not used
git-svn-id: file:///home/mbr/svn/fwknop/trunk@198 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-19 02:48:41 +00:00
Michael Rash
1092e6ef46 * Fixed a few minor warnings like the following:
cipher_funcs.c:85: warning: ignoring return value of ‘fread’, declared with attribute warn_unused_result

A few of these were in code in the lib/ directory, and required adding a
new error code 'FKO_ERROR_FILESYSTEM_OPERATION' and associated error
string 'Read/write bytes mismatch'.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@195 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-16 14:59:36 +00:00
Damien Stuart
4e12808345 Added support for multiple GPG_REMOTE_ID values from access.conf (still need to implement the use of those however). Also, went back to supporting colons (:) as an optional part of the access.conf parameter name (better to keep backward compatibility).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@192 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-11 01:33:38 +00:00
Michael Rash
b32c23e12e added -a arg to fwknopd usage() output
git-svn-id: file:///home/mbr/svn/fwknop/trunk@189 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-06 00:53:23 +00:00
Michael Rash
11cedcf3eb Added --access-file command line arg to fwknopd so that the path to the
access.conf file can be specified from the command line.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@187 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-04 04:08:58 +00:00
Damien Stuart
055aa365cb Added access.conf handling and processing. Added a new access.conf parameter: RESTRICT_PORTS for specifying 1 or more proto/ports that are explicitly not allowed.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@183 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-04 00:20:19 +00:00
Michael Rash
ba68afc37b added Id tag expansion
git-svn-id: file:///home/mbr/svn/fwknop/trunk@181 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-03 04:52:25 +00:00
Michael Rash
153a0964e2 Added --packet-limit to fwknopd so that the number of incoming candidate
SPA packets can be limited from the command line.  When this limit is
reached (any packet that contains application layer data and passes the
pcap filter is included in the count) then fwknopd exits.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@179 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-03 04:37:37 +00:00
Michael Rash
9e4efa55ba minor update to include the -f arg in the usage() output
git-svn-id: file:///home/mbr/svn/fwknop/trunk@178 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-03 02:00:26 +00:00
Damien Stuart
909ff4eaec Added check for and creation of run dir and/or basename of digest_cache (if different from run dir). Added set_locale() call based on LOCALE setting in the conf file.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@177 510a4753-2344-4c79-9c09-4d669213fbeb
2010-01-02 16:42:07 +00:00
Damien Stuart
d8dc9be941 Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE_SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only if ENABLE_DIGEST_PERSISTENCE is "Y".
git-svn-id: file:///home/mbr/svn/fwknop/trunk@176 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-29 20:16:52 +00:00
Damien Stuart
861c0e8e1a Autoconf updates for detecting locally installed program paths and changes to facilitate portability. Also set AM_MAINTAINER_MODE so we are not forced to regen/reconfigure when we change one of the autoconf source files (but we do now need to remember to do it ourselves before making a new dist).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@172 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-28 03:20:55 +00:00
Damien Stuart
f6b98cab87 The default conf and run directories are captured from the autoconf output. Added post install hook to create the xxx/var/run/fwknop directory (which works, but breaks the "make distcheck" feature of autoconf). Changed order of config processing and set conf struct for some default and overridden parameters so they will be shown properly when -D is used.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@171 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-18 13:43:49 +00:00
Damien Stuart
814d7d3565 Fixed bug in signal handling when libpcap version 1.0 is used. Minor doc update.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@170 510a4753-2344-4c79-9c09-4d669213fbeb
2009-12-07 03:48:53 +00:00
Damien Stuart
5cf8813eac Updated digest cache to store additional information including src ip, created, first_replay, last_replay, and replay count.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@163 510a4753-2344-4c79-9c09-4d669213fbeb
2009-11-02 01:46:56 +00:00
Damien Stuart
34745aa8be Fixed missed MY_DBM_CLOSE call
git-svn-id: file:///home/mbr/svn/fwknop/trunk@155 510a4753-2344-4c79-9c09-4d669213fbeb
2009-10-18 14:35:28 +00:00
Damien Stuart
4b8e3e974b Changed digest cache to use gdbm directly with fallback to ndbm (still not tested).
git-svn-id: file:///home/mbr/svn/fwknop/trunk@154 510a4753-2344-4c79-9c09-4d669213fbeb
2009-10-18 14:26:06 +00:00
Damien Stuart
8c1261ca39 Fixed memory leak issue in libfko when fko_new_with_data() was called with a bad key. Added autoconf checks for gdbm with fallback to ndbm for server builds. Added digest cache capability using gdbm (in ndbm compatibility mode) or ndbm for replay detection.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@153 510a4753-2344-4c79-9c09-4d669213fbeb
2009-10-16 02:23:02 +00:00
Damien Stuart
8b4b55fa44 Added stubs and some handling for signals. SIGHUP induces re-reading the configs and restarting the capture loop. SIGTERM and SIGINT simply trigger a graceful exit. Trimmed some more of the configuration options.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@152 510a4753-2344-4c79-9c09-4d669213fbeb
2009-10-11 17:42:45 +00:00
Damien Stuart
e399f39c39 Updated sniffer to be able to handle the linux "any" interface.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@151 510a4753-2344-4c79-9c09-4d669213fbeb
2009-09-28 00:33:09 +00:00
Damien Stuart
5a72c4fca7 Updates and enhancements to logging functions. Now log_msg writes only to stderr when running in foreground. Default log facility is LOG_DAEMON. Config file options of ENABLE_PCAP_PROMISC, HOSTNAME, SYSLOG_IDENTITY, and SYSLOG_FACILITY are processed.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@150 510a4753-2344-4c79-9c09-4d669213fbeb
2009-09-27 15:09:41 +00:00