This commit begins development on a comprehensive test suite for fwknop.
The initial tests are focused on compilation correctness and security options
as determined by the "hardening-check" script from Kees Cook of the Debian
security team.
With the --help command line argument, the following information is printed:
$ ./fwknop-launcher-lsof.pl --help
Usage: fwknop-launcher-lsof.pl [options]
Options:
-c, --config <file> - Path to fwknop-launcher.conf config file.
-l, --lsof-cmd <path> - Path to lsof command.
-f, --fwknop-cmd <path> - Path to fwknop client command.
-s, --sleep <seconds> - Specify sleep interval (default:
1 seconds)
-n --no-daemon - Run in foreground mode.
-u, --user <username> - Specify username (usually this is not
needed).
--home-dir <dir> - Path to user's home directory (usually
this is not needed).
-v --verbose - Print verbose information to the terminal
(requires --no-daemon).
--help - Print usage info and exit.
The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
lightweight daemon that allows the user to not have to manually run the fwknop
client when attempting to gain access to a service that is protected by Single
Packet Authorization via fwknopd. This is accomplished by checking the output
of lsof to look for pending connections in the SYN_SENT state, which (usually)
indicate that a remote firewall is blocking the attempted connection. At this
point, the launcher executes the fwknop client with the --get-key arg (so the
user must place the key in the local filesystem) to generate an SPA packet for
the attempted connection. The remote fwknopd daemon will reconfigure the
firewall to allow temporary access, and this usually happens fast enough that
the original connection attempt will then succeed.
The idea for this was originally for a pcap-based connection watcher by
Sebastien Jeanquier.
Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only relocations
and immediate bindings for FreeBSD systems (and the same was done for OpenBSD
systems too). This commit adds these security features back in as linker
options by only changing LDFLAGS as opposed to also adding the corresponding
flags to CFLAGS. The end result is that the following errors are fixed:
gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
In the fw_config struct the active_rules member is unsigned, so this change
ensures that we don't try to decrement it below zero whenever a firewall rule
is deleted or an error condition occurs.
Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed.
This commit adds the ability to fwknopd to delete PF rules after the SPA timer
expires. The strategy implemented is similar to iptables and ipfw, except
that all PF rules are added to an 'anchor', and deleting a specific expired
rule is done by listing all rules in the anchor and reinstantiating it via
'pfctl -a <anchor> -f -' with the expired rule deleted. fwknopd uses the
"_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
interfaces with iptables (via the 'comment' match), and ipfw (via the
"//<comment>" feature).
This commit implements the ability to add PF firewall rules to the fwknop
anchor after a valid SPA packet is sniffed off the wire. A subsequent commit
will add the ability to delete these rules.
This commit ensures that for PF firewalls that the fwknop anchor is active and
linked into the running PF policy. This is accomplished by looking for the
string 'anchor "fwknop"' in the output of "pfctl -s rules". If the anchor
exists, then fwknopd will be able to influence traffic via rules added and
removed from the fwknop anchor.
Similarly to FreeBSD systems, gcc throws the following warnings with read-only
relcations and immediate binding protections - disbabled for now:
gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done
Added version specific ChangeLog, ShortLog, and diffstat files (these go all
the way back to the beginning of the svn import since 2.0.0 will be the
first official non-"rc" release of the new C code).
This commit fixes an issue on ipfw firewalls where fwknopd would always require
seeing ipfw 'Dynamic' rules associated with newly added connections. But, such
connections may never be established for various reasons. Previous to this
commit the following warning was frequently generated by fwknopd:
Unexpected error: did not find 'Dynamic rules' string in list output.
This commit fixes an issues on systems running the ipfw firewall where the
'set' where fwknopd puts new access rules was attempted to be deleted without
first checking to see whether it exists. The following errors would be
generated (now fixed):
ipfw: rule 16777217: setsockopt(IP_FW_DEL): Invalid argument
Error 17664 from cmd:'/sbin/ipfw delete set 1':
Fatal: Errors detected during ipfw rules initialization.
Bug fix to ensure that the digest.cache file gets created at fwknopd init time
so fwknopd does not throw the following error:
Error opening digest cache file. Incoming digests will not be remembered.
If gpgme is installed on FreeBSD systems it appears that
-I/usr/local/include/gpgme must be added to the include path, but this change
only adds the path if gpgme is installed and going to be used.
gcc on FreeBSD generates the following errors when the -Wl,-z,relro -Wl,-z,now
flags are used:
gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done
This change fixes the following compiler warning that was seen with many of
the source files in server/
fwknopd_common.h:223: warning: ‘config_map’ defined but not used
This commit fixes several compiler warnings like the following (now that -Wall
is the default):
config_init.h:68: warning: ‘cmd_opts’ defined but not used
The ./configure script would generate the following error for the attempted
use of the --without-stackprotector (and other related options like
--without-pie):
configure: WARNING: unrecognized options: --without-stackprotect
