This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
This commit adds an AppArmor policy that is known to work in Debian and Ubuntu
systems. The original version of this policy was contributed by Radostan Riedel
to the fwknop mailing list.
This change allows fwknopd to write syslog messages to traditional syslog files
while running under upstart. Not forking into the background resulted in
messages meant for syslog were captured under /var/log/upstart/fwknop.log.
For the upstart config make sure only start fwknopd after a non-loopback
network interface is brought up. Also added a commented post-start script
to send an email whenever fwknopd is (re)started.
fwknop can be easily managed with upstart with the addition of this config.
Here is an example:
# service fwknop start
fwknop start/running, process 4269
With the --help command line argument, the following information is printed:
$ ./fwknop-launcher-lsof.pl --help
Usage: fwknop-launcher-lsof.pl [options]
Options:
-c, --config <file> - Path to fwknop-launcher.conf config file.
-l, --lsof-cmd <path> - Path to lsof command.
-f, --fwknop-cmd <path> - Path to fwknop client command.
-s, --sleep <seconds> - Specify sleep interval (default:
1 seconds)
-n --no-daemon - Run in foreground mode.
-u, --user <username> - Specify username (usually this is not
needed).
--home-dir <dir> - Path to user's home directory (usually
this is not needed).
-v --verbose - Print verbose information to the terminal
(requires --no-daemon).
--help - Print usage info and exit.
The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
lightweight daemon that allows the user to not have to manually run the fwknop
client when attempting to gain access to a service that is protected by Single
Packet Authorization via fwknopd. This is accomplished by checking the output
of lsof to look for pending connections in the SYN_SENT state, which (usually)
indicate that a remote firewall is blocking the attempted connection. At this
point, the launcher executes the fwknop client with the --get-key arg (so the
user must place the key in the local filesystem) to generate an SPA packet for
the attempted connection. The remote fwknopd daemon will reconfigure the
firewall to allow temporary access, and this usually happens fast enough that
the original connection attempt will then succeed.
The idea for this was originally for a pcap-based connection watcher by
Sebastien Jeanquier.
Applied a patch sent from Jonathan Bennett to add fwknop-2.0.0rc2 support to
openwrt. One thing to note about this patch is that the +libgdbm library
dependency has been removed because fwknop now implements its own digest
tracking file without needing gdbm/ndbm on the system.
