fwknop
fwknop implements an authorization scheme called Single Packet Authorization that requires only a single encrypted packet to communicate various pieces of information, including desired access through an iptables, ipfw, or pf firewall policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap. Also supported is a robust port knocking implementation based around iptables log messages.
| Tags | Networking Firewalls Monitoring Security |
|---|---|
| Licenses | GPL |
| Operating Systems | POSIX Linux |
| Implementation | Perl C Python |
Recent releases
- 03 Jan 2012 18:09
Release Notes: This is the production release of the fwknop C rewrite. It brings Single Packet Authorization to three different Open Source firewalls (iptables, ipfw, and pf), embedded systems, and mobile devices. The fwknopd server runs on Linux, Mac OS X, FreeBSD, and OpenBSD. The client runs on all of these platforms as well as Android, the iPhone, and Cygwin under Windows. In addition, the client is portable, and can be compiled as a native Windows binary.
- 14 Dec 2011 22:35
Release Notes: This release adds OpenBSD PF support, adds a new FORCE_NAT mode to transparently force authenticated connections to specified internal systems, adds a comprehensive test suite, and adds the ability to automatically expire SPA keys. Several memory handling bugfixes were made.
- 09 Sep 2009 13:35
Release Notes: The FKO module that is part of the libfko library was fully integrated for all SPA routines: encryption/decryption, digest calculation, replay attack detection, etc. The ability to recover from interface error conditions was added, such as when fwknopd sniffs a ppp interface (say, associated with a VPN) that goes away and then is recreated. The fwknop client was updated to include the SPA destination before DNS resolution when sending an SPA packet over an HTTP request.
- 13 May 2009 10:10
Release Notes: Support was added for ipfw "sets" on FreeBSD and Mac OS X systems. A segfault on Debian systems that was exposed in some circumstances with older versions of libpcap was fixed. The --icmp-type and --icmp-code command line arguments were added for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Support was added for multiple include/exclude test identifying strings (separated by commas).
- 14 Jan 2009 14:37
Release Notes: The ability to send SPA packets over HTTP requests was added. The fwknopd server was updated to support sniffing interfaces that have no IP address assigned, and also to support sniffing ppp interfaces on Linux systems. A bug was fixed to make sure to properly construct a hash reference for the "include" command list for the check_commands() function when checking for the mail command. A bug was fixed to add --Override configuration support to knopwatchd. A bug was fixed to properly support SPA packets over ICMP.
Recent comments
Re: Extra external IP source
> You can use as IP source also the
> following Webpage:
>
>
>
Thanks, yes that page works great as an additional auto-resolution URL with the --URL option to the fwknop client.
Extra external IP source
You can use as IP source also the following Webpage:
michaelrash
04 Aug 2004 06:50
Heartbeat
- Popularity Score
- 402.66
- Vitality Score
- 50.73
- Subscriptions
- 73
