All releases of fwknop


Release Notes: This is the production release of the fwknop C rewrite. It brings Single Packet Authorization to three different Open Source firewalls (iptables, ipfw, and pf), embedded systems, and mobile devices. The fwknopd server runs on Linux, Mac OS X, FreeBSD, and OpenBSD. The client runs on all of these platforms as well as Android, the iPhone, and Cygwin under Windows. In addition, the client is portable, and can be compiled as a native Windows binary.


Release Notes: This release adds OpenBSD PF support, adds a new FORCE_NAT mode to transparently force authenticated connections to specified internal systems, adds a comprehensive test suite, and adds the ability to automatically expire SPA keys. Several memory handling bugfixes were made.


Release Notes: The FKO module that is part of the libfko library was fully integrated for all SPA routines: encryption/decryption, digest calculation, replay attack detection, etc. The ability to recover from interface error conditions was added, such as when fwknopd sniffs a ppp interface (say, associated with a VPN) that goes away and then is recreated. The fwknop client was updated to include the SPA destination before DNS resolution when sending an SPA packet over an HTTP request.


Release Notes: Support was added for ipfw "sets" on FreeBSD and Mac OS X systems. A segfault on Debian systems that was exposed in some circumstances with older versions of libpcap was fixed. The --icmp-type and --icmp-code command line arguments were added to the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Support was added for multiple include/exclude test-identifying strings (separated by commas).


Release Notes: The ability to send SPA packets over HTTP requests was added. The fwknopd server was updated to support sniffing interfaces that have no IP address assigned, and also to support sniffing ppp interfaces on Linux systems. A bug was fixed so that the check_commands() function properly constructs a hash reference for the "include" command list when checking for the mail command. A bug was fixed to add --Override configuration support to knopwatchd. A bug was fixed to properly support SPA packets over ICMP.


Release Notes: Support was added to fwknop for the Linux "any" interface, which allows SPA packets to be received on multiple interfaces on a Linux system. Support was added for interfacing fwknop with third party software through the addition of three new variables in the access.conf file (or set globally in the fwknop.conf file): EXTERNAL_CMD_OPEN, EXTERNAL_CMD_CLOSE, and EXTERNAL_CMD_ALARM. The IPTables::* modules were updated to the latest versions, which are now available via CPAN as well. IPT_EXEC_STYLE was added to control the execution method used for iptables commands in the IPTables::ChainMgr module.


Release Notes: This release adds support for gpg2 and fixes a bug where fwknop would allow GnuPG to reference an options file (the new --gpg-use-options directive and GPG_USE_OPTIONS variable were added to override this). The Windows UI has been updated to fix a bug in the timezone calculation on the Windows system sending an SPA packet. The GnuPG 'hQ' base64-encoded prefixes are configurable. A bug in the handling of blacklisted IP addresses has been fixed. The path to gpg or gpg2 is configurable via the command line or the access.conf file (so SOURCE stanzas can reference different gpg paths).


Release Notes: The NetPacket module dependency was removed since fwknopd now decodes packet headers itself. All Perl modules were moved into the deps/ directory so that it is easy to build fwknop on distributions where Perl modules are already available as a separate package. Base64 data in SPA messages is validated better before running the data through decryption routines. The ability to ignore GnuPG options was added with --gpg-no-options on the fwknop client command line and GPG_NO_OPTIONS for the fwknopd server.


Release Notes: This release implements various strategies for making SPA traffic harder to detect on the wire even when an IDS is watching. Full support was added to the test suite for testing port knocking authentication. Code was added to randomize the UDP source port for all SPA packets generated by the fwknop client. A --test-include argument was added to the test suite so that certain classes of tests can be executed independently. The port knocking mode was updated to parse an iptables log file directly, without needing to send iptables log messages to a named pipe via syslog.


Release Notes: This release adds the LOCALE variable to fwknop.conf and sets the "C" locale by default so that gpg process output is always correctly interpreted, removes the legacy knopmd.conf file since knopmd (which is only used in the legacy port knocking mode) uses the fwknop.conf file instead, and updates Crypt::CBC to 2.29, Crypt::Rijndael to 1.06, GnuPG::Interface to 0.36, and Net::RawIP to 0.23.