Release Notes: Support was added for ipfw "sets" on FreeBSD and Mac OS X systems. A segfault on Debian systems that was exposed in some circumstances with older versions of libpcap was fixed. The --icmp-type and --icmp-code command line arguments were added for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Support was added for multiple include/exclude test identifying strings (separated by commas).
Release Notes: The ability to send SPA packets over HTTP requests was added. The fwknopd server was updated to support sniffing interfaces that have no IP address assigned, and also to support sniffing ppp interfaces on Linux systems. A bug was fixed so that the check_commands() function properly constructs a hash reference for the "include" command list when checking for the mail command. A bug was fixed to add --Override configuration support to knopwatchd. A bug was fixed to properly support SPA packets over ICMP.
Release Notes: Support was added to fwknop for the Linux "any" interface, which allows SPA packets to be received on multiple interfaces on a Linux system. Support was added for interfacing fwknop with third party software through the addition of three new variables in the access.conf file (or set globally in the fwknop.conf file): EXTERNAL_CMD_OPEN, EXTERNAL_CMD_CLOSE, and EXTERNAL_CMD_ALARM. The IPTables::* modules were updated to the latest versions, which are now available via CPAN as well. IPT_EXEC_STYLE was added to control the execution method used for iptables commands in the IPTables::ChainMgr module.
Release Notes: This release adds support for gpg2 and fixes a bug where fwknop would allow GnuPG to reference an options file (new directives --gpg-use-options and GPG_USE_OPTIONS were added to override this). The Windows UI has been updated to fix a bug in the timezone calculation from the Windows system sending an SPA packet. GnuPG 'hQ' base64 encoded prefixes are configurable. A bug in the handling of blacklisted IP addresses has been fixed. The path to gpg or gpg2 is configurable via the command line or access.conf file (so SOURCE stanzas can reference different gpg paths).
Release Notes: The NetPacket module dependency was removed since fwknopd now decodes packet headers itself. All Perl modules were moved into the deps/ directory so that it is easy to build fwknop on distributions where Perl modules are already available as a separate package. Base64 data in SPA messages is validated better before running the data through decryption routines. The ability to ignore GnuPG options was added with --gpg-no-options on the fwknop client command line and GPG_NO_OPTIONS for the fwknopd server.
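The "validate base64 before decrypting" step mentioned in the note above, as an added Python illustration that is not fwknop's own (Perl) code. The size bounds, the 16-byte cipher block check and the `decrypt` callback are assumptions chosen for this example; the point is that malformed or oversized input is rejected before any decryption routine is ever invoked.

```python
"""Validate base64 SPA data before handing it to a decryption routine.

Added example, not fwknop's own code: it illustrates the "validate before
decrypt" step. Size limits and the 16-byte block check are assumptions.
"""
import base64
import binascii
import re
from typing import Callable, Optional

# Strict base64 alphabet; '=' padding may only appear at the very end.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

MIN_ENCODED_LEN = 32      # assumed lower bound for an encoded SPA payload
MAX_ENCODED_LEN = 4096    # assumed upper bound
CIPHER_BLOCK_SIZE = 16    # assumed: AES/Rijndael block size of the CBC payload


def validate_spa_base64(encoded: str) -> Optional[bytes]:
    """Return the decoded bytes if `encoded` is well-formed base64 within the
    size limits and decodes to whole cipher blocks; otherwise return None.
    Nothing here touches a cipher: garbage is refused before decryption runs."""
    if not isinstance(encoded, str):
        return None
    if not (MIN_ENCODED_LEN <= len(encoded) <= MAX_ENCODED_LEN):
        return None
    if len(encoded) % 4 != 0:          # base64 always comes in 4-char groups
        return None
    if not _B64_RE.fullmatch(encoded):  # no stray bytes, no padding mid-string
        return None
    try:
        # validate=True makes the decoder reject non-alphabet characters
        # instead of silently discarding them.
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A CBC-encrypted payload is a whole number of cipher blocks once decoded
    # (assumed block size); anything else cannot be a valid SPA message.
    if len(raw) == 0 or len(raw) % CIPHER_BLOCK_SIZE != 0:
        return None
    return raw


def decode_spa_message(encoded: str,
                       decrypt: Callable[[bytes], Optional[bytes]]) -> Optional[bytes]:
    """Call the (hypothetical) `decrypt` routine only after validation passes."""
    raw = validate_spa_base64(encoded)
    if raw is None:
        return None
    return decrypt(raw)


# Constructed sample payload: 48 bytes of 'A', which encodes to 64 characters.
SAMPLE_ENCODED = base64.b64encode(b"A" * 48).decode("ascii")

if __name__ == "__main__":
    print(validate_spa_base64(SAMPLE_ENCODED) is not None)   # True
    print(validate_spa_base64(SAMPLE_ENCODED + "!"))         # None
```

The length, alphabet and block-multiple checks are cheap and deterministic, so an attacker probing the server with junk never reaches the comparatively expensive and error-prone decryption code path.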
Release Notes: This release implemented various strategies for making it harder to detect SPA traffic on the wire even if an IDS is watching. Full support was added to the test suite for testing port knocking authentication. Code was added for randomizing the UDP source port for all SPA packets generated by the fwknop client. A --test-include argument was added to the test suite so that certain classes of tests can be executed independently. The port knocking mode was updated to parse an iptables log file directly without needing to send iptables log messages to a named pipe via syslog.
Release Notes: This release adds the LOCALE variable to fwknop.conf and sets the "C" locale by default so that gpg process output is always correctly interpreted, removes the legacy knopmd.conf file since knopmd (which is only used in the legacy port knocking mode) uses the fwknop.conf file instead, and updates Crypt::CBC to 2.29, Crypt::Rijndael to 1.06, GnuPG::Interface to 0.36, and Net::RawIP to 0.23.
Release Notes: Two new port randomization features, --NAT-rand-port and --rand-port, were added to allow fwknop clients to request a random port to be assigned both for the SPA packet destination port and for the forwarded port in a NAT operation against an incoming connection. This makes traffic analysis of the SPA system more difficult. A bug was fixed to add a check for "keep-state" in ipfw policies in addition to the existing "check-state" check. It is now possible to specify the port that SPA packets are sent over with the fwknop client by using the syntax "<host|IP>:<port>".
Release Notes: MASQUERADE and SNAT support were added to complement inbound DNAT connections for SPA packets that request --Forward-access to internal systems. A hex_dump() feature was added for the fwknop client so that raw encrypted SPA packet data is displayed in --verbose mode. When ENABLE_IPT_FORWARDING is set, a check was added for the value of the /proc/sys/net/ipv4/ip_forward file to ensure that the local system allows packets to be forwarded. Unless ENABLE_PROC_IP_FORWARD is disabled, fwknopd will automatically set the ip_forward file to "1" if it is set to "0".
Release Notes: The "Salted__" prefix was removed from Crypt::CBC encrypted SPA messages. More granular source IP and allowed IP tests were added so that access to particular internal IP addresses can be excluded in --Forward-access mode. A new keyword, INTERNAL_NET_ACCESS, is now parsed from the access.conf file in order to implement these restrictions. BLACKLIST functionality was added to allow source IP addresses to be excluded from the authentication process easily. Firewall rule access timeouts that are defined by the fwknop client were added. SHA-256 and SHA-1 digest algorithms were added for replay attack detection.
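The server-side checks described in this note (BLACKLIST exclusion of source addresses, digest-based replay detection, and a client-defined access timeout), as an added Python illustration rather than fwknop's own Perl implementation. The comma-separated blacklist syntax, the bounded digest cache, and the policy of capping the client's requested timeout at a server maximum are assumptions made for this example.

```python
"""SPA acceptance checks: blacklist, replay detection by digest, access timeout.

Added example, not fwknop's own code. Blacklist syntax, cache eviction policy
and the timeout cap are assumptions for this illustration.
"""
import hashlib
import ipaddress
from collections import OrderedDict
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ReplayCache:
    """Bounded cache of digests of SPA packets already accepted. A packet whose
    digest is already present is a replay and must be rejected. SHA-256 is the
    default; SHA-1 is accepted because the note lists both algorithms."""

    def __init__(self, algorithm: str = "sha256", max_entries: int = 10000):
        if algorithm not in ("sha256", "sha1"):
            raise ValueError("unsupported digest algorithm: %s" % algorithm)
        self.algorithm = algorithm
        self.max_entries = max_entries
        self._seen: "OrderedDict[str, None]" = OrderedDict()

    def digest(self, packet: bytes) -> str:
        return hashlib.new(self.algorithm, packet).hexdigest()

    def check_and_record(self, packet: bytes) -> bool:
        """Return True if the packet is new (and remember it), False on replay."""
        d = self.digest(packet)
        if d in self._seen:
            return False
        self._seen[d] = None
        if len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)   # evict the oldest entry (assumed policy)
        return True


def parse_blacklist(spec: str) -> List[Network]:
    """Parse a comma-separated list of addresses or CIDR blocks (assumed syntax)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def is_blacklisted(src_ip: str, blacklist: List[Network]) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in blacklist)


def resolve_timeout(client_timeout: Optional[int], default: int, maximum: int) -> int:
    """Honour a client-supplied access timeout, but never exceed the server cap
    (assumed policy: the client may shorten access, not extend it indefinitely)."""
    if client_timeout is None or client_timeout <= 0:
        return default
    return min(client_timeout, maximum)


def evaluate_spa(packet: bytes, src_ip: str, cache: ReplayCache,
                 blacklist: List[Network], client_timeout: Optional[int] = None,
                 default_timeout: int = 30, max_timeout: int = 300) -> Tuple[str, object]:
    """Decide whether an SPA packet earns a firewall rule and for how long.
    The blacklist is consulted first so that excluded sources never populate
    the replay cache."""
    if is_blacklisted(src_ip, blacklist):
        return ("reject", "source blacklisted")
    if not cache.check_and_record(packet):
        return ("reject", "replay detected")
    return ("accept", resolve_timeout(client_timeout, default_timeout, max_timeout))


if __name__ == "__main__":
    # Constructed sample inputs: documentation-range addresses and fake packet bytes.
    bl = parse_blacklist("203.0.113.0/24, 198.51.100.7")
    cache = ReplayCache()
    pkt = b"constructed-encrypted-spa-bytes-0001"
    print(evaluate_spa(pkt, "192.0.2.10", cache, bl, client_timeout=60))   # ('accept', 60)
    print(evaluate_spa(pkt, "192.0.2.10", cache, bl))                      # replay
    print(evaluate_spa(b"other", "203.0.113.5", cache, bl))                # blacklisted
```

Ordering matters: checking the blacklist before the replay cache keeps excluded sources from consuming cache entries, and recording the digest only on acceptance means a packet rejected for another reason can still be evaluated later if policy changes.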