rpms/fwknop/devel fwknop-1.9.6-initscript.patch, NONE, 1.1 fwknop-1.9.6-no-NetPacket.patch, NONE, 1.1 fwknop-1.9.6-optflags.patch, NONE, 1.1 fwknop-1.9.6-pcap-api.patch, NONE, 1.1 fwknop-1.9.6-serv-config.patch, NONE, 1.1 fwknop.logrotate, NONE, 1.1 fwknop.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2

Peter Vrabec (pvrabec) fedora-extras-commits at redhat.com
Thu Aug 14 09:17:51 UTC 2008


Author: pvrabec

Update of /cvs/extras/rpms/fwknop/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20279

Modified Files:
	.cvsignore sources 
Added Files:
	fwknop-1.9.6-initscript.patch fwknop-1.9.6-no-NetPacket.patch 
	fwknop-1.9.6-optflags.patch fwknop-1.9.6-pcap-api.patch 
	fwknop-1.9.6-serv-config.patch fwknop.logrotate fwknop.spec 
Log Message:
new package uploaded


fwknop-1.9.6-initscript.patch:

--- NEW FILE fwknop-1.9.6-initscript.patch ---
diff -up fwknop-1.9.6/init-scripts/fwknop-init.redhat.initscript fwknop-1.9.6/init-scripts/fwknop-init.redhat
--- fwknop-1.9.6/init-scripts/fwknop-init.redhat.initscript	2006-07-07 06:17:31.000000000 +0200
+++ fwknop-1.9.6/init-scripts/fwknop-init.redhat	2008-08-01 07:11:30.000000000 +0200
@@ -2,7 +2,7 @@
 #
 # Startup script for fwknop
 #
-# chkconfig: 345 99 05
+# chkconfig: - 99 05
 # description: The FireWall KNock OPerator (fwknop)
 # processname: fwknop
 # pidfile: /var/run/fwknopd.pid
@@ -26,7 +26,7 @@ start)
     RETVAL=$?
     echo
     if [ $RETVAL -eq 0 ]; then
-        touch /var/lock/subsys/fwknopd
+        touch /var/lock/subsys/fwknop
     fi
     ;;
 stop)
@@ -36,7 +36,7 @@ stop)
         echo -n "Shutting down the fwknop daemon: "
         killproc fwknopd
     RETVAL=$?
-    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/fwknopd
+    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/fwknop
     echo
     if [ -f /var/run/fwknop/knopmd.pid ]; then
         echo -n "Shutting down the fwknop knopmd daemon: "
@@ -67,10 +67,10 @@ status)
 restart|reload)
     restart
     ;;
-condrestart)
-    [ -f /var/lock/subsys/fwknopd ] && restart || :
+condrestart|try-restart)
+    [ -f /var/lock/subsys/fwknop ] && restart || :
     ;;
 *)
     echo "Usage: fwknop {start|stop|status|restart|reload|condrestart}"
-    exit 1
+    exit 3
 esac
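Review bot: The usage line just above `exit 3` still advertises only `condrestart`, so the `try-restart` alias introduced two lines earlier is invisible to an operator who mistypes an action; change it to `echo "Usage: fwknop {start|stop|status|restart|reload|condrestart|try-restart}"`. The switch to `exit 3` for an unknown action agrees with the LSB init-script convention for an unimplemented feature and can stay. The `case` statement this hunk ends begins outside the hunk.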

fwknop-1.9.6-no-NetPacket.patch:

--- NEW FILE fwknop-1.9.6-no-NetPacket.patch ---
diff -up fwknop-1.9.6/fwknopd.no-NetPacket fwknop-1.9.6/fwknopd
--- fwknop-1.9.6/fwknopd.no-NetPacket	2008-07-19 05:46:42.000000000 +0200
+++ fwknop-1.9.6/fwknopd	2008-08-01 12:43:02.000000000 +0200
@@ -45,11 +45,6 @@ use Crypt::CBC;
 use Unix::Syslog qw(:subs :macros);
 use Net::IPv4Addr qw(ipv4_in_network);
 use Net::Pcap;
-use NetPacket::IP;
-use NetPacket::UDP;
-use NetPacket::TCP;
-use NetPacket::ICMP;
-use NetPacket::Ethernet;
 use IO::Socket;
 use IO::Handle;
 use MIME::Base64;
@@ -392,7 +387,7 @@ sub pcap_process_pkt() {
     my $ip         = '';
     my $src_ip     = '';
     my $proto      = '';
-    my $transport_obj = '';
+    my $transport_data = '';
 
     if ($debug) {
         print STDERR localtime() . " [+] Received packet ***[" .
@@ -420,7 +415,7 @@ sub pcap_process_pkt() {
 
     if ($config{'AUTH_MODE'} eq 'ULOG_PCAP') {
         ### The ulogd pcap writer does not include link layer information
-        $ip = NetPacket::IP->decode($pkt) or return;
+        $ip = &ip_decode($pkt) or return;
     } else {
         if ($config{'FIREWALL_TYPE'} eq 'ipfw' and $cmdline_intf eq 'lo0') {
 
@@ -428,14 +423,14 @@ sub pcap_process_pkt() {
             ### over loopback
             $pkt =~ s/^.{4}// if $pkt =~ /^[^\x45].{3}\x45/;
 
-            $ip = NetPacket::IP->decode($pkt) or return;
+            $ip = &ip_decode($pkt) or return;
         } else {
             if ($PCAP_COOKED_INTF) {
                 $ether_data = unpack("x[16]a*", $pkt);
             } else {
-                $ether_data = NetPacket::Ethernet::strip($pkt) or return;
+                $ether_data = &ethernet_strip($pkt) or return;
             }
-            $ip = NetPacket::IP->decode($ether_data) or return;
+            $ip = &ip_decode($ether_data) or return;
         }
     }
 
@@ -446,11 +441,11 @@ sub pcap_process_pkt() {
     $proto = $ip->{'proto'} or return;
 
     if ($proto == 1) {
-        $transport_obj = NetPacket::ICMP->decode($ip->{'data'});
+        $transport_data = &icmp_decode_data($ip->{'data'});
     } elsif ($proto == 6) {
-        $transport_obj = NetPacket::TCP->decode($ip->{'data'});
+        $transport_data = &tcp_decode_data($ip->{'data'});
     } elsif ($proto == 17) {
-        $transport_obj = NetPacket::UDP->decode($ip->{'data'});
+        $transport_data = &udp_decode_data($ip->{'data'});
     } else {
         return;
     }
@@ -458,10 +453,10 @@ sub pcap_process_pkt() {
     ### make sure we have _some_ data in the packet; in practice
     ### any valid SPA message will be longer than 10 bytes, but this
     ### check is better than nothing
-    return unless defined $transport_obj->{'data'};
+    return if $transport_data eq "";
 
     my $enc_msg_len = 0;
-    $enc_msg_len = length($transport_obj->{'data'});
+    $enc_msg_len = length($transport_data);
     if (10 < $enc_msg_len and $enc_msg_len < 1500) {
         print STDERR localtime() . " [+] Data len: $enc_msg_len bytes\n"
             if $debug;
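Review bot: `return if $transport_data eq "";` is weaker than the `defined` test it replaces: the new helper subs obtain the payload with `substr($pkt, N)`, which returns undef (with a "substr outside of string" warning) when the packet is shorter than N, so a truncated UDP or ICMP packet reaches this line as undef and adds a "Use of uninitialized value" warning instead of returning cleanly. Since the function later calls `&collect_warn_die_msgs()`, such warnings appear to be gathered and reported, which lets an unauthenticated sender generate noise with a few short packets; prefer `return unless defined $transport_data and $transport_data ne "";`. The enclosing `pcap_process_pkt` starts and ends outside the hunk.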
@@ -473,7 +468,7 @@ sub pcap_process_pkt() {
 
     if ($debug) {
         ### make sure not to print non-printable stuff
-        my $data_tmp = $transport_obj->{'data'};
+        my $data_tmp = $transport_data;
         $data_tmp =~ s/[^\x20-\x7e]/NA/g;
         print STDERR localtime() .
             " [+] Raw packet data (single line): $data_tmp\n";
@@ -482,19 +477,82 @@ sub pcap_process_pkt() {
         if ($verbose) {
             print STDERR localtime() .
                 "     Raw packet data (hex dump, minus packet headers):\n";
-            &hex_dump($transport_obj->{'data'});
+            &hex_dump($transport_data);
         }
     }
 
     ### see if this packet is worthy of being granted access through
     ### the firewall
-    &SPA_check_grant_access($src_ip, $enc_msg_len, $transport_obj->{'data'});
+    &SPA_check_grant_access($src_ip, $enc_msg_len, $transport_data);
 
     &collect_warn_die_msgs();
 
     return;
 }
 
+sub ethernet_strip() {
+    my $pkt = shift;
+
+    ### Silently return '' for short frames
+    return substr($pkt, 14);
+}
+
+sub ip_addr_bytes_to_string() {
+    my $bytes = shift;
+
+    my ($a, $b, $c, $d) = unpack('C[4]', $bytes);
+    return "$a.$b.$c.$d";
+}
+
+sub ip_decode() {
+    my $pkt = shift;
+
+    my $ip = {};
+    (my $ver_ihl, $ip->{'tos'}, $ip->{'len'}, $ip->{'id'}, my $flags_frag,
+     $ip->{'ttl'}, $ip->{'proto'}, $ip->{'cksum'}, my $src_ip, my $dest_ip)
+	= unpack("CCnnnCCna[4]a[4]", $pkt);
+    $ip->{'ver'} = $ver_ihl >> 4;
+    $ip->{'hlen'} = $ver_ihl & 0x0F;
+    $ip->{'flags'} = $flags_frag >> 13;
+    $ip->{'foffset'} = ($flags_frag & 0x1FFF) * 8;
+    $ip->{'src_ip'} = &ip_addr_bytes_to_string($src_ip);
+    $ip->{'dest_ip'} = &ip_addr_bytes_to_string($dest_ip);
+    my $data_start = $ip->{'hlen'} * 4;
+    if ($data_start < 20) {
+	$data_start = 20;
+    }
+    $ip->{'data'} = substr($pkt, $data_start);
+    return $ip;
+}
+
+sub icmp_decode_data() {
+    my $icmp = shift;
+
+    ### Silently return '' for short packets
+    return substr($icmp, 4);
+}
+
+sub tcp_decode_data() {
+    my $tcp = shift;
+
+    ### Silently return '' for short packets
+    if (length($tcp) < 20) {
+	return '';
+    }
+    my $data_start = 4 * (ord(substr($tcp, 12, 1)) >> 4);
+    if ($data_start < 20) {
+	$data_start = 20;
+    }
+    return substr($tcp, $data_start);
+}
+
+sub udp_decode_data() {
+    my $udp = shift;
+
+    ### Silently return '' for short packets
+    return substr($udp, 8);
+}
+
 sub SPA_check_grant_access() {
     my ($src_ip, $enc_msg_len, $pkt_data) = @_;
 

fwknop-1.9.6-optflags.patch:

--- NEW FILE fwknop-1.9.6-optflags.patch ---
diff -up fwknop-1.9.6/Makefile~ fwknop-1.9.6/Makefile
--- fwknop-1.9.6/Makefile~	2006-09-03 13:34:28.000000000 +0200
+++ fwknop-1.9.6/Makefile	2008-07-30 10:31:01.000000000 +0200
@@ -24,10 +24,12 @@
 #  $Id: Makefile 512 2006-09-03 11:34:28Z mbr $
 #
 
+OPTS = -Wall -O
+
 ### default
 all : knopmd.c knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c fwknop.h
-	/usr/bin/gcc -Wall -O knopmd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopmd
-	/usr/bin/gcc -Wall -O knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopwatchd
+	/usr/bin/gcc $(OPTS) knopmd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopmd
+	/usr/bin/gcc $(OPTS) knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopwatchd
 
 ### debug mode
 debug : knopmd.c knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c fwknop.h
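Review bot: `-Wall` is dropped whenever `OPTS` is overridden from the command line, which is exactly what the spec on this page does with `make OPTS="$RPM_OPT_FLAGS"`, because the new variable replaces the whole flag set instead of extending it; keeping the warning flag outside the override, `/usr/bin/gcc -Wall $(OPTS) knopmd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopmd` (and the same for knopwatchd), preserves it for both local and distro builds. Passing the distribution flags through is the worthwhile part of the change, since that is what gives the two C daemons the optimisation and hardening options the distro ships, so a comment above the variable would help the next reader: `# OPTS is replaced wholesale by the RPM build (make OPTS="$RPM_OPT_FLAGS")`. The `debug` target whose rule starts on the last line of the hunk is not shown here.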

fwknop-1.9.6-pcap-api.patch:

--- NEW FILE fwknop-1.9.6-pcap-api.patch ---
diff -urN fwknop/fwknopd fwknop-1.9.6/fwknopd
--- fwknop/fwknopd	2008-08-03 15:44:25.000000000 +0200
+++ fwknop-1.9.6/fwknopd	2008-08-03 15:57:00.000000000 +0200
@@ -298,8 +298,8 @@
     ### Check for "cooked" Linux datalink layers (i.e. rp-pppoe)
     eval {
         if (not $PCAP_COOKED_INTF and $Net::Pcap::VERSION > 0.05) {
-            if (Net::Pcap::pcap_datalink_val_to_name(
-                    Net::Pcap::pcap_datalink($pcap_t)) eq 'LINUX_SLL') {
+            if (Net::Pcap::datalink_val_to_name(
+                    Net::Pcap::datalink($pcap_t)) eq 'LINUX_SLL') {
                 print STDERR "[+] Detected Linux Cooked Interface.\n" if $debug;
                 $PCAP_COOKED_INTF = 1;
             }
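Review bot: The renamed calls sit inside an `eval {}` whose outcome is not examined within the hunk, so if `Net::Pcap::datalink_val_to_name` or `Net::Pcap::datalink` is missing from the installed Net::Pcap the resulting die is swallowed, `$PCAP_COOKED_INTF` stays 0, and on a LINUX_SLL capture the 16-byte cooked header is later treated as a 14-byte Ethernet header, which would likely mis-parse every SPA packet without any message. If the code after the eval does not already inspect `$@` (it is outside the hunk), add `print STDERR "[-] datalink check failed: $@\n" if $@ and $debug;` after the block so a Net::Pcap API mismatch is at least visible in debug mode. The eval and the function containing it start and end outside the hunk.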

fwknop-1.9.6-serv-config.patch:

--- NEW FILE fwknop-1.9.6-serv-config.patch ---
diff -urN fwknop/fwknop_serv fwknop-1.9.6/fwknop_serv
--- fwknop/fwknop_serv	2008-07-19 05:46:42.000000000 +0200
+++ fwknop-1.9.6/fwknop_serv	2008-08-03 15:42:53.000000000 +0200
@@ -94,6 +94,9 @@
     ### import config
     &import_config();
 
+    ### expand any embedded vars within config values
+    &expand_vars();
+
     ### make sure all the vars we need are actually in the config file.
     &required_vars();
 
@@ -169,12 +172,41 @@
         "config file $config_file: $!";
     while (<C>) {
         next if /^\s*#/;
-        for my $var (@required_vars) {
-            if (/^\s*$var\s+(\S+);/) {
-                $config{$var} = $1;
-            }
+        if (/^\s*(\S+)\s+(\S+);/) {
+	    $config{$1} = $2;
         }
     }
     close C;
     return;
 }
+
+sub expand_vars() {
+
+    my $has_sub_var = 1;
+    my $resolve_ctr = 0;
+
+    while ($has_sub_var) {
+        $resolve_ctr++;
+        $has_sub_var = 0;
+        if ($resolve_ctr >= 20) {
+            die "[*] Exceeded maximum variable resolution counter.";
+        }
+	for my $var (keys %config) {
+	    my $val = $config{$var};
+	    if ($val =~ m|\$(\w+)|) {
+		my $sub_var = $1;
+		die "[*] sub-ver $sub_var not allowed within same ",
+                    "variable $var" if $sub_var eq $var;
+		if (defined $config{$sub_var}) {
+		    $val =~ s|\$$sub_var|$config{$sub_var}|;
+		    $config{$var} = $val;
+		} else {
+		    die "[*] sub-var \"$sub_var\" not defined in ",
+		        "config for var: $var."
+		}
+		$has_sub_var = 1;
+	    }
+	}
+    }
+    return;
+}
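Review bot: The first `die` in `expand_vars` reads `"[*] sub-ver $sub_var not allowed within same "` and should say `sub-var`, matching the second message and the function's vocabulary. The direct self-reference check only catches `A = $A`; an indirect cycle (`A = $B`, `B = $A`) is stopped solely by the 20-pass ceiling, whose message `"[*] Exceeded maximum variable resolution counter."` does not say why, so a comment above the counter such as `### 20 passes bound indirect cycles (A -> B -> A); each pass resolves one reference per variable` would save the next reader a trace. Note also that `import_config` now stores every `NAME value;` line rather than only `@required_vars`, which is presumably intended so that helper variables can be referenced, but it means a misspelled key silently becomes a config entry instead of being ignored.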


--- NEW FILE fwknop.logrotate ---
# Rotation policy for the fwknop log location, installed by the spec as
# /etc/logrotate.d/fwknop.
#
# NOTE(review): the spec on this page creates /var/log/fwknop as a
# directory (%dir in the file list), so this entry names a directory, not
# a log file. Confirm the intended pattern (for example /var/log/fwknop/*)
# against the file names the daemons actually write.
/var/log/fwknop {
   # Do not fail when the log is absent, and do not rotate an empty one.
   missingok
   notifempty
   # Run postrotate once for the whole entry rather than once per file.
   sharedscripts
   postrotate
        # Signal knopmd using the pid file kept under the root-owned
        # /var/run/fwknop directory created by the spec. Every failure is
        # deliberately ignored so a stopped daemon cannot break rotation.
        # NOTE(review): assumes knopmd reopens its log on SIGHUP -- confirm.
        /bin/kill -HUP `cat  /var/run/fwknop/knopmd.pid 2>/dev/null` 2> /dev/null || true
   endscript
}



--- NEW FILE fwknop.spec ---
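# Fedora packaging for fwknop 1.9.6. The C helpers (knopmd, knopwatchd) are
# built with the distribution's compiler flags; the Perl daemons and client
# are installed as-is after the patches below are applied.
Summary: A Single Packet Authorization (SPA) implementation
Name: fwknop
Version: 1.9.6
Release: 3%{?dist}
License: GPL+
Group: System Environment/Daemons
Url: http://www.cipherdyne.org/fwknop/
Source0: http://www.cipherdyne.org/fwknop/download/fwknop-%{version}.tar.bz2
Source1: fwknop.logrotate
Patch0: fwknop-1.9.6-initscript.patch
Patch1: fwknop-1.9.6-optflags.patch
Patch2: fwknop-1.9.6-no-NetPacket.patch
Patch3: fwknop-1.9.6-serv-config.patch
Patch4: fwknop-1.9.6-pcap-api.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# The automatic dependency generator doesn't find this
Requires: perl(Digest::SHA)
# chkconfig and initscripts are used by the scriptlets below, not at runtime
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
Requires(postun): initscripts

%description
fwknop implements an authorization scheme known as Single Packet
Authorization (SPA) that requires only a single encrypted packet to
communicate various pieces of information including desired access through an
iptables policy and/or specific commands to execute on the target system.
The main application of this program is to protect services such as SSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult.  The
authorization server passively monitors authorization packets via libpcap and
hence there is no "server" to which to connect in the traditional sense.  Any
service protected by fwknop is inaccessible (by using iptables to
intercept packets within the kernel) before authenticating; anyone scanning for
the service will not be able to detect that it is even listening.  This
authorization scheme offers many advantages over port knocking, include being
non-replayable, much more data can be communicated, and the scheme cannot be
broken by simply connecting to extraneous ports on the server in an effort to
break knock sequences.  The authorization packets can easily be spoofed as
well, and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system but in reality the
actual connection will come from a seemingly unrelated IP. Although the
default data collection method is to use libpcap to sniff packets off the
wire, fwknop can also read packets out of a file that is written by the
iptables ulogd pcap writer or by a separate sniffer process.

%prep
%setup -q
%patch0 -p1 -b .initscript
%patch1 -p1 -b .optflags
%patch2 -p1 -b .no-NetPacket
%patch3 -p1 -b .serv-config
%patch4 -p1 -b .pcap-api
# Replace the upstream placeholder hostname at build time so nothing has to
# edit the config file on the target host during installation.
sed -i 's,_CHANGEME_,localhost,' fwknop.conf

%build
# OPTS is consumed by the patched Makefile; passing the distribution flags
# gives the two C daemons the standard optimisation and hardening options.
make %{?_smp_mflags} OPTS="$RPM_OPT_FLAGS"

%install
rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/fwknop \
      $RPM_BUILD_ROOT%{_initrddir} \
      $RPM_BUILD_ROOT%{_bindir} \
      $RPM_BUILD_ROOT%{_mandir}/man8 \
      $RPM_BUILD_ROOT%{_sbindir} \
      $RPM_BUILD_ROOT%{_localstatedir}/lib/fwknop \
      $RPM_BUILD_ROOT%{_localstatedir}/log/fwknop \
      $RPM_BUILD_ROOT%{_localstatedir}/run/fwknop

# access.conf is where the SPA keys are configured (see README.ACCESS), so it
# must not be world-readable; the remaining config files carry no secrets.
install -p -m 600 access.conf $RPM_BUILD_ROOT%{_sysconfdir}/fwknop
install -p -m 644 fwknop.conf pf.os $RPM_BUILD_ROOT%{_sysconfdir}/fwknop
install -p -m 755 init-scripts/fwknop-init.redhat \
        $RPM_BUILD_ROOT%{_initrddir}/fwknop
install -p -m 755 fwknop $RPM_BUILD_ROOT%{_bindir}
install -p -m 644 *.8 $RPM_BUILD_ROOT%{_mandir}/man8/
install -p -m 755 fwknopd fwknop_serv knopmd knoptm knopwatchd \
        $RPM_BUILD_ROOT%{_sbindir}
#install logrotate stuff
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
install -p -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/fwknop

%clean
rm -rf $RPM_BUILD_ROOT

%post
# Register the service; the patched init script uses "chkconfig: -", so it
# stays disabled until the administrator turns it on.
/sbin/chkconfig --add fwknop

%preun
# $1 is 0 on a full removal, not on an upgrade
if [ $1 = 0 ]; then
   /sbin/service fwknop stop >/dev/null 2>&1
   /sbin/chkconfig --del fwknop
fi

%postun
# $1 >= 1 is an upgrade: restart only if the service was running
if [ $1 -ge 1 ]; then
   /sbin/service fwknop condrestart >/dev/null 2>&1 || :
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog ChangeLog.svn LICENSE README README.ACCESS README.GPG
%doc README.PK TODO
%dir %{_sysconfdir}/fwknop
# Listed individually rather than by glob so the key file keeps mode 0600.
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/fwknop/access.conf
%config(noreplace) %{_sysconfdir}/fwknop/fwknop.conf
%config(noreplace) %{_sysconfdir}/fwknop/pf.os
%config(noreplace) %{_sysconfdir}/logrotate.d/fwknop
%{_initrddir}/fwknop
%{_bindir}/fwknop
# Exactly the five programs installed above; no glob, so an unexpected file
# in the buildroot cannot be packaged by accident.
%{_sbindir}/fwknopd
%{_sbindir}/fwknop_serv
%{_sbindir}/knopmd
%{_sbindir}/knoptm
%{_sbindir}/knopwatchd
%{_mandir}/man8/*
%dir %{_localstatedir}/lib/fwknop
%dir %{_localstatedir}/log/fwknop
%dir %{_localstatedir}/run/fwknop

%changelog
* Wed Aug 13 2008 Peter Vrabec <pvrabec at redhat.com> - 1.9.6-3
- fix sed cmd in spec file

* Mon Aug 11 2008 Peter Vrabec <pvrabec at redhat.com> - 1.9.6-2
- add logrotate file
- do not set hostname during install

* Wed Jul 30 2008 Miloslav Trmač <mitr at redhat.com> - 1.9.6-1
- Initial Fedora package, based on Michael Rash's spec file (heavily modified
  since).

* Fri Jul 18 2008 Michael Rash <mbr at cipherdyne.org>
- Release of fwknop-1.9.6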


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/fwknop/devel/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore	13 Aug 2008 17:21:47 -0000	1.1
+++ .cvsignore	14 Aug 2008 09:17:20 -0000	1.2
@@ -0,0 +1 @@
+fwknop-1.9.6.tar.bz2


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/fwknop/devel/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources	13 Aug 2008 17:21:47 -0000	1.1
+++ sources	14 Aug 2008 09:17:20 -0000	1.2
@@ -0,0 +1 @@
+b55a0a4eb5212ac17ca780536c71017e  fwknop-1.9.6.tar.bz2



