Skip to content
Fetching contributors…
Cannot retrieve contributors at this time
94 lines (93 sloc) 4.96 KB

fwknop tasks

This is the main todo org mode file for the fwknop project


This bucket is for completed tasks.

[client] Add –icmp-type and –icmp-code args

For SPA packets sent over ICMP via raw socket, allow the user to specify the ICMP type and code.

[server] For Ubuntu systems, have fwknopd managed by upstart

fwknopd can benefit from upstart management and monitoring on Ubuntu systems.
  • Added the extras/upstart/fwknop.conf file so that standard upstart

commands like “service fwknop start” can be issued.

[server] ipfw active/expire sets cannot be the same

Add a check to ensure that active and expire sets are not the same value in fwknopd.conf, and add a corresponding test in the test suite.

Release fwknop-2.0.2

Make the fwknop-2.0.2 release.

Release fwknop-2.0.3

Make the fwknop-2.0.3 release.

Update fwknopd man page for GPG_ALLOW_NO_PW

Preserve existing configs under ‘make install’

  • The current ‘make install’ behavior overwrites any existing fwknopd config

files from a previous installation.

  • Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the fwknopd.conf file already exists, and similarly for the access.conf file.

fwknopd iptables comment match detection

Hank Leininger suggested that fwknopd do better detection for the iptables comment match since it is required for the expiration of SPA rules.

Set restrictive permissions on etc/fwknop directory and /etc/fwknop/* files

Current default permissions on etc/fwknop and /etc/fwknop/* are too lax.

[server] access.c parsing: allow no KEY variable if GPG keys are used.

The access.c parsing code currently throws an error if there is not KEY variable in an access stanza even if GPG_ALLOW_NO_PW is set.

Add ‘enable’ to ipfw active set at init time

Currently fwknopd does not do a check to ensure that the active set is enabled at init time (‘ipfw set enable 1’).

Update fwknopd man page to include IPFW* vars

None of the ipfw variables are currently documented in the fwknopd man page.

Use assert() in various places

Use assert() to validate expected values wherever possible.

[server] Include files for access.conf

Hank Leininger suggested that the main access.conf file have an option to include other files in which access stanzas can be specified. This makes it easy to wrap additional controls around access information particularly in multi-user environments.

[test suite] Remove lib check for test suite when running in –enable-recompile mode

When creating a release tarball under ‘make dist’, the test suite performs a check for existing lib/ directory even under –enable-recompile.

[test suite] SPA packet fuzzer

Add a series of patches to the fwknop client that break how it produces SPA data in subtle ways in order to ensure proper validation by fwknopd.

[test suite] backwards compatibility tests

The test suite should have the ability to test backwards compatibility between fwknop versions.

For Linux/Unix - a GNOME or KDE GUI app for the fwknop client.

Although there is currently a functioning web proxy that can serve as a UI via a browser, it would be nice to have native GNOME and KDE GUI wrappers for the fwknop client.

For Windows - VB and/or C# class wrappers around libfko.dll

Extend Windows support with VB and/or C# class wrappers around the libfko.dll

Ruby bindings to libfko

Perl and Python bindings already exist for libfko, so add Ruby to this list as well.

[client] Update to not send SPA packet if Ctrl-C is used

The client currently sends an SPA packet when an encryption key is requested but the user tries to exit out with Ctrl-C.

Add –disable-gpg arg to the autoconf configure script

There needs to be a way to easily disable libgpgme usage even if it is installed - this could be done with a new –disablegpg argument to the configure script.

[test suite] client/server only tests

When only the client or server is being installed on a system, the test suite should be able to run only the relevant tests.

[server] Add access variable to require particular IP’s even when REQUIRE_SOURCE is used

The SOURCE variable only applies to the IP header. Add analogous filtering for the allow IP that is encrypted within an SPA payload.

[client] Fix ‘Could not set destination IP.’ in hostname resolution in ‘-P icmp’ mode

It seems that hostname resolution is not working when SPA packets are spoofed. Here is the command line to trigger the problem:

Jump to Line
Something went wrong with that request. Please try again.