/
fwknopd.8.in
484 lines (484 loc) · 19.7 KB
/
fwknopd.8.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
'\" t
.\" Title: fwknopd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\" Date: 08/28/2010
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "08/28/2010" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
fwknopd \- Firewall Knock Operator Daemon
.SH "SYNOPSIS"
.sp
\fBfwknopd\fR [\fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBfwknopd\fR is the server component for the FireWall Knock Operator, and is responsible for monitoring and processing Single Packet Authorization (SPA) packets that are generated by \fBfwknop\fR clients, modifying a firewall or ACL policy to allow the desired access after decrypting a valid SPA packet, and removing access after a configurable timeout\&.
.sp
The main application of this program is to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&.
.sp
The main configuration for \fBfwknopd\fR is maintained within two files: \fIfwknopd\&.conf\fR and \fIaccess\&.conf\fR\&. The default location for these files is determined at package configuration (typically \fI@sysconfdir@/fwknop\fR)The configuration variables within these files are desribed below\&.
.SH "COMMAND-LINE OPTIONS"
.PP
\fB\-a, \-\-access\-file\fR=\fI<access\-file>\fR
.RS 4
Specify the location of the
\fIaccess\&.conf\fR
file\&. If this option is not given,
\fIfwkopd\fR
will use the compile\-time default location (typically
\fI@sysconfdir@/fwknop/access\&.conf\fR\&.
.RE
.PP
\fB\-c, \-\-config\fR=\fI<config\-file>\fR
.RS 4
Specify the location of the
\fIfwknopd\&.conf\fR
file\&. If this option is not given,
\fIfwkopd\fR
will use the default location (typically
\fI@sysconfdir@/fwknop/fwknopd\&.conf\fR\&.
.RE
.PP
\fB\-C, \-\-packet\-limit\fR=\fI<n>\fR
.RS 4
Specify the number of candidate SPA packets to process and exit when this limit is reached\&.
.RE
.PP
\fB\-D, \-\-Dump\-config\fR
.RS 4
Dump the configuration values that
\fBfwknopd\fR
derives from the
\fIfwknop\&.conf\fR
(or override files) and
\fIaccess\&.conf\fR
on stderr\&.
.RE
.PP
\fB\-i, \-\-interface\fR=\fI<interface>\fR
.RS 4
Manually specify interface on which to sniff, e\&.g\&. \(lq\-i eth0\(rq\&. This option is not usually needed because the \(lqPCAP_INTF\(rq keyword in the
\fIfwknopd\&.conf\fR
file defines the sniffing interface\&.
.RE
.PP
\fB\-f, \-\-foreground\fR
.RS 4
Run
\fBfwknopd\fR
in the foreground instead of becoming a daemon\&. When run in the foreground, message that would go to the log would instead be sent to stderr\&. This mode is usually used when testing and/or debugging\&.
.RE
.PP
\fB\-\-fw\-list\fR
.RS 4
List all firewall rules that any running
\fBfwknopd\fR
daemon has created and then exit\&.
.RE
.PP
\fB\-K, \-\-Kill\fR
.RS 4
Kill the current
\fBfwknopd\fR
process\&. This provides a quick and easy way to stop
\fBfwknopd\fR
without having to look in the process table\&.
.RE
.PP
\fB\-l, \-\-locale\fR=\fI<locale>\fR
.RS 4
Set/override the system default locale setting\&.
.RE
.PP
\fB\-O, \-\-Override\-config\fR=\fI<file>\fR
.RS 4
Override config variable values that are normally read from the
\fIfwknop\&.conf\fR
file with values from the specified file\&. Multiple override config files can be given as a comma\-separated list\&.
.RE
.PP
\fB\-R, \-\-Restart\fR
.RS 4
Restart the currently running
\fBfwknopd\fR
processes\&. This option will preserve the command line options that were supplied to the original
\fBfwknopd\fR
process but will force
\fBfwknopd\fR
to re\-read the
\fIfwknopd\&.conf\fR
and
\fIaccess\&.conf\fR
files\&. This will also force a flush of the current \(lqFWKNOP\(rq iptables chain(s)\&.
.RE
.PP
\fB\-\-rotate\-digest\-cache\fR
.RS 4
Rotate the digest cache file by renaming it to \(lq<name>\-old\(rq, and starting a new one\&. The digest cache file is typically found in
\fI@localstatedir@/run/fwknop/digest\&.cache\fR\&.
.RE
.PP
\fB\-S, \-\-Status\fR
.RS 4
Display the status of any
\fBfwknopd\fR
processes that may or not be running\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Run
\fBfwknopd\fR
in verbose mode\&. This can option can be specified multiple times to increase the verbosity of the output to the system log file (or to the screen if running in the foreground)\&.
.RE
.PP
\fB\-h, \-\-help\fR
.RS 4
Display usage information and exit\&.
.RE
.PP
\fB\-V, \-\-Version\fR
.RS 4
Display version information and exit\&.
.RE
.SH "FWKNOPD CONFIG AND ACCESS VARIABLES"
.sp
\fBfwknopd\fR references the \fIfwknopd\&.conf\fR file for configuration variables that define its operational parameters (what network interface and port to sniff, what features to enable/disable, etc\&.)\&. The \fIfwknopd\&.conf\fR file does not define any access control directives\&.
.sp
The access control directives are contained in the \fIaccess\&.conf\fR file\&. Access control directives define encryption keys and level of access that is granted to an fwknop client that has generated the appropriate encrypted SPA message\&.
.SS "FWKNOPD\&.CONF VARIABLES"
.sp
This section list the more prominent configuration variables used by \fBfwknopd\fR\&. It is not a complete list\&. There are directives for the type of firewall used by \fBfwknopd\fR (i\&.e\&. \fIiptables\fR or \fIipfw\fR)\&. You will want to make sure to check these to make sure they have appropriate values\&. See the \fIfwknopd\&.conf\fR file for the full list and corresponding details\&.
.PP
\fBPCAP_INTF\fR \fI<interface>\fR
.RS 4
Specify the ethernet interface on which
\fBfwknopd\fR
will sniff packets\&.
.RE
.PP
\fBENABLE_PCAP_PROMISC\fR \fI<Y/N>\fR
.RS 4
By default
\fBfwknopd\fR
puts the pcap interface into promiscuous mode\&. Set this to \(lqN\(rq to disable that behavior (non\-promiscuous)\&.
.RE
.PP
\fBPCAP_FILTER\fR \fI<pcap filter spec>\fR
.RS 4
Define the filter used for
\fIPCAP\fR
modes;
\fBfwknopd\fR
defaults to UDP port 62201\&. However, if an
\fBfwknop\fR
client uses the
\fB\-\-rand\-port\fR
option to send the SPA packet over a random port, then this variable should be updated to something like \(lqudp dst portrange 10000\-65535\(rq\&.
.RE
.PP
\fBENABLE_SPA_PACKET_AGING\fR \fI<Y/N>\fR
.RS 4
This instructs
\fBfwknopd\fR
to not honor SPA packets that have an old time stamp\&. The value for \(lqold\(rq is defined by the \(lqMAX_SPA_PACKET_AGE\(rq variable\&. If \(lqENABLE_SPA_PACKET_AGING\(rq is set to \(lqN\(rq,
\fBfwknopd\fR
will not use the client time stamp at all\&.
.RE
.PP
\fBMAX_SPA_PACKET_AGE\fR \fI<seconds>\fR
.RS 4
Defines the maximum age (in seconds) that an SPA packet will be accepted\&. This requires that the client system is in relatively close time synchronization with the
\fBfwknopd\fR
server system (NTP is good)\&. The default age is 120 seconds (two minutes)\&.
.RE
.PP
\fBENABLE_DIGEST_PERSISTENCE\fR \fI<Y/N>\fR
.RS 4
Track digest sums associated with previous SPA packets processed by
\fBfwknopd\fR\&. This allows digest sums to remain persistent across executions of
\fBfwknopd\fR\&. The default is \(lqY\(rq\&. If set to \(lqN\(rq,
\fBfwknopd\fR
will not check incoming SPA packet data against any previously save digests\&. It is a good idea to leave this feature on to reduce the possibility of being vulnerable to a replay attack\&.
.RE
.PP
\fBENABLE_IPT_FORWARDING\fR \fI<Y/N>\fR
.RS 4
Allow SPA clients to request access to services through an iptables firewall instead of just to it (i\&.e\&. access through the FWKNOP_FORWARD chain instead of the INPUT chain)\&.
.RE
.PP
\fBENABLE_IPT_LOCAL_NAT\fR \fI>Y/N>\fR
.RS 4
Allow SPA clients to request access to a local socket via NAT\&. This still puts an ACCEPT rule into the FWKNOP_INPUT chain, but a different port is translated via DNAT rules to the real one\&. So, the user would do \(lqssh \-p <port>\(rq to access the local service (see the
\fB\-\-NAT\-local\fR
and
\fB\-\-NAT\-rand\-port\fR
on the
\fBfwknop\fR
client command line)\&.
.RE
.PP
\fBENABLE_IPT_SNAT\fR \fI<Y/N>\fR
.RS 4
Set this to \(lqY\(rq to enable a corresponding SNAT rule\&. By default, if forwarding access is enabled (see the \(lqENABLE_IPT_FORWARDING\(rq variable above), then
\fBfwknopd\fR
creates DNAT rules for incoming connections, but does not also complement these rules with SNAT rules at the same time\&. In some situations, internal systems may not have a route back out for the source address of the incoming connection, so it is necessary to also apply SNAT rules so that the internal systems see the IP of the internal interface where
\fBfwknopd\fR
is running\&.
.RE
.PP
\fBSNAT_TRANSLATE_IP\fR \fI<ip_address>\fR
.RS 4
Specify the IP address for SNAT\&. This functionality is only enabled when \(lqENABLE_IPT_SNAT\(rq is set to \(lqY\(rq and by default SNAT rules are built with the MASQUERADE target (since then the internal IP does not have to be defined here in the
\fIfwknopd\&.conf\fR
file), but if you want
\fBfwknopd\fR
to use the SNAT target, you mus also define an IP address with the \(lqSNAT_TRANSLATE_IP\(rq variable\&.
.RE
.PP
\fBENABLE_IPT_OUTPUT\fR \fI<Y/N>\fR
.RS 4
Add ACCEPT rules to the FWKNOP_OUTPUT chain\&. This is usually only useful if there are no state tracking rules to allow connection responses out and the OUTPUT chain has a default\-drop stance\&.
.RE
.PP
\fBMAX_SNIFF_BYTES\fR \fI<bytes>\fR
.RS 4
Specify the the maximum number of bytes to sniff per frame\&. 1500 is the default\&.
.RE
.PP
\fBFLUSH_IPT_AT_INIT\fR \fI<Y/N>\fR
.RS 4
Flush all existing rules in the fwknop chains at
\fBfwknopd\fR
start time\&. The default is \(lqY\(rq\&.
.RE
.PP
\fBFLUSH_IPT_AT_EXIT\fR \fI<Y/N>\fR
.RS 4
Flush all existing rules in the fwknop chains when
\fBfwknopd\fR
is stopped or otherwise exits cleanly\&. The default is \(lqY\(rq\&.
.RE
.PP
\fBGPG_HOME_DIR\fR \fI<path>\fR
.RS 4
If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access block in
\fIaccess\&.conf\fR
can specify its own GPG directory to override this default\&. If not set here or in an
\fIaccess\&.conf\fR
stanza, then the
\fI$HOME/\&.gnupg\fR
directory of the user running
\fBfwknopd\fR
(most likely root)\&.
.RE
.PP
\fBLOCALE\fR \fI<locale>\fR
.RS 4
Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&.
.RE
.PP
\fBENABLE_SPA_OVER_HTTP\fR \fI<Y/N>\fR
.RS 4
Allow
\fBfwknopd\fR
to acquire SPA data from HTTP requests (generated with the fwknop client in
\fB\-\-HTTP\fR
mode)\&. Note that when this is enabled, the \(lqPCAP_FILTER\(rq variable would need to be updated to sniff traffic over TCP/80 connections and a web server should be running on the same server as
\fBfwknopd\fR\&.
.RE
.PP
\fBENABLE_TCP_SERVER\fR \fI<Y/N>\fR
.RS 4
Enable the fwknopd TCP server\&. This is a "dummy" TCP server that will accept TCP connection requests on the specified TCPSERV_PORT\&. If set to "Y", fwknopd will fork off a child process to listen for, and accept incoming TCP request\&. This server only accepts the request\&. It does not otherwise communicate\&. This is only to allow the incoming SPA over TCP packet which is detected via PCAP\&. The connection is closed after 1 second regardless\&. Note that fwknopd still only gets its data via pcap, so the filter defined by PCAP_FILTER needs to be updated to include this TCP port\&.
.RE
.PP
\fBTCPSERV_PORT\fR \fI<port>\fR
.RS 4
Set the port number that the \(lqdummy\(rq TCP server listens on\&. This server is only spawned when \(lqENABLE_TCP_SERVER\(rq is set to \(lqY\(rq\&.
.RE
.PP
\fBSYSLOG_IDENTITY\fR \fI<identity>\fR
.RS 4
Override syslog identity on message logged by
\fBfwknopd\fR\&. The defaults are usually ok\&.
.RE
.PP
\fBSYSLOG_FACILITY\fR \fI<facility>\fR
.RS 4
Override syslog facility\&. The \(lqSYSLOG_FACILITY\(rq variable can be set to
.RE
.SS "ACCESS\&.CONF VARIABLES"
.sp
This section describes the access control directives in the \fIaccess\&.conf\fR file\&. Theses directives define encryption keys and level of access that is granted to \fBfwknop\fR clients that have generated the appropriate encrypted message\&.
.sp
The \fIaccess\&.conf\fR variables described below provide the access directives for the SPA packets with a source (or embeded request) IP that matches an address or network range defined by the \(lqSOURCE\(rq variable\&. All variables following \(lqSOURCE\(rq apply to the source \fIstanza\fR\&. Each \(lqSOURCE\(rq directive starts a new stanza\&.
.PP
\fBSOURCE\fR: \fI<IP,\&.\&.,IP/NET,\&.\&.,NET/ANY>\fR
.RS 4
This defines the source address from which the SPA packet will be accepted\&. The string \(lqANY\(rq is also accepted if a valid SPA packet should be honored from any source IP\&. Every authorization stanza in
\fIaccess\&.conf\fR
definition must start with the \(lqSOURCE\(rq keyword\&. Networks should be specified in CIDR notation (e\&.g\&. \(lq192\&.168\&.10\&.0/24\(rq), and individual IP addresses can be specified as well\&. Also, multiple IP\(cqs and/or networks can be defined as a comma separated list (e\&.g\&. \(lq192\&.168\&.10\&.0/24,10\&.1\&.1\&.123\(rq)
.RE
.PP
\fBOPEN_PORTS\fR: \fI<proto/port>,\&...,<proto/port>\fR
.RS 4
Define a set of ports and protocols (tcp or udp) that will be opened if a valid knock sequence is seen\&. If this entry is not set,
\fBfwknopd\fR
will attempt to honor any proto/port request specified in the SPA data (unless of it matches any \(lqRESTRICT_PORTS\(rq entries)\&. Multiple entries are comma\-separated\&.
.RE
.PP
\fBRESTRICT_PORTS\fR: \fI<proto/port>,\&...,<proto/port>\fR
.RS 4
Define a set of ports and protocols (tcp or udp) that are explicitly
\fBnot\fR
allowed regardless of the validity of the incoming SPA packet\&. Multiple entries are comma\-separated\&.
.RE
.PP
\fBKEY\fR: \fI<password>\fR
.RS 4
Define the key used for decrypting an incoming SPA packet that is using its built\-in (Rijndael) encryption\&. This variable is required for all non\-GPG\-encrypted SPA packets\&.
.RE
.PP
\fBFW_ACCESS_TIMEOUT\fR: \fI<seconds>\fR
.RS 4
Define the length of time access will be granted by
\fBfwknopd\fR
through the firewall after a valid knock sequence from a source IP address\&. If \(lqFW_ACCESS_TIMEOUT\(rq is not set then the default timeout of 30 seconds will automatically be set\&.
.RE
.PP
\fBENABLE_CMD_EXEC\fR: \fI<Y/N>\fR
.RS 4
This instructs
\fBfwknopd\fR
to accept complete commands that are contained within an authorization packet\&. Any such command will be executed on the
\fBfwknopd\fR
server as the user specified by the \(lqCMD_EXEC_USER\(rq or as the user that started
\fBfwknopd\fR
if that is not set\&.
.RE
.PP
\fBCMD_EXEC_USER\fR: \fI<username>\fR
.RS 4
This specifies the user that will execute commands contained within a SPA packet\&. If not specified, fwknopd will execute it as the user it is running as (most likely root)\&. Setting this to a non\-root user is highly recommended\&.
.RE
.PP
\fBREQUIRE_USERNAME\fR: \fI<username>\fR
.RS 4
Require a specific username from the client system as encoded in the SPA data\&. This variable is optional and if not specified, the username data in the SPA data is ignored\&.
.RE
.PP
\fBREQUIRE_SOURCE_ADDRESS\fR: \fI<Y/N>\fR
.RS 4
Force all SPA packets to contain a real IP address within the encrypted data\&. This makes it impossible to use the
\fB\-s\fR
command line argument on the
\fBfwknop\fR
client command line, so either
\fB\-R\fR
has to be used to automatically resolve the external address (if the client behind a NAT) or the client must know the external IP\&.
.RE
.PP
\fBGPG_HOME_DIR\fR: \fI<path>\fR
.RS 4
Define the path to the GnuPG directory to be used by the
\fBfwknopd\fR
server\&. If this keyword is not specified within
\fIaccess\&.conf\fR
then
\fBfwknopd\fR
will default to using the
\fI/root/\&.gnupg\fR
directory for the server key(s) for incoming SPA packets handled by the matching
\fIaccess\&.conf\fR
stanza\&.
.RE
.PP
\fBGPG_DECRYPT_ID\fR: \fI<keyID>\fR
.RS 4
Define a GnuPG key ID to use for decrypting SPA messages that have been encrypted by an
\fBfwknop\fR
client\&. This keyword is required for authentication that is based on GPG keys\&. The GPG key ring on the client must have imported and signed the
\fBfwknopd\fR
server key, and vice versa\&. It is ok to use a sensitive personal GPG key on the client, but each
\fBfwknopd\fR
server should have its own GPG key that is generated specifically for fwknop communications\&. The reason for this is that the decryption password for the server key must be placed within the
\fIaccess\&.conf\fR
file for
\fBfwknopd\fR
to function (it has to be able to decrypt SPA messages that have been encrypted with the server\(cqs public key)\&. For more information on using fwknop with GnuPG keys, see the following link: \(lqhttp://www\&.cipherdyne\&.org/fwknop/docs/gpghowto\&.html\(rq\&.
.RE
.PP
\fBGPG DECRYPT_PW\fR: \fI<decrypt password>\fR
.RS 4
Specify the decryption password for the gpg key defined by the \(lqGPG_DECRYPT_ID\(rq above\&. This is a required field for gpg\-based authentication\&.
.RE
.PP
\fBGPG_REQUIRE_SIG\fR: \fI<Y/N>\fR
.RS 4
With this setting set to
\fIY\fR, fwknopd check all GPG\-encrypted SPA messages for a signature (signed by the sender\(cqs key)\&. If the incoming message is not signed, the decryption process will fail\&. If not set, the default is
\fIN\fR\&.
.RE
.PP
\fBGPG_IGNORE_SIG_VERIFY_ERROR\fR: \fI<Y/N>\fR
.RS 4
Setting this will allow fwknopd to accept incoming GPG\-encrypted packets that are signed, but the signature did not pass verification (i\&.e\&. the signer key was expired, etc\&.)\&. This setting only applies if the GPG_REQUIRE_SIG is also set to
\fIY\fR\&.
.RE
.PP
\fBGPG_REMOTE_ID\fR: \fI<keyID,\&...,keyID>\fR
.RS 4
Define a list of gpg key ID\(cqs that are required to have signed any incoming SPA message that has been encrypted with the
\fBfwknopd\fR
server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. This setting only applies if the \(lqGPG_REQUIRE_SIG\(rq is set to
\fIY\fR\&. Separate multiple entries with a comma\&.
.RE
.SH "FILES"
.PP
\fBfwknop\&.conf\fR
.RS 4
The main configuration file for fwknop\&.
.RE
.PP
\fBaccess\&.conf\fR
.RS 4
Defines all knock sequences and access control directives\&.
.RE
.SH "DEPENDENCIES"
.sp
The \fBfwknopd\fR daemon requires a functioning firewall on the underlying operating system\&.
Supported firewalls as of the fwknop\-2\&.0 release are iptables, ipfw, and pf\&.
.SH "DIAGNOSTICS"
.sp
\fBfwknopd\fR can be run in debug mode by combining the \fB\-f, \-\-foreground\fR and the \fB\-v, \-\-verbose\fR command line options\&. This will disable daemon mode execution, and print verbose information to the screen on stderr as packets are received\&.
.SH "SEE ALSO"
.sp
fwknop(8), iptables(8), libfko docmentation\&.
.SH "AUTHOR"
.sp
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
.SH "CREDITS"
.sp
This \(lqC\(rq version of \fBfwknopd\fR was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the \fICREDITS\fR file in the fwknop sources, or visit \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/contributors\&.html\fR to view the online list of contributors\&.
.sp
The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005 (see: \fIhttp://www\&.nmrc\&.org\fR)\&.
.SH "BUGS"
.sp
Send bug reports to dstuart@dstuart\&.org\&. Suggestions and/or comments are always welcome as well\&.
.SH "DISTRIBUTION"
.sp
\fBfwknopd\fR is distributed under the GNU General Public License (GPL), and the latest version may be downloaded from \fIhttp://www\&.cipherdyne\&.org\fR\&.