/
fwknop.8.in
676 lines (676 loc) · 26.8 KB
/
fwknop.8.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
'\" t
.\" Title: fwknop
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\" Date: 07/06/2011
.\" Manual: Fwknop Client
.\" Source: Fwknop Client
.\" Language: English
.\"
.TH "FWKNOP" "8" "07/06/2011" "Fwknop Client" "Fwknop Client"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
fwknop \- Firewall Knock Operator
.SH "SYNOPSIS"
.sp
\fBfwknop\fR \fB\-A\fR <\fIproto/ports\fR> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\fIhost\fR> [\fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for Linux systems running iptables\&. This mechanism requires only a single encrypted and non\-replayed packet to communicate various pieces of information including desired access through an iptables or ipfw policy\&. The main application of this program is to use iptables in a default\-drop stance to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&.
.sp
An authorization server \fBfwknopd\fR passively monitors authorization packets via \fIlibpcap\fR and hence there is no \(lqserver\(rq to which to connect in the traditional sense\&. Any service protected by \fBfwknop\fR is inaccessible (by using \fIiptables\fR or \fIipfw\fR to intercept packets within the kernel) before authenticating; anyone scanning for the service will not be able to detect that it is even listening\&. Single Packet Authorization offers many advantages over port knocking, including non\-replayability of SPA packets, ability to use asymmetric ciphers (such as Elgamal), and SPA cannot be broken by simply spoofing packets to duplicate ports within the knock sequence on the server to break port knocking authentication\&.
.sp
SPA packets can easily be spoofed as well (this is a good thing in this context), and this makes it possible to make it appear as though, say, www\&.yahoo\&.com is trying to authenticate to a target system but in reality the actual connection will come from a seemingly unrelated IP\&.
.sp
Authorization packets are either encrypted with the \fIRijndael\fR block cipher or via \fIGnuPG\fR and associated asymmetric ciphers\&. If the symmetric encryption method is chosen, then the encryption key is shared between the client and server (see the fwknopd \fIaccess\&.conf\fR file for details)\&. If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings\&. SPA packets generated by fwknop running as a client adhere to the following format (before they are encrypted):
.sp
.if n \{\
.RS 4
.\}
.nf
random number (16 bytes)
username
timestamp
software version
mode (command mode (0) or access mode (1))
if command mode => command to execute
else access mode => IP,proto,port
message digest (SHA512 / SHA384 / SHA256 / SHA1 / MD5)
.fi
.if n \{\
.RE
.\}
.sp
Each of the above fields are separated by a ":" character due to the variable length of several of the fields, and those that might contain ":" characters are base64 encoded\&. The message digest (\fBSHA256\fR by default in all versions of \fBfwknop\fR greater than 1\&.9\&.1) allows the server to check message integrity after decryption, and the 16 bytes of random data ensures (with high probability) that no two messages are identical\&. This ensures that replay attacks are not possible against \fBfwknop\fR\&.
.sp
For each packet coming from an \fBfwknop\fR client, the \fBfwknopd\fR server can cache the digest calculated over the entire packet and compares against previous packet digests in order to detect attempted replay attacks\&. Syslog alerts are generated if a replay is detected\&.
.sp
By default, the \fBfwknop\fR client sends authorization packets over UDP port 62201, but this can be altered with the \fB\-\-server\-port\fR argument\&. The server must first be configured to acquire the SPA data on the changed protocol\-port\&. Also, \fBfwknop\fR can send the SPA packet over a random port via the \fB\-\-rand\-port\fR argument\&. See \fIfwknopd(8)\fR for further details\&. See the \fBEXAMPLES\fR section for example invocations of the \fBfwknop\fR client\&.
.SH "REQUIRED ARGUMENTS"
.sp
These required arguments can be specified via command\-line or from within the \fI\&.fwknoprc\fR file (see \fI\-n, \-\-named\-config\fR option and the FWKNOPRC FILE section below\&.
.PP
\fB\-D, \-\-destination\fR=\fI<IP\-address>\fR
.RS 4
Direct the
\fBfwknop\fR
client to authenticate with the
\fBfwknopd\fR
daemon/service at the specified destination hostname or IP address\&. The connection mode is discovered by the
\fBfwknopd\fR
daemon/service when it decrypts and parses the authentication packet\&.
.RE
.PP
\fB\-A, \-\-access\fR=\fI<port list>\fR
.RS 4
Provide a list of ports and protocols to access on a remote computer running
\fBfwknopd\fR\&. The format of this list is \(lq<proto>/<port>\&...<proto>/<port>\(rq, e\&.g\&. \(lqtcp/22,udp/53\(rq\&.
\fBNOTE:\fR
The vast majority of usages for
\fBfwknop\fR
require the
\fB\-A\fR
argument, but sending full commands with the
\fB\-\-server\-cmd\fR
argument via an SPA packet to be executed by
\fBfwknopd\fR
does not require this argument\&.
.RE
.PP
\fB\-R|\-a|\-s\fR
.RS 4
One of these options (see below) is required to tell the remote
\fBfwknopd\fR
daemon what IP should be let through the local firewall\&. It is recommend to use the
\fB\-R\fR
or
\fB\-a\fR
options instead of
\fB\-s\fR
in order to harden SPA communications against possible
\fIMan\-In\-The\-Middle\fR
(MITM) attacks\&.
.RE
.SH "GENERAL OPTIONS"
.PP
\fB\-h, \-\-help\fR
.RS 4
Print a usage summary message and exit\&.
.RE
.PP
\fB\-B, \-\-save\-packet\fR=\fI<file>\fR
.RS 4
Instruct the
\fBfwknop\fR
client to write a newly created SPA packet out to the specified file so that it can be examined off\-line\&.
.RE
.PP
\fB\-G, \-\-get\-key\fR=\fI<file>\fR
.RS 4
Load an encryption key/password from the specified file\&. The key file contains a line for each destination hostname or IP address, a colon (":"), optional space and the password, followed by a newline\&. Note that the last line has to have a terminating newline character\&. Also note: though this is a convenience, have a file on your system with cleartext passwords is not a good idea and is not recommended\&.
.RE
.PP
\fB\-l, \-\-last\-cmd\fR
.RS 4
Execute
\fBfwknop\fR
with the command\-line arguments from the previous invocation (if any)\&. The previous arguments are parsed out of the
\fI~/\&.fwknop\&.run\fR
file\&.
.RE
.PP
\fB\-n, \-\-named\-config\fR=\fI<stanza name>\fR
.RS 4
Specify the name of the configuration stanza in the \(lq$HOME/\&.fwknoprc\(rq file to pull configuration and command directives\&. These named stanzas alleviate the need for remembering the various command\-line arguments for frequently used invocations of
\fBfwknop\fR\&. See the section labeled, FWKNOPRC FILE below for a list of the valid configuration directives in the
\fI\&.fwknoprc\fR
file\&.
.RE
.PP
\fB\-\-show\-last\fR
.RS 4
Display the last command\-line arguments used by
\fBfwknop\fR\&.
.RE
.PP
\fB\-T, \-\-test\fR
.RS 4
Test mode\&. Generate the SPA packet data, but do not send it\&. Instead, print a break\-down of the SPA data fields, then run the data through the decryption and decoding process and print the break\-down again\&. This is primarily a debugging feature\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Run the
\fBfwknop\fR
client in verbose mode\&. This causes
\fBfwknop\fR
to print some extra information about the current command and the resulting SPA data\&.
.RE
.PP
\fB\-V, \-\-Version\fR
.RS 4
Display version information and exit\&.
.RE
.SH "SPA OPTIONS"
.PP
\fB\-a, \-\-allow\-ip\fR=\fI<IP\-address>\fR
.RS 4
Specify IP address that should be permitted through the destination
\fBfwknopd\fR
server firewall (this IP is encrypted within the SPA packet itself)\&. This is useful to prevent a MTIM attack where a SPA packet can be intercepted enroute and sent from a different IP than the original\&. Hence, if the
\fBfwknopd\fR
server trusts the source address on the SPA packet IP header then the attacker gains access\&. The
\fB\-a\fR
option puts the source address within the encrypted SPA packet, and so thwarts this attack\&. The
\fB\-a\fR
option is also useful to specify the IP that will be granted access when the SPA packet itself is spoofed with the
\fB\-\-spoof\-src\fR
option\&. Another related option is
\fB\-R\fR
(see below) which instructs the
\fBfwknop\fR
client to automatically resolve the externally routable IP address the local system is connected to by querying a website that returns the actual IP address it sees from the calling system\&.
.RE
.PP
\fB\-C, \-\-server\-cmd\fR=\fI<command to execute>\fR
.RS 4
Instead of requesting access to a service with an SPA packet, the
\fB\-\-server\-cmd\fR
argument specifies a command that will be executed by the
\fBfwknopd\fR
server\&. The command is encrypted within the SPA packet and sniffed off the wire (as usual) by the
\fBfwknopd\fR
server\&.
.RE
.PP
\fB\-g, \-\-gpg\-encryption\fR
.RS 4
Use GPG encryption on the SPA packet (default if not specified is Rijndael)\&.
\fBNote:\fR
Use of this option will require the specification of a GPG recipient (see
\fB\-\-gpg\-recipient\fR
along with other GPG\-related options below)\&.
.RE
.PP
\fB\-H, \-\-http\-proxy\fR=\fI<proxy\-host>[:port]\fR
.RS 4
Specify an HTTP proxy that the
\fBfwknop\fR
client will use to send the SPA packet through\&. Using this option will automatically set the SPA packet transmission mode (usually set via the
\fB\-\-server\-proto\fR
argument) to "http"\&. You can also specify the proxy port by adding ":<port>" to the proxy host name or ip\&.
.RE
.PP
\fB\-m, \-\-digest\-type\fR=\fI<digest>\fR
.RS 4
Specify the message digest algorithm to use in the SPA data\&. Choices are:
\fBMD5\fR,
\fBSHA1\fR,
\fBSHA256\fR
(the default),
\fBSHA384\fR, and
\fBSHA512\fR\&.
.RE
.PP
\fB\-N, \-\-nat\-access\fR=\fI<internalIP:forwardPort>\fR
.RS 4
The
\fBfwknopd\fR
server offers the ability to provide SPA access through an iptables firewall to an internal service by interfacing with the iptables NAT capabilities\&. So, if the
\fBfwknopd\fR
server is protecting an internal network on an RFC\-1918 address space, an external
\fBfwknop\fR
client can request that the server port forward an external port to an internal IP, i\&.e\&. \(lq\-\-NAT\-access 192\&.168\&.10\&.2,55000\(rq\&. In this case, access will be granted to 192\&.168\&.10\&.2 via port 55000 to whatever service is requested via the
\fB\-\-access\fR
argument (usually tcp/22)\&. Hence, after sending such an SPA packet, one would then do \(lqssh \-p 55000
user@host\(rq and the connection would be forwarded on through to the internal 192\&.168\&.10\&.2 system automatically\&. Note that the port \(lq55000\(rq can be randomly generated via the
\fB\-\-nat\-rand\-port\fR
argument (described later)\&.
.RE
.PP
\fB\-\-nat\-local\fR
.RS 4
On the
\fBfwknopd\fR
server, a NAT operation can apply to the local system instead of being forwarded through the system\&. That is, for iptables firewalls, a connection to, say, port 55,000 can be translated to port 22 on the local system\&. By making use of the
\fB\-\-nat\-local\fR
argument, the
\fBfwknop\fR
client can be made to request such access\&. This means that any external attacker would only see a connection over port 55,000 instead of the expected port 22 after the SPA packet is sent\&.
.RE
.PP
\fB\-\-nat\-rand\-port\fR
.RS 4
Usually
\fBfwknop\fR
is used to request access to a specific port such as tcp/22 on a system running
\fBfwknopd\fR\&. However, by using the
\fB\-\-nat\-rand\-port\fR
argument, it is possible to request access to a particular service (again, such as tcp/22), but have this access granted via a random translated port\&. That is, once the
\fBfwknop\fR
client has been executed in this mode and the random port selected by
\fBfwknop\fR
is displayed, the destination port used by the follow\-on client must be changed to match this random port\&. For SSH, this is accomplished via the
\fB\-p\fR
argument\&. See the
\fB\-\-nat\-local\fR
and
\fB\-\-nat\-access\fR
command line arguments to
\fBfwknop\fR
for additional details on gaining access to services via a NAT operation\&.
.RE
.PP
\fB\-p, \-\-server\-port\fR=\fI<port>\fR
.RS 4
Specify the port number where
\fBfwknopd\fR
accepts packets via libpcap or ulogd pcap writer\&. By default
\fBfwknopd\fR
looks for authorization packets over UDP port 62201\&.
.RE
.PP
\fB\-P, \-\-server\-proto\fR=\fI<protocol>\fR
.RS 4
Set the protocol (udp, tcp, http, tcpraw, or icmp) for the outgoing SPA packet\&. Note: The
\fBtcpraw\fR
and
\fBicmp\fR
modes use raw sockets and thus require root access to run\&. Also note: The
\fBtcp\fR
mode expects to establish a TCP connection to the server before sending the SPA packet\&. This is not normally done, but is useful for compatibility with the Tor for strong anonymity; see
\fIhttp://tor\&.eff\&.org/\fR\&. In this case, the
\fBfwknopd\fR
server will need to be configured to listen on the target TCP port (which is 62201 by default)\&.
.RE
.PP
\fB\-Q, \-\-spoof\-src\fR=\fI<IP>\fR
.RS 4
Spoof the source address from which the
\fBfwknop\fR
client sends SPA packets\&. This requires root on the client side access since a raw socket is required to accomplish this\&. Note that the
\fB\-\-spoof\-user\fR
argument can be given in this mode in order to pass any
\fBREQUIRE_USERNAME\fR
keyword that might be specified in
\fI/etc/fwknop/access\&.conf\fR\&.
.RE
.PP
\fB\-r, \-\-rand\-port\fR
.RS 4
Instruct the
\fBfwknop\fR
client to send an SPA packet over a random destination port between 10,000 and 65535\&. The
\fBfwknopd\fR
server must use a
\fBPCAP_FILTER\fR
variable that is configured to accept such packets\&. For example, the
\fBPCAP_FILTER\fR
variable could be set to: \(lqudp dst portrange 10000\-65535\(rq\&.
.RE
.PP
\fB\-R, \-\-resolve\-ip\-http\fR
.RS 4
This is an important option, and instructs the
\fBfwknop\fR
client and the
\fBfwknopd\fR
daemon/service to query a web server that returns the caller\(cqs IP address (as seen by the web server)\&. In some cases, this is needed to determine the IP address that should be allowed through the iptables policy at the remote fwknopd server side\&. This is useful if the
\fBfwknop\fR
client is being used on a system that is behind an obscure NAT address\&. Presently,
\fBfwknop\fR
uses the URL:
\fIhttp://www\&.cipherdyne\&.org/cgi\-bin/myip\fR
to resolve the caller IP\&.
.RE
.PP
\fB\-\-resolve\-url\fR
.RS 4
Override the default URL used for resolving the source IP address\&. For best results, the URL specified here should point to a web service that provides just an IP address in the body of the HTTP response\&.
.RE
.PP
\fB\-s, \-\-source\-ip\fR
.RS 4
Instruct the
\fBfwknop\fR
client to form an SPA packet that contains the special\-case IP address \(lq0\&.0\&.0\&.0\(rq which will inform the destination
\fBfwknopd\fR
SPA server to use the source IP address from which the SPA packet originates as the IP that will be allowed through upon modification of the firewall ruleset\&. This option is useful if the
\fBfwknop\fR
client is deployed on a machine that is behind a NAT device\&. The permit\-address options
\fB\-s\fR,
\fB\-R\fR
and
\fB\-a\fR
are mutually exclusive\&.
.RE
.PP
\fB\-\-time\-offset\-plus\fR=\fI<time>\fR
.RS 4
By default, the
\fBfwknopd\fR
daemon on the server side enforces time synchronization between the clocks running on client and server systems\&. The
\fBfwknop\fR
client places the local time within each SPA packet as a time stamp to be validated by the fwknopd server after decryption\&. However, in some circumstances, if the clocks are out of sync and the user on the client system does not have the required access to change the local clock setting, it can be difficult to construct and SPA packet with a time stamp the server will accept\&. In this situation, the
\fB\-\-time\-offset\-plus\fR
option can allow the user to specify an offset (e\&.g\&. \(lq60sec\(rq \(lq60min\(rq \(lq2days\(rq etc\&.) that is added to the local time\&.
.RE
.PP
\fB\-\-time\-offset\-minus\fR=\fI<time>\fR
.RS 4
This is similar to the
\fB\-\-time\-offset\-plus\fR
option (see above), but subtracts the specified time offset instead of adding it to the local time stamp\&.
.RE
.PP
\fB\-u, \-\-user\-agent\fR=\fI<user\-agent\-string>\fR
.RS 4
Set the HTTP User\-Agent for resolving the external IP via
\fB\-R\fR, or for sending SPA packets over HTTP\&.
.RE
.PP
\fB\-U, \-\-spoof\-user\fR=\fI<user>\fR
.RS 4
Specify the username that is included within SPA packet\&. This allows the
\fBfwknop\fR
client to satisfy any non\-root
\fBREQUIRE_USERNAME\fR
keyword on the fwknopd server (\fB\-\-spoof\-src\fR
mode requires that the
\fBfwknop\fR
client is executed as root)\&.
.RE
.SH "GPG-RELATED OPTIONS"
.PP
\fB\-\-gpg\-agent\fR
.RS 4
Instruct
\fBfwknop\fR
to acquire GnuPG key password from a running gpg\-agent instance (if available)\&.
.RE
.PP
\fB\-\-gpg\-home\-dir\fR=\fI<dir>\fR
.RS 4
Specify the path to the GnuPG directory; normally this path is derived from the home directory of the user that is running the
\fBfwknop\fR
client\&. This is useful when a \(lqroot\(rq user wishes to log into a remote machine whose sshd daemon/service does not permit root login\&.
.RE
.PP
\fB\-\-gpg\-recipient\fR=\fI<key ID or Name>\fR
.RS 4
Specify the GnuPG key ID, e\&.g\&. \(lq1234ABCD\(rq (see the output of "gpg\(emlist\-keys") or the key name (associated email address) of the recipient of the Single Packet Authorization message\&. This key is imported by the
\fBfwknopd\fR
server and the associated private key is used to decrypt the SPA packet\&. The recipient\(cqs key must first be imported into the client GnuPG key ring\&.
.RE
.PP
\fB\-\-gpg\-signer\-key\fR=\fI<key ID or Name>\fR
.RS 4
Specify the GnuPG key ID, e\&.g\&. \(lqABCD1234\(rq (see the output of "gpg \-\-list\-keys") or the key name to use when signing the SPA message\&. The user is prompted for the associated GnuPG password to create the signature\&. This adds a cryptographically strong mechanism to allow the
\fBfwknopd\fR
daemon on the remote server to authenticate who created the SPA message\&.
.RE
.SH "FWKNOPRC FILE"
.sp
The \fI\&.fwknoprc\fR file is used to set various parameters to override default program parameters at runtime\&. It also allows for additional named configuration \fIstanzas\fR for setting program parameters for a particular invocation\&.
.sp
The \fBfwkop\fR client will create this file if it does not exist in the user\(cqs home directory\&. This initial version has some sample directives that are commented out\&. It is up to the user to edit this file to meet their needs\&.
.sp
The \fI\&.fwkoprc\fR file contains a default configuration area or stanza which holds global configuration directives that override the program defaults\&. You can edit this file and create additonal \fInamed stanzas\fR that can be specified with the \fB\-n\fR or \fB\-\-named\-config\fR option\&. Parameters defined in the named stanzas will override any matching \fIdefault\fR stanza directives\&. Note that command\-line options will still override any corresponding \fI\&.fwknoprc\fR directives\&.
.sp
There are directives to match most of the command\-line parameters \fBfwknop\fR supports\&. Here is the current list of each directive along with a brief description and its matching command\-line option(s):
.PP
\fBDIGEST_TYPE\fR
.RS 4
Set the SPA message digest type (\fI\-m, \-\-digest\-type\fR)\&.
.RE
.PP
\fBSPA_SERVER_PROTO\fR
.RS 4
Set the protocol to use for sending the SPA packet (\fI\-P, \-\-server\-proto\fR)\&.
.RE
.PP
\fBSPA_SERVER\fR
.RS 4
Specify the IP or hostname of the destination (\fBfwknopd\fR) server (\'\-D, \-\-destination)\&.
.RE
.PP
\fBSPA_SERVER_PORT\fR
.RS 4
Set the server port to use for sending the SPA packet (\fI\-p, \-\-server\-port\fR)\&.
.RE
.PP
\fBSPA_SOURCE_PORT\fR
.RS 4
Set the source port to use for sending the SPA packet (\fI\-S, \-\-source\-port\fR)\&.
.RE
.PP
\fBFW_TIMEOUT\fR
.RS 4
Set the firewall rule timeout value (\fI\-f, \-\-fw\-timeout\fR)\&.
.RE
.PP
\fBALLOW_IP\fR
.RS 4
Specify the address to allow within the SPA data\&. Note: This parameter covers the
\fB\-a\fR,
\fB\-s\fR, and
\fB\-R\fR
command\-line options\&. You can specify a hostname or IP address (the
\fB\-a\fR
option), specify the word "source" to tell the
\fBfwknopd\fR
server to accept the source IP of the packet as the IP to allow (the
\fB\-s\fR
option), or use the word "resolve" to have
\fBfwknop\fR
resolve the external network IP via HTTP request (the
\fB\-R\fR
option)\&.
.RE
.PP
\fBRESOLVE_URL\fR
.RS 4
Set to a URL that will be used for resolving the source IP address (\-\-resolve\-url)\&.
.RE
.PP
\fBTIME_OFFSET\fR
.RS 4
Set a value to apply to the timestamp in the SPA packet\&. This can be either a positive or negative value (\fI\-\-time\-offset\-plus/minus\fR)\&.
.RE
.PP
\fBUSE_GPG\fR
.RS 4
Set to
\fIY\fR
to specify the use of GPG for encryption (\fI\-\-gpg\-encryption\fR)\&.
.RE
.PP
\fBGPG_SIGNER\fR
.RS 4
Specify the GPG key name or ID for signing the GPG\-encrypted SPA data (\fI\-\-gpg\-signer\-key\fR)\&.
.RE
.PP
\fBGPG_RECIPIENT\fR
.RS 4
Specify the GPG key name or ID for the recipient of the GPG\-encrypted SPA data (\fI\-\-gpg\-recipient\-key\fR)\&.
.RE
.PP
\fBGPG_HOMEDIR\fR
.RS 4
Specify the GPG home directory (\fI\-\-gpg\-home\-dir\fR)\&.
.RE
.PP
\fBSPOOF_USER\fR
.RS 4
Set the username in the SPA data to the specified value (\fI\-U, \-\-spoof\-user\fR)\&.
.RE
.PP
\fBSPOOF_SOURCE_IP\fR
.RS 4
Set the source IP of the outgoing SPA packet to the specified value (\fI\-Q, \-\-spoof\-source\fR)\&.
.RE
.PP
\fBACCESS\fR
.RS 4
Set the one or more protocol/ports to open on the firewall (\fI\-A, \-\-access\fR)\&.
.RE
.PP
\fBRAND_PORT\fR
.RS 4
Send the SPA packet over a randomly assigned port (\fI\-r, \-\-rand\-port\fR)\&.
.RE
.PP
\fBKEY_FILE\fR
.RS 4
Load an encryption key/password from a file (\fI\-G, \-\-get\-key\fR)\&.
.RE
.PP
\fBHTTP_USER_AGENT\fR
.RS 4
Set the HTTP User\-Agent for resolving the external IP via \-R, or for sending SPA packets over HTTP (\fI\-u, \-\-user\-agent\fR)\&.
.RE
.PP
\fBNAT_ACCESS\fR
.RS 4
Gain NAT access to an internal service protected by the fwknop server (\fI\-N, \-\-nat\-access\fR)\&.
.RE
.PP
\fBNAT_LOCAL\fR
.RS 4
Access a local service via a forwarded port on the fwknopd server system (\fI\-\-nat\-local\fR)\&.
.RE
.PP
\fBNAT_PORT\fR
.RS 4
Specify the port to forward to access a service via NAT (\fI\-\-nat\-port\fR)\&.
.RE
.PP
\fBNAT_RAND_PORT\fR
.RS 4
Have the fwknop client assign a random port for NAT access (\fI\-\-nat\-rand\-port\fR)\&.
.RE
.SH "ENVIRONMENT"
.sp
\fBSPOOF_USER\fR, \fBGPG_AGENT_INFO\fR (only used in \fB\-\-gpg\-agent\fR mode)\&.
.SH "EXAMPLES"
.sp
The following examples illustrate the command line arguments that could be supplied to the fwknop client in a few situations:
.SS "Access mode examples"
.sp
Packet contents printed to stdout at the fwknop client when creating an \(lqaccess mode\(rq SPA packet:
.sp
.if n \{\
.RS 4
.\}
.nf
Random data: 6565240948266426
Username: mbr
Timestamp: 1203863233
Version: 1\&.9\&.2
Type: 1 (access mode)
Access: 127\&.0\&.0\&.2,tcp/22
SHA256 sum: gngquSL8AuM7r27XsR4qPmJhuBo9pG2PYwII06AaJHw
.fi
.if n \{\
.RE
.\}
.sp
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10\&.0\&.0\&.123 from the IP 192\&.168\&.10\&.4:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A "tcp/22,udp/53" \-a 192\&.168\&.10\&.4 \-D 10\&.0\&.0\&.123
.fi
.if n \{\
.RE
.\}
.sp
Same as above example, but gain access from whatever source IP is seen by the fwknop server (useful if the fwknop client is behind a NAT device):
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A "tcp/22,udp/53" \-s \-D 10\&.0\&.0\&.123
.fi
.if n \{\
.RE
.\}
.sp
Same as above example, but use an IP identification website to derive the client IP address\&. This is a safer method of acquiring the client IP address than using the \fB\-s\fR option because the source IP is put within the encrypted packet instead of having the \fBfwknopd\fR daemon grant the requested access from whatever IP address the SPA packet originates:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A "tcp/22,udp/53" \-R \-D 10\&.0\&.0\&.123
.fi
.if n \{\
.RE
.\}
.sp
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10\&.0\&.0\&.123, and use GnuPG keys to encrypt and decrypt:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A "tcp/22,udp/53" \-\-gpg\-sign ABCD1234 \-\-gpg\-\-recipient
1234ABCD \-R \-D 10\&.0\&.0\&.123
.fi
.if n \{\
.RE
.\}
.sp
Instruct the fwknop server running at 10\&.0\&.0\&.123 to allow 172\&.16\&.5\&.4 to connect to TCP/22, but spoof the authorization packet from an IP associated with www\&.yahoo\&.com:
.sp
.if n \{\
.RS 4
.\}
.nf
# fwknop \-\-Spoof\-src \(cqwww\&.yahoo\&.com\(cq \-A tcp/22 \-a 172\&.16\&.5\&.4 \-D
10\&.0\&.0\&.123
.fi
.if n \{\
.RE
.\}
.SH "DEPENDENCIES"
.sp
\fBfwknop\fR requires \fIlibfko\fR (which is normally included with both source and binary distributions)\&.
.sp
For GPG functionality, GnuPG must also be correctly installed and configured\&.
.sp
To take advantage of all of the authentication and access management features of the \fBfwknopd\fR daemon/service a functioning iptables firewall is required on the underlying operating system\&.
.SH "DIAGNOSTICS"
.sp
fwknop can be run with the \fB\-T\fR (or \fB\-\-test\fR) command line option\&. This will have \fBfwknop\fR simply create and print the SPA packet information, then run it through a decrypt/decode cycle and print it again\&.
.SH "SEE ALSO"
.sp
fwknopd(8), iptables(8), gpg(1), libfko documentation\&.
.sp
More information on Single Packet Authorization can be found in the paper \(lqSingle Packet Authorization with fwknop\(rq available at \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/SPA\&.html\fR\&.
.SH "AUTHORS"
.sp
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
.SH "CONTRIBUTORS"
.sp
This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/contributors\&.html\fR to view the online list of contributors\&.
.sp
The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005 (see: \fIhttp://www\&.nmrc\&.org\fR)\&.
.SH "BUGS"
.sp
Send bug reports to dstuart@dstuart\&.org\&. Suggestions and/or comments are always welcome as well\&.
.SH "DISTRIBUTION"
.sp
\fBfwknop\fR is distributed under the GNU General Public License (GPL), and the latest version may be downloaded from \fIhttp://www\&.cipherdyne\&.org\fR\&.