Commits on Sep 26, 2011
  1. Added --help usage information

    committed
    With the --help command line argument, the following information is printed:
    
    $ ./fwknop-launcher-lsof.pl --help
    
    Usage: fwknop-launcher-lsof.pl [options]
    
    Options:
    
        -c,  --config     <file>   - Path to fwknop-launcher.conf config file.
        -l,  --lsof-cmd   <path>   - Path to lsof command.
        -f,  --fwknop-cmd <path>   - Path to fwknop client command.
        -s,  --sleep   <seconds>   - Specify sleep interval (default:
                                     1 seconds)
        -n   --no-daemon           - Run in foreground mode.
        -u,  --user   <username>   - Specify username (usually this is not
                                     needed).
             --home-dir <dir>      - Path to user's home directory (usually
                                     this is not needed).
        -v   --verbose             - Print verbose information to the terminal
                                     (requires --no-daemon).
             --help                - Print usage info and exit.
Commits on Sep 25, 2011
  1. Added the fwknop lsof launcher under the extras/ directory

    committed
    The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
    lightweight daemon that allows the user to not have to manually run the fwknop
    client when attempting to gain access to a service that is protected by Single
    Packet Authorization via fwknopd.  This is accomplished by checking the output
    of lsof to look for pending connections in the SYN_SENT state, which (usually)
    indicate that a remote firewall is blocking the attempted connection.  At this
    point, the launcher executes the fwknop client with the --get-key arg (so the
    user must place the key in the local filesystem) to generate an SPA packet for
    the attempted connection.  The remote fwknopd daemon will reconfigure the
    firewall to allow temporary access, and this usually happens fast enough that
    the original connection attempt will then succeed.
    
    The idea for this originally came from a pcap-based connection watcher by
    Sebastien Jeanquier.
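    The trigger described above (a connection stuck in SYN_SENT, as seen in lsof output) is easy to get subtly wrong, so here is an added example for this page, written in C rather than taken from the launcher's own Perl code: it parses lines in the style of "lsof -nP -iTCP", picks out pending connections, and reports the remote host and port the fwknop client would be run for. The sample lsof lines are constructed, and the fwknop command line it prints assumes the 2.x client's -A (protocol/port), -D (destination) and --get-key options with a placeholder key file.

```c
/* Added example for this page, not code from the fwknop project: find
 * pending TCP connections (SYN_SENT) in lsof output, the trigger the
 * lsof launcher commit describes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one line of "lsof -nP -iTCP" output.  On a SYN_SENT line, copy
 * the remote IPv4 address into host, store the remote port in *port and
 * return 1; on any other line return 0.  IPv6 peers, which lsof prints as
 * "[addr]:port", are deliberately skipped by this example. */
int parse_syn_sent(const char *line, char *host, size_t hostsz, int *port)
{
    if (strstr(line, "(SYN_SENT)") == NULL)
        return 0;
    const char *arrow = strstr(line, "->");
    if (arrow == NULL)
        return 0;
    const char *peer = arrow + 2;
    if (*peer == '[')                     /* IPv6 peer: not handled here */
        return 0;

    /* The peer token runs up to the next space, e.g. "10.0.0.1:22" */
    const char *end = strchr(peer, ' ');
    if (end == NULL)
        end = peer + strlen(peer);
    const char *colon = NULL;
    for (const char *q = peer; q < end; q++)
        if (*q == ':')
            colon = q;
    if (colon == NULL)
        return 0;

    size_t hlen = (size_t)(colon - peer);
    if (hlen == 0 || hlen >= hostsz)      /* never overflow the caller's buffer */
        return 0;
    memcpy(host, peer, hlen);
    host[hlen] = '\0';

    char *pend;
    long p = strtol(colon + 1, &pend, 10);
    if (pend != end || p < 1 || p > 65535)
        return 0;
    *port = (int)p;
    return 1;
}

int main(void)
{
    /* Constructed sample of lsof output; only the second line is pending. */
    const char *sample[] = {
        "sshd     900  root 3u IPv4 0x1 0t0 TCP *:22 (LISTEN)",
        "ssh     4711 alice 3u IPv4 0x2 0t0 TCP 192.168.1.5:51234->10.0.0.1:22 (SYN_SENT)",
        "firefox 4800 alice 9u IPv4 0x3 0t0 TCP 192.168.1.5:40001->93.184.216.34:443 (ESTABLISHED)",
    };
    char host[64];
    int port;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        if (parse_syn_sent(sample[i], host, sizeof host, &port)) {
            /* Assumed fwknop 2.x client syntax: -A protocol/port, -D
             * destination, --get-key key file (placeholder path).  A real
             * launcher should also restrict this to hosts listed in its
             * config instead of sending an SPA packet for every stalled
             * connection, since SYN_SENT also occurs for hosts that are
             * simply down. */
            printf("would run: fwknop -A tcp/%d -D %s --get-key <keyfile>\n",
                   port, host);
        }
    }
    return 0;
}
```

    The IPv6 skip and the config-based destination filter are the two places a real launcher needs more than this example shows; the parser itself never writes past the caller's host buffer regardless of what lsof prints.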
Commits on Sep 22, 2011
  1. Merge pull request #5 from maxkas/master

    committed
    Fwknop client for iPhone devices - contributed by Max Kastanas
Commits on Sep 17, 2011
  1. Codebase of Fwknop client for iOS (iPhone) devices

    Max Kastanas committed
Commits on Sep 13, 2011
  1. minor typo fix: fwkop -> fwknop

    committed
Commits on Sep 10, 2011
  1. Added the cmd_opts.h file to server and client's Makefile.am so they are included with make dist.

    damienstuart committed
  2. Replaced all strcpy() calls with strlcpy()

    committed
    OpenBSD especially gives compiler warnings whenever strcpy() is used.  All such
    calls have been replaced with strlcpy().
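    Swapping strcpy() for strlcpy() bounds the write, but strlcpy() truncates silently unless the caller checks its return value. The following C code is an added example for this page, not fwknop's code; it uses a local reimplementation named fwk_strlcpy with the OpenBSD strlcpy() contract (so it builds where libc lacks the function and does not collide where libc has it) and shows the truncation check a caller should make.

```c
/* Added example, not code from fwknop: bounded copy with an explicit
 * truncation check.  fwk_strlcpy is a local reimplementation of the
 * OpenBSD strlcpy() contract, named so it does not collide with a libc
 * that already provides strlcpy(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy up to dsize-1 bytes of src into dst and NUL-terminate (if dsize > 0).
 * Returns strlen(src); a return value >= dsize means the copy was truncated. */
size_t fwk_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy src into the fixed buffer dst.  Unlike strcpy(), this can never
 * write past dst[dsize-1].  Unlike a bare strlcpy() call, it reports
 * truncation instead of silently handing back a shortened string, which
 * for a path, key file name or config value is an error, not a result.
 * Returns 1 on success and 0 if src did not fit (dst then holds the
 * truncated, still NUL-terminated copy). */
int copy_bounded(char *dst, size_t dsize, const char *src)
{
    return fwk_strlcpy(dst, src, dsize) < dsize;
}

int main(void)
{
    char cmd[16];   /* deliberately small to show the failure mode */
    const char *inputs[] = { "/sbin/fwknopd", "/usr/local/sbin/fwknopd" };
    for (size_t i = 0; i < 2; i++) {
        if (copy_bounded(cmd, sizeof cmd, inputs[i]))
            printf("ok:        %s\n", cmd);
        else
            printf("truncated: %s (rejecting)\n", cmd);
    }
    return 0;
}
```

    The second input shows why the return value matters: a silently truncated "/usr/local/sbin" is a valid-looking path to the wrong thing, and an unchecked strlcpy() would let it through.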
Commits on Sep 9, 2011
  1. Added read-only relocations and immediate bindings

    committed
    Commit 4248b26 removed read-only relocations
    and immediate bindings for FreeBSD systems (and the same was done for OpenBSD
    systems too).  This commit adds these security features back in as linker
    options by only changing LDFLAGS as opposed to also adding the corresponding
    flags to CFLAGS.  The end result is that the following errors are fixed:
    
    gcc: -z: linker input file unused because linking not done
    gcc: relro: linker input file unused because linking not done
  2. Check for active_rules > 0 before decrementing

    committed
    In the fw_config struct the active_rules member is unsigned, so this change
    ensures that we don't try to decrement it below zero whenever a firewall rule
    is deleted or an error condition occurs.
Commits on Sep 8, 2011
  1. Update to make _exp_ string a #define

    committed
    Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
    that the prefix can easily be changed.
  2. Added the ability to delete PF rules

    committed
    This commit adds the ability to fwknopd to delete PF rules after the SPA timer
    expires.  The strategy implemented is similar to iptables and ipfw, except
    that all PF rules are added to an 'anchor', and deleting a specific expired
    rule is done by listing all rules in the anchor and reinstantiating it via
    'pfctl -a <anchor> -f -' with the expired rule deleted.  fwknopd uses the
    "_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
    interfaces with iptables (via the 'comment' match), and ipfw (via the
    "//<comment>" feature).
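    To make the delete strategy concrete, the following C code is an added example written for this page, not fwknopd's own firewall code: it takes a listing in the style of "pfctl -a fwknop -s rules", drops every rule whose _exp_<expire time> label is at or before the current time, and prints the remainder, which is the ruleset that would be fed back through "pfctl -a fwknop -f -". The sample rules and the exact label layout (a trailing 'label "_exp_N"') are constructed assumptions; rules without a well-formed label are kept rather than guessed at.

```c
/* Added example (not fwknop's fw_util code): drop expired rules from a PF
 * anchor listing that uses the "_exp_<epoch>" label convention, producing
 * the ruleset to feed back to "pfctl -a <anchor> -f -".  The input line
 * style and sample rules below are constructed for the example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPIRE_COMMENT_PREFIX "_exp_"   /* same prefix the commits describe */

/* Return the expiry epoch from a rule's label, or 0 if the rule carries no
 * well-formed _exp_ label.  Such rules are kept, never deleted. */
static long rule_expiry(const char *rule)
{
    const char *lbl = strstr(rule, "label \"" EXPIRE_COMMENT_PREFIX);
    if (lbl == NULL)
        return 0;
    lbl += strlen("label \"" EXPIRE_COMMENT_PREFIX);
    char *end;
    errno = 0;
    long exp = strtol(lbl, &end, 10);
    if (errno != 0 || end == lbl || *end != '"' || exp <= 0)
        return 0;                 /* malformed: treat as unlabelled */
    return exp;
}

/* Write every rule in `rules` (newline separated) whose expiry is still in
 * the future, or which has no expiry label, to `out` (NULL discards the
 * output).  Returns the number of rules dropped. */
static int prune_expired_rules(const char *rules, long now, FILE *out)
{
    int dropped = 0;
    const char *p = rules;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line)   /* bound the copy; overlong rules are cut */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        long exp = rule_expiry(line);
        if (exp != 0 && exp <= now)
            dropped++;
        else if (len > 0 && out != NULL)
            fprintf(out, "%s\n", line);
        p = nl ? nl + 1 : p + len;
    }
    return dropped;
}

int main(void)
{
    /* Constructed sample in the style of "pfctl -a fwknop -s rules". */
    const char *rules =
        "pass in quick proto tcp from 10.1.1.5 to any port = 22 flags S/SA keep state label \"_exp_1316000100\"\n"
        "pass in quick proto tcp from 10.1.1.9 to any port = 22 flags S/SA keep state label \"_exp_1316000900\"\n"
        "pass in quick proto tcp from 10.1.1.7 to any port = 443 flags S/SA keep state\n";
    long now = 1316000500;        /* fixed for the demo; use time(NULL) in practice */
    int dropped = prune_expired_rules(rules, now, stdout);
    fprintf(stderr, "dropped %d expired rule(s)\n", dropped);
    return 0;
}
```

    Two caveats for anyone scripting the same list-and-reload cycle: any rule added to the anchor between the listing and the "pfctl -a fwknop -f -" reload is lost, so rule additions and the expiry pass must not run concurrently; and keeping unlabelled rules means anything placed in the anchor by hand survives the pass instead of being flushed.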
Commits on Sep 4, 2011
  1. minor comment typo fixes

    committed
Commits on Sep 3, 2011
  1. PF rules are now added to the fwknop anchor

    committed
    This commit implements the ability to add PF firewall rules to the fwknop
    anchor after a valid SPA packet is sniffed off the wire.  A subsequent commit
    will add the ability to delete these rules.
Commits on Aug 28, 2011
  1. Minor copyright holder update

    committed
    Minor copyright holder update
  2. For PF firewalls implemented a check for an active fwknop anchor

    committed
    This commit ensures that for PF firewalls that the fwknop anchor is active and
    linked into the running PF policy.  This is accomplished by looking for the
    string 'anchor "fwknop"' in the output of "pfctl -s rules".  If the anchor
    exists, then fwknopd will be able to influence traffic via rules added and
    removed from the fwknop anchor.
Commits on Aug 27, 2011
  1. Added --fw-list info to --help

    committed
    Added --fw-list output to usage info when --help is specified from the command
    line.
  2. PF support on OpenBSD in progress, fwknop --fw-list now works

    committed
    This is the first commit that has fwknopd interact with the PF firewall on
    OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).
Commits on Aug 25, 2011
  1. Added autoconf check for pf firewalls

    committed
    On OpenBSD systems fwknop now checks for pf firewalls via autoconf.  The next
    step will be to fill in support for pf via the C code.
  2. Disabled read-only relocations and immediate binding compiler protections

    committed
    Similarly to FreeBSD systems, gcc throws the following warnings with read-only
    relocations and immediate binding protections - disabled for now:
    
    gcc: -z: linker input file unused because linking not done
    gcc: relro: linker input file unused because linking not done
    gcc: -z: linker input file unused because linking not done
    gcc: now: linker input file unused because linking not done
Commits on Aug 23, 2011
Commits on Aug 21, 2011
  1. bumped version to 2.0.0rc4

    committed
  2. Added version specific ChangeLog, ShortLog, and diffstat files.

    committed
    Added version specific ChangeLog, ShortLog, and diffstat files (these go all
    the way back to the beginning of the svn import since 2.0.0 will be the
    first official non-"rc" release of the new C code).
  3. Updated ChangeLog with all changes from 2.0.0-rc3

    committed
    Updated ChangeLog with all changes from 2.0.0-rc3
  4. Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules

    committed
    This commit fixes an issue on ipfw firewalls where fwknopd would always require
    seeing ipfw 'Dynamic' rules associated with newly added connections.  But, such
    connections may never be established for various reasons.  Previous to this
    commit the following warning was frequently generated by fwknopd:
    
    Unexpected error: did not find 'Dynamic rules' string in list output.
  5. Bug fix for missing set existence check on ipfw firewalls

    committed
    This commit fixes an issue on systems running the ipfw firewall where the
    'set' where fwknopd puts new access rules was attempted to be deleted without
    first checking to see whether it exists.  The following errors would be
    generated (now fixed):
    
    ipfw: rule 16777217: setsockopt(IP_FW_DEL): Invalid argument
    Error 17664 from cmd:'/sbin/ipfw delete set 1':
    Fatal: Errors detected during ipfw rules initialization.
  6. Bug fix to create the digest.cache file at init

    committed
    Bug fix to ensure that the digest.cache file gets created at fwknopd init time
    so fwknopd does not throw the following error:
    
    Error opening digest cache file. Incoming digests will not be remembered.
  7. On FreeBSD, made gpgme header path inclusion optional

    committed
    If gpgme is installed on FreeBSD systems it appears that
    -I/usr/local/include/gpgme must be added to the include path, but this change
    only adds the path if gpgme is installed and going to be used.
Commits on Aug 20, 2011
  1. Fixed a few minor compiler warnings on FreeBSD

    committed
    This commit fixes a few warnings about possible uninitialized and unused
    variables.
  2. On FreeBSD disable read-only relocations and immediate binding protections

    committed
    
    gcc on FreeBSD generates the following errors when the -Wl,-z,relro -Wl,-z,now
    flags are used:
    
    gcc: -z: linker input file unused because linking not done
    gcc: relro: linker input file unused because linking not done
    gcc: -z: linker input file unused because linking not done
    gcc: now: linker input file unused because linking not done
  3. Update to suppress additional compiler warning

    committed
    This change fixes the following compiler warning that was seen with many of
    the source files in server/
    
    fwknopd_common.h:223: warning: ‘config_map’ defined but not used
  4. Minor restructuring to suppress compiler "defined but not used warnings"

    committed
    This commit fixes several compiler warnings like the following (now that -Wall
    is the default):
    
    config_init.h:68: warning: ‘cmd_opts’ defined but not used
  5. Added -Wall for all gcc warnings during compile

    committed
    Enable gcc compilation to include -Wall for all warnings (can be disabled
    with --disable-wall to ./configure).