Michael Rash wrote:
> On Jul 22, 2009, J. Bakshi wrote:
>
>> Hello All,
>
> Hi -
>
>> I have already implemented fwknop successfully on both SUSE and Debian
>> servers. Both are remote Linux boxes. Special thanks to Michael for his
>> suggestions, which have always shown me the right track. May I be
>> permitted to ask some questions to clear some doubts regarding fwknop.
>>
>> Issue with whatismyip.com
>> ( Could not extract external IP from http://www.whatismyip.org/ )
>> ======================================================
>>
>> -R or -w with --debug; fwknop (version 1.9.11)
>> reports as below:
>>
>> ```````````````````````````````````````````````````
>> ad...@linux-12ml:~> fwknop -A tcp/22 -R --debug --User-agent Fwknop/1.9.11 -k 192.168.1.3 ; ssh [email protected]
>>
>> [+] import_perl_modules(): The @INC array:
>>     /usr/lib/fwknop
>>     /usr/lib/fwknop/.
>>     /usr/lib/fwknop/x86_64-linux-thread-multi
>>     /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi
>>     /usr/lib/perl5/5.10.0
>>     /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi
>>     /usr/lib/perl5/site_perl/5.10.0
>>     /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi
>>     /usr/lib/perl5/vendor_perl/5.10.0
>>     /usr/lib/perl5/vendor_perl
>>     .
>> [+] Term::ReadKey::VERSION 2.30
>>
>> [+] ***DEBUG*** Starting fwknop client (SPA mode)...
>>     Resolving external IP via: http://www.whatismyip.org/
>> [+] Web server data from: http://www.whatismyip.org/
>>
>> [*] Could not extract external IP from http://www.whatismyip.org/
>>
>> `````````````````````````
>>
>> But if I visit http://www.whatismyip.org/ directly I get the IP, and I
>> then have no problem connecting to the fwknop server with that IP:
>>
>> ```````````````````````
>> ad...@linux-12ml:~> fwknop -A tcp/22 -a 121.247.128.171 -k 192.168.1.3 ; ssh [email protected]
>>
>> [+] Starting fwknop client (SPA mode)...
>> [+] Enter an encryption key. This key must match a key in the file
>>     /etc/fwknop/access.conf on the remote system.
>>
>> Encryption Key:
>> `````````````````````````````````
>
> The IP resolution issue is essentially a bug, and I have attached a
> small patch that implements a temporary fix. Most likely the fwknop client
> will be updated to resolve against a different server than
> www.whatismyip.org since they don't appear to like automated requests so
> much (Damien Stuart noticed this a couple of weeks ago).
>
>> Issue with dynamic IP of fwknop server
>> ======================================
>>
>> What to do with those servers having a dynamic IP address and pointed to
>> by a domain from dydns.org or myip.com?
>
> Do you mean that it becomes difficult to know what the latest fwknop
> server IP is, or that there is an issue continuing to sniff packets on
> an interface where the IP has changed? The upcoming 1.9.12 release has
> new code to recover from interface changes, and I can send you a -pre
> release of 1.9.12 if that is the issue.
>
>> Issue with psad
>> ============
>>
>> Both fwknop and psad control iptables. Can we have both psad and fwknop
>> working on the same box? In theory they should, but I don't know if they
>> really co-exist.
>
> fwknop and psad can co-exist on the same system. They both create their
> own custom iptables chains for all rule manipulations, so there is no
> conflict.
>
>> Issue with multiple fwknop clients
>> =========================
>>
>> Please bear with me, I am not very clear about GnuPG technology. Say one
>> more admin needs access to the fwknop server. I hope giving him my client
>> key, which I use to communicate with the fwknop server, will solve the
>> problem. That admin should place that key in his keyring and communicate
>> with that key. I hope I am on the right track.
>
> There is a key-exchange and signing process to use GnuPG with fwknop.
> The best instructions for this are here:
>
> http://www.cipherdyne.org/fwknop/docs/gpghowto.html
>
> Thanks,
>
> --Mike
Hello Michael,

Thanks a lot for all the clarifications.

IP resolution by whatismyip.com
=============================

Thanks for the patch. I am also eagerly waiting for 1.9.12 because I also
have some Debian boxes, and Debian does provide fwknop as a .deb.

dynamic IP of fwknop server
=======================

Yes, your first assumption is right. There are some servers (mainly
home/office servers) which have dynamic WAN IPs and are pointed to by
domains from dydns.org. Due to the firewall those servers also drop ping,
but the ddclient installed on those servers updates their WAN IP. Is there
any way to communicate with those fwknop servers by their domain name?

Nice to know the upcoming fwknop server can detect the interface change
too. Great !!

multiple fwknop client
=======================

Thanks for the link. I'll look into it.

One new question
==================

Generally we use fwknop to protect the ssh port. How can I protect multiple
ports with fwknop?

----

I am eagerly waiting for the final release of 1.9.12 to use in my
production servers. Once again millions of thanks. Wish you a nice time.

------------------------------------------------------------------------------
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
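Added example (not part of the thread above, and neither fwknop's Perl client nor the patch Michael attached): the "[*] Could not extract external IP" failure comes down to parsing a web page for the client's own public address, and the address that comes out of that parse is what the SPA packet tells the server to open the firewall for. The snippet below shows a parser for that kind of lookup response that fails closed: it returns `None` rather than an empty or wrong address when the body contains nothing usable (for example a "no automated requests" page like the one Michael describes), when the match is not a valid dotted quad, or when the only address found is in a non-routable range. The sample bodies are constructed; 121.247.128.171 is the address from the thread and 203.0.113.45 is a documentation address. `fetch_external_ip` is my own helper around `urllib`, included only to show where the `--User-agent` value from the thread would go; it is not exercised by the samples.

```python
import ipaddress
import re
from typing import Optional
from urllib.request import Request, urlopen

# Constructed sample response bodies standing in for what an external-IP
# lookup page might return. None of these are real captures. 121.247.128.171
# is the address from the thread; 203.0.113.45 is a documentation address.
SAMPLE_PLAIN = "121.247.128.171\n"
SAMPLE_HTML = "<html><body><h1>Your IP: 203.0.113.45</h1></body></html>"
SAMPLE_BLOCKED = "<html><body>Automated requests are not permitted.</body></html>"
SAMPLE_BOGUS = "Your IP: 999.1.1.1"
SAMPLE_PRIVATE = "Your IP: 192.168.1.3"

# Four dotted decimal groups not embedded in a longer dotted run (so
# "1.2.3.4.5" or a version string is not chopped into an address).
_IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that can never be a host's Internet-facing address; an answer in one
# of these means the lookup went wrong (proxy, captive portal, error page).
_NOT_EXTERNAL = [
    ipaddress.IPv4Network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")
]


def extract_external_ip(body: str) -> Optional[str]:
    """Return the first plausible external IPv4 address in body, or None.

    None is the fail-closed answer: a caller must refuse to build an SPA
    packet rather than send one carrying a wrong or empty source address.
    """
    for candidate in _IPV4_CANDIDATE.findall(body):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # "999.1.1.1" matches the regex but is not an address
        if any(addr in net for net in _NOT_EXTERNAL):
            continue
        return str(addr)
    return None


def fetch_external_ip(url: str, user_agent: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch url with the given User-Agent and parse the body (hypothetical helper, not run by the samples)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:  # assumption: a plain HTTP(S) GET is enough
        body = resp.read(65536).decode("utf-8", errors="replace")
    return extract_external_ip(body)


if __name__ == "__main__":
    for name, body in (("plain", SAMPLE_PLAIN), ("html", SAMPLE_HTML),
                       ("blocked", SAMPLE_BLOCKED), ("bogus", SAMPLE_BOGUS),
                       ("private", SAMPLE_PRIVATE)):
        ip = extract_external_ip(body)
        print(f"{name:8s}: {ip if ip else '[*] Could not extract external IP'}")
```

The point of returning `None` instead of "best effort" text is the one the thread illustrates: with `-R` the address the client scrapes becomes the source the server will permit, so a mis-parse would produce a firewall rule for the wrong host, and a clean failure lets the operator fall back to an explicit `-a <address>` exactly as J. Bakshi did.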
