Hello, first, thank you for fwknop! We will use it on Linux-based PLCs. As we also have PLCs based on Windows, we needed fwknop for Windows. Thus, I've implemented a version which is compatible with yours (only those functions we require).
But I've added some functionality that your fwknop does not include... Yes, this is bad, but it was required. We currently don't want to modify your Linux version, but use the original from the distributions. If you ever plan to add similar functions, maybe you can try to solve it the same way to stay compatible...

- Created etc and usr directories. etc holds access.conf and fwknopd.conf. usr holds access.conf (again) and fwknopd.rul. Configuration in usr\access.conf "overwrites" the one in etc\access.conf. This is important, as end users should be able to configure their own password, and these files won't be updated during the deinstall/install sequence of our product.

- Fixed firewall rules: usr\fwknopd.rul can include fixed ports (ranges) to open on every start (think of another PLC (with some, or no, operating system) trying to communicate with our PLC - no client available). As we don't know them, but must configure the firewall during installation of our product, this is an easy solution to deploy on multiple PLCs for end users...

- Replay buffer size is configurable. PLCs typically run for months/years without restarts. Thus, memory is limited (RAM and file system).

- Logging and statistics. The replay buffer is not ideal for support teams. My logging buffer also filters "updates". When our "ConnectionManager" connects to the PLC(s), it resends the SPA packets just before the firewall-rule timeout expires. These "updates" are not logged to the file to keep it small. (PS: Windows firewall does not allow similar ports to be added more than once.) Created a statistics file for TCP and UDP in ini-file format.

Some pictures/files, hopefully helping to understand:

Configuration of the service in the registry: see the attached picture.

The fwknopd.conf extensions:

    # The max number of SPA digests to hold in memory.
    # When this amount of messages is received, the digest cache file is written
    # to disk.
    MAX_DIGEST_COUNT=30000;

    # After this time (in seconds) has elapsed, the digest cache file is written
    # to disk, even if MAX_DIGEST_COUNT was not reached.
    MAX_DIGEST_TIME=900;

    # Enable logging and statistical records of messages.
    # The logfiles are written to the LogPath-Directory, defined in the service's
    # registry configuration.
    ENABLE_LOGGING=Y;

    # When this amount of logfile entries is reached, the logfile is written to disk.
    # The logging mechanism filters 'updates' of ports.
    # Thus the amount can be smaller than that of tracked digests.
    MAX_LOG_COUNT=1000;

    # After this time (in seconds) has elapsed, the digest log files are written
    # to disk, even if MAX_LOG_COUNT was not reached.
    MAX_LOG_TIME=900;

The fwknopd.rul file:

    #FwKnop configuration file for fixed firewall rules.
    #fromPort;toPort;protocol;IP address to allow;comment/rule name;
    #Where protocol can be "tcp" or "udp".
    #The comment will be used as a part of the firewall rule name.
    #Examples:
    #812;815;tcp;10.150.22.8;range required for PLC XYZ;
    #42;42;udp;10.150.22.8;life, the universe and everything

Example of a log file:

    #<time> <src_ip> <message>
    Sat Mar 05 04:17:15 2011 10.150.22.8 <10.150.22.8,tcp/652,tcp/653,tcp/654,tcp/655>
    Sat Mar 05 04:17:16 2011 10.150.22.8 <10.150.22.8,tcp/736,tcp/737,tcp/738,tcp/739,tcp/740>

Example of a TCP statistics file (PortNumber=count within [Ports]):

    [Info]
    Type=Single Packet Authorization (SPA) - Statistics
    Created=Fri Mar 04 07:06:04 2011
    [Ports]
    22=14
    111=128
    137=128
    139=128
    445=128
    600=3190

Example of a UDP statistics file (PortNumber=count within [Ports]):

    [Info]
    Type=Single Packet Authorization (SPA) - Statistics
    Created=Fri Mar 04 07:06:04 2011
    [Ports]
    111=1
    137=3193
    138=3193

Maybe you can get a few ideas...

Regards,
- Bernhard Ruhsam

PS: Sorry for the 3 email addresses - not sure where to send...
<<attachment: Picture (Metafile) 1.jpg>>
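As an added example (not part of Bernhard's mail or of fwknop itself), here is a validating parser for the fwknopd.rul layout described in the mail, plus a helper that renders each parsed rule as a Windows "netsh advfirewall" command; the netsh rendering and the rule name prefix are assumptions, since the mail does not say how the Windows port actually applies its fixed rules. The sample file content is constructed and includes deliberately malformed lines to show which ones are rejected.

```python
import ipaddress

# Constructed sample in the fwknopd.rul layout from the mail:
# fromPort;toPort;protocol;IP address to allow;comment/rule name;
# Lines 5-7 are intentionally invalid (bad port range, protocol, address).
SAMPLE_RUL = """\
#FwKnop configuration file for fixed firewall rules.
#fromPort;toPort;protocol;IP address to allow;comment/rule name;
812;815;tcp;10.150.22.8;range required for PLC XYZ;
42;42;udp;10.150.22.8;life, the universe and everything
70000;70001;tcp;10.150.22.8;bad port;
22;22;icmp;10.150.22.8;bad protocol;
22;22;tcp;not-an-ip;bad address;
"""

def parse_rul_line(line):
    """Return (from_port, to_port, proto, ip, comment) or raise ValueError."""
    fields = line.rstrip("\n").split(";")
    if len(fields) < 5:
        raise ValueError("expected at least 5 ';'-separated fields")
    from_port, to_port = int(fields[0]), int(fields[1])  # ValueError if not numeric
    if not (1 <= from_port <= to_port <= 65535):
        raise ValueError("port range must satisfy 1 <= from <= to <= 65535")
    proto = fields[2].strip().lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    ip = str(ipaddress.IPv4Address(fields[3].strip()))  # raises on a bad address
    comment = fields[4].strip()
    if not comment:
        raise ValueError("empty comment/rule name")
    return (from_port, to_port, proto, ip, comment)

def parse_rul(text):
    """Parse a whole file. Returns (rules, errors); errors are (lineno, message).
    Blank lines and '#' comment lines are skipped; bad lines are reported, not applied."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rules.append(parse_rul_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return rules, errors

def netsh_add_rule(rule):
    """Render a parsed rule as a netsh command (assumed mapping, not fwknop's)."""
    from_port, to_port, proto, ip, comment = rule
    ports = str(from_port) if from_port == to_port else f"{from_port}-{to_port}"
    return (f'netsh advfirewall firewall add rule name="fwknop {comment}" '
            f"dir=in action=allow protocol={proto} localport={ports} remoteip={ip}")
```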
_______________________________________________ Fwknop-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
