Hi everyone,
I've recently been implementing fwknop on our servers, and I've come across a
problem.
Initially, I installed and ran fwknop on a VM to test out its capabilities.
Once I was satisfied with everything, I began installation on the
pre-production server. With everything completed, I ran into the issue. When
sending the SPA packet over the terminal interface, the rules to allow my IP
were added and removed without returning any errors. Everything ran smoothly
until I attempted to use the Windows GUI 'Morpheus'. The first issue was a time
difference between the server and the client that did not exist. I of course
solved this by disabling SPA packet aging. With the next problem, the
following would occur after the server's receipt of the packet:
Jul 2 15:50:03 ioc fwknopd[23273]: (stanza #1) SPA Packet from IP: 12.23.34.45 received with access source match
Jul 2 15:50:03 ioc fwknopd[23273]: process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s --dport 22 -m comment --comment _exp_1341258633 -j ACCEPT 2>&1' (res: 0, err: Try `iptables -h' or 'iptables --help' for more information. Bad argument `22' )
Jul 2 15:50:03 ioc fwknopd[23273]: Added Rule to FWKNOP_INPUT for , tcp/22 expires at 1341258633
Jul 2 15:50:33 ioc fwknopd[23273]: check_firewall_rules() CMD: '/sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n 2>&1' (res: 0, err: )
Jul 2 15:50:33 ioc fwknopd[23273]: Did not find expire comment in rules list 0.
(The only line that was changed was line 1. The IP address was scrubbed for
confidentiality reasons.)
Have you noticed it yet? The server receives the packet, notices the IP
address, and yet does not attempt to insert it into the 'process_spa_request'.
For troubleshooting reasons, I tried setting the PCAP_FILTER to a UDP port as
well, and the same problem occurred. If you have any ideas on what I could try,
I would love ideas. I appreciate any help you may have to offer!
Morpheus variables:
- Resolve External IP
- Destination set using domain name
- Access Parameter: TCP/22
- Send over TCP protocol
- Destination Port: ***
Config dump:
Current fwknopd config settings:
0. CONFIG_FILE = '/usr/local/etc/fwknop/fwknopd.conf'
1. OVERRIDE_CONFIG = '<not set>'
2. PCAP_INTF = 'eth0'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'tcp port ***'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'N'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'Y'
14. TCPSERV_PORT = '***'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = '/usr/local/etc/fwknop/access.conf'
34. FWKNOP_PID_FILE = '/usr/local/var/run/fwknop/fwknopd.pid'
35. DIGEST_FILE = '/usr/local/var/run/fwknop/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'
Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: tcp/22
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 30
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>
-Aldan
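As an added example (not from the original post and not part of the fwknop project), here is a small Python checker that parses fwknopd syslog entries of the kind quoted in the message above and flags the symptom visible there: an iptables rule command whose -s source argument is empty, non-empty iptables error output, and an "Added Rule" line with a blank source. The function names, the regular expressions and the sample log text are my own; the sample reuses the post's five log lines joined one per entry, with the IP already scrubbed by the poster.

```python
import re

# Constructed sample: the fwknopd syslog excerpt from the post, one entry per
# line (the poster had already replaced the real IP with 12.23.34.45).
SAMPLE_LOG = """\
Jul 2 15:50:03 ioc fwknopd[23273]: (stanza #1) SPA Packet from IP: 12.23.34.45 received with access source match
Jul 2 15:50:03 ioc fwknopd[23273]: process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s --dport 22 -m comment --comment _exp_1341258633 -j ACCEPT 2>&1' (res: 0, err: Try `iptables -h' or 'iptables --help' for more information. Bad argument `22' )
Jul 2 15:50:03 ioc fwknopd[23273]: Added Rule to FWKNOP_INPUT for , tcp/22 expires at 1341258633
Jul 2 15:50:33 ioc fwknopd[23273]: check_firewall_rules() CMD: '/sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n 2>&1' (res: 0, err: )
Jul 2 15:50:33 ioc fwknopd[23273]: Did not find expire comment in rules list 0.
"""

# fwknopd logs every firewall command it runs together with the exit code and
# the captured stderr; these patterns (my own, not fwknop's) pick those apart.
CMD_RE = re.compile(
    r"(?P<func>\w+)\(\) CMD: '(?P<cmd>.*?)' \(res: (?P<res>\d+), err: (?P<err>.*)\)\s*$"
)
ADDED_RE = re.compile(
    r"Added Rule to (?P<chain>\S+) for (?P<src>[^,]*), (?P<proto_port>\S+) expires at (?P<exp>\d+)"
)

# iptables options that must be followed by a value.
VALUED_OPTS = {"-t", "-A", "-I", "-D", "-L", "-p", "-s", "-d",
               "--dport", "--sport", "-m", "--comment", "-j"}


def parse_iptables_cmd(cmd):
    """Map each valued iptables option to its argument.

    If a valued option is followed by another option (or by nothing), its
    value is recorded as '' so callers can detect a missing argument such as
    the '-s --dport 22' sequence in the post's log.
    """
    tokens = cmd.split()
    opts = {}
    for i, tok in enumerate(tokens[1:], start=1):  # tokens[0] is the binary
        if tok not in VALUED_OPTS:
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        opts[tok] = "" if nxt.startswith("-") else nxt
    return opts


def audit_fwknopd_log(text):
    """Return a list of findings (dicts with line, kind, detail) for log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CMD_RE.search(line)
        if m:
            opts = parse_iptables_cmd(m.group("cmd"))
            # Only rule insertions are expected to carry a source address.
            if "-A" in opts or "-I" in opts:
                if opts.get("-s", "") == "":
                    findings.append({"line": lineno, "kind": "empty_source",
                                     "detail": "rule command has no -s value"})
            if m.group("err").strip():
                findings.append({"line": lineno, "kind": "iptables_error",
                                 "detail": m.group("err").strip()})
            continue
        m = ADDED_RE.search(line)
        if m and not m.group("src").strip():
            findings.append({"line": lineno, "kind": "empty_source",
                             "detail": "Added Rule entry has a blank source"})
    return findings


if __name__ == "__main__":
    for f in audit_fwknopd_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
```

Run against the sample it reports three findings: the process_spa_request() command with an empty -s value, the iptables "Bad argument" error on the same entry, and the "Added Rule" entry with a blank source. A clean entry such as `-s 12.23.34.45 --dport 22` produces no finding, so the checker can be pointed at a live syslog to confirm whether rule insertions are actually succeeding rather than relying on the "Added Rule" line alone.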
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss