On Sun, Apr 12, 2015 at 4:08 AM, vwf <[email protected]> wrote:
> Hello,
>
> Fwknop works great, except when I use it in the train. The NAT used by
> the train's wifi seems different. I run fwknop on Debian Stable, both
> sides.
>
> $ fwknop --version
> fwknop client 2.5.1, FKO protocol version 2.0
>
> I use -s to get access:
> $ fwknop -s -D myhost
> on myhost the logfile shows:
>
> Apr 10 14:12:20 myhost fwknopd[2907]: (stanza #1) SPA Packet from IP:
> 145.15.244.30 received with access source match
> Apr 10 14:12:20 myhost fwknopd[2907]: Added Rule to FWKNOP_INPUT for
> 145.15.244.118, tcp/22 expires at 1428668060
>
> The part I do not understand is: Why do I have two different addresses
> in my logfile: 145.15.244.30 and 145.15.244.118 This does not happen in
> any other situation. Can I change something to get access to myhost?
>
Hi,
I believe what is happening here is that you likely have the following line
in your ~/.fwknoprc file:
RESOLVE_IP_HTTP Y
This line would either be in the "[default]" stanza, or in a dedicated
stanza you have for myhost. In fwknop-2.5.1, the "-s" command line argument
was trumped by the RESOLVE_IP_HTTP argument in ~/.fwknoprc. In more recent
versions of fwknop, command line args are always honored over ~/.fwknoprc
values.
So, the solution in your case would be to delete the RESOLVE_IP_HTTP line,
or upgrade your fwknop client.
Now, one additional wrinkle in this is that some mobile environments appear
to change the externally routable IP's around quite quickly, and this is
likely why the resolved IP of 145.15.244.118 above was different than the
actual source IP of the SPA packet (145.15.244.30). So, even when the
client isn't resolving your external IP (per the above), the actual source
IP that you make your (SSH?) connection from might appear to change too
between the time the SPA packet is sent and when the SSH connection is
made. Unfortunately, there isn't much that fwknop can do about this,
because it is a characteristic of how that mobile network is built. One
idea is to allow the fwknop client to request "subnet" access instead of
"IP" access (note that 145.15.244.118 and 145.15.244.30 are in the same
class C), and this is tracked here:
https://github.com/mrash/fwknop/issues/138
Another way to mitigate this is to make sure you launch your SSH connection
as quickly as possible after the SPA packet is sent, so:
$ fwknop -n myhost && ssh myhost
(The above assumes you have set up a [myhost] stanza in ~/.fwknoprc.)
Thanks,
--Mike
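As an added example (not part of the thread and not fwknop's own code), here is a small Python script that scans fwknopd log lines in the format quoted above, pairs each "SPA Packet from IP" line with the "Added Rule" line that follows it, and flags pairs where the two addresses differ, also noting whether the two addresses share a /24, the condition the subnet-access idea mentioned above would rely on. The log lines are constructed samples modelled on the ones in the thread.

```python
import ipaddress
import re

# Constructed sample fwknopd log lines (the first pair mirrors the thread,
# the second pair is a normal case where both addresses agree).
SAMPLE_LOG = """\
Apr 10 14:12:20 myhost fwknopd[2907]: (stanza #1) SPA Packet from IP: 145.15.244.30 received with access source match
Apr 10 14:12:20 myhost fwknopd[2907]: Added Rule to FWKNOP_INPUT for 145.15.244.118, tcp/22 expires at 1428668060
Apr 10 14:20:05 myhost fwknopd[2907]: (stanza #1) SPA Packet from IP: 203.0.113.7 received with access source match
Apr 10 14:20:05 myhost fwknopd[2907]: Added Rule to FWKNOP_INPUT for 203.0.113.7, tcp/22 expires at 1428668525
"""

# Patterns matching the two fwknopd message shapes shown in the thread.
SPA_RE = re.compile(r"SPA Packet from IP: (\S+) received")
RULE_RE = re.compile(r"Added Rule to \S+ for (\S+), (\S+) expires at (\d+)")


def find_ip_mismatches(log_text):
    """Return a list of dicts, one per SPA/rule pair whose addresses differ.

    Each dict records the SPA packet source, the address the rule was added
    for, the proto/port, the expiry timestamp, and whether the two addresses
    fall in the same /24 (the 'same class C' observation from the thread).
    """
    mismatches = []
    pending_spa = None  # source IP of the most recent SPA line not yet paired
    for line in log_text.splitlines():
        m = SPA_RE.search(line)
        if m:
            pending_spa = m.group(1)
            continue
        m = RULE_RE.search(line)
        if m and pending_spa is not None:
            rule_ip, proto_port, expires = m.group(1), m.group(2), int(m.group(3))
            if rule_ip != pending_spa:
                spa_net = ipaddress.ip_network(f"{pending_spa}/24", strict=False)
                mismatches.append({
                    "spa_src": pending_spa,
                    "rule_ip": rule_ip,
                    "port": proto_port,
                    "expires": expires,
                    "same_24": ipaddress.ip_address(rule_ip) in spa_net,
                })
            pending_spa = None  # each SPA line pairs with at most one rule line
    return mismatches


if __name__ == "__main__":
    for hit in find_ip_mismatches(SAMPLE_LOG):
        print(hit)
```

A mismatch with same_24 true is the pattern from the thread: the rule was opened for a resolved address, not the address the SPA packet actually arrived from.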
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss