On Wed, Jul 1, 2015 at 6:36 PM, Jeremiah Rothschild <[email protected]>
wrote:

> Today I attempted to upgrade my legacy 2.0.4 fwknop-server (32 bit) to
> 2.6.6-1 (64 bit). My experience afterwards is that it is having difficulty
> properly injecting more than 1 rule into the FWKNOP_FORWARD chain.
>
> To illustrate...
>
> At the top of my FORWARD chain, is a reference to the FWKNOP_FORWARD chain:
>
> Chain FORWARD (policy DROP 3 packets, 180 bytes)
>  pkts bytes target          prot opt in     out     source     destination
> 249K  134M FWKNOP_FORWARD  all  --  any    any     anywhere   anywhere
>
> I then send a knock from "Site A". It is successful and this happens once
> it hits the correct stanza:
>
> Added FORWARD rule to FWKNOP_FORWARD for 1.2.3.4 -> 192.168.10.1 tcp/1234,
> expires at 1435789117
>
> which is verified by looking at iptables itself:
>
>  Chain FWKNOP_FORWARD (1 references)
>  pkts bytes target     prot opt in     out     source     destination
>    41  5087 ACCEPT     tcp  --  any    any     1.2.3.4    desthost     tcp dpt:ssh /* _exp_1435789117 */
>
> Then I send a knock from "Site B". It finds the matching stanza. Then
> nothing happens. It doesn't log anything further about adding a FORWARD
> rule and nothing is actually added to iptables. It just stops here at the
> stanza:
>
> (stanza #3) SPA Packet from IP: 2.3.4.5 received with access source match
>
> I tried from multiple sites and encountered the same behavior. Unable to
> provide access to more than 1 IP at a time, I had to downgrade back to
> 2.0.4.
>
> Seen anything like this before? Any ideas?
>

Hmm, I would like to reproduce this. Could you send me (off-list) your
access.conf file with keys and IP addresses obfuscated? Then I'll respond
on-list with what I've been able to find. Please note that when you
obfuscate the keys, it would help if you could use consistent mappings -
that is, replace all instances of each key with the same "keyN" string
wherever they are. This will allow me to know whether the same key is used
in multiple stanzas.

Thanks,

--Mike




>
> Thanks much!
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
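For the off-list access.conf that Mike asks for, here is a small script that does the consistent obfuscation he describes. It is an added example for this thread, not fwknop project code: every distinct KEY, KEY_BASE64, HMAC_KEY, HMAC_KEY_BASE64 or GPG_DECRYPT_PW value becomes the same keyN wherever it recurs, and every distinct IPv4 address the same ipN, so which stanzas share a key or an address survives while the secrets themselves do not. It assumes the "KEYWORD   value" line format of fwknopd's access.conf (the older "KEYWORD: value;" form is tolerated and preserved), and the configuration embedded below is constructed for the demonstration.

```python
"""Obfuscate an fwknopd access.conf before mailing it out for debugging.

Added example for the thread above; it is not fwknop project code. Every
distinct secret is replaced by the same placeholder keyN wherever it recurs,
and every distinct IPv4 address by ipN, so the reader can still see which
stanzas share a key or an address without learning either.
"""
import re
from collections import OrderedDict

# Assumption: these keyword names carry the secrets in access.conf. Longer
# names come first so KEY does not shadow KEY_BASE64 in the alternation.
SECRET_KEYWORDS = ("HMAC_KEY_BASE64", "KEY_BASE64", "HMAC_KEY", "KEY", "GPG_DECRYPT_PW")

# Assumption: one "KEYWORD   value" per line. An optional ':' after the keyword
# and a trailing ';' (older stanza syntax) are tolerated and written back
# unchanged; a commented-out "#KEYWORD value" line is scrubbed as well.
SECRET_RE = re.compile(
    r"^(?P<lead>\s*#?\s*)(?P<kw>" + "|".join(SECRET_KEYWORDS) + r")"
    r"(?P<sep>:?\s+)(?P<val>\S+?)(?P<tail>;?)\s*$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Obfuscator:
    """Keeps the real->placeholder tables so repeats map to the same name."""

    def __init__(self):
        self.keys = OrderedDict()  # real secret  -> keyN
        self.ips = OrderedDict()   # real address -> ipN

    @staticmethod
    def _placeholder(table, value, prefix):
        if value not in table:
            table[value] = f"{prefix}{len(table) + 1}"
        return table[value]

    def line(self, raw):
        m = SECRET_RE.match(raw)
        if m:
            # A secret line: swap only the value, keep keyword and punctuation.
            ph = self._placeholder(self.keys, m.group("val"), "key")
            return f"{m['lead']}{m['kw']}{m['sep']}{ph}{m['tail']}"
        # Any other line (SOURCE, FORCE_NAT, comments ...): swap addresses in
        # place, which leaves a CIDR suffix such as /24 intact.
        return IPV4_RE.sub(
            lambda hit: self._placeholder(self.ips, hit.group(0), "ip"), raw)

    def text(self, conf):
        return "\n".join(self.line(l) for l in conf.splitlines())


# Constructed sample, not a real configuration: stanzas 1 and 2 share a
# KEY_BASE64 but use different HMAC keys; the last stanza uses old syntax.
SAMPLE_ACCESS_CONF = """\
# site A
SOURCE              1.2.3.4
OPEN_PORTS          tcp/1234
FORCE_NAT           192.168.10.1 1234
REQUIRE_SOURCE_ADDRESS  Y
KEY_BASE64          c2l0ZS1zaGFyZWQtZW5jcnlwdGlvbi1rZXk=
HMAC_KEY_BASE64     c2l0ZS1BLWhtYWMta2V5LW5vdC1yZWFs

# site B
SOURCE              2.3.4.5
OPEN_PORTS          tcp/1234
FORCE_NAT           192.168.10.1 1234
KEY_BASE64          c2l0ZS1zaGFyZWQtZW5jcnlwdGlvbi1rZXk=
HMAC_KEY_BASE64     c2l0ZS1CLWhtYWMta2V5LW5vdC1yZWFs

# office LAN, older stanza syntax
SOURCE: 5.6.7.0/24;
KEY: office_plain_secret;
"""


def obfuscate(conf):
    """Return (obfuscated text, key mapping, ip mapping) for one config."""
    ob = Obfuscator()
    return ob.text(conf), dict(ob.keys), dict(ob.ips)


if __name__ == "__main__":
    out, keys, ips = obfuscate(SAMPLE_ACCESS_CONF)
    print(out)
    print("# %d distinct keys, %d distinct addresses" % (len(keys), len(ips)))
```

Run it against a copy of /etc/fwknop/access.conf and redirect the output to the file you mail. Read the result before sending: the script only rewrites the listed secret keywords and bare IPv4 addresses, so a hostname, a GPG key ID or anything secret written into a free-form comment is left as it is.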
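To check whether the second knock really produced a rule, rather than reading iptables -L by eye, here is an added example (not fwknop code) that parses the output of `iptables -S FWKNOP_FORWARD` and reports which expected knock sources hold no unexpired rule. It relies on the _exp_<epoch> comment that fwknopd puts on each rule, visible in the quoted output as `/* _exp_1435789117 */`, and assumes that comment appears as `--comment _exp_<epoch>` in the -S (save-format) listing. The listing embedded below is constructed; read_chain() is the only part that shells out and is not used by the offline sample.

```python
"""List the per-source rules fwknopd has added to its FWKNOP_FORWARD chain
and report which expected sources have no unexpired rule.

Added example for the thread above, not fwknop project code. It reads
`iptables -S FWKNOP_FORWARD` (save format: one rule per line, addresses
never resolved to names) and keys on the _exp_<epoch> comment fwknopd
attaches to each rule.
"""
import re
import shlex
import subprocess
import time

CHAIN = "FWKNOP_FORWARD"
EXP_RE = re.compile(r"_exp_(\d+)")
# Options whose following token we keep; every other token is skipped.
WANTED = {"-s", "-d", "-p", "--dport", "--comment", "-j"}


def parse_rules(listing):
    """Parse `iptables -S` lines into dicts for the rules carrying an _exp_ comment."""
    rules = []
    for line in listing.splitlines():
        toks = shlex.split(line)          # also handles a quoted --comment value
        if len(toks) < 2 or toks[0] != "-A":
            continue                      # -N / -P lines carry no rule
        opts = {}
        i = 2
        while i < len(toks):
            if toks[i] in WANTED and i + 1 < len(toks):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        m = EXP_RE.fullmatch(opts.get("--comment", ""))
        if m is None:
            continue                      # not one of fwknopd's timed rules
        rules.append({
            "chain": toks[1],
            "src": opts.get("-s", "0.0.0.0/0").split("/")[0],
            "dst": opts.get("-d", "0.0.0.0/0").split("/")[0],
            "proto": opts.get("-p", "all"),
            "dport": opts.get("--dport"),
            "target": opts.get("-j"),
            "expires": int(m.group(1)),
        })
    return rules


def active_sources(rules, now):
    """Sources that currently hold at least one unexpired ACCEPT rule."""
    return {r["src"] for r in rules
            if r["target"] == "ACCEPT" and r["expires"] > now}


def missing_sources(rules, expected, now):
    """Expected knock sources (in the given order) with no live rule."""
    live = active_sources(rules, now)
    return [s for s in expected if s not in live]


def read_chain(chain=CHAIN):
    """Run iptables on this host (needs root). Not used by the offline sample."""
    return subprocess.run(["iptables", "-S", chain], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample of `iptables -S FWKNOP_FORWARD` after two accepted knocks.
SAMPLE_LISTING = """\
-N FWKNOP_FORWARD
-A FWKNOP_FORWARD -s 1.2.3.4/32 -d 192.168.10.1/32 -p tcp -m tcp --dport 1234 -m comment --comment _exp_1435789117 -j ACCEPT
-A FWKNOP_FORWARD -s 2.3.4.5/32 -d 192.168.10.1/32 -p tcp -m tcp --dport 1234 -m comment --comment _exp_1435789160 -j ACCEPT
"""

if __name__ == "__main__":
    now = int(time.time())
    rules = parse_rules(SAMPLE_LISTING)
    for r in rules:
        print(f"{r['src']} -> {r['dst']} {r['proto']}/{r['dport']} "
              f"expires in {r['expires'] - now}s")
    print("no live rule for:",
          missing_sources(rules, ["1.2.3.4", "2.3.4.5", "3.4.5.6"], now))
```

On a live server replace SAMPLE_LISTING with read_chain() and pass the addresses of the sites you knocked from; a site that shows up as missing right after a "received with access source match" log line, while the first site's rule is still live, reproduces the symptom described above without having to compare -L output by hand.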
