Download List

Sponsored link


fwknop implements an authorization scheme called Single Packet Authorization that requires only a single encrypted packet to communicate various pieces of information, including desired access through an iptables, ipfw, or pf firewall policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap. Also supported is a robust port knocking implementation based around iptables log messages.

System Requirements

System requirement is not defined
Information regarding Project Releases and Project Resources. Note that the information here is a quote from page, and the downloads themselves may not be hosted on OSDN.

2012-12-10 11:07

On the server side, this release adds a chain_exists() check to SPA rule creation so that if any of the fwknop chains are deleted out from under fwknopd, they will be recreated on the fly. It adds new SPA packet fuzzing capability to the test suite to assist in validation of SPA operations. It adds upstart config for systems running the upstart daemon. An OpenBSD ndbm/gdbm usage bugfix. ICMP type/code client command line arguments have been added for when SPA packets are sent over ICMP.
標籤: Stable

2012-01-04 03:09

This is the production release of the fwknop C rewrite. It brings Single Packet Authorization to three different Open Source firewalls (iptables, ipfw, and pf), embedded systems, and mobile devices. The fwknopd server runs on Linux, Mac OS X, FreeBSD, and OpenBSD. The client runs on all of these platforms as well as Android, the iPhone, and Cygwin under Windows. In addition, the client is portable, and can be compiled as a native Windows binary.

2011-12-15 07:35

This release adds OpenBSD PF support, adds a new FORCE_NAT mode to transparently force authenticated connections to specified internal systems, adds a comprehensive test suite, and adds the ability to automatically expire SPA keys. Several memory handling bugfixes were made.

2009-09-09 22:35

The FKO module that is part of the libfko library was fully integrated for all SPA routines: encryption/decryption, digest calculation, replay attack detection, etc. The ability to recover from interface error conditions was added, such as when fwknopd sniffs a ppp interface (say, associated with a VPN) that goes away and then is recreated. The fwknop client was updated to include the SPA destination before DNS resolution when sending an SPA packet over an HTTP request.

2009-05-13 19:10

Support was added for ipfw "sets" on FreeBSD and Mac OS X systems. A segfault on Debian systems that was exposed in some circumstances with older versions of libpcap was fixed. The --icmp-type and --icmp-code command line arguments were added for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Support was added for multiple include/exclude test identifying strings (separated by commas).
標籤: Major

Project Resources