The fwknop.conf file defines critical configuration variables such as the authentication mode, the firewall type, the interface to sniff packets from, whether packets should be sniffed promiscuously (i.e., whether or not fwknop processes Ethernet frames that are not destined for the MAC address of the local interface), and the email address(es) to which alerts are sent.


The AUTH_MODE variable tells the fwknop daemon how to collect packet data. Several collection modes are supported, including sniffing packets from a live interface via the Net::Pcap Perl module, reading PCAP-formatted packets from a file in the filesystem that is written by ulogd (see, using a separate Ethernet sniffer such as tcpdump, or parsing iptables log messages from the file /var/log/fwknop/fwdata. Possible values for the AUTH_MODE variable are PCAP, FILE_PCAP, ULOG_PCAP, and KNOCK; PCAP is the default.



The PCAP_INTF variable defines the live interface the fwknop daemon uses to monitor packets. This is only used if AUTH_MODE is set to PCAP; the default setting is the eth0 interface.



A live interface may transmit or receive lots of packet data that is completely unrelated to SPA traffic, and there is no need to force the fwknop daemon to process it. The PCAP_FILTER variable allows you to restrict the types of packets libpcap passes into fwknop based upon criteria such as network layer addresses or transport layer port numbers. Because, by default, fwknop transfers SPA packets over UDP port 62201, this variable is set as follows (this can be modified to acquire SPA packets over different ports and/or protocols).

PCAP_FILTER udp port 62201;


When set to Y, this variable instructs the fwknop daemon to monitor all Ethernet frames that are sent past the live packet capture interface (i.e., the interface is operating in promiscuous mode). This is enabled by default when AUTH_MODE is set to PCAP; however, if the interface where the fwknop daemon is sniffing is active and has an IP address assigned—meaning SPA packets can be sent directly to this interface—then this feature can be disabled as follows:



The FIREWALL_TYPE variable tells fwknopd about the type of firewall that it is responsible for reconfiguring after receiving a valid SPA packet. Supported values are iptables (the default) and ipfw for FreeBSD and Mac OS X systems.



If AUTH_MODE is set to either FILE_PCAP or ULOG_PCAP, then the fwknop daemon acquires packet data from a PCAP-formatted file within the filesystem. The path to this file is defined by the PCAP_PKT_FILE variable and is set to the following default:

PCAP_PKT_FILE /var/log/sniff.pcap;


The IPTables::ChainMgr Perl module is used by fwknop to add and remove ACCEPT rules for legitimate SPA clients. The same module is also used by psad, but instead of adding ACCEPT rules, psad adds DROP rules against IP addresses that send malicious traffic. The default configuration for the IPT_AUTO_CHAIN1 variable is to add ACCEPT rules into the custom iptables chain FWKNOP_INPUT and to jump packets into this chain from the built-in INPUT chain.[2]


[2] A detailed explanation of the IPT_AUTO_CHAIN{n} variables can be found in "Configuration Variables" on page 135. The IPT_AUTO_CHAIN{n} variables provide an interface to the IPTables::ChainMgr module, and this interface is used in both psad and fwknop.


One of the most important features of the SPA protocol is the ability to detect and ignore replay attacks. The ENABLE_MD5_PERSISTENCE variable controls whether or not the fwknop daemon writes the MD5 sums of all successfully decrypted SPA packets to disk. This allows fwknop to detect replay attacks across restarts of fwknop and even across system reboots. This feature is enabled by default, but can be disabled if you wish to verify that replay detection functions correctly (requires sending a duplicate SPA packet over the network to the SPA server).



The MAX_SPA_PACKET_AGE variable defines the maximum age, in seconds, for which the fwknop server will allow an SPA packet to be accepted. The default is two minutes. This variable is only used if ENABLE_SPA_PACKET_AGING is enabled.



By default, the fwknop daemon requires that an SPA packet sent from the fwknop client is less than 120 seconds (two minutes) old, as defined by the MAX_SPA_PACKET_AGE variable discussed above. The fwknop client includes a timestamp within each SPA packet (see "fwknop SPA Packet Format" on page 241), which the fwknop server uses to determine the age of all SPA packets. This feature requires loose time synchronization between the fwknop client and server, but the robust Network Time Protocol (NTP) makes this easy to do.

If ENABLE_SPA_PACKET_AGING is disabled, an attacker positioned inline on the path of an SPA packet could stop the packet from being forwarded, preventing the fwknop server from ever seeing it and recording its MD5 sum. Later, the attacker could send the original SPA packet on to its destination, and the fwknop server would honor it. Further, if the fwknop -s command-line argument was used to generate the original SPA packet, fwknop would honor the SPA packet from whichever source IP address it came from (see the REQUIRE_SOURCE_ADDRESS variable below), and the attacker would gain access through the iptables policy.[3] Therefore, it is highly recommended that you leave this feature enabled.
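The interplay between the acceptance window and the persisted digest cache is easier to see in code. The following is an added example written for this page, not code from fwknop itself: it models a server that (optionally) enforces MAX_SPA_PACKET_AGE, records the MD5 of each accepted packet, and keeps those digests on disk so that a restart does not forget them. The JSON digest file, the constructed packet bytes and the "held for 10 minutes" scenario are assumptions of the example; the real daemon's on-disk format and packet layout are not shown on this page.

```python
import hashlib
import json
import os
import tempfile

# Mirrors the MAX_SPA_PACKET_AGE default the text gives (120 seconds).
MAX_SPA_PACKET_AGE = 120


class SpaDigestCache:
    """Digests of accepted SPA packets. With persist=True they are also written
    to disk, modelling ENABLE_MD5_PERSISTENCE. The JSON file format is an
    assumption of this example, not fwknop's own on-disk format."""

    def __init__(self, path, persist=True):
        self.path = path
        self.persist = persist
        self.seen = set()
        if persist and os.path.exists(path):
            with open(path) as fh:
                self.seen = set(json.load(fh))

    def record(self, digest):
        """Return False if the digest was seen before (a replay), else store it."""
        if digest in self.seen:
            return False
        self.seen.add(digest)
        if self.persist:
            with open(self.path, "w") as fh:
                json.dump(sorted(self.seen), fh)
        return True


def evaluate_spa(packet, timestamp, cache, now, enable_aging=True):
    """Decide whether an (already decrypted) SPA packet is accepted.

    packet    : raw packet bytes
    timestamp : the client-supplied timestamp carried inside the packet
    now       : server clock, passed in so the scenarios are deterministic
    Returns (accepted, reason).
    """
    # Tolerating skew in both directions is an assumption of this example.
    if enable_aging and abs(now - timestamp) > MAX_SPA_PACKET_AGE:
        # Outside the window: the packet is rejected before any digest work.
        return False, "stale"
    if not cache.record(hashlib.md5(packet).hexdigest()):
        return False, "replay"
    return True, "accepted"


def held_packet_scenario(enable_aging):
    """The attack described in the text: an inline attacker drops the SPA
    packet so the server never sees it, then forwards the original ten
    minutes later. Constructed data; the server only sees the delayed copy."""
    cache = SpaDigestCache(os.path.join(tempfile.mkdtemp(), "digests.json"))
    sent_at = 1_700_000_000
    packet = b"constructed-spa-payload"
    return evaluate_spa(packet, sent_at, cache, now=sent_at + 600,
                        enable_aging=enable_aging)


def replay_across_restart_scenario():
    """The same packet arriving twice inside the window, with a daemon restart
    (a fresh cache object reloading the same file) in between."""
    path = os.path.join(tempfile.mkdtemp(), "digests.json")
    sent_at = 1_700_000_000
    packet = b"constructed-spa-payload"
    first = evaluate_spa(packet, sent_at, SpaDigestCache(path), now=sent_at + 5)
    second = evaluate_spa(packet, sent_at, SpaDigestCache(path), now=sent_at + 30)
    return first, second


if __name__ == "__main__":
    print("aging on :", held_packet_scenario(True))    # (False, 'stale')
    print("aging off:", held_packet_scenario(False))   # (True, 'accepted')
    print("restart  :", replay_across_restart_scenario())
```

With aging disabled the held packet is brand new to the digest cache, so nothing stops it; the window is what turns "never seen before" into "too old to matter". The restart scenario shows why the digests must persist: a cache that lived only in memory would accept the second copy after the daemon came back up.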



The REQUIRE_SOURCE_ADDRESS variable tells the fwknop server to require that all SPA packets contain, within the encrypted payload, the IP address that is to be granted access through iptables. With this feature enabled, the wildcard IP address placed within an SPA packet with the -s argument on the fwknop client command line will not be accepted.

[3] This attack was called to my attention by Sebastien Jeanquier, and the result was the ENABLE_SPA_PACKET_AGING feature (first available in the 0.9.9 release) to implement the time window in which an SPA packet would be accepted by the fwknop server.
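Because several of the variables above interact (the acceptance window, digest persistence, the wildcard source address), it is worth checking a deployed fwknop.conf mechanically rather than by eye. The following is an added example for this page, not a tool shipped with fwknop: it parses the `VARIABLE value;` line format shown on this page, fills in the defaults the text names, and reports settings that reopen the replay problem or that are inconsistent with the chosen AUTH_MODE. The two sample configurations are constructed; the assumption that `#` starts a comment, and the defaults for variables the page does not state (REQUIRE_SOURCE_ADDRESS is only checked when present), are the example's own.

```python
import re

# Values the text lists for each enumerated variable.
AUTH_MODES = {"PCAP", "FILE_PCAP", "ULOG_PCAP", "KNOCK"}
FIREWALL_TYPES = {"iptables", "ipfw"}

# Defaults named in the text; applied when a variable is absent from the file.
DEFAULTS = {
    "AUTH_MODE": "PCAP",
    "PCAP_INTF": "eth0",
    "PCAP_FILTER": "udp port 62201",
    "FIREWALL_TYPE": "iptables",
    "PCAP_PKT_FILE": "/var/log/sniff.pcap",
    "ENABLE_MD5_PERSISTENCE": "Y",
    "ENABLE_SPA_PACKET_AGING": "Y",
    "MAX_SPA_PACKET_AGE": "120",
    "GPG_DEFAULT_HOME_DIR": "/root/.gnupg",
    "ENABLE_TCP_SERVER": "N",
}

# "NAME value;" with whitespace between; the value may itself contain spaces.
LINE_RE = re.compile(r"^([A-Z0-9_]+)\s+(.*?)\s*;$")


def parse_fwknop_conf(text):
    """Parse fwknop.conf-style lines into a dict. Treating '#' as a comment
    introducer is an assumption of this example."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def audit(conf):
    """Return a list of findings about risky or inconsistent settings."""
    eff = {**DEFAULTS, **conf}
    findings = []
    if eff["AUTH_MODE"] not in AUTH_MODES:
        findings.append(f"AUTH_MODE {eff['AUTH_MODE']!r} is not one of {sorted(AUTH_MODES)}")
    if eff["FIREWALL_TYPE"] not in FIREWALL_TYPES:
        findings.append(f"FIREWALL_TYPE {eff['FIREWALL_TYPE']!r} is not one of {sorted(FIREWALL_TYPES)}")
    if eff["AUTH_MODE"] == "PCAP" and not eff["PCAP_FILTER"]:
        findings.append("PCAP_FILTER is empty: every frame on PCAP_INTF reaches the daemon")
    if eff["ENABLE_SPA_PACKET_AGING"] != "Y":
        findings.append("ENABLE_SPA_PACKET_AGING is off: a held-back SPA packet can be submitted later and honored")
    else:
        try:
            age = int(eff["MAX_SPA_PACKET_AGE"])
        except ValueError:
            findings.append("MAX_SPA_PACKET_AGE is not an integer number of seconds")
        else:
            if age > 120:
                findings.append(f"MAX_SPA_PACKET_AGE {age}s exceeds the 120s default; wider replay window")
    if eff["ENABLE_MD5_PERSISTENCE"] != "Y":
        findings.append("ENABLE_MD5_PERSISTENCE is off: replay detection is lost across restarts")
    if conf.get("REQUIRE_SOURCE_ADDRESS") == "N":
        findings.append("REQUIRE_SOURCE_ADDRESS is off: packets built with fwknop -s (wildcard source) are accepted")
    if eff["ENABLE_TCP_SERVER"] == "Y" and "TCPSERV_PORT" not in conf:
        findings.append("ENABLE_TCP_SERVER is on but TCPSERV_PORT is not set explicitly")
    return findings


# Constructed sample: the settings this page recommends.
SAFE_CONF = """\
# constructed sample fwknop.conf
AUTH_MODE               PCAP;
PCAP_INTF               eth0;
PCAP_FILTER             udp port 62201;
FIREWALL_TYPE           iptables;
ENABLE_MD5_PERSISTENCE  Y;
ENABLE_SPA_PACKET_AGING Y;
MAX_SPA_PACKET_AGE      120;
REQUIRE_SOURCE_ADDRESS  Y;
"""

# Constructed sample: the combination the text warns against.
WEAK_CONF = """\
AUTH_MODE               PCAP;
ENABLE_SPA_PACKET_AGING N;      # turns off the acceptance window
ENABLE_MD5_PERSISTENCE  N;
REQUIRE_SOURCE_ADDRESS  N;
FIREWALL_TYPE           pf;
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE_CONF), ("weak", WEAK_CONF)):
        print(name, audit(parse_fwknop_conf(text)) or "no findings")
```

Running the block reports nothing for the first configuration and four findings for the second. The checker deliberately reads `PCAP_FILTER` after defaults are applied, so a file that omits it is not flagged, while one that sets it to an empty value is.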



The fwknop server sends email alerts under various circumstances, such as when SPA packets are accepted and access to a service is granted, when access is removed, and when a replay attack has been thwarted. Multiple email addresses are supported as a comma-separated list, like so:

EMAIL_ADDRESSES [email protected], [email protected];


The GPG_DEFAULT_HOME_DIR variable specifies the path to the directory where GnuPG keys are kept for digital signature verification and decryption of SPA packets. The default is to use the .gnupg directory in root's home directory.

GPG_DEFAULT_HOME_DIR /root/.gnupg;


The ENABLE_TCP_SERVER variable controls whether or not fwknop binds a TCP server to a port to accept SPA packet data. If you want to route SPA packets over the Tor network, which only uses TCP for data transport, you must enable this feature. (You'll find more on this topic in "SPA over Tor" on page 254.) This feature is disabled by default.



The TCPSERV_PORT variable specifies the port on which the fwknop_serv daemon listens for TCP connections. This is only used by fwknop if ENABLE_TCP_SERVER is enabled. The default is the following:

