FWKNOP(8)                   System Manager's Manual                  FWKNOP(8)


NAME

       fwknop - Firewall Knock Operator


SYNOPSIS

       fwknop -A <ports> -R|-a|-s -D <host> [options]


DESCRIPTION

       fwknop implements an authorization scheme known as Single Packet
       Authorization (SPA) for Linux systems running iptables, and for Mac OS X
       and FreeBSD systems running ipfw.  This mechanism requires only a single
       encrypted and non-replayed packet to communicate various pieces of
       information, including the desired access through an iptables or ipfw
       policy.  The main application of this program is to use iptables or ipfw
       in a default-drop stance to protect services such as SSH with an
       additional layer of security, in order to make the exploitation of
       vulnerabilities (both 0-day and unpatched code) much more difficult.  An
       authorization server, fwknopd, passively monitors authorization packets
       via libpcap, and hence there is no "server" to which to connect in the
       traditional sense.  Any service protected by fwknop is inaccessible
       (iptables or ipfw intercepts the packets within the kernel) before
       authenticating; anyone scanning for the service will not be able to
       detect that it is even listening.  Single Packet Authorization offers
       many advantages over port knocking: SPA packets are non-replayable,
       asymmetric ciphers (such as ElGamal via GnuPG) can be used, and SPA
       cannot be broken by spoofing packets to duplicate ports within the knock
       sequence on the server, which defeats port knocking authentication.  SPA
       packets can themselves be sent from a spoofed source address (a feature
       rather than a weakness in this context, because the IP to be granted
       access can be carried inside the encrypted payload), so it is possible
       to make it appear as though, say, www.yahoo.com is trying to
       authenticate to a target system while the actual connection comes from
       a seemingly unrelated IP.  Although the default data collection method
       in Single Packet Authorization mode is to use libpcap to sniff packets
       off the wire, fwknopd can also read packets out of a file that is
       written by the iptables ulogd pcap writer (or by a separate sniffer
       process that is writing packet data to a file).

       Authorization packets are encrypted either with the Rijndael block
       cipher or via GnuPG and its associated asymmetric ciphers.  If the
       symmetric encryption method is chosen, then the encryption key is
       shared between the client and server (see the /etc/fwknop/access.conf
       file).  If the GnuPG method is chosen, then the encryption keys are
       derived from GnuPG key rings.  SPA packets generated by fwknop running
       as a client adhere to the following format (before they are encrypted):

           random number (16 bytes)
           username
           timestamp
           software version
           mode (command mode (0) or access mode (1))
           if command mode => command to execute
           else access mode  => IP,proto,port
           message digest (SHA256 / SHA1 / MD5)

       Each of the above fields is separated by a ":" character because
       several of the fields are of variable length, and those that might
       contain ":" characters are base64 encoded.  The message digest (SHA256
       by default in all versions of fwknop greater than 1.9.1) allows the
       server to check message integrity after decryption, and the 16 bytes of
       random data ensure (with high probability) that no two messages are
       identical.  This is what makes replay detection possible: for each
       packet coming from an fwknop client, the fwknopd server caches the
       SHA256 digest calculated over the entire packet and compares it against
       previous packet digests in order to detect attempted replay attacks.
       The digest cache file is located at /var/log/fwknop/digest.cache and is
       not rotated, so that the detection of duplicate SPA messages is
       maximized.  Both syslog and email alerts are generated if a replay is
       detected (although this can be tuned via the ALERTING_METHODS variable
       in the /etc/fwknop/fwknop.conf file).  By default, the fwknop client
       sends authorization packets over UDP port 62201, but this can be
       altered with the --Server-port argument.  The server must first be
       configured to acquire the SPA data on the changed protocol-port.  Also,
       fwknop can send the SPA packet over a random port via the --rand-port
       argument.  See fwknopd(8) for further details.  See the EXAMPLES
       section for example invocations of the fwknop client.

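       The following is an added illustration of the message layout and
       replay check described above; it is not fwknop's own code.  It builds
       the cleartext SPA message in the documented field order, computes the
       SHA256 digest, and models the digest cache on the server side.  Details
       the man page does not fix are assumptions here: the username and the
       access/command payload are the base64-encoded fields, base64 is written
       without "=" padding (the digests shown in EXAMPLES are 43 characters,
       i.e. unpadded), and the replay cache stores SHA256 over the whole
       cleartext message.  Encryption (Rijndael or GnuPG) is left out, so the
       digest will not reproduce the one printed in EXAMPLES.

```python
import base64
import hashlib
import hmac
import secrets
import string
import time

# Added example, not fwknop's own code: the cleartext SPA message layout
# described in the man page, the SHA256 integrity digest, and the digest-cache
# replay check that fwknopd performs.  Assumptions beyond the man page: the
# username and the access/command payload are the base64-encoded fields,
# base64 is written without '=' padding, and the replay cache stores SHA256
# over the whole cleartext message.  Encryption is out of scope.

VERSION = "1.9.2"       # software version field (assumed client version)
COMMAND_MODE = 0
ACCESS_MODE = 1


def b64(data: bytes) -> str:
    """Unpadded base64; the output alphabet never contains ':'."""
    return base64.b64encode(data).decode().rstrip("=")


def unb64(text: str) -> str:
    """Inverse of b64(): restore padding, then decode."""
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode()


def random_data() -> str:
    """16 random decimal digits, like the 'Random data' line in EXAMPLES."""
    return "".join(secrets.choice(string.digits) for _ in range(16))


def build_spa_message(username, payload, mode=ACCESS_MODE, rand=None,
                      timestamp=None):
    """Client side: 'rand:user:ts:version:mode:payload:digest'.

    payload is 'IP,proto/port[,proto/port...]' in access mode or the command
    to run in command mode; both may contain ':' and so are base64 encoded.
    """
    rand = rand or random_data()
    ts = int(time.time()) if timestamp is None else timestamp
    body = ":".join([rand, b64(username.encode()), str(ts), VERSION,
                     str(mode), b64(payload.encode())])
    digest = b64(hashlib.sha256(body.encode()).digest())
    return f"{body}:{digest}"


class DigestCache:
    """In-memory stand-in for /var/log/fwknop/digest.cache (never rotated)."""

    def __init__(self):
        self.seen = set()

    def is_replay(self, message: str) -> bool:
        digest = hashlib.sha256(message.encode()).hexdigest()
        if digest in self.seen:
            return True
        self.seen.add(digest)
        return False


def verify_spa_message(message: str, cache: DigestCache):
    """Server side, after decryption: digest, replay cache, then parse.

    Returns (True, fields) or (False, reason).  A 'replay' result is where
    fwknopd would raise its syslog/email alert.
    """
    body, sep, digest = message.rpartition(":")
    if not sep:
        return False, "malformed"
    expected = b64(hashlib.sha256(body.encode()).digest())
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if cache.is_replay(message):
        return False, "replay"
    parts = body.split(":")
    if len(parts) != 6:
        return False, "malformed"
    rand, user, ts, version, mode, payload = parts
    return True, {"random": rand, "username": unb64(user),
                  "timestamp": int(ts), "version": version,
                  "mode": int(mode), "payload": unb64(payload)}


if __name__ == "__main__":
    cache = DigestCache()
    msg = build_spa_message("mbr", "127.0.0.2,tcp/22")
    print(msg)
    print(verify_spa_message(msg, cache))   # accepted, parsed fields
    print(verify_spa_message(msg, cache))   # (False, 'replay')
```

       The second verification of the same message fails as a replay even
       though its digest is intact, which is exactly why the random field and
       the never-rotated digest cache are both needed: the digest proves
       integrity, the cache proves freshness.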

REQUIRED ARGUMENTS

       -D, --Destination <IP-address>
              Direct the fwknop client to authenticate with the fwknopd
              daemon/service at the destination address <IP>.  The connection
              mode is discovered by the fwknopd daemon/service when it
              decrypts and parses the authentication packet.

       -A, --Access <port list>
              Provide a list of ports and protocols to access on a remote
              computer running fwknopd.  The format of this list is
              '<proto>/<port>,<proto>/<port>,...', e.g. "tcp/22,udp/53".
              NOTE: The vast majority of usages for fwknop require the -A
              argument, but sending full commands with the --Server-cmd
              argument via an SPA packet to be executed by fwknopd does not
              require this argument.

       -R|-a|-s
              One of these options (see below) is required to tell the remote
              fwknopd daemon what IP should be let through the local firewall.
              It is recommended to use the -R or -a options instead of -s in
              order to harden SPA communications against possible MITM
              attacks: with -s the permitted IP is taken from the
              unauthenticated IP header of the SPA packet, whereas -R and -a
              place it inside the encrypted payload.


OPTIONS

       -a, --allow-IP <IP-address>
              Specify the IP address that should be permitted through the
              destination fwknopd server's firewall (this IP is encrypted
              within the SPA packet itself).  This is useful to prevent a
              Man-In-The-Middle (MITM) attack where an SPA packet is
              intercepted en route and sent from a different IP than the
              original; if the fwknopd server trusted the source address in
              the SPA packet's IP header, the attacker would gain access.  The
              -a option puts the source address within the encrypted SPA
              packet, and so thwarts this attack.  The -a option is also
              useful to specify the IP that will be granted access when the
              SPA packet itself is spoofed with the --Spoof-src option.
              Another related option is -R (see below), which instructs the
              fwknop client to automatically resolve the externally routable
              IP address the local system is connected to by querying the
              http://www.whatismyip.com website.

       -R, --Resolve-external-IP
              This is an important option, and instructs the fwknop client to
              query http://www.whatismyip.com to determine the IP address that
              should be allowed through the iptables policy at the remote
              fwknopd server side.  The resolved address is placed inside the
              encrypted SPA packet, exactly as with -a.  This is useful if the
              fwknop client is being used on a system that is behind an
              obscure NAT address.  Note that you can use the --URL option to
              have fwknop resolve an externally routable address by using a
              specific web service instead of http://www.whatismyip.org (see
              below).

       --NAT-access <internalIP:forwardPort>
              The fwknopd server offers the ability to provide SPA access
              through an iptables firewall to an internal service by
              interfacing with the iptables NAT capabilities.  So, if the
              fwknopd server is protecting an internal network on RFC 1918
              address space, an external fwknop client can request that the
              server port forward an external port to an internal IP, i.e.
              "--NAT-access 192.168.10.2:55000".  In this case access will be
              granted to 192.168.10.2 via port 55000 to whatever service is
              requested via the --Access argument (usually tcp/22).  Hence,
              after sending such an SPA packet, one would then do "ssh -p
              55000 user@host" and the connection would be forwarded on
              through to the internal 192.168.10.2 system automatically.  Note
              that the port "55000" can be randomly generated via the
              --NAT-rand-port argument (described later).

       --NAT-local
              On the fwknopd server, a NAT operation can apply to the local
              system instead of being forwarded through the system.  That is,
              for iptables firewalls, a connection to, say, port 55000 can be
              translated to port 22 on the local system.  By making use of the
              --NAT-local argument, the fwknop client can be made to request
              such access.  This means that any external attacker would only
              see a connection over port 55000 instead of the expected port 22
              after the SPA packet is sent.

       --URL <web resolution URL>
              This option is used in conjunction with the -R option so that
              fwknop will resolve the externally routable IP address (useful
              if fwknop is run on a system behind a NAT) via a web service URL
              supplied on the command line.  A custom web resolution CGI
              script is available at the URL below if http://www.whatismyip.org
              is not available: http://www.cipherdyne.org/cgi/clientip.cgi

       --gpg-agent
              Instruct fwknop to acquire the GnuPG key password from a running
              gpg-agent instance.

       --gpg-agent-info <connection info>
              Specify the value of the GPG_AGENT_INFO environment variable as
              returned by the gpg-agent --daemon command.  If the fwknop
              --gpg-agent command line argument is used instead of
              --gpg-agent-info, then fwknop assumes that the GPG_AGENT_INFO
              environment variable has already been set in the current shell.

       --gpg-default-key
              Use the key that GnuPG defines as the default, i.e. the key that
              is specified by the default-key variable in ~/.gnupg/options.
              If the default-key variable is not defined within
              ~/.gnupg/options, then GnuPG tries to use the first suitable
              key on its key ring.  If the user does not know the password for
              this key, then the standard password error will be thrown by
              GnuPG and reported back to the user.

       --gpg-home-dir <dir>
              Specify the path to the GnuPG directory; normally this path is
              derived from the home directory of the user that is running the
              fwknop client.  This is useful when a 'root' user wishes to log
              into a remote machine whose sshd daemon/service does not permit
              'root' login.

       --gpg-recipient <key ID>
              Specify the GnuPG key ID, e.g. "1234ABCD" (see the output of
              "gpg --list-keys"), of the recipient of the Single Packet
              Authorization message.  This key is imported by the fwknopd
              server and the associated private key is used to decrypt the
              SPA packet.  The recipient's public key must first be imported
              into the client GnuPG key ring.

       --gpg-signing-key <key ID>
              Specify the GnuPG key ID, e.g. "ABCD1234" (see the output of
              "gpg --list-keys"), to use when signing the SPA message.  The
              user is prompted for the associated GnuPG password to create the
              signature.  This adds a cryptographically strong mechanism that
              allows the fwknopd daemon on the remote server to authenticate
              who created the SPA message.

       --gpg-verbose
              Instruct fwknop to allow all output from the gpg process that is
              used by fwknop in GnuPG mode.  This is primarily used for
              debugging purposes if it appears that the GnuPG encrypt/decrypt
              is not performing correctly.

       --gpg-use-options
              By default the fwknop client instructs gpg not to reference any
              options file in gpg mode, but this command line argument can be
              used to re-enable them.

       --Home-dir <dir>
              Specify the path to the user home directory where files such as
              .fwknop.hosts or .fwknop.run should be stored or retrieved.

       -l, --last-cmd
              Instruct the fwknop client to run with the same command line
              arguments that were used in a previous execution.  This option
              is useful because the client's fwknop command line can be
              complex and difficult to recall.

       --Last-host <host>
              Instruct fwknop to use the same command line arguments that were
              used to authenticate to host.

       -q, --quiet
              This option instructs fwknop to be as quiet as possible and only
              print absolutely necessary information to the terminal.

       -s, --source-ip
              Instruct the fwknop client to form an SPA packet that contains
              the special-case IP address "0.0.0.0", which informs the
              destination fwknopd SPA server to use the source IP address from
              which the SPA packet originates as the IP that will be allowed
              through upon modification of the firewall ruleset.  This option
              is useful if the fwknop client is deployed on a machine that is
              behind a NAT device, but because the permitted address is then
              taken from the unauthenticated IP header, -R or -a is preferred
              (see the -a option above).  The permit-address options -s, -R
              and -a are mutually exclusive.

       --Server-port <port>
              Specify the port number where fwknopd accepts packets via
              libpcap or the ulogd pcap writer.  By default fwknopd looks for
              authorization packets over UDP port 62201.

       --rand-port
              Instruct the fwknop client to send an SPA packet over a random
              destination port between 10,000 and 65535.  The fwknopd server
              must use a PCAP_FILTER variable that is configured to accept
              such packets.  For example, the PCAP_FILTER variable could be
              set to: udp dst portrange 10000-65535

       --NAT-rand-port
              Usually fwknop is used to request access to a specific port
              such as tcp/22 on a system running fwknopd.  However, by using
              the --NAT-rand-port argument, it is possible to request access
              to a particular service (again, such as tcp/22), but have this
              access granted via a random translated port.  That is, once the
              fwknop client has been executed in this mode and the random port
              selected by fwknop is displayed, the destination port used by
              the follow-on client must be changed to match this random port.
              For SSH, this is accomplished via the -p argument.  See the
              --NAT-local and --NAT-access command line arguments to fwknop
              for additional details on gaining access to services via a NAT
              operation.

       --Save-packet
              Instruct the fwknop client to write a newly created SPA packet
              out to a file so that it can be examined off-line.  The default
              path is ~/fwknop_save_packet.<pid> where <pid> is the process ID
              of the fwknop client process, but this can be changed with the
              --Save-packet-file argument (see below).

       --Save-packet-file <file>
              Specify the file to write a new SPA packet to in --Save-packet
              mode.

       --Save-packet-append
              In --Save-packet mode fwknop normally overwrites the file used
              to save a new SPA packet, but this command line argument
              instructs fwknop to append a new SPA packet to the file instead.
              This is useful for generating large sets of SPA packets in order
              to test randomness or encryption properties.

       --time-offset-plus <time>
              By default, the fwknopd daemon on the server side enforces time
              synchronization between the clocks running on client and server
              systems.  The fwknop client places the local time within each
              SPA packet as a time stamp to be validated by the fwknopd server
              after decryption.  However, if the clocks are out of sync and
              the user on the client system does not have the required access
              to change the local clock setting, it can be difficult to
              construct an SPA packet with a time stamp the server will
              accept.  In this situation, the --time-offset-plus option allows
              the user to specify an offset (e.g. "60sec", "60min", "2days",
              etc.) that is added to the local time.

       --time-offset-minus <time>
              This is similar to the --time-offset-plus option (see above),
              but subtracts the specified time offset from the local time
              stamp instead of adding it.

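       The following added example (not fwknop's own code) shows the clock
       skew failure mode that the two time-offset options address: it parses
       offset strings in the form quoted above ("60sec", "60min", "2days"),
       applies them to the client's local time, and runs the kind of time
       window check fwknopd performs on the decrypted time stamp.  The unit
       names accepted beyond those three and the 120-second acceptance window
       are assumptions; the man page does not state fwknopd's actual window.

```python
import re

# Added example, not fwknop's own code: parse --time-offset-plus/-minus style
# strings and model the server-side time-window check they exist to satisfy.
# The unit table beyond sec/min/days and the 120-second window are assumptions.

_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}
_OFFSET_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")


def parse_offset(text: str) -> int:
    """'60sec' -> 60, '60min' -> 3600, '2days' -> 172800 (plural 's' optional)."""
    m = _OFFSET_RE.match(text)
    if not m:
        raise ValueError(f"bad time offset: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    if unit not in _UNIT_SECONDS and unit.endswith("s"):
        unit = unit[:-1]            # 'days' -> 'day', 'mins' -> 'min'
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown unit in time offset {text!r}")
    return count * _UNIT_SECONDS[unit]


def client_timestamp(local_now: int, plus: str = None, minus: str = None) -> int:
    """Time stamp the client writes into the SPA packet after applying offsets."""
    ts = local_now
    if plus:
        ts += parse_offset(plus)
    if minus:
        ts -= parse_offset(minus)
    return ts


def server_accepts(server_now: int, packet_ts: int, max_diff: int = 120) -> bool:
    """Reject a packet whose time stamp is too far from the server clock."""
    return abs(server_now - packet_ts) <= max_diff


if __name__ == "__main__":
    # Constructed scenario: the client clock runs 10 minutes behind the server.
    server_now, client_now = 1_000_600, 1_000_000
    print(server_accepts(server_now, client_timestamp(client_now)))                # False
    print(server_accepts(server_now, client_timestamp(client_now, plus="10min")))  # True
```

       A packet that fails this window is dropped before any firewall rule is
       added, so a client whose clock is off by more than the server's window
       must compensate with --time-offset-plus or --time-offset-minus rather
       than by retrying.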
       --Show-last-cmd
              Display the last command-line arguments used by fwknop.

       --Show-host-cmd <host>
              Display the last command-line arguments used to contact an SPA
              server running on a specific host.

       --Spoof-proto <protocol>
              Send an SPA packet over a raw socket of the specified protocol.
              Accepted values are tcp, udp, and icmp.  This is useful if you
              want to send the SPA packet over an orphaned TCP ACK or an ICMP
              packet.

       --Spoof-src <IP>
              Spoof the source address from which the fwknop client sends SPA
              packets.  This requires root access on the client side, since a
              raw socket is required to accomplish this.  Note that the
              --Spoof-user argument can be given in this mode in order to pass
              any REQUIRE_USERNAME keyword that might be specified in
              /etc/fwknop/access.conf.

       --Spoof-user <user>
              Specify the username that is included within the SPA packet.
              This allows the fwknop client to satisfy any non-root
              REQUIRE_USERNAME keyword on the fwknopd server (--Spoof-src mode
              requires that the fwknop client is executed as root).

       --icmp-type <type>
              When using the --Spoof-proto argument to send an SPA packet over
              an ICMP packet, the ICMP type may be set with this command line
              argument.  The default is "8" for an ICMP echo-request (see also
              the --icmp-code argument below).

       --icmp-code <code>
              When using the --Spoof-proto argument to send an SPA packet over
              an ICMP packet, the ICMP code may be set with this command line
              argument.  The default is "0" for an ICMP echo-request (see also
              the --icmp-type argument above).

       --Max-packet-size <size>
              Instruct fwknop to restrict message length to size bytes; the
              client will not send an SPA packet that is larger than this
              (e.g. if a long command was included in --Server-cmd mode).
              This alters the default value of 1500 bytes.  See also the
              MAX_SNIFF_BYTES variable in fwknop.conf on the SPA server.

       --HTTP Have the fwknop client send an SPA packet as a web request over
              HTTP.  This requires that the system running fwknopd is also
              running a webserver to receive the SPA web request.  The web
              request is built as a modified version of base64-encoded data
              where the "+" and "/" chars are replaced with "-" and "_"
              respectively (to avoid URL encoding issues).

       --HTTP-proxy <proxy host>
              The HTTP-proxy option allows the fwknop client to send SPA
              packets through an HTTP proxy when the --HTTP option is also
              used.  The expected format for the argument is
              http://some.host.com, and an optional port number is supported
              with the http://some.host.com:PORT format.

       --HTTP-user-agent <agent string>
              Specify the HTTP user-agent whenever the fwknop client is used
              to send an SPA packet over an HTTP request, or when the
              --Resolve-external-IP option is used.  The default user-agent is
              "Fwknop/VERSION", so "Fwknop/1.9.12" for the 1.9.12 release.

       -T, --TCP-sock
              Have the fwknop client send an SPA packet over an established
              TCP connection (created by the fwknop client to the listening
              port on the server specified with the --Server-port argument).
              This is not normally done, but is useful for compatibility with
              Tor for strong anonymity; see http://tor.eff.org/.  In this
              case, the fwknopd server uses the fwknop_serv daemon to listen
              on a TCP port (62201 by default).

       -h, --help
              Display usage information and exit.

       -V, --Version
              Display version information and exit.

       -v, --verbose
              Run the fwknop client in verbose mode.

       --locale <locale>
              Provide a locale setting other than the default "C" locale.

       --no-locale
              Do not set the locale at all so that the default system locale
              will apply.

       --Server-cmd <cmd>
              NOTE: This is for command mode only (i.e. when you want to send
              a command across to a system running fwknopd and have it execute
              the command).  This option is not needed when trying to gain
              access to a service via the SPA mechanism.  To use this feature,
              please ensure that ENABLE_CMD_EXEC; is set in the file
              /etc/fwknop/access.conf on the fwknopd server you are sending
              the command to.  The --Server-cmd argument allows a complete
              command (e.g. "ping -c 1 www.yahoo.com", or "iptables -t nat -A
              PREROUTING -p tcp -s 65.x.x.x --dport 443 -i eth0 -j DNAT --to
              192.168.10.20:443") to be sent to a fwknopd server, which will
              execute the command as root.  Command execution is enabled only
              if the ENABLE_CMD_EXEC keyword is given in
              /etc/fwknop/access.conf; because the command runs as root, the
              set of permitted commands should be restricted with the
              CMD_REGEX keyword as well.

       Legacy Port-knock mode only

              All of the following options in this section are for the
              traditional port knocking mode.  This is a legacy mode and is
              not the preferred or recommended mode next to Single Packet
              Authorization (see http://www.cipherdyne.org/fwknop/docs/SPA.html
              for details on why).

              --offset <port>
                     Specify a port offset to use when running fwknop in
                     encrypted knock mode.  The default is 61000.

              -r, --rotate-proto
                     Rotate the protocol across tcp and udp for encrypted
                     sequences.  This just adds one more layer of obfuscation
                     to an encrypted sequence.

              --Server-mode <mode>
                     This command line switch provides an interface to the old
                     port knocking method if the mode argument is "knock".  If
                     the --Server-mode argument is not given then the fwknop
                     client defaults to using the SPA method, which provides
                     much better security characteristics than port knocking
                     (encrypted or not).

              -t, --time-delay <seconds>
                     Specify a time delay to introduce between successive
                     connection attempts.  This option is used by the fwknop
                     client.  On the server side, fwknopd uses the variables
                     MIN_TIME_DIFF and MAX_TIME_DIFF to control whether the
                     time delay actually means something (i.e. if the
                     MIN_TIME_DIFF is 2 seconds for a SOURCE block, then the
                     argument to the --time-delay option must be at least 2 at
                     the client side).

              -u, --user-rc <rc-file>
                     The default connection rc file the fwknop client uses to
                     know what shared port knocking sequence to send to a
                     destination machine is ~/.fwknoprc.  The path to this
                     file can be changed with the --user-rc command line
                     option.


FILES

       ~/.fwknop.run
              Contains the last command line arguments that the fwknop client
              was invoked with.

       ~/.fwknop.hosts
              Contains the last command line arguments for individual hosts
              that the fwknop client has been used to gain access to.  By
              using the --Last-host switch, these arguments can be recalled
              and used.


ENVIRONMENT:

       GPG_AGENT_INFO (only used in --gpg-agent mode).


EXAMPLES:

       The following examples illustrate the command line arguments that could
       be supplied to the fwknop client in a few situations:

       Access mode examples
              Packet contents printed to stdout at the fwknop client when
              creating an 'access mode' SPA packet:

                      Random data:    6565240948266426
                      Username:       mbr
                      Timestamp:      1203863233
                      Version:        1.9.2
                      Type:           1 (access mode)
                      Access:         127.0.0.2,tcp/22
                      SHA256 sum:     gngquSL8AuM7r27XsR4qPmJhuBo9pG2PYwII06AaJHw

              Use the Single Packet Authorization mode to gain access to
              tcp/22 (ssh) and udp/53 running on the system 10.0.0.123 from
              the IP 192.168.10.4:

              $ fwknop -A 'tcp/22,udp/53' -a 192.168.10.4 -D 10.0.0.123

              Same as the above example, but gain access from whatever source
              IP is seen by the fwknop server (useful if the fwknop client is
              behind a NAT device):

              $ fwknop -A 'tcp/22,udp/53' -s -D 10.0.0.123

              Same as the above example, but use the IP identification website
              http://www.whatismyip.com/ to derive the client IP address.
              This is a safer method of acquiring the client IP address than
              using the -s option, because the source IP is put within the
              encrypted packet instead of having the fwknopd daemon grant the
              requested access to whatever IP address the SPA packet
              originates from:

              $ fwknop -A 'tcp/22,udp/53' -R -D 10.0.0.123

              Use the Single Packet Authorization mode to gain access to
              tcp/22 (ssh) and udp/53 running on the system 10.0.0.123, and
              use GnuPG keys to encrypt and decrypt (signing with the client
              key ABCD1234 and encrypting to the server key 1234ABCD):

              $ fwknop -A 'tcp/22,udp/53' --gpg-signing-key ABCD1234 \
                    --gpg-recipient 1234ABCD -R -D 10.0.0.123

              Instruct the fwknop server running at 10.0.0.123 to allow
              172.16.5.4 to connect to tcp/22, but spoof the authorization
              packet from an IP associated with www.yahoo.com (root is
              required on the client for the raw socket):

              # fwknop --Spoof-src 'www.yahoo.com' -A tcp/22 -a 172.16.5.4 \
                    -D 10.0.0.123

       Command mode examples
              NOTE: Please ensure that ENABLE_CMD_EXEC; is set in the file
              /etc/fwknop/access.conf on the fwknopd server you are attempting
              to connect to.  Packet contents printed to stdout at the fwknop
              client when creating a 'command mode' SPA packet:

                      Random data:    4621962433020664
                      Username:       mbr
                      Timestamp:      1203864394
                      Version:        1.9.2
                      Type:           0 (command mode)
                      Cmd:            echo "The commands sent - minus quote
                                      characters around the command" & sleep 10; echo "The End"
                      SHA256 sum:     eN8c8mNArZxF066iulbxlTK4Gt/EO0ALLYwzVzCkXww

              Instruct the fwknop server running at 10.0.0.123 to send a
              single ICMP echo request to www.yahoo.com:

              $ fwknop --Server-cmd 'ping -c 1 www.yahoo.com' -D 10.0.0.123

       Port-knock mode (legacy) examples
              This connection mode is a legacy mode and is not the preferred
              or recommended mode.

              Packet contents printed to stdout at the fwknop client when in
              'port-knock mode': <TODO>

              Send an encrypted knock sequence to the IP "10.0.0.123"
              instructing the fwknop daemon running there to open tcp port 22
              to source address 192.168.10.4:

              $ fwknop --Server-mode 'knock' -A tcp/22 -a 192.168.10.4 \
                    -D 10.0.0.123

              Same as above, but this time instruct the remote fwknop daemon
              to open tcp port 22 to whatever source address the encrypted
              sequence originates from (useful if the fwknop client is behind
              a NAT device):

              $ fwknop --Server-mode 'knock' -A tcp/22 -s -D 10.0.0.123

              Same as above, but rotate the knock sequence through the tcp and
              udp protocols (remember that iptables must be configured to log
              both tcp and udp packets to the default port range of
              61000-61255):

              $ fwknop --Server-mode 'knock' -A tcp/22 -s -r -D 10.0.0.123

              Same as above, but change the base port for the encrypted
              sequence to 55000 (the default is 61000):

              $ fwknop --Server-mode 'knock' -A tcp/22 -s -r --offset 55000 \
                    -D 10.0.0.123

              Send a shared knock sequence to the IP 10.11.11.123.  The fwknop
              client will read the sequence out of the file ~/.fwknoprc and
              the server will read the sequence out of
              /etc/fwknop/access.conf:

              $ fwknop --Server-mode 'knock' -D 10.11.11.123



DEPENDENCIES

598       fwknop  requires  perl.  To take advantage of all of the authentication
599       and access management features of the fwknopd  daemon/service  a  func‐
600       tioning  iptables firewall is required on the underlying operating sys‐
601       tem.  If fwknop is being run in the legacy  port  knocking  mode,  then
602       iptables must log packets via syslog, and ideally the --log-tcp-options
603       argument will be specified in the iptables logging  rule  so  that  the
604       fwknopd daemon/service will be able to use a strategy similar to p0f to
605       passively fingerprint operating systems.
606
607

DIAGNOSTICS

609       fwknop can be run in debug mode with the --debug command  line  option.
610       This  will disable daemon mode execution, and print verbose information
611       to the screen on STDERR as packets are received.
612
613

SEE ALSO

615       fwknopd(8), iptables(8), gpg(1), gpg-agent(1), knopmd(8), knopwatchd(8),
616       p0f(1).  More information on the differences between port knocking and
617       Single Packet Authorization can be found in the  paper  "Single  Packet
618       Authorization with fwknop" available here:
619       http://www.cipherdyne.org/fwknop/docs/SPA.html
620
621

AUTHOR

623       Michael Rash <mbr@cipherdyne.org>
624
625

CONTRIBUTORS

627       Many people who are active in the open source community  have  contrib‐
628       uted  to  fwknop.  See the CREDITS file in the fwknop sources, or visit
629       http://www.cipherdyne.org/fwknop/docs/contributors.html  to  view   the
630       online list of contributors.
631
632       The  phrase "Single Packet Authorization" was coined by MadHat and Sim‐
633       ple   Nomad   at    the    BlackHat    Briefings    of    2005    (see:
634       http://www.nmrc.org/).   The  term "port knocking" was coined by Martin
635       Krzywinski (see: http://www.portknocking.org/).  The original p0f  pas‐
636       sive  OS fingerprinter was written by Michal Zalewski, and is available
637       here: http://lcamtuf.coredump.cx/p0f.shtml
638
639

BUGS

641       Send bug reports to mbr@cipherdyne.org.   Suggestions  and/or  comments
642       are always welcome as well.
643
644

DISTRIBUTION

646       fwknop  is  distributed under the GNU General Public License (GPL), and
647       the latest version may be downloaded from http://www.cipherdyne.org/
648
649
650
651
652
653Linux                            August, 2009                        FWKNOP(8)