On Mar 28, 2013, Kevin Hilton wrote:
> I can't seem to get the random port option working. I'm using 2.0.4 both
> on server and client (both linux).
> My client syntax is the following:
> fwknop -r -A tcp/2223 -R -D xxxx.com
That client command line syntax looks good.
> On the server, my fwknopd.conf file has the following:
> ENABLE_PCAP_PROMISC Y;
> # Define the filter used for PCAP modes; we default to udp port 62201.
> # However, if an fwknop client uses the --rand-port option to send the
> # SPA packet over a random port, then this variable should be updated to
> # something like "udp dst portrange 10000-65535;".
> # Default is "udp port 62201".
> #PCAP_FILTER udp port 62201;
> PCAP_FILTER udp dst portrange 10000-65535;
> I restarted the fwknop daemon and still couldn't connect when using the -r
> option from the client.
> Is there something I'm missing?
> Do I need to set pcap into promiscuous mode?
You don't need promiscuous mode if you have an IP assigned to the
interface where fwknopd is sniffing (and that is where you are sending
the SPA packet). I've seen cases where older libpcap libraries don't
understand the 'portrange' BPF stuff - just for testing, can you set the
PCAP_FILTER to just 'udp' and give it a try? I just ran the
fwknop-2.0.4 test suite, and the "[Rijndael SPA] [client+server] random
SPA port (tcp/22 ssh)" does appear to work.
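The reply's suspicion (an older libpcap that does not know the `portrange` primitive) can be checked directly on the server before restarting fwknopd, without root and without opening an interface. The following is an added example, not fwknop project code and not part of the thread: it loads the installed libpcap through ctypes, compiles each candidate PCAP_FILTER against a dead Ethernet handle with pcap_open_dead/pcap_compile, and reports libpcap's own error text when a filter is rejected. It assumes libpcap is installed and findable by ctypes.util.find_library; the filter list is the three expressions that appear in the thread (the default, the --rand-port range, and the plain 'udp' fallback).

```python
"""Check whether the local libpcap accepts fwknopd PCAP_FILTER expressions.

Added example (not fwknop project code).  fwknopd hands PCAP_FILTER to
pcap_compile(), so a filter that fails to compile here will fail in the
daemon too.  Compiling against pcap_open_dead() needs no interface and
no privileges.  Assumes libpcap is installed on this host.
"""
import ctypes
import ctypes.util

DLT_EN10MB = 1                    # Ethernet link type, the usual case for fwknopd
PCAP_NETMASK_UNKNOWN = 0xFFFFFFFF  # netmask only matters for 'ip broadcast' filters
SNAPLEN = 65535

# Filters from the thread: fwknopd default, the --rand-port range, the fallback.
CANDIDATE_FILTERS = [
    "udp port 62201",
    "udp dst portrange 10000-65535",
    "udp",
]


class BpfProgram(ctypes.Structure):
    # struct bpf_program { u_int bf_len; struct bpf_insn *bf_insns; };
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]


def _load_pcap():
    """Return a ctypes handle to libpcap with the needed prototypes, or None."""
    path = ctypes.util.find_library("pcap")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.pcap_open_dead.restype = ctypes.c_void_p
    lib.pcap_open_dead.argtypes = [ctypes.c_int, ctypes.c_int]
    lib.pcap_compile.restype = ctypes.c_int
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint]
    lib.pcap_geterr.restype = ctypes.c_char_p
    lib.pcap_geterr.argtypes = [ctypes.c_void_p]
    lib.pcap_freecode.restype = None
    lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
    lib.pcap_close.restype = None
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    return lib


def bpf_compiles(filter_expr, linktype=DLT_EN10MB):
    """Compile filter_expr with the installed libpcap.

    Returns (True, instruction_count) on success, (False, libpcap_error)
    when libpcap rejects the expression, or None if libpcap is not installed.
    """
    lib = _load_pcap()
    if lib is None:
        return None
    handle = lib.pcap_open_dead(linktype, SNAPLEN)
    prog = BpfProgram()
    try:
        rc = lib.pcap_compile(handle, ctypes.byref(prog), filter_expr.encode(),
                              1, PCAP_NETMASK_UNKNOWN)
        if rc != 0:
            # e.g. "syntax error" from a libpcap that predates 'portrange'
            return (False, lib.pcap_geterr(handle).decode(errors="replace"))
        count = prog.bf_len
        lib.pcap_freecode(ctypes.byref(prog))
        return (True, count)
    finally:
        lib.pcap_close(handle)


def check_filters(filters=CANDIDATE_FILTERS):
    """Map each candidate PCAP_FILTER to its bpf_compiles() result."""
    return {f: bpf_compiles(f) for f in filters}


if __name__ == "__main__":
    for expr, result in check_filters().items():
        if result is None:
            print("libpcap not found")
            break
        ok, detail = result
        status = "OK (%d insns)" % detail if ok else "REJECTED: %s" % detail
        print("%-32s %s" % (expr, status))
```

If the portrange filter is rejected and the plain 'udp' one compiles, the daemon is running on a libpcap that lacks the `portrange` primitive; the equivalent test on a host with tcpdump installed is `tcpdump -d 'udp dst portrange 10000-65535'`, which prints the compiled program or the same syntax error.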