On Jul 24, 2010, William Price wrote:
> Hello all,
Hi Will,
> This is my first time trying to set up fwknopd; I'm installing into a new Fedora 13 box. I've been searching the archives and other Web sources, but haven't been able to come across this particular problem. Any assistance would be greatly appreciated.
This is an interesting one.
> Essentially, I can get fwknopd to add a rule to the iptables firewall but it fails to remove the rule(s) after they expire. I don't recall seeing this in the instructions, but I found that I had to define the FWKNOP_INPUT chain manually in the iptables configuration, though fwknop takes care of adding the rules itself.
Typically the FWKNOP_INPUT chain is not created by fwknopd until
it actually needs to be there - i.e. when it receives the first
valid SPA packet. And, fwknopd runs a check to see if the FWKNOP_INPUT
chain is there whenever an SPA packet is received because it is
possible that an iptables-restore (or usage of "iptables -X") could
have removed the chain out from under fwknopd as it runs.
> This is pretty much a virgin box, with very little changed other than updating packages with yum and adding a few firewall rules. It's currently on my home network but will be eventually hosted in a proper environment. I mention this because I'm not entirely sure what the correct value of the 'hostname' parameter should be in fwknop.conf; right now I have it set to 'localhost'. That file is essentially unchanged from the RPM install, except that I set the following:
>
> EMAIL_ADDRESS sysadmin@...;
> ENABLE_PROC_IP_FORWARD N;
> ENABLE_VOLUNTARY_EXITS Y; # have tried with this set 'N' as well
> LOCALE NONE;
> ALERTING_METHODS noemail;
> IPT_EXEC_SLEEP 1;
> IPT_EXEC_STYLE waitpid; # default, listed in case someone asks
Those settings look fine. We'll get things working without enabling
the ENABLE_VOLUNTARY_EXITS feature - I would recommend setting that
to N.
More below...
> The server is on the local network as: 10.0.1.13
> My workstation is the "remote" client: 10.0.1.10
>
> [client]$ fwknop -D 10.0.1.13 -s -A tcp/1001
>
> [+] Starting fwknop client (SPA mode)...
> [+] Enter an encryption key. This key must match a key in the file
> /etc/fwknop/access.conf on the remote system.
>
> Encryption Key:
>
> [+] Building encrypted Single Packet Authorization (SPA) message...
> [+] Packet fields:
>
> Random data: 6294295835114171
> Username: xxxxx
> Timestamp: 1279994273
> Version: 1.9.12
> Type: 1 (access mode)
> Access: 0.0.0.0,tcp/1001
> SHA256 digest: 0xxTlyesbtI2SYWfBqK9WsxPcAYDnJlp2ep49rgPcNA
>
> [+] Sending 182 byte message to 10.0.1.13 over udp/62201...
>
> # about 40 seconds later:
> [client]$ fwknop -Last-host 10.0.1.13
> ... same as above ...
>
>
> =====================
> installed packages:
>
> kernel 2.6.33.6-147.fc13.x86_64
> iptables 1.4.7-2.fc13.x86_64
>
> perl 5.10.1-114.fc13.x86_64
>
> fwknop 1.9.12-1.x86_64
>
>
> =====================
> /etc/fwknop/access.conf:
>
> SOURCE: ANY;
> OPEN_PORTS: tcp/22, tcp/1001;
> KEY: xxxx;
> FW_ACCESS_TIMEOUT: 30;
>
> =====================
>
> /etc/sysconfig/iptables:
>
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :FWKNOP_INPUT - [0:0]
>
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> -A INPUT -p tcp -m tcp -m state --state NEW --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp -m multiport -m state --state NEW --dports 80,443 -j ACCEPT
> -A INPUT -p tcp -m tcp -m state --state NEW -s 10.0.1.0/24 --dport 22 -j ACCEPT
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
>
> =====================
>
> syslog:
>
> kernel: device eth0 entered promiscuous mode
> fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
> fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
> fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
> fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
>
> fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
>
> fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
>
>
> =====================
> # iptables -L INPUT
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> FWKNOP_INPUT all -- anywhere anywhere #note: added by fwknopd
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere #note: -i lo rule
> ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
> ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https state NEW
> ACCEPT tcp -- 10.0.1.0/24 anywhere tcp dpt:ssh state NEW
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> =====================
>
> # iptables -L FWKNOP_INPUT
>
> Chain FWKNOP_INPUT (2 references)
>
> target prot opt source destination
>
> ACCEPT tcp -- 10.0.1.10 anywhere tcp dpt:1001
>
> ACCEPT tcp -- 10.0.1.10 anywhere tcp dpt:1001
>
>
> =====================
> `knoptm --debug` output:
>
> Received line: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
>
> ...
>
> [+] Expiring rule: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
> [+] IPTables::Parse::VERSION 0.7
> [+] IPTables::Parse::exec_iptables(waitpid()) /sbin/iptables -t -filter -v- n -L FWKNOP_INPUT
> [+] IPTables::Parse::exec_iptables() sleep seconds: 1
> [+] IPTables::Parse: sleeping for 1 seconds before executing iptables command.
> [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x1d494f8)
> iptables command stdout:
> iptables command stderr:
> [-] exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
>
> (the above block is repeated multiple times prior to the 'exceeded' message line)
It occurs to me that I need to add more verbose debug output in the
IPTables::ChainMgr and IPTables::Parse modules so that we can have
more visibility. It looks like find_ip_rule() cannot actually find
the rule that was added by fwknopd. However, could you run the
fwknop test suite on that system and send me the anonymized output?
You can do this by downloading the fwknop-1.9.12 sources, changing to
the test/ directory, and then running:
# ./fwknop_test.pl
And then run:
# ./fwknop_test.pl -P
The end result will be a tarball of the test results in the test/
directory. Can you send that to me?
Thanks,
--Mike
> Thanks in advance!
> -- Will
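The failure mode in this thread is that knoptm's find_ip_rule() never locates the ACCEPT rule fwknopd added, so the rule outlives its FW_ACCESS_TIMEOUT and, as the FWKNOP_INPUT listing shows, duplicates pile up. The following shell script is an added example (not code from the thread, fwknop, or the IPTables::Parse module) that does the same lookup by hand, so an administrator can check whether expired rules are still present. It assumes the chain was listed with `iptables -t filter -v -n -L FWKNOP_INPUT --line-numbers` (the thread's debug output omits `--line-numbers`, which is what makes the rule number available for a later `-D`), and the listing it parses is a constructed sample that mirrors the two stale rules reported above.

```shell
#!/bin/sh
# Added example, not fwknop's own code: locate fwknopd ACCEPT rules in a
# FWKNOP_INPUT listing the way knoptm's find_ip_rule() must, so the state
# reported in the thread (rules that survive FW_ACCESS_TIMEOUT) can be
# verified by hand. Assumes the listing came from:
#   iptables -t filter -v -n -L FWKNOP_INPUT --line-numbers
# Field layout of that output: num pkts bytes target prot opt in out
# source destination [match text...]

# Constructed sample listing (not captured from a real host): two identical
# ACCEPT rules for 10.0.1.10 -> 0.0.0.0/0 tcp/1001, matching the thread.
SAMPLE_LISTING='Chain FWKNOP_INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       10.0.1.10            0.0.0.0/0            tcp dpt:1001
2        0     0 ACCEPT     tcp  --  *      *       10.0.1.10            0.0.0.0/0            tcp dpt:1001'

# find_ip_rule LISTING SRC PROTO DPORT
# Prints the number of the first ACCEPT rule for SRC -> 0.0.0.0/0 PROTO/DPORT.
# Returns 1 (prints nothing) when no such rule exists, which is the case
# knoptm reports as "exceeded max removal tries".
find_ip_rule() {
    listing=$1; src=$2; proto=$3; dport=$4
    num=$(printf '%s\n' "$listing" | awk -v src="$src" -v proto="$proto" -v dport="$dport" '
        $4 == "ACCEPT" && $5 == proto && $9 == src && $10 == "0.0.0.0/0" \
            && $12 == ("dpt:" dport) { print $1; exit }')
    [ -n "$num" ] || return 1
    printf '%s\n' "$num"
}

# count_ip_rules LISTING SRC PROTO DPORT
# Prints how many matching ACCEPT rules are present; anything above 1 means
# an earlier rule was never removed and a new SPA packet added another copy.
count_ip_rules() {
    listing=$1; src=$2; proto=$3; dport=$4
    printf '%s\n' "$listing" | awk -v src="$src" -v proto="$proto" -v dport="$dport" '
        $4 == "ACCEPT" && $5 == proto && $9 == src && $10 == "0.0.0.0/0" \
            && $12 == ("dpt:" dport) { n++ }
        END { print n + 0 }'
}

# Stand-alone usage against the constructed sample. On a real host replace
# SAMPLE_LISTING with the output of the iptables command named above; the
# rule number printed is the argument for "iptables -t filter -D FWKNOP_INPUT <num>".
if num=$(find_ip_rule "$SAMPLE_LISTING" 10.0.1.10 tcp 1001); then
    echo "first matching rule is number $num"
    echo "matching rules present: $(count_ip_rules "$SAMPLE_LISTING" 10.0.1.10 tcp 1001)"
else
    echo "no matching rule found"
fi
```

Running the listing through count_ip_rules after each expected expiry is a quick way to confirm whether knoptm is actually removing rules: the count should return to 0 once FW_ACCESS_TIMEOUT has passed, and a count that only grows is the symptom described in the syslog excerpt above.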