Thanks Jonathan,

This is great!

I agree with you on separating the server and client packages, as well as foregoing the GPG authentication in the initial release(s) (less dependencies, significant reduction in size, etc., makes initial adoption a bit easier).

-Damien


On 07/19/2011 10:52 PM, Jonathan Bennett wrote:
Damien, I have put together the patch that adds fwknopd to openwrt. It
may need a few tweaks, but I'm volunteering to keep the openwrt
version up to date.

I've sent it on to the openwrt guys. Hopefully it will get added
soon-ish. I have a bit more testing to do before I'm totally
satisfied, but it is running on my router right now.

I've opted to just compile the server half of the program, and not
include the gpg authentication in this first version. I'd like to go
back and try to add gpg as an option in the openwrt build. (and add
the client as a separate package)

Feel free to add any comments.
~Jonathan Bennett

Just in case you want it, here's the patch

Index: net/fwknop/Makefile
===================================================================
--- net/fwknop/Makefile (revision 0)
+++ net/fwknop/Makefile (revision 0)
@@ -0,0 +1,61 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fwknopd
+PKG_VERSION:=2.0.0rc2
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fwknop-$(PKG_VERSION)
+PKG_SOURCE:=fwknop-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download
+PKG_MD5SUM:=c78252216fa9627cacf61b453da915a8
+PKG_CAT:=zcat
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fwknopd
+       SECTION:=net
+       CATEGORY:=Network
+       DEFAULT:=n
+       TITLE:=Firewall Knock Operator Daemon
+       URL:=http://http://www.cipherdyne.org/fwknop/
+       MAINTAINER:=Jonathan Bennett <jbscience87@gmail.com>
+       DEPENDS:=+libpcap +libgdbm +iptables
+endef
+
+define Package/fwknopd/description
+       Firewall Knock Operator Daemon
+       Fwknop implements an authorization scheme known as Single Packet
+       Authorization (SPA) for Linux systems running iptables.  This mechanism
+       requires only a single encrypted and non-replayed packet to communicate
+       various pieces of information including desired access through
an iptables
+       policy. The main application of this program is to use iptables in a
+       default-drop stance to protect services such as SSH with an additional
+       layer of security in order to make the exploitation of vulnerabilities
+       (both 0-day and unpatched code) much more difficult.
+endef
+
+define Package/Conffiles
+       fwknopd.conf
+endef
+
+CONFIGURE_ARGS += \
+       --disable-client \
+       --without-gpgme \
+       --with-iptables=/usr/sbin/iptables
+
+
+
+define Package/fwknopd/install
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(INSTALL_DIR) $(1)/etc/fwknop
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_DIR) $(1)/usr/lib
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/extras/fwknop.init.openwrt
$(1)/etc/init.d/fwknopd
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/server/.libs/fwknopd $(1)/usr/sbin/
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2
$(1)/usr/lib/libfko.so.0
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2
$(1)/usr/lib/libfko.so.0.0.2
+       $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/fwknopd.conf $(1)/etc/fwknop/
+       $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/access.conf $(1)/etc/fwknop/
+
+endef
+
+$(eval $(call BuildPackage,fwknopd))