Hello Richard,

I was able to find the changes I made to make it work on my Mac.  I have incorporated them into 2.0.1-pre4.  You can download it from http://www.cipherdyne.org/fwknop/download/fwknop-2.0.1-pre4.tar.gz.

You will find that many of the tests still fail.  However, basic access requests do work, as long as the existing firewall rules allow established TCP traffic in a set or rule before the fwknop rules (default set 1, rule 10000, though they can be changed in the fwknopd.conf file).


Regards,

-Damien
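
Added example, not part of the original message or of fwknop itself: a small check over `ipfw list` output confirming that a rule allowing established TCP traffic sits at a lower rule number than the fwknop default start of 10000 mentioned above. The sample listings are constructed, the function names are hypothetical, and the check covers only rule ordering, not whether an earlier deny rule shadows the allow.

```python
import re

FWKNOP_START_RULE = 10000  # default first fwknop rule number, per the message above
ALLOW_ACTIONS = {"allow", "accept", "pass", "permit"}  # ipfw synonyms for "allow"

# Constructed samples of `ipfw list` output (not captured from a real host).
SAMPLE_OK = """\
00100 allow ip from any to any via lo0
09000 allow tcp from any to any established
65535 deny ip from any to any
"""
SAMPLE_MISSING = """\
00100 allow ip from any to any via lo0
65535 deny ip from any to any
"""
SAMPLE_LATE = """\
00100 allow ip from any to any via lo0
20000 allow tcp from any to any established
65535 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(.*)$")


def parse_rules(listing):
    """Return (rule_number, rule_body) pairs from `ipfw list` style text."""
    rules = []
    for line in listing.splitlines():
        match = RULE_RE.match(line.strip())
        if match:
            rules.append((int(match.group(1)), match.group(2)))
    return rules


def established_rule_before(listing, start=FWKNOP_START_RULE):
    """Return the number of the first allow-established TCP rule below
    `start`, or None if no such rule is evaluated before the fwknop rules."""
    for number, body in sorted(parse_rules(listing)):
        if number >= start:
            break  # everything from here on is evaluated after the fwknop rules
        tokens = body.split()
        if tokens and tokens[0] in ALLOW_ACTIONS and "tcp" in tokens and "established" in tokens:
            return number
    return None


if __name__ == "__main__":
    for name, listing in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING), ("late", SAMPLE_LATE)):
        print(name, established_rule_before(listing))
```
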



On Jul 14, 2012, at 8:20 AM, rhaas wrote:

The pre-release fix is great, gets all the way through to the ipfw tests (which Damien Stuart mentioned was a known issue):

$ sudo ./test-fwknop.pl 
Password:

[+] Starting the fwknop test suite...

    args: 

[build] [client] binary exists......................................pass (1)
[build security] [client] Position Independent Executable (PIE).....pass (2)
[build security] [client] stack protected binary....................pass (3)
[build security] [client] fortify source functions..................pass (4)
[build security] [client] read-only relocations.....................pass (5)
[build security] [client] immediate binding.........................pass (6)
[build] [server] binary exists......................................pass (7)
[build security] [server] Position Independent Executable (PIE).....pass (8)
[build security] [server] stack protected binary....................pass (9)
[build security] [server] fortify source functions..................pass (10)
[build security] [server] read-only relocations.....................pass (11)
[build security] [server] immediate binding.........................pass (12)
[build] [libfko] binary exists......................................pass (13)
[build security] [libfko] stack protected binary....................pass (14)
[build security] [libfko] fortify source functions..................pass (15)
[build security] [libfko] read-only relocations.....................pass (16)
[build security] [libfko] immediate binding.........................pass (17)
[preliminaries] [client] usage info.................................pass (18)
[preliminaries] [client] getopt() no such argument..................pass (19)
[preliminaries] [client] --test mode, packet not sent...............pass (20)
[preliminaries] [client] expected code version......................pass (21)
[preliminaries] [server] usage info.................................pass (22)
[preliminaries] [server] getopt() no such argument..................pass (23)
[preliminaries] [server] expected code version......................pass (24)
[preliminaries] collecting system specifics.........................pass (25)
[basic operations] dump config......................................pass (26)
[basic operations] override config..................................pass (27)
[basic operations] [client] --get-key path validation...............pass (28)
[basic operations] [client] require [-s|-R|-a]......................pass (29)
[basic operations] [client] --allow-ip <IP> valid IP................pass (30)
[basic operations] [client] -A <proto>/<port> specification.........pass (31)
[basic operations] [client] generate SPA packet.....................pass (32)
[basic operations] [server] list current fwknopd fw rules...........pass (33)
[basic operations] [server] list all current fw rules...............pass (34)
[basic operations] [server] flush current firewall rules............pass (35)
[basic operations] [server] start...................................ipfw: invalid set command 1

... I'll poke around the ipfw syntax as I have time ... if Damien doesn't unearth his previous correction before I get there.

Thanks, everyone.

--
 Richard Haas <rhaas@rhaas.us>
 GnuPG public key ID: 1CB7F0E2
 blog: http://richardhaas.wordpress.com
 Twitter: @rahaas
--



On Jul 12, 2012, at 10:32 PM, Michael Rash wrote:



On Thu, Jul 12, 2012 at 9:51 PM, Damien Stuart <dstuart@dstuart.org> wrote:
Hi,


Hi Damien,
 
The shared libraries on Mac OS X systems use a different extension (.dylib vs. .so).  If you edit the test-fwknop.pl script at line xx and change "libfko.so" to "libfko.dylib", the test will run.  However, on my Mac, when it gets to the 'ipfw'-related tests, I get "ipfw: invalid set command X" (where X is '1' or '2').

Ah, cool.  I've updated the test suite to account for the different .dylib extension:

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=e250776107d09352765b04cc74113c0bfe3a17de

Here is a new -pre release that contains the fix:

http://www.cipherdyne.org/fwknop/download/fwknop-2.0.1-pre3.tar.gz

$ sha1sum fwknop-2.0.1-pre3.tar.gz
62770f4f1c48b2d99e3f42d8c77d350968973578  fwknop-2.0.1-pre3.tar.gz


I had played with getting fwknopd to work on a Mac several months ago.  I did get it to work after modifying the syntax of the ipfw commands.  I will see if I can find that code and post the specifics here…


Very cool - wish I had a Mac to help develop on.  :)

--Mike

 
Regards,

-Damien Stuart




On Jul 12, 2012, at 9:09 PM, Michael Rash wrote:


On Thu, Jul 12, 2012 at 11:43 AM, rhaas <rhaas@rhaas.us> wrote:
Greetings.

Hello,
 
Is there a pointer to Mac OS X specific build/install instructions for
fwknop?

Nothing specific for Mac OS X currently.
 

Sorry for the noob-ish question, but a search of the list archives
didn't turn anything up.

The client and server build fine but the perl test suite aborts at the
libfko binary check:

./test-fwknop.pl

[+] Starting the fwknop test suite...

     args:

     Saved results from previous run to: output.last/

[build] [client] binary exists......................................pass (1)
[build security] [client] Position Independent Executable (PIE).....pass (2)
[build security] [client] stack protected binary....................pass (3)
[build security] [client] fortify source functions..................pass (4)
[build security] [client] read-only relocations.....................pass (5)
[build security] [client] immediate binding.........................pass (6)
[build] [server] binary exists......................................pass (7)
[build security] [server] Position Independent Executable (PIE).....pass (8)
[build security] [server] stack protected binary....................pass (9)
[build security] [server] fortify source functions..................pass (10)
[build security] [server] read-only relocations.....................pass (11)
[build security] [server] immediate binding.........................pass (12)
[build] [libfko] binary exists......................................fail (13)
[*] required test failed, exiting. at ./test-fwknop.pl line 1314.


The test suite is looking for the file (usually a symbolic link) "../lib/.libs/libfko.so" from the test/ directory.  Can you post the output of 'ls -l ../lib/.libs/libfko*'?  It should look something like:

$ ls -l ../lib/.libs/libfko*
-rw-r--r-- 1 mbr mbr 589656 Jul 10 22:07 lib/.libs/libfko.a
lrwxrwxrwx 1 mbr mbr     12 Jul 10 22:07 lib/.libs/libfko.la -> ../libfko.la
-rw-r--r-- 1 mbr mbr    987 Jul 10 22:07 lib/.libs/libfko.lai
lrwxrwxrwx 1 mbr mbr     15 Jul 10 22:07 lib/.libs/libfko.so -> libfko.so.0.0.3
lrwxrwxrwx 1 mbr mbr     15 Jul 10 22:07 lib/.libs/libfko.so.0 -> libfko.so.0.0.3
-rwxr-xr-x 1 mbr mbr 282950 Jul 10 22:07 lib/.libs/libfko.so.0.0.3

This is on an Ubuntu system, so there may be some differences on Mac OS X that the test suite will need to account for.

Thanks,

--Mike


 

... presumably there are still some pieces to build.

Thanks.

--
  Richard Haas <rhaas@rhaas.us>
  GnuPG public key ID: 1CB7F0E2
  blog: http://richardhaas.wordpress.com
  Twitter: @rahaas
--



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss



--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F