Hi all,
First of all, @developers, thanks for your great work.

I'm currently using an iptables approach on one of my machines
which DROPs everything, so explicit ACCEPTs have to be added
for traffic to occur.

# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# FTP in

iptables -A INPUT -i $INTERNAL_INTERFACE -p TCP -m state --state NEW,ESTABLISHED \
--sport $UNPRIVPORTS --dport 21 -s $MY_INT_FTP_CLIENT -d $INTERNAL_IP -j ACCEPT

iptables -A OUTPUT -o $INTERNAL_INTERFACE -p TCP -m state --state ESTABLISHED,RELATED \
--sport 21 --dport $UNPRIVPORTS -s $INTERNAL_IP -d $MY_INT_FTP_CLIENT -j ACCEPT

However, the fwknop/SPA implementation injects only one rule, into the INPUT chain. I also need an OUTPUT rule
to be injected so traffic can flow between both sides (client and server).

Is there any way of doing it / hacking the fwknop code so this could occur?
I thought of implementing it by sending it packed as a command using ENABLE_CMD_EXEC, but my target is to have a win32 client
doing it, and this isn't yet implemented in the GUI fwknopclient.exe (excellent work also).

Any ideas where I should start looking?
Thanks a lot.

Marius Rugan
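The rule pair the post is after, as an added example that is not part of the original message or of fwknop itself: a small POSIX shell helper that adds the client-specific INPUT rule in the same shape as the post's FTP rule, plus one generic conntrack OUTPUT rule (ESTABLISHED,RELATED) that covers the reply direction for every connection accepted on INPUT, so it is added once and only if missing rather than once per SPA client. The IPTABLES variable, the eth1 interface default, the client address 192.168.1.10 and the port numbers are constructed placeholders; the explicit close_spa_access step stands in for fwknop expiring its own rule when its access timeout passes.

```shell
#!/bin/sh
# Added example, not fwknop's own code. Companion rules for an SPA-opened
# port on a host whose INPUT and OUTPUT policies are both DROP.
# IPTABLES is an assumed hook for dry runs: set IPTABLES="echo iptables"
# to print the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
INTERNAL_INTERFACE="${INTERNAL_INTERFACE:-eth1}"   # constructed default

# Client-specific rule in the style of the post's FTP rule and of the one
# rule fwknop injects: accept NEW connections from one client to one port.
input_rule() {
    # $1 = client IP, $2 = destination TCP port
    printf '%s\n' "INPUT -i $INTERNAL_INTERFACE -p tcp -s $1 --dport $2 -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# Reply-side rule: conntrack marks the server's replies to an accepted
# connection as ESTABLISHED, so one generic OUTPUT rule serves every client
# and every port that INPUT lets in. It carries no client address on purpose.
output_rule() {
    printf '%s\n' "OUTPUT -o $INTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Insert a rule only if it is not already present (-C exits non-zero when
# the rule is absent), so repeated SPA opens do not pile up duplicates.
ensure_rule() {
    # shellcheck disable=SC2086
    $IPTABLES -C $1 2>/dev/null || $IPTABLES -I $1
}

# Open the access window for one client/port pair: generic OUTPUT rule
# once, client INPUT rule at the top of the chain (-I) so it precedes
# any later rules that might reject the client.
open_spa_access() {
    ensure_rule "$(output_rule)"
    # shellcheck disable=SC2086
    $IPTABLES -I $(input_rule "$1" "$2")
}

# Close the window by deleting the client rule; the generic OUTPUT rule
# stays, since it only ever matches connections INPUT already accepted.
close_spa_access() {
    # shellcheck disable=SC2086
    $IPTABLES -D $(input_rule "$1" "$2")
}

# Usage: sh spa_rules.sh open 192.168.1.10 21   (constructed client/port)
#        sh spa_rules.sh close 192.168.1.10 21
case "${1-}" in
    open)  open_spa_access "$2" "$3" ;;
    close) close_spa_access "$2" "$3" ;;
esac
```

Run it with IPTABLES="echo iptables" first to see the exact rules it would insert; the point to take from it is that the OUTPUT side needs no per-client rule at all, so a single stateful OUTPUT rule placed once in the base policy makes fwknop's single INPUT rule sufficient on a DROP-everything host.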