Hello all,

This is my first time trying to set up fwknopd; I'm installing into a new Fedora 13 box.  I've been searching the archives and other Web sources, but haven't been able to come across this particular problem.  Any assistance would be greatly appreciated.

Essentially, I can get fwknopd to add a rule to the iptables firewall but it fails to remove the rule(s) after they expire.  I don't recall seeing this in the instructions, but I found that I had to define the FWKNOP_INPUT chain manually in the iptables configuration, though fwknop takes care of adding the rules itself.

This is pretty much a virgin box, with very little changed other than updating packages with yum and adding a few firewall rules.  It's currently on my home network but will be eventually hosted in a proper environment.  I mention this because I'm not entirely sure what the correct value of the 'hostname' parameter should be in fwknop.conf; right now I have it set to 'localhost'.  That file is essentially unchanged from the RPM install, except that I set the following:

EMAIL_ADDRESS            sysadmin@xxxxxx;
ENABLE_PROC_IP_FORWARD   N;
ENABLE_VOLUNTARY_EXITS   Y;  # have tried with this set 'N' as well
LOCALE                   NONE;
ALERTING_METHODS         noemail;
IPT_EXEC_SLEEP           1;
IPT_EXEC_STYLE           waitpid; # default, listed in case someone asks


The server is on the local network as: 10.0.1.13
My workstation is the "remote" client: 10.0.1.10

[client]$ fwknop -D 10.0.1.13 -s -A tcp/1001

[+] Starting fwknop client (SPA mode)...
[+] Enter an encryption key. This key must match a key in the file
    /etc/fwknop/access.conf on the remote system.

Encryption Key:

[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:

        Random data:    6294295835114171
        Username:       xxxxx
        Timestamp:      1279994273
        Version:        1.9.12
        Type:           1   (access mode)
        Access:         0.0.0.0,tcp/1001
        SHA256 digest:  0xxTlyesbtI2SYWfBqK9WsxPcAYDnJlp2ep49rgPcNA

[+] Sending 182 byte message to 10.0.1.13 over udp/62201...

# about 40 seconds later:
[client]$ fwknop -Last-host 10.0.1.13
... same as above ...


=====================
installed packages:

kernel    2.6.33.6-147.fc13.x86_64
iptables  1.4.7-2.fc13.x86_64
perl      5.10.1-114.fc13.x86_64
fwknop    1.9.12-1.x86_64

=====================
/etc/fwknop/access.conf:

SOURCE: ANY;
OPEN_PORTS: tcp/22, tcp/1001;
KEY: xxxx;
FW_ACCESS_TIMEOUT: 30;

=====================
/etc/sysconfig/iptables:

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWKNOP_INPUT - [0:0]

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m tcp -m state --state NEW --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -m state --state NEW --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -s 10.0.1.0/24 --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


=====================
syslog:

kernel: device eth0 entered promiscuous mode
fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache

=====================
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target        prot opt source        destination
FWKNOP_INPUT  all  --  anywhere      anywhere     #note: added by fwknopd
ACCEPT        all  --  anywhere      anywhere     state RELATED,ESTABLISHED
ACCEPT        icmp --  anywhere      anywhere
ACCEPT        all  --  anywhere      anywhere     #note: -i lo rule
ACCEPT        tcp  --  anywhere      anywhere     tcp dpt:smtp state NEW
ACCEPT        tcp  --  anywhere      anywhere     tcp multiport dports http,https state NEW
ACCEPT        tcp  --  10.0.1.0/24   anywhere     tcp dpt:ssh state NEW
REJECT        all  --  anywhere      anywhere     reject-with icmp-host-prohibited

=====================
# iptables -L FWKNOP_INPUT
Chain FWKNOP_INPUT (2 references)
target  prot opt source        destination
ACCEPT  tcp  --  10.0.1.10     anywhere       tcp dpt:1001
ACCEPT  tcp  --  10.0.1.10     anywhere       tcp dpt:1001

=====================
`knoptm --debug` output:

Received line: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0


...

[+] Expiring rule: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
[+] IPTables::Parse::VERSION 0.7
[+] IPTables::Parse::exec_iptables(waitpid()) /sbin/iptables -t -filter -v- n -L FWKNOP_INPUT
[+] IPTables::Parse::exec_iptables() sleep seconds: 1
[+] IPTables::Parse: sleeping for 1 seconds before executing iptables command.
[+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x1d494f8)
    iptables command stdout:
    iptables command stderr:
[-] exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache

(the above block is repeated multiple times prior to the 'exceeded' message line)


Thanks in advance!
-- Will
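A stale-rule check for the symptom described above, as an added example that is not part of the original post or of fwknop itself: it parses the knoptm cache line quoted in the post together with a constructed `iptables -n -L FWKNOP_INPUT` listing and flags ACCEPT rules that are still present after their access window (timestamp + FW_ACCESS_TIMEOUT) has closed. The cache-line field positions it relies on (timestamp, timeout, source, port, protocol, chain, target) are assumptions read off the quoted line, and the listing is in numeric (`-n`) form rather than the hostname form shown in the post.

```python
"""Detect fwknopd access rules left open past their timeout (added example).

Field layout of the knoptm cache line is assumed from the line quoted in
the post; only the fields named below are interpreted."""
import re
import time

# Constructed sample input: the cache line from the post, plus the
# FWKNOP_INPUT chain as `iptables -n -L FWKNOP_INPUT` would print it.
CACHE_LINES = [
    "1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0",
]
IPTABLES_LISTING = """Chain FWKNOP_INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.0.1.10            0.0.0.0/0            tcp dpt:1001
ACCEPT     tcp  --  10.0.1.10            0.0.0.0/0            tcp dpt:1001
"""

def parse_cache_line(line):
    # Assumed layout: <start-ts> <timeout-s> <src> <?> <dst> <port> <proto> <table> <chain> <target> ...
    f = line.split()
    return {"start": int(f[0]), "timeout": int(f[1]), "src": f[2],
            "port": f[5], "proto": f[6], "chain": f[8], "target": f[9]}

# target  proto  opt  source  destination ... dpt:<port>
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+(\S+)\s+(\S+)\s+.*?dpt:(\d+)")

def parse_listing(text):
    """Return the ACCEPT-style rules found in an `iptables -n -L` listing."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            target, proto, src, dst, port = m.groups()
            rules.append({"target": target, "proto": proto, "src": src, "port": port})
    return rules

def stale_rules(cache_lines, listing, now):
    """Return (rule, seconds_overdue) for listed rules whose window has expired."""
    expiry = {}
    for c in map(parse_cache_line, cache_lines):
        expiry[(c["src"], c["proto"], c["port"])] = c["start"] + c["timeout"]
    stale = []
    for r in parse_listing(listing):
        key = (r["src"], r["proto"], r["port"])
        if key in expiry and now > expiry[key]:
            stale.append((r, now - expiry[key]))
    return stale

if __name__ == "__main__":
    for rule, overdue in stale_rules(CACHE_LINES, IPTABLES_LISTING, int(time.time())):
        print("STALE %s -> %s/%s, %d s past timeout" % (rule["src"], rule["proto"], rule["port"], overdue))
```

On a live box, feed it the knoptm cache lines and the real `iptables -n -L FWKNOP_INPUT` output instead of the constructed samples; any hit means knoptm's removal is failing, exactly the condition the syslog "exceeded max removal tries" line reports.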