Thread: [Fwknop-discuss] fwknop in openwrt
From: Jonathan B. <jbs...@gm...> - 2011-07-18 16:36:55
I know there are binaries compiled for Openwrt, but only the Mipsel target. Would there be any interest in including fwknop in openwrt? I would personally find it useful to be able to build it for any platform, and include it in images I compile.

I would want to split the basic fwknop server from the gpg support, and make the gpg an optional addon. Flash space is scarce, so no use in installing everything if I'm not going to use that functionality.

I suppose I'm volunteering to try to package fwknop for openwrt. It'll take me a while to figure everything out, and I'm open to comments. (Like if Michael absolutely doesn't want it included in openwrt. That would be an important comment.)

~Jonathan Bennett
From: Damien S. <ds...@ds...> - 2011-07-18 17:49:08
Hi Jonathan,

By all means, go for it. I think including fwknop in openwrt is a great idea. I did the first build as part of a learning exercise to see what it would take to get fwknop server up on the openwrt platform. I did only mipsel, because that was the only platform I could test on.

I will be glad to provide any support I can to assist you on this...

Regards,

-Damien Stuart

On Jul 18, 2011, at 12:36 PM, Jonathan Bennett wrote:

> I know there are binaries compiled for Openwrt, but only the Mipsel
> target. Would there be any interest in including fwknop in openwrt? I
> would personally find it useful to be able to build it for any
> platform, and include it in images I compile.
>
> I would want to split the basic fwknop server from the gpg support,
> and make the gpg an optional addon. Flash space is scarce, so no use
> in installing everything if I'm not going to use that functionality.
>
> I suppose I'm volunteering to try to package fwknop for openwrt. It'll
> take me a while to figure everything out, and I'm open to comments.
> (Like if Michael absolutely doesn't want it included in openwrt. That
> would be an important comment.)
>
> ~Jonathan Bennett
>
> _______________________________________________
> Fwknop-discuss mailing list
> Fwk...@li...
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
From: Jonathan B. <jbs...@gm...> - 2011-07-20 02:55:55
Damien, I have put together the patch that adds fwknopd to openwrt. It may need a few tweaks, but I'm volunteering to keep the openwrt version up to date.

I've sent it on to the openwrt guys. Hopefully it will get added soon-ish. I have a bit more testing to do before I'm totally satisfied, but it is running on my router right now.

I've opted to just compile the server half of the program, and not include the gpg authentication in this first version. I'd like to go back and try to add gpg as an option in the openwrt build. (and add the client as a separate package)

Feel free to add any comments.

~Jonathan Bennett

Just in case you want it, here's the patch

Index: net/fwknop/Makefile =================================================================== --- net/fwknop/Makefile (revision 0) +++ net/fwknop/Makefile (revision 0)
@@ -0,0 +1,61 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=fwknopd +PKG_VERSION:=2.0.0rc2 +PKG_RELEASE:=1 + +PKG_BUILD_DIR:=$(BUILD_DIR)/fwknop-$(PKG_VERSION) +PKG_SOURCE:=fwknop-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download +PKG_MD5SUM:=c78252216fa9627cacf61b453da915a8 +PKG_CAT:=zcat +include $(INCLUDE_DIR)/package.mk + +define Package/fwknopd + SECTION:=net + CATEGORY:=Network + DEFAULT:=n + TITLE:=Firewall Knock Operator Daemon + URL:=http://http://www.cipherdyne.org/fwknop/ + MAINTAINER:=Jonathan Bennett <jbs...@gm...> + DEPENDS:=+libpcap +libgdbm +iptables +endef + +define Package/fwknopd/description + Firewall Knock Operator Daemon + Fwknop implements an authorization scheme known as Single Packet + Authorization (SPA) for Linux systems running iptables. This mechanism + requires only a single encrypted and non-replayed packet to communicate + various pieces of information including desired access through an iptables + policy. The main application of this program is to use iptables in a + default-drop stance to protect services such as SSH with an additional + layer of security in order to make the exploitation of vulnerabilities + (both 0-day and unpatched code) much more difficult. 
+endef + +define Package/Conffiles + fwknopd.conf +endef + +CONFIGURE_ARGS += \ + --disable-client \ + --without-gpgme \ + --with-iptables=/usr/sbin/iptables + + + +define Package/fwknopd/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_DIR) $(1)/etc/fwknop + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_DIR) $(1)/usr/lib + $(INSTALL_BIN) $(PKG_BUILD_DIR)/extras/fwknop.init.openwrt $(1)/etc/init.d/fwknopd + $(INSTALL_BIN) $(PKG_BUILD_DIR)/server/.libs/fwknopd $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2 $(1)/usr/lib/libfko.so.0 + $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2 $(1)/usr/lib/libfko.so.0.0.2 + $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/fwknopd.conf $(1)/etc/fwknop/ + $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/access.conf $(1)/etc/fwknop/ + +endef + +$(eval $(call BuildPackage,fwknopd)) |
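Review bot: the conffiles block in this hunk is declared as `define Package/Conffiles`, unlike every other section here (`Package/fwknopd`, `Package/fwknopd/description`, `Package/fwknopd/install`), so package.mk will not associate it with the fwknopd package and nothing is marked as a conffile; rename it to `Package/fwknopd/conffiles`, give the entry its installed path (`/etc/fwknop/fwknopd.conf` rather than the bare `fwknopd.conf`), and add `/etc/fwknop/access.conf`, which holds the SPA keys and is otherwise replaced by the stock file on package upgrade. Two smaller points in the same hunk: `URL:=http://http://www.cipherdyne.org/fwknop/` doubles the scheme, and the install rule hardcodes `libfko.so.0.0.2` for both library copies, which breaks the build as soon as a PKG_VERSION bump changes the library version; copying `lib/.libs/libfko.so*` (or packaging libfko on its own) avoids that.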
From: Damien S. <ds...@ds...> - 2011-07-20 03:02:51
Thanks Jonathan,

This is great! I agree with you on separating the server and client packages, as well as foregoing the GPG authentication in the initial release(s) (less dependencies, significant reduction in size, etc., makes initial adoption a bit easier).

-Damien

On 07/19/2011 10:52 PM, Jonathan Bennett wrote:

> Damien, I have put together the patch that adds fwknopd to openwrt. It
> may need a few tweaks, but I'm volunteering to keep the openwrt
> version up to date.
>
> I've sent it on to the openwrt guys. Hopefully it will get added
> soon-ish. I have a bit more testing to do before I'm totally
> satisfied, but it is running on my router right now.
>
> I've opted to just compile the server half of the program, and not
> include the gpg authentication in this first version. I'd like to go
> back and try to add gpg as an option in the openwrt build. (and add
> the client as a separate package)
>
> Feel free to add any comments.
> ~Jonathan Bennett
>
> Just in case you want it, here's the patch
>
> Index: net/fwknop/Makefile > =================================================================== > --- net/fwknop/Makefile (revision 0) > +++ net/fwknop/Makefile (revision 0)
> @@ -0,0 +1,61 @@ > +include $(TOPDIR)/rules.mk > + > +PKG_NAME:=fwknopd > +PKG_VERSION:=2.0.0rc2 > +PKG_RELEASE:=1 > + > +PKG_BUILD_DIR:=$(BUILD_DIR)/fwknop-$(PKG_VERSION) > +PKG_SOURCE:=fwknop-$(PKG_VERSION).tar.gz > +PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download > +PKG_MD5SUM:=c78252216fa9627cacf61b453da915a8 > +PKG_CAT:=zcat > +include $(INCLUDE_DIR)/package.mk > + > +define Package/fwknopd > + SECTION:=net > + CATEGORY:=Network > + DEFAULT:=n > + TITLE:=Firewall Knock Operator Daemon > + URL:=http://http://www.cipherdyne.org/fwknop/ > + MAINTAINER:=Jonathan Bennett <jbs...@gm...> > + DEPENDS:=+libpcap +libgdbm +iptables > +endef > + > +define Package/fwknopd/description > + Firewall Knock Operator Daemon > + Fwknop implements an authorization scheme known as Single Packet > + Authorization (SPA) for Linux systems running iptables. This mechanism > + requires only a single encrypted and non-replayed packet to communicate > + various pieces of information including desired access through > an iptables > + policy. The main application of this program is to use iptables in a > + default-drop stance to protect services such as SSH with an additional > + layer of security in order to make the exploitation of vulnerabilities > + (both 0-day and unpatched code) much more difficult. 
> +endef > + > +define Package/Conffiles > + fwknopd.conf > +endef > + > +CONFIGURE_ARGS += \ > + --disable-client \ > + --without-gpgme \ > + --with-iptables=/usr/sbin/iptables > + > + > + > +define Package/fwknopd/install > + $(INSTALL_DIR) $(1)/usr/sbin > + $(INSTALL_DIR) $(1)/etc/fwknop > + $(INSTALL_DIR) $(1)/etc/init.d > + $(INSTALL_DIR) $(1)/usr/lib > + $(INSTALL_BIN) $(PKG_BUILD_DIR)/extras/fwknop.init.openwrt > $(1)/etc/init.d/fwknopd > + $(INSTALL_BIN) $(PKG_BUILD_DIR)/server/.libs/fwknopd $(1)/usr/sbin/ > + $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2 > $(1)/usr/lib/libfko.so.0 > + $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2 > $(1)/usr/lib/libfko.so.0.0.2 > + $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/fwknopd.conf $(1)/etc/fwknop/ > + $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/access.conf $(1)/etc/fwknop/ > + > +endef > + > +$(eval $(call BuildPackage,fwknopd)) > |
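The split that Jonathan proposes and Damien endorses above (server and client as separate packages, GPG as an optional add-on) can be expressed in one OpenWrt feed Makefile. The following is an added example written for this thread; it is not Jonathan's patch and not a file from the fwknop or OpenWrt projects. The source URL, checksum, build directory and the server's binary, init script and config paths are taken from the patch earlier in the thread. The `FWKNOP_GPG` config symbol, the `libgpgme` package name, the `client/.libs/fwknop` client binary path, the maintainer placeholder and the `--with-gpgme` flag (as the autoconf counterpart of the `--without-gpgme` used in the patch) are assumptions.

```makefile
# Added example: one source tarball, three packages (libfko, fwknopd,
# fwknop-client), GnuPG support gated behind a menuconfig switch.
include $(TOPDIR)/rules.mk

PKG_NAME:=fwknop
PKG_VERSION:=2.0.0rc2
PKG_RELEASE:=1

PKG_SOURCE:=fwknop-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download
PKG_MD5SUM:=c78252216fa9627cacf61b453da915a8
PKG_BUILD_DIR:=$(BUILD_DIR)/fwknop-$(PKG_VERSION)

# Rebuild when the GPG switch flips. FWKNOP_GPG is an assumed symbol name.
PKG_CONFIG_DEPENDS:=CONFIG_FWKNOP_GPG

include $(INCLUDE_DIR)/package.mk

define Package/fwknop/Default
  SECTION:=net
  CATEGORY:=Network
  URL:=http://www.cipherdyne.org/fwknop/
  MAINTAINER:=maintainer@example.invalid
endef

# libgpgme is an assumed OpenWrt package name for gpgme; it is pulled in
# only when the switch is on, so a default build stays small.
define Package/libfko
  $(call Package/fwknop/Default)
  TITLE:=fwknop SPA packet library
  DEPENDS:=+FWKNOP_GPG:libgpgme
endef

define Package/fwknopd
  $(call Package/fwknop/Default)
  TITLE:=Firewall Knock Operator Daemon (SPA server)
  DEPENDS:=+libfko +libpcap +iptables
endef

define Package/fwknop-client
  $(call Package/fwknop/Default)
  TITLE:=Firewall Knock Operator client
  DEPENDS:=+libfko
endef

# One menuconfig switch, visible once libfko is selected by either package.
define Package/libfko/config
config FWKNOP_GPG
	bool "Build fwknop with GnuPG (gpgme) authentication"
	depends on PACKAGE_libfko
	default n
endef

# Both files are preserved across opkg upgrades; access.conf holds the SPA keys.
define Package/fwknopd/conffiles
/etc/fwknop/fwknopd.conf
/etc/fwknop/access.conf
endef

# --with-gpgme is assumed as the counterpart of --without-gpgme.
CONFIGURE_ARGS += \
	--with-iptables=/usr/sbin/iptables \
	$(if $(CONFIG_FWKNOP_GPG),--with-gpgme,--without-gpgme)

# Copy every libfko.so* so a library version bump does not break the rule.
define Package/libfko/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_BUILD_DIR)/lib/.libs/libfko.so* $(1)/usr/lib/
endef

define Package/fwknopd/install
	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/fwknop $(1)/etc/init.d
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/server/.libs/fwknopd $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/extras/fwknop.init.openwrt $(1)/etc/init.d/fwknopd
	$(INSTALL_CONF) $(PKG_BUILD_DIR)/server/fwknopd.conf $(1)/etc/fwknop/
	$(INSTALL_CONF) $(PKG_BUILD_DIR)/server/access.conf $(1)/etc/fwknop/
endef

# client/.libs/fwknop is an assumed path, mirroring server/.libs/fwknopd.
define Package/fwknop-client/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/client/.libs/fwknop $(1)/usr/bin/
endef

$(eval $(call BuildPackage,libfko))
$(eval $(call BuildPackage,fwknopd))
$(eval $(call BuildPackage,fwknop-client))
```

Selecting `fwknopd` in menuconfig pulls in `libfko` and exposes the GPG switch; leaving the switch off keeps gpgme and its dependency chain out of the image, which is the flash-space goal stated in the thread. Listing `access.conf` under `conffiles` matters more than it looks: it is the file that carries the SPA keys, and a file not listed there is replaced by the packaged copy on upgrade.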
From: Jonathan B. <jbs...@gm...> - 2011-08-10 20:30:06
Not sure why, but it's taking the openwrt folks a while to pull fwknop into trunk. Until that happens, if any of you want to play around with the binaries, let me know what target you're running on, and I'll be happy to send you the .ipk file.

~Jonathan Bennett
From: Michael R. <mb...@ci...> - 2011-08-15 02:09:04
On Aug 10, 2011, Jonathan Bennett wrote:

> Not sure why, but it's taking the openwrt folks a while to pull fwknop
> into trunk. Until that happens, if any of you want to play around with
> the binaries, let me know what target you're running on, and I'll be
> happy to send you the .ipk file.

I've applied your patch to the "optional_dbm_support" branch in fwknop:

http://cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=e7d275ee312c618c3233a504c5aa54b72312f39a

This branch is just about ready to be merged back to master, and gdbm/ndbm are not needed anymore by default so I changed your patch slightly to remove the +libgdbm requirement. (Can be enabled if necessary with the --disable-file-cache argument to the configure script in fwknop.)

A new rc release will be made soon for anyone who would like to test the latest fwknop code. You can clone the repository via:

$ git clone http://www.cipherdyne.org/git/fwknop.git

Thanks,

--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271

> ~Jonathan Bennett
>
> _______________________________________________
> Fwknop-discuss mailing list
> Fwk...@li...
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss