[Fwknop-discuss] Port Forwarding via SPA + fwknop-1.9.3 release
From: Michael R. <mb...@ci...> - 2008-04-06 03:51:09
Hi all -

Here is a blog post that describes the inbound port forwarding capability in fwknop (this allows external clients to directly access servers running on internal networks when the fwknop daemon is deployed on a Linux gateway):

http://www.cipherdyne.org/blog/2008/04/port-forwarding-via-single-packet-authorization.html

Also, fwknop-1.9.3 has been released:

http://www.cipherdyne.org/fwknop/download/

Here is the complete ChangeLog:

- Added MASQUERADE and SNAT support to complement inbound DNAT connections for SPA packets that request --Forward-access to internal systems. This functionality is only enabled when both ENABLE_IPT_FORWARDING and ENABLE_IPT_SNAT are set, and is configured by two new variables IPT_MASQUERADE_ACCESS and IPT_SNAT_ACCESS which define the iptables interface to creating SNAT rules. The SNAT supplements of DNAT rules are not usually necessary because internal systems usually have a route back out to the Internet, but this feature accommodates those systems that do not have such a route. By default, the MASQUERADE target is used if ENABLE_IPT_SNAT is enabled because this means that the external IP does not have to be manually defined. However, the external IP can be defined by the SNAT_TRANSLATE_IP variable.
- Added hex_dump() feature for fwknop client so that raw encrypted SPA packet data can be displayed in --verbose mode.
- When ENABLE_IPT_FORWARDING is set, added a check for the value of the /proc/sys/net/ipv4/ip_forward file to ensure that the local system allows packets to be forwarded. Unless ENABLE_PROC_IP_FORWARD is disabled, then fwknopd will automatically set the ip_forward file to "1" if it is set to "0" (again, only if ENABLE_IPT_FORWARDING is enabled).
- Minor bugfix to remove sys_log() call in legacy port knocking mode.
- Minor bugfix to expand both the Id and Revision tags via the svn:keywords directive.

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
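
The forwarding and SNAT rules in the ChangeLog above can be checked against a gateway's configuration before relying on them. The following is an added example, not part of the original message and not fwknop code. It assumes a "NAME value;" file syntax with Y/N switches, treats a missing ENABLE_PROC_IP_FORWARD as enabled, and counts SNAT_TRANSLATE_IP as defined only when it parses as an IP address; the function names and sample values are hypothetical.

```python
import ipaddress
import re

# Constructed sample; the "NAME value;" syntax and Y/N values are assumptions.
SAMPLE_CONF = """\
# constructed example, not a shipped fwknop.conf
ENABLE_IPT_FORWARDING     Y;
ENABLE_IPT_SNAT           Y;
ENABLE_PROC_IP_FORWARD    N;
SNAT_TRANSLATE_IP         203.0.113.10;
"""

def parse_conf(text):
    """Return {NAME: value} for each non-comment 'NAME value;' line."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s+(.*?)\s*;\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def _on(conf, name, default="N"):
    return conf.get(name, default).upper() == "Y"

def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def effective_forwarding(conf, ip_forward):
    """Apply the ChangeLog's rules. ip_forward is the content of
    /proc/sys/net/ipv4/ip_forward ("0" or "1")."""
    fwd = _on(conf, "ENABLE_IPT_FORWARDING")
    # SNAT rules exist only when BOTH switches are set.
    snat = fwd and _on(conf, "ENABLE_IPT_SNAT")
    target = None
    if snat:
        # MASQUERADE unless a usable external IP is defined.
        ip = conf.get("SNAT_TRANSLATE_IP", "")
        target = "SNAT" if _valid_ip(ip) else "MASQUERADE"
    # Assumption: a missing ENABLE_PROC_IP_FORWARD counts as enabled.
    proc_fix = _on(conf, "ENABLE_PROC_IP_FORWARD", default="Y")
    off = ip_forward.strip() == "0"
    return {
        "forwarding": fwd,
        "snat_target": target,
        "daemon_sets_ip_forward": fwd and off and proc_fix,
        "forwarding_blocked": fwd and off and not proc_fix,
    }
```

A result with forwarding_blocked set means DNAT rules would be created for SPA requests while the kernel still refuses to forward the packets.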