I checked the 6.test output, and the results were similar. I decided to remove libpcap0.7, which also removed libnet-pcap-perl, so I was back to where I started. Many tests now failed.
So, I looked again at that article on Ubuntu Forums which I mentioned before (see below), and I decided to run:
I then re-ran the fwknop installation script, merging my previous fwknop config, and then I re-ran the fwknop test script. All 152 tests passed!
Maybe Michael can confirm that those are needed. I haven't tried to install fwknop on a system without
I did not download and install Net-Pcap from CPAN, per the above article, because it looked like fwknop already had it.
----- Original Message ----
From: Michael Rash <email@example.com>
Sent: Monday, June 16, 2008 7:01:42 AM
Subject: Re: [Fwknop-discuss] Install on Ubuntu Server
On Jun 15, 2008, firstname.lastname@example.org
> I'll email you a single archive file with the output of:
> (130 and 131 had also failed.)
> I will also email it to anyone who requests it until I fix this, at which time I'll post my fix(es) to the list.
The failed tests are for the port randomization features which use a pcap filter as follows (in the fwknop.conf file for each of the
PCAP_FILTER udp dst portrange 10000-65535;
This type of filter statement is not supported in some older versions of libpcap, so I suspect that you might just need to upgrade your pcap library and then those tests should work.
In the test/output/6.test file, the fwknop_test.pl script collects some system specifics, including information about the installed pcap library. Here is an excerpt of that output on my system:
# ldd /usr/sbin/tcpdump
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8
libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00002abbbcc76000)
libc.so.6 => /lib/libc.so.6 (0x00002abbbcea3000)
libdl.so.2 => /lib/libdl.so.2 (0x00002abbbd1fe000)
libz.so.1 => /usr/lib/libz.so.1 (0x00002abbbd403000)
# ls -l /usr/lib/*pcap*
-rw-r--r-- 1 root root 313128 2007-10-04 23:28 /usr/lib/libpcap.a
lrwxrwxrwx 1 root root 14 2008-01-12 20:52 /usr/lib/libpcap.so ->
lrwxrwxrwx 1 root root 16 2008-02-11 06:33 /usr/lib/libpcap.so.0.8
-rw-r--r-- 1 root root 182224 2007-10-04 23:28 /usr/lib/libpcap.so.0.9.7
Franck's suggestion of emailing the anonymized test output is a good
one; it should contain the 6.test output above.
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
> ----- Original Message ----
> From: Franck Joncourt <email@example.com>
> To: firstname.lastname@example.org
> Cc: email@example.com
> Sent: Sunday, June 15, 2008 4:39:30 PM
> Subject: Re: [Fwknop-discuss] Install on Ubuntu Server
> > How To: Install a Port Knocker - FWKNOP - Ubuntu Forums
> > http://ge.ubuntuforums.com/showthread.php?t=812573
> > Many tests failed before I ran that command. I am now down to only four
> > tests failing: 56, 57, 134, and 135.
> > 56:
> > MSG: [*] Dubious sniffed packet format
> > TEST: (Destination port randomness) Verifying SPA format, STATUS: fail
> > 57:
> > MSG: [*] SPA access rules for 127.0.0.2 do not exist.
> > TEST: (Destination port randomness) Rules exist, STATUS: fail
> > 134:
> > MSG: [*] Local access and DNAT access not granted
> > TEST: (Local NAT rand NAT/dst port) Local access rules exist, STATUS: fail
> > 135:
> > MSG: [*] Dubious sniffed packet
> > TEST: (Local NAT rand NAT/dst port) Verifying packet format, STATUS: fail
> > Can anyone give me some clues on how to fix these?
> What about the files in the output directory? Give us a link or enclose
> maybe *.ipterr and *.iptout.
> ...you can use the --Prepare-results argument on the
> fwknop_test.pl command line to automatically anonymize the test output
> I do not know if this is needed in your case :p!
> --
> Franck Joncourt
> Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE