On Jul 05, 2012, Aldan Beaubien wrote:
> Hi everyone,
> I've recently been implementing fwknop on our servers, and I've come across a problem.
> Initially, I installed and ran fwknop on a VM to test out its capabilities. Once I was satisfied with everything, I began installation on the pre-production server. With everything completed, I ran into the issue. When sending the SPA packet over the terminal interface, the rules to allow my IP were added and removed without returning any errors. Everything ran smoothly until I attempted to use the Windows GUI 'Morpheus'. The first issue was a time difference between the server and the client that did not exist. I of course solved this by disabling SPA packet aging. With the next problem, the following would occur after the server's receipt of the packet:
> Jul 2 15:50:03 ioc fwknopd: (stanza #1) SPA Packet from IP: 188.8.131.52 received with access source match
> Jul 2 15:50:03 ioc fwknopd: process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s --dport 22 -m comment --comment _exp_1341258633 -j ACCEPT 2>&1' (res: 0, err: Try `iptables -h' or 'iptables --help' for more information. Bad argument `22' )
> Jul 2 15:50:03 ioc fwknopd: Added Rule to FWKNOP_INPUT for , tcp/22 expires at 1341258633
> Jul 2 15:50:33 ioc fwknopd: check_firewall_rules() CMD: '/sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n 2>&1' (res: 0, err: )
> Jul 2 15:50:33 ioc fwknopd: Did not find expire comment in rules list 0.
> (The only line that was changed was line 1. The IP address was scrubbed for confidentiality reasons.)
> Have you noticed it yet? The server receives the packet, notices the IP address, and yet does not attempt to insert it into the 'process_spa_request'. For troubleshooting reasons, I tried setting the PCAP_FILTER to a UDP port as well, and the same problem occurred. If you have any ideas on what I could try, I would love ideas. I appreciate any help you may have to offer!
Thanks for sending this. Here is what's happening - the Morpheus client
doesn't look like it is able to properly resolve your external IP, and it
doesn't include enough error checking to detect this. Because Morpheus is
not using the new libfko library, it is building SPA packet data that
includes (I think) a null byte for the IP. The libfko library has code to
validate access IPs when building SPA packet data, so if Morpheus could
be switched over to using it then this would partially be solved - I'll
email the Morpheus maintainer to see if he's interested. Or, if anyone
else is interested in developing a Windows UI for the fwknop client please
let me know - the libfko library is portable to Windows.
Now, there is another issue in that the fwknopd server has made an
assumption that incoming packet data was built by libfko and so it doesn't
include enough error checking for the IP field (since libfko does this on
the client side) - I will fix this.
In terms of getting things working, I suspect that if you manually specify
the IP to allow within the Morpheus client that it will work.
> Morpheus variables:
> - Resolve External IP
> - Destination set using domain name
> - Access Parameter: TCP/22
> - Send over TCP protocol
> - Destination Port: ***
> Config dump:
> Current fwknopd config settings:
> 0. CONFIG_FILE = '/usr/local/etc/fwknop/fwknopd.conf'
> 1. OVERRIDE_CONFIG = '<not set>'
> 2. PCAP_INTF = 'eth0'
> 3. ENABLE_PCAP_PROMISC = 'N'
> 4. PCAP_FILTER = 'tcp port ***'
> 5. PCAP_DISPATCH_COUNT = '0'
> 6. PCAP_LOOP_SLEEP = '10000'
> 7. MAX_SNIFF_BYTES = '1500'
> 8. ENABLE_SPA_PACKET_AGING = 'N'
> 9. MAX_SPA_PACKET_AGE = '120'
> 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
> 11. CMD_EXEC_TIMEOUT = '<not set>'
> 12. ENABLE_SPA_OVER_HTTP = 'N'
> 13. ENABLE_TCP_SERVER = 'Y'
> 14. TCPSERV_PORT = '***'
> 15. LOCALE = '<not set>'
> 16. SYSLOG_IDENTITY = 'fwknopd'
> 17. SYSLOG_FACILITY = 'LOG_DAEMON'
> 18. ENABLE_IPT_FORWARDING = 'N'
> 19. ENABLE_IPT_LOCAL_NAT = 'Y'
> 20. ENABLE_IPT_SNAT = 'N'
> 21. SNAT_TRANSLATE_IP = '<not set>'
> 22. ENABLE_IPT_OUTPUT = 'N'
> 23. FLUSH_IPT_AT_INIT = 'Y'
> 24. FLUSH_IPT_AT_EXIT = 'Y'
> 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
> 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
> 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
> 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
> 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
> 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
> 33. ACCESS_FILE = '/usr/local/etc/fwknop/access.conf'
> 34. FWKNOP_PID_FILE = '/usr/local/var/run/fwknop/fwknopd.pid'
> 35. DIGEST_FILE = '/usr/local/var/run/fwknop/digest.cache'
> 36. GPG_HOME_DIR = '/root/.gnupg'
> 37. FIREWALL_EXE = '/sbin/iptables'
> Current fwknopd access settings:
> SOURCE (1): ANY
> OPEN_PORTS: tcp/22
> RESTRICT_PORTS: <not set>
> KEY: <see the access.conf file>
> FW_ACCESS_TIMEOUT: 30
> ENABLE_CMD_EXEC: No
> CMD_EXEC_USER: <not set>
> REQUIRE_USERNAME: <not set>
> REQUIRE_SOURCE_ADDRESS: No
> ACCESS_EXPIRE: <not set>
> GPG_HOME_DIR: <not set>
> GPG_DECRYPT_ID: <not set>
> GPG_DECRYPT_PW: <see the access.conf file>
> GPG_REQUIRE_SIG: No
> GPG_IGNORE_SIG_VERIFY_ERROR: No
> GPG_REMOTE_ID: <not set>
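The server-side check described in the reply (validating the SPA access IP before it is spliced into the iptables command) could look like the following. This is an added example written for this thread, not fwknop's own code; the function name build_access_rule and the rule_buf buffer are assumptions, while the command layout and the FWKNOP_INPUT chain are taken from the log lines above.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Added example (not fwknop's code): reject a malformed access IP before
 * building the firewall command. Without this, the empty IP from the thread
 * produced "-s --dport 22" and iptables rejected "22" as a bad argument. */
static int valid_ipv4(const char *ip)
{
    struct in_addr addr;
    if (ip == NULL || *ip == '\0')
        return 0;                 /* NULL/empty: the Morpheus failure mode */
    return inet_pton(AF_INET, ip, &addr) == 1;   /* strict dotted quad */
}

char rule_buf[256];               /* assumed output buffer for the command */

/* Build the ACCEPT rule for the FWKNOP_INPUT chain as fwknopd logs it.
 * Returns 0 and writes the command into out on success, -1 (writing
 * nothing) when the IP, protocol or port would give a malformed rule. */
int build_access_rule(const char *src_ip, int proto, int port,
                      long expire, char *out, size_t outlen)
{
    if (!valid_ipv4(src_ip))
        return -1;
    if (proto != 6 && proto != 17)          /* tcp or udp only */
        return -1;
    if (port < 1 || port > 65535)
        return -1;
    int n = snprintf(out, outlen,
        "/sbin/iptables -t filter -A FWKNOP_INPUT -p %d -s %s --dport %d "
        "-m comment --comment _exp_%ld -j ACCEPT",
        proto, src_ip, port, expire);
    if (n < 0 || (size_t)n >= outlen)       /* truncated: do not run it */
        return -1;
    return 0;
}

int main(void)
{
    /* constructed inputs: a documentation IP and the empty IP from the log */
    if (build_access_rule("203.0.113.7", 6, 22, 1341258633L,
                          rule_buf, sizeof rule_buf) == 0)
        printf("ok: %s\n", rule_buf);
    if (build_access_rule("", 6, 22, 1341258633L,
                          rule_buf, sizeof rule_buf) != 0)
        printf("rejected empty access IP, no rule built\n");
    return 0;
}
```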