Hi everyone,

 

I’ve recently been implementing fwknop on our servers, and I’ve come across a problem.

 

Initially, I installed and ran fwknop on a VM to test out its capabilities. Once I was satisfied with everything, I began installation on the pre-production server. With everything completed, I ran into the issue. When sending the SPA packet over the terminal interface, the rules to allow my IP were added and removed without returning any errors. Everything ran smoothly until I attempted to use the Windows GUI ‘Morpheus’. First issue was a time difference between the server and the client that did not exist. I of course solved this by disabling SPA packet aging. With the next problem , the following would occur after the servers receipt of the packet:

 

Jul  2 15:50:03 ioc fwknopd[23273]: (stanza #1) SPA Packet from IP: 12.23.34.45 received with access source match

Jul  2 15:50:03 ioc fwknopd[23273]: process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s  --dport 22 -m comment --comment _exp_1341258633 -j ACCEPT 2>&1' (res: 0, err: Try `iptables -h' or 'iptables --help' for more information. Bad argument `22' )

Jul  2 15:50:03 ioc fwknopd[23273]: Added Rule to FWKNOP_INPUT for , tcp/22 expires at 1341258633

Jul  2 15:50:33 ioc fwknopd[23273]: check_firewall_rules() CMD: '/sbin/iptables -t filter -L FWKNOP_INPUT --line-numbers -n 2>&1' (res: 0, err: )

Jul  2 15:50:33 ioc fwknopd[23273]: Did not find expire comment in rules list 0.

(The only line that was changed was line 1. The IP address was scrubbed for confidentiality reasons.)

 

Have you noticed it yet? The server receives the packet, notices the IP address, and yet does not attempt to insert it into the ‘process_spa_request’. For troubleshooting reasons, I tried setting the PCAP_FILTER to a UDP port as well, and the same problem occurred. If you have any ideas on what I could try, I would love ideas. I appreciate any help you may have to offer!

 

Morpheus variables:

 

-          Resolve External IP

-          Destination set using domain name

-          Access Parameter: TCP/22

-          Send over TCP protocol

-          Destination Port: ***

 

Config dump:

 

Current fwknopd config settings:

  0. CONFIG_FILE                                              =  '/usr/local/etc/fwknop/fwknopd.conf'

  1. OVERRIDE_CONFIG                                  =  '<not set>'

  2. PCAP_INTF                                                  =  'eth0'

  3. ENABLE_PCAP_PROMISC                     =  'N'

  4. PCAP_FILTER                                               =  'tcp port ***'

  5. PCAP_DISPATCH_COUNT                     =  '0'

  6. PCAP_LOOP_SLEEP                                  =  '10000'

  7. MAX_SNIFF_BYTES                                  =  '1500'

  8. ENABLE_SPA_PACKET_AGING            =  'N'

  9. MAX_SPA_PACKET_AGE                       =  '120'

10. ENABLE_DIGEST_PERSISTENCE          =  'Y'

11. CMD_EXEC_TIMEOUT                           =  '<not set>'

12. ENABLE_SPA_OVER_HTTP                   =  'N'

13. ENABLE_TCP_SERVER                            =  'Y'

14. TCPSERV_PORT                                        =  '***'

15. LOCALE                                         =  '<not set>'

16. SYSLOG_IDENTITY                                   =  'fwknopd'

17. SYSLOG_FACILITY                                    =  'LOG_DAEMON'

18. ENABLE_IPT_FORWARDING               =  'N'

19. ENABLE_IPT_LOCAL_NAT                    =  'Y'

20. ENABLE_IPT_SNAT                                  =  'N'

21. SNAT_TRANSLATE_IP                            =  '<not set>'

22. ENABLE_IPT_OUTPUT                           =  'N'

23. FLUSH_IPT_AT_INIT                               =  'Y'

24. FLUSH_IPT_AT_EXIT                               =  'Y'

25. IPT_INPUT_ACCESS                                =  'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'

26. IPT_OUTPUT_ACCESS                            =  'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'

27. IPT_FORWARD_ACCESS                        =  'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'

28. IPT_DNAT_ACCESS                                 =  'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'

29. IPT_SNAT_ACCESS                                  =  'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'

30. IPT_MASQUERADE_ACCESS               =  'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'

31. FWKNOP_RUN_DIR               =  '/usr/local/var/run/fwknop'

32. FWKNOP_CONF_DIR                             =  '/usr/local/etc/fwknop'

33. ACCESS_FILE                                              =  '/usr/local/etc/fwknop/access.conf'

34. FWKNOP_PID_FILE                                 =  '/usr/local/var/run/fwknop/fwknopd.pid'

35. DIGEST_FILE                                               =  '/usr/local/var/run/fwknop/digest.cache'

36. GPG_HOME_DIR                                     =  '/root/.gnupg'

37. FIREWALL_EXE                                          =  '/sbin/iptables'

 

Current fwknopd access settings:

SOURCE (1):  ANY

==============================================================

OPEN_PORTS:                                                   tcp/22

RESTRICT_PORTS:                                            <not set>

KEY:                                                                       <see the access.conf file>

FW_ACCESS_TIMEOUT:                                30

ENABLE_CMD_EXEC:                                      No

CMD_EXEC_USER:                                           <not set>

REQUIRE_USERNAME:                                                  <not set>

REQUIRE_SOURCE_ADDRESS:                    No

ACCESS_EXPIRE:                                               <not set>

GPG_HOME_DIR:                                            <not set>

GPG_DECRYPT_ID:                                          <not set>

GPG_DECRYPT_PW:                                       <see the access.conf file>

GPG_REQUIRE_SIG:                                       No

GPG_IGNORE_SIG_VERIFY_ERROR:        No

GPG_REMOTE_ID:                                          <not set>

 

-Aldan