Thread: [Fwknop-discuss] iptables blocking SPA packet
From: Michael S. <re...@at...> - 2013-02-18 20:42:56
Hello all,

I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
VPS server and having some trouble. I'm able to install and set
everything up the way I want it, however, after configuring the firewall
to block all port 22 traffic in accordance with the cipherdyne tutorial
and starting fwknopd, it appears that iptables is blocking the actual
authentication packet. I'm pretty naive when it comes to iptables, so
I'm probably missing something in my configuration.

Here's an example of what iptables logs when I try to open the ssh port:

iptables blocked: IN=eth0 OUT= MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 SRC=74.87.211.230 DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 ID=11814 DF PROTO=UDP SPT=32849 DPT=62201 LEN=190

My iptables configuration looks like this:

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#Default drop rules for fwknop-server, allow established connections
#-A INPUT -i eth0 -p tcp --dport 22 -j DROP
#-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -i etho -p udp --dport 62201 -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables blocked: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

Right now I have the fwknop rules commented out, but you can also see my
attempt to let iptables pass any incoming udp traffic on port 62201, but
even with that rule, iptables continued to block the knock packet.

Any help will be greatly appreciated. Thanks.

Mike Swanson
From: Michael S. <re...@at...> - 2013-02-18 21:07:53
On 02/18/2013 11:42 AM, Michael Swanson wrote:
> Hello all,
>
> I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
> VPS server and having some trouble. I'm able to install and set
> everything up the way I want it, however, after configuring the firewall
> to block all port 22 traffic in accordance with the cipherdyne tutorial
> and starting fwknopd, it appears that iptables is blocking the actual
> authentication packet. I'm pretty naive when it comes to iptables, so
> I'm probably missing something in my configuration.

One thing I forgot to mention explicitly, since I'm using packages from
the Debian repos, I'm using version 1.9.12-2 on the server, which is
what's in stable, and I'm using version 2.0.0rc2 from testing on my
client. Not sure if the different versions might be causing a problem.
From: Franck J. <fr...@de...> - 2013-02-19 12:04:37
On 18/02/2013 22:07, Michael Swanson wrote:
> On 02/18/2013 11:42 AM, Michael Swanson wrote:
>> Hello all,

Hi,

>> I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
>> VPS server and having some trouble. I'm able to install and set
>> everything up the way I want it, however, after configuring the firewall
>> to block all port 22 traffic in accordance with the cipherdyne tutorial
>> and starting fwknopd, it appears that iptables is blocking the actual
>> authentication packet. I'm pretty naive when it comes to iptables, so
>> I'm probably missing something in my configuration.
>
> One thing I forgot to mention explicitly, since I'm using packages from
> the Debian repos, I'm using version 1.9.12-2 on the server, which is
> what's in stable, and I'm using version 2.0.0rc2 from testing on my
> client. Not sure if the different versions might be causing a problem.

[...]

The problem seen by running the Perl server and the C client on Debian
(not related to the OS) is the length of the Rijndael key (at most 16
characters).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681580

Michael committed a fix for this for the next 2.0.5 release.

Regards,

--
Franck Joncourt
From: Michael R. <mb...@ci...> - 2013-02-19 02:59:26
On Feb 18, 2013, Michael Swanson wrote:

> Hello all,

Hi Mike,

> I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
> VPS server and having some trouble. I'm able to install and set
> everything up the way I want it, however, after configuring the firewall
> to block all port 22 traffic in accordance with the cipherdyne tutorial
> and starting fwknopd, it appears that iptables is blocking the actual
> authentication packet. I'm pretty naive when it comes to iptables, so
> I'm probably missing something in my configuration.

In general, fwknopd uses libpcap to acquire SPA packet data, so assuming
that fwknopd is sniffing an interface where the SPA packet actually
hits, then it will see the packet even though iptables is also blocking
it. This is because libpcap is able to acquire packet data from the
kernel at a level before iptables interacts with it, and this is also
why tcpdump can see packets on an interface where iptables is also
blocking everything.

> Here's an example of what iptables logs when I try to open the ssh port:
> iptables blocked: IN=eth0 OUT=
> MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 SRC=74.87.211.230
> DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 ID=11814 DF
> PROTO=UDP SPT=32849 DPT=62201 LEN=190

In this case, if fwknopd is sniffing eth0 as the log message from the
INPUT chain indicates, then it should see the SPA packet even though
iptables blocks it from progressing further up the stack. I would run
fwknopd in --debug mode in order to help see what is going on (more on
this in reply to the other email you sent).

--Mike
From: Michael R. <mb...@ci...> - 2013-02-19 03:05:17
On Feb 18, 2013, Michael Swanson wrote:

> On 02/18/2013 11:42 AM, Michael Swanson wrote:
> > Hello all,
> >
> > I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
> > VPS server and having some trouble. I'm able to install and set
> > everything up the way I want it, however, after configuring the firewall
> > to block all port 22 traffic in accordance with the cipherdyne tutorial
> > and starting fwknopd, it appears that iptables is blocking the actual
> > authentication packet. I'm pretty naive when it comes to iptables, so
> > I'm probably missing something in my configuration.
>
> One thing I forgot to mention explicitly, since I'm using packages from
> the Debian repos, I'm using version 1.9.12-2 on the server, which is
> what's in stable, and I'm using version 2.0.0rc2 from testing on my
> client. Not sure if the different versions might be causing a problem.

It's possible that the mismatch between the client and server is causing
the problem since the perl code isn't maintained anymore. And, due to
more rigorous usage of crypto in the C code that is going to be released
in fwknop-2.5 in a few weeks, I would recommend switching to the C
version too.

For the fwknopd perl daemon, the --debug switch should help to see what
is going on:

    # fwknopd -i eth0 --debug

Hopefully you will see how far an incoming SPA packet is able to
progress within fwknopd, and this may provide a hint for what is
happening.

Are you running NTP? If not, and the clocks are significantly out of
sync between the client and server, then you may want to temporarily set
ENABLE_SPA_PACKET_AGING to 'N' on the server and see if this makes a
difference. I wouldn't leave that disabled though due to the
possibility of opening yourself up to a MITM attack - having decent time
sync is a good idea.

Thanks,

--Mike
From: Michael S. <re...@at...> - 2013-02-19 06:08:12
On 02/18/2013 07:04 PM, Michael Rash wrote:
> On Feb 18, 2013, Michael Swanson wrote:
>
>> One thing I forgot to mention explicitly, since I'm using packages from
>> the Debian repos, I'm using version 1.9.12-2 on the server, which is
>> what's in stable, and I'm using version 2.0.0rc2 from testing on my
>> client. Not sure if the different versions might be causing a problem.
>
> It's possible that the mismatch between the client and server is causing
> the problem since the perl code isn't maintained anymore. And, due to
> more rigorous usage of crypto in the C code that is going to be released
> in fwknop-2.5 in a few weeks, I would recommend switching to the C
> version too.

I ran the perl server in debug mode and it was definitely failing to
correctly decrypt the packet. The salient line from the output looked
like this:

Mon Feb 18 23:05:47 2013 [+] Decrypted message: jNANANANANA@XjktNANAuNANANAWdxNANANANANANA\ty.eNAeNA[NAT6(%dRNANAGNAZ5NANANANA|NAwNAoNANANANAMNANANANANANA?ZfNANANANANA"NAxNANANA-W_iNA<NANAZNAKqNANAK2-NANANAq:&NANANA@NANA#NANA/,NANANANA#p$NAnNANAQ

I don't know exactly what the decrypted contents are supposed to look
like, but I'm pretty sure it's NOT like that since there's no
discernible information at all. The packet eventually failed for digest
and checksum mismatches, which makes sense.

So, I uninstalled the perl daemon and downloaded and compiled the C
daemon from source. I ran that manually and it worked immediately. It
was definitely a problem with the interaction of the C client and the
perl server. I don't know how sensitive the decryption is to time
variations, but the two systems were within two seconds of each other.
They are in different time zones, but I tried to troubleshoot using the
time-offset options, and that didn't have any effect.

In any case, I have it working now. It also seems to work with the
Debian provided initscript (with just a minor modification for the lack
of the fwknop.conf file) so I'm just gonna keep that for now. Thanks
for your prompt and helpful reply. I appreciate it.

Thanks,

Mike
From: Franck J. <fr...@de...> - 2013-02-19 07:59:39
[...]

> In any case, I have it working now. It also seems to work with the
> Debian provided initscript (with just a minor modification for the lack
> of the fwknop.conf file) so I'm just gonna keep that for now. Thanks
> for your prompt and helpful reply. I appreciate it.

I can rebuild the 2.0.4 release for Squeeze if you like. Which
architecture are you running? Or I can do it for both.

Regards,

--
Franck
From: Michael S. <re...@at...> - 2013-02-19 17:51:26
On 02/18/2013 11:21 PM, Franck Joncourt wrote:
> [...]
>> In any case, I have it working now. It also seems to work with the
>> Debian provided initscript (with just a minor modification for the lack
>> of the fwknop.conf file) so I'm just gonna keep that for now. Thanks
>> for your prompt and helpful reply. I appreciate it.
>
> I can rebuild the 2.0.4 release for Squeeze if you like. Which architecture are
> you running? Or I can do it for both.

Franck,

Thanks, I looked at the bug report as well and that is the same problem;
I am using a key longer than 16 characters.

If you don't mind rebuilding for Squeeze that would be awesome, I
greatly appreciate it. I'm running the i386 architecture.

On a side note, that's always been one of my biggest pet peeves with
Debian, their insistence on keeping old, unmaintained software in the
repos as the primary option for their in-release version. In any case,
thanks very much.

Mike
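Added example, not part of any post in this thread and not fwknop code: a sketch of why a Rijndael passphrase longer than 16 characters yields the unreadable "Decrypted message" and the digest mismatch reported above when one implementation truncates the passphrase and the other does not. The OpenSSL-style salted MD5 key derivation, the 32-byte key size, the truncating behaviour, and the sample salt and passphrases are assumptions made for illustration; the thread states only the 16-character limit.

```python
"""Added illustration: key material diverges once a passphrase exceeds 16
characters and only one side truncates it. All sample values are constructed."""
import hashlib

KEY_LEN = 32      # key size in bytes (assumption for this sketch)
IV_LEN = 16       # Rijndael/AES block size in bytes
TRUNCATE_AT = 16  # the 16-character limit named in the thread

# Constructed 8-byte salt; a real sender would use a fresh random salt.
SAMPLE_SALT = bytes.fromhex("0102030405060708")


def derive_key_iv(passphrase: bytes, salt: bytes):
    """OpenSSL-style salted MD5 derivation (assumed scheme):
    D1 = MD5(pass + salt), Dn = MD5(D(n-1) + pass + salt),
    key || iv = first KEY_LEN + IV_LEN bytes of D1 || D2 || ..."""
    material, block = b"", b""
    while len(material) < KEY_LEN + IV_LEN:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:KEY_LEN], material[KEY_LEN:KEY_LEN + IV_LEN]


def full_side(passphrase: str, salt: bytes = SAMPLE_SALT):
    """Implementation that feeds the whole passphrase to the derivation."""
    return derive_key_iv(passphrase.encode(), salt)


def truncating_side(passphrase: str, salt: bytes = SAMPLE_SALT):
    """Hypothetical implementation that keeps only the first 16 bytes."""
    return derive_key_iv(passphrase.encode()[:TRUNCATE_AT], salt)


def keys_agree(passphrase: str, salt: bytes = SAMPLE_SALT) -> bool:
    """True when both sides end up with the same key and IV."""
    return full_side(passphrase, salt) == truncating_side(passphrase, salt)


def triage(passphrases):
    """Map each candidate passphrase to an interoperability verdict."""
    verdicts = {}
    for p in passphrases:
        if keys_agree(p):
            verdicts[p] = "ok: both sides derive the same key and IV"
        else:
            # A different key and IV turn every block into noise, so the
            # embedded digest check fails as well.
            verdicts[p] = (
                "mismatch: %d characters, truncating side keys on %r"
                % (len(p), p[:TRUNCATE_AT])
            )
    return verdicts


if __name__ == "__main__":
    # Constructed passphrases: one exactly 16 characters, one longer.
    for phrase, verdict in triage(
        ["sixteen-char-key", "a-much-longer-spa-passphrase"]
    ).items():
        print(phrase, "->", verdict)
```

The same sketch shows a second consequence of truncation: two long passphrases that share their first 16 characters derive identical key material on the truncating side, so the extra characters add no strength there.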
From: Franck J. <fr...@de...> - 2013-02-20 20:35:56
Hi,

On Tuesday 19 February 2013 18:50:17, Michael Swanson wrote:
> On 02/18/2013 11:21 PM, Franck Joncourt wrote:
> > I can rebuild the 2.0.4 release for Squeeze if you like. Which
> > architecture are you running? Or I can do it for both.
>
> Franck,
>
> Thanks, I looked at the bug report as well and that is the same problem;
> I am using a key longer than 16 characters.
>
> If you don't mind rebuilding for Squeeze that would be awesome, I
> greatly appreciate it. I'm running the i386 architecture.
>
> On a side note, that's always been one of my biggest pet peeves with
> Debian, their insistence on keeping old, unmaintained software in the
> repos as the primary option for their in-release version. In any case,
> thanks very much.

:)

Please find the packages at the following address:

http://www.dthconnex.com/packages/fwknop/squeeze/i386/

Hope it works. I have built it quickly and I have not checked it on
Debian/Squeeze. If you have any problem let me know, I will go further
in the packaging and do a public backport.

Regards,

--
Franck Joncourt
From: Michael S. <re...@at...> - 2013-02-20 21:28:55
On 02/20/2013 12:22 PM, Franck Joncourt wrote:
> Please find the packages at the following address :
>
> http://www.dthconnex.com/packages/fwknop/squeeze/i386/
>
> Hope it works. I have built it quickly and I have not checked it on
> Debian/Squeeze. If you have any problem let me know, I will go further in the
> packaging and do a public backport .
>

Thanks for putting those together. It looks like it depends on upstart,
do I have to remove sysvinit in order to use this package?

Thanks

Mike
From: Franck J. <fr...@de...> - 2013-02-21 14:24:18
Hi,

On 20/02/2013 22:28, Michael Swanson wrote:

[...]

>> Please find the packages at the following address :
>>
>> http://www.dthconnex.com/packages/fwknop/squeeze/i386/
>>
>> Hope it works. I have built it quickly and I have not checked it on
>> Debian/Squeeze. If you have any problem let me know, I will go further in the
>> packaging and do a public backport .
>>
>
> Thanks for putting those together. It looks like it depends on upstart,
> do I have to remove sysvinit in order to use this package?

Do not do that. I forgot about this issue. This is due to a bug in one
of the Debian helpers which is now fixed. I am going to rebuild the
package without the upstart script and everything should be fine.

Regards,

--
Franck Joncourt
From: Franck J. <fr...@de...> - 2013-02-21 22:20:22
Hi,

Please give it another try. I have uploaded the new packages (bpo) at
the same url. I have installed libfko1 and fwknop-server in my Squeeze
chroot on i386 and it works fine.

Regards,

--
Franck Joncourt
From: Michael S. <re...@at...> - 2013-02-22 18:11:44
On 02/21/2013 02:20 PM, Franck Joncourt wrote:
> Hi,
>
> Please give it another try. I have uploaded the new packages (bpo) at the same
> url. I have installed libfko1 and fwknop-server in my Squeeze chroot on i386
> and it works fine.
>
> Regards,
>

Thanks for the time, Franck, works great now. Installed it this morning
with no issues. I appreciate it.

Mike