Re: [Fwknop-discuss] some final question about fwknop
From: J. B. <jo...@in...> - 2009-07-23 05:26:27
Michael Rash wrote:
> On Jul 22, 2009, J. Bakshi wrote:
>
>> Michael Rash wrote:
>>
>>> On Jul 22, 2009, J. Bakshi wrote:
>>>
>>>> Hello All,
>>>>
>>> Hi -
>>>
>>>> I have already implemented fwknop successfully on both SUSE and Debian
>>>> servers. Both are remote Linux boxes. Special thanks to Michael for his
>>>> suggestions, which always showed me the right track. May I be permitted to
>>>> ask some questions to clear some doubts regarding fwknop.
>>>>
>>>> Issue with whatismyip.com
>>>> ( Could not extract external IP from http://www.whatismyip.org/ )
>>>> ======================================================
>>>>
>>>> -R or -w with --debug; fwknop (version 1.9.11) reports as below
>>>>
>>>> ```````````````````````````````````````````````````
>>>> admin@linux-12ml:~> fwknop -A tcp/22 -R --debug --User-agent
>>>> Fwknop/1.9.11 -k 192.168.1.3 ; ssh admin@192.168.1.3
>>>>
>>>> [+] import_perl_modules(): The @INC array:
>>>> /usr/lib/fwknop
>>>> /usr/lib/fwknop/.
>>>> /usr/lib/fwknop/x86_64-linux-thread-multi
>>>> /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi
>>>> /usr/lib/perl5/5.10.0
>>>> /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi
>>>> /usr/lib/perl5/site_perl/5.10.0
>>>> /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi
>>>> /usr/lib/perl5/vendor_perl/5.10.0
>>>> /usr/lib/perl5/vendor_perl
>>>> .
>>>> [+] Term::ReadKey::VERSION 2.30
>>>>
>>>> [+] ***DEBUG*** Starting fwknop client (SPA mode)...
>>>> Resolving external IP via: http://www.whatismyip.org/
>>>> [+] Web server data from: http://www.whatismyip.org/
>>>>
>>>> [*] Could not extract external IP from http://www.whatismyip.org/
>>>>
>>>> `````````````````````````
>>>>
>>>> But if I straightforwardly visit http://www.whatismyip.org/ I get the
>>>> IP. I then have no problem connecting to the fwknop server with that IP:
>>>>
>>>> ```````````````````````
>>>> admin@linux-12ml:~> fwknop -A tcp/22 -a 121.247.128.171 -k 192.168.1.3
>>>> ; ssh admin@192.168.1.3
>>>>
>>>> [+] Starting fwknop client (SPA mode)...
>>>> [+] Enter an encryption key. This key must match a key in the file
>>>> /etc/fwknop/access.conf on the remote system.
>>>>
>>>> Encryption Key:
>>>> `````````````````````````````````
>>>>
>>> The IP resolution issue is essentially a bug, and I have attached a
>>> small patch that implements a temporary fix. Most likely the fwknop client
>>> will be updated to resolve against a different server than
>>> www.whatismyip.org since they don't appear to like automated requests so
>>> much (Damien Stuart noticed this a couple of weeks ago).
>>>
>>>> Issue with dynamic IP of fwknop server
>>>> ======================================
>>>>
>>>> What to do with those servers having a dynamic IP address and pointed to
>>>> by a domain from dydns.org or myip.com?
>>>>
>>> Do you mean that it becomes difficult to know what the latest fwknop
>>> server IP is, or that there is an issue continuing to sniff packets on
>>> an interface where the IP has changed? The upcoming 1.9.12 release has
>>> new code to recover from interface changes, and I can send you a -pre
>>> release of 1.9.12 if that is the issue.
>>>
>>>> Issue with psad
>>>> ============
>>>>
>>>> Both fwknop and psad control iptables. Can we have both psad and fwknop
>>>> working on the same box?
>>>> In theory they should, but I don't know if they really co-exist.
>>>>
>>> fwknop and psad can co-exist on the same system. They both create their
>>> own custom iptables chains for all rule manipulations, so there is no
>>> conflict.
>>>
>>>> Issue with multiple fwknop clients
>>>> =========================
>>>>
>>>> Please bear with me, I am not very clear about GnuPG technology. Say one
>>>> more admin needs access to the fwknop server. I hope giving him my client
>>>> key, which I use to communicate with the fwknop server, will solve the
>>>> problem. That admin should place that key in his keyring and communicate
>>>> with that key. I hope I am on the right track.
>>>>
>>> There is a key-exchange and signing process to use GnuPG with fwknop.
>>> The best instructions for this are here:
>>>
>>> http://www.cipherdyne.org/fwknop/docs/gpghowto.html
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>> Hello Michael,
>>
>> Thanks a lot for all the clarifications.
>>
>> IP resolution by whatismyip.com
>> =============================
>> Thanks for the patch. I am also eagerly waiting for 1.9.12 because I
>> also have some Debian boxes and Debian does provide fwknop as a .deb.
>>
>> dynamic IP of fwknop server
>> =======================
>> Yes, your first assumption is right. There are some servers (mainly
>> home/office servers) which have dynamic WAN IPs and are pointed to by
>> domains from dydns.org. Due to the firewall those servers also drop pings,
>> but the ddclient installed on those servers updates their WAN IP. Is there
>> any way to communicate with those fwknop servers by their domain name? Nice
>> to know the upcoming fwknop server can detect the interface change too. Great!!
>>
> The fwknop client supports DNS lookups, so just use the hostname of the
> fwknopd server:
>
> fwknop -A tcp/22 -R -D some.host.com
>
>> multiple fwknop clients
>> =======================
>>
>> Thanks for the link. I'll look into it.
>>
>> One new question
>> ==================
>>
>> Generally we use fwknop to protect the ssh port. How can I protect
>> multiple ports with fwknop?
>>
> Yes, multiple ports are supported, either by using multiple SOURCE
> stanzas within the /etc/fwknop/access.conf file, or putting multiple
> ports within the OPEN_PORTS variable.

Thanks for your response. I have access.conf as

`````````````````````
SOURCE: ANY;
OPEN_PORTS: tcp/22;
```````````````````````````

I think I can modify it as

SOURCE: ANY;
OPEN_PORTS: tcp/22, tcp/110, tcp/34;

Please correct me if I am wrong.

Thanks a lot
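As an added example that is not part of this thread or of the fwknop project, the following small Python checker parses the SOURCE / OPEN_PORTS layout of access.conf described above (one "NAME: value;" directive per line, a new stanza at every SOURCE line, comma-separated proto/port entries) and rejects malformed port entries, so a multi-port edit like the one proposed can be validated before the daemon is restarted. The sample config is constructed here, and the comment syntax and the second stanza are assumptions, not something the thread shows.

```python
import re

# Added example, not fwknop's own parser. One directive per line, "NAME: value;"
# ('#' starts a comment, an assumption); every SOURCE line opens a new stanza.
DIRECTIVE_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*;\s*$")
PORT_RE = re.compile(r"^(tcp|udp)/(\d{1,5})$")

def parse_access_conf(text):
    """Return a list of stanzas, each a dict mapping directive -> value."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        name, value = m.groups()
        if name == "SOURCE":
            stanzas.append({})
        if not stanzas:
            raise ValueError("%s appears before the first SOURCE" % name)
        stanzas[-1][name] = value
    return stanzas

def open_ports(stanza):
    """Split 'tcp/22, tcp/110' into [('tcp', 22), ('tcp', 110)]; reject
    anything that is not proto/port with a port in 1..65535."""
    ports = []
    for item in stanza.get("OPEN_PORTS", "").split(","):
        m = PORT_RE.match(item.strip())
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError("bad OPEN_PORTS entry: %r" % item.strip())
        ports.append((m.group(1), int(m.group(2))))
    return ports

# Constructed sample showing both layouts Michael mentions: several ports in
# one OPEN_PORTS value, and a second SOURCE stanza restricted to one network.
SAMPLE = """
SOURCE: ANY;
OPEN_PORTS: tcp/22, tcp/110, tcp/34;
SOURCE: 192.168.1.0/24;   # only this LAN may open the next port
OPEN_PORTS: udp/1194;
"""

if __name__ == "__main__":
    for s in parse_access_conf(SAMPLE):
        print(s["SOURCE"], "->", open_ports(s))
```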