fwknop is a system for doing single packet auth. You can configure SPA to do something like wait for your magic encrypted packet, then open the ssh port for 30 seconds for just your IP. It's a good way to lock down SSH.
I came across this product in an article. I had a look at the source package on 1.8.1. I don't like the way this is packaged currently: 14 external Perl modules included (though it seems to have an option to use system modules). The install.pl seems rather home grown; however, it does seem to acknowledge Gentoo as a distro.
*** Bug 292193 has been marked as a duplicate of this bug. ***
Created attachment 209741 [details] Proposed ebuild This is a proposed ebuild for net-firewall/fwknop-1.9.12. It's modeled after the ebuild for net-firewall/psad that is already in portage. Both programs have some overlap in perl dependencies installed, so that would probably need to be fixed...
Tested the proposed ebuild on two machines: works like a charm. Any chance of fwknop entering portage at some point in the not too distant future? Machines used for testing: Gentoo Linux, hardened-sources, amd64 (server), Gentoo Linux, hardened-sources, x86 (client).
I filed bugs for all the dependencies: #312615, #312617 and #312619. I will change the ebuild to use them in the following.
Created attachment 226159 [details] enhanced ebuild This ebuild is the enhanced version of the other one. I added a couple of dependencies (why were they skipped in the first place?), removed the usage of the shipped deps and fixed some permissions. Oh, and instead of the messy hostname/domain guessing, I just used "hostname --fqdn"; that should work too.
Created attachment 226177 [details] enhanced ebuild I added two USE flags: "server" is meant to be unset by those users who only want to install the client and thus get rid of unneeded dependencies (e.g. iptables, whois, a mailer, a couple of Perl modules). The "gpg" USE flag is for those who do not want the gpg deps pulled in as they do not need them (which seems to be quite a bunch). What still needs to be done is support for the nice test suite shipped by the package.
SPA seems to be really better than normal port knocking. It would be very cool if fwknop could be added to portage. The program has now been ported to C and is actively developed: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=summary
Created attachment 322804 [details] fwknop-2.0.2.ebuild Updated ebuild for fwknop-2.0.2
Created attachment 322806 [details] fwknopd init script
Created attachment 322808 [details] fwknop patch to avoid access violation
Created attachment 335058 [details] fwknop-2.0.4.ebuild Proposed ebuild for fwknop-2.0.4. `gdbm` USE added, minor changes here and there. BTW, since version 2 fwknop has no dependencies on Perl, so all deps of this bug are obsolete and could be dropped.
Created attachment 335062 [details] fwknop-2.0.4-fix-parallel-build.patch Needed patch to fix parallel build. See this discussion: http://sourceforge.net/mailarchive/message.php?msg_id=30285314
Created attachment 335066 [details] fwknopd.init
Created attachment 354354 [details] fwknop-2.5.0.ebuild fwknop 2.5.0 has been out for some time. One can find the changelog here: http://www.cipherdyne.org/blog/2013/07/software-release-fwknop-2.5-with-hmac-support.html The most notable changes are HMAC support and static code analysis by Coverity.
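The thread describes the mechanism only in prose: comment 1 wants an encrypted packet that opens the SSH port for 30 seconds for the sender's IP only, comment 9 argues SPA beats classic port knocking, and the 2.5 release above adds HMAC. The following is an added example, written for this page and not code from fwknop or from anyone in the thread, that shows the skeleton of such an SPA exchange in Python: the client builds a packet carrying a timestamp, its source address, the requested access and random bytes, encrypts it and appends an HMAC; the server verifies the HMAC before touching the ciphertext, rejects replays by remembering packet digests, rejects stale and spoofed-source packets, and only then records a 30-second allow rule. The stream cipher (HMAC-SHA256 in counter mode), the JSON payload layout, the 120-second age window and the keys are assumptions for illustration; fwknop itself uses Rijndael or GnuPG for the encryption and has its own packet format.

```python
import hashlib
import hmac
import json
import os
import time

NONCE_LEN = 16
TAG_LEN = 32
MAX_AGE = 120  # seconds a packet stays acceptable (assumed window, not fwknop's exact value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher, not fwknop's Rijndael/GPG."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_spa_packet(enc_key: bytes, hmac_key: bytes, src_ip: str, access: str, now=None) -> bytes:
    """Client side: encrypt a one-shot request, then MAC the ciphertext (encrypt-then-MAC)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({
        "ts": now,                      # lets the server reject old packets
        "src": src_ip,                  # the only IP the rule should open for
        "access": access,               # e.g. "tcp/22"
        "rand": os.urandom(16).hex(),   # makes every packet unique so the replay cache works
    }).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = nonce + _xor_crypt(enc_key, nonce, payload)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


class SpaServer:
    """Server side: validate a packet and keep short-lived (src_ip, access) allow rules."""

    def __init__(self, enc_key: bytes, hmac_key: bytes, access_timeout: int = 30):
        self.enc_key = enc_key
        self.hmac_key = hmac_key
        self.access_timeout = access_timeout
        self.seen = set()   # digests of accepted packets, for replay detection
        self.rules = {}     # (ip, access) -> expiry time; a real daemon would drive iptables here

    def handle(self, packet: bytes, from_ip: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        if len(packet) <= NONCE_LEN + TAG_LEN:
            return "malformed"
        ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Authenticate first: nothing below runs on data an attacker could have altered.
        expected = hmac.new(self.hmac_key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad_hmac"
        digest = hashlib.sha256(packet).digest()
        if digest in self.seen:
            return "replay"   # a sniffed packet cannot be re-sent, unlike a knock sequence
        nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
        try:
            fields = json.loads(_xor_crypt(self.enc_key, nonce, body))
        except ValueError:
            return "undecryptable"
        if abs(now - int(fields["ts"])) > MAX_AGE:
            return "stale"
        if fields["src"] != from_ip:
            return "source_mismatch"   # the rule is tied to the address inside the packet
        self.seen.add(digest)
        self.rules[(from_ip, fields["access"])] = now + self.access_timeout
        return "accept"

    def is_allowed(self, ip: str, access: str, now=None) -> bool:
        """True while the short-lived rule for (ip, access) has not expired."""
        now = int(time.time()) if now is None else now
        return self.rules.get((ip, access), 0) > now
```

The two rejections a knock sequence cannot offer, replay and source binding, are the ones the example exercises; the replay cache and the age check work together, since the cache can be pruned of anything older than the window.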
Created attachment 354356 [details, diff] fwknop-2.5.0-Reset-terminal-setting-to-orignal-values-after-enter.patch
Created attachment 354358 [details, diff] fwknop-2.5.0-use-tcflag_t-where-needed.patch
Created attachment 354360 [details, diff] fwknop-2.5.0-silent-missing-pidfile-warning-on-start.patch
Created attachment 354362 [details] fwknopd.init
Created attachment 354366 [details] fwknop-2.5.1.ebuild Upstream quickly rolled out a bugfix release in which all the issues we patched against in the 2.5.0 ebuild are fixed.
Can this be added into portage with Coacher as the maintainer by proxy if (s)he is willing?
(In reply to Seemant Kulleen from comment #21)
> Can this be added into portage with Coacher as the maintainer by proxy if
> (s)he is willing?

I don't mind. Though you can grab fwknop (with some other stuff) from my overlay here: git://bonespirit.org/bonespirit.git
(In reply to Coacher from comment #22)
> (In reply to Seemant Kulleen from comment #21)
> > Can this be added into portage with Coacher as the maintainer by proxy if
> > (s)he is willing?
>
> I don't mind.

Since some time has passed, do you still want to become a proxied maintainer?
(In reply to Tom Wijsman (TomWij) from comment #23)
> (In reply to Coacher from comment #22)
> > (In reply to Seemant Kulleen from comment #21)
> > > Can this be added into portage with Coacher as the maintainer by proxy if
> > > (s)he is willing?
> >
> > I don't mind.
>
> Since some time has passed, do you still want to become a proxied maintainer?

Yes, it's still fine with me to proxy maintain fwknop. BTW, for those who are interested, I have an updated ebuild for 2.6.1 in my overlay (see above). Feel free to grab it.
Looks quite good, only two small issues found and fixed:

`scanelf -L -n -q -F '%n #F' /usr/lib64/libfko.so` reveals libassuan and libgpg-error were missing; they are needed for GPG, thus I've added those USE-flag-conditionally to RDEPEND. DOCS='' broke; so, I've changed that to DOCS=().

+ 27 Apr 2014; Tom Wijsman <TomWij@gentoo.org>
+ +files/fwknop-2.6.0-remove-extra-run-from-paths.patch, +files/fwknopd.confd,
+ +files/fwknopd.init, +files/fwknopd.tmpfiles.conf, +fwknop-2.6.1.ebuild,
+ +metadata.xml:
+ New ebuild for net-firewall/fwknop, a Single Packet Authorization and Port
+ Knocking application; fixes bug #178546, pr

Thank you very much for contributing.

PS: If this is your first proxy maintained package, feel free to let me know, then I can send you an introductory e-mail explaining a few things.
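The scanelf check above is the dependency audit a reviewer runs before a package enters the tree: compare the NEEDED entries of the installed ELF objects against what RDEPEND actually pulls in, so that a library linked in by a USE flag (here the GnuPG helpers) is not left to be satisfied by accident. The following is an added example, not part of this bug and not Gentoo tooling, that performs that comparison in POSIX sh over scanelf output embedded in the script. The sample output (including an invented fwknopd line), the glibc baseline list and the soname-to-package table are constructed for the example; on a real system the table would be replaced by `equery belongs` or `qfile`.

```shell
#!/bin/sh
# Audit NEEDED sonames (the format printed by `scanelf -L -n -q -F '%n #F'`)
# against a declared RDEPEND list. Added example for this bug page; the data
# below is constructed, not captured from a real fwknop install.

# Constructed scanelf output: one "soname,soname,... path" line per object.
SAMPLE_SCANELF='libgpgme.so.11,libassuan.so.0,libgpg-error.so.0,libc.so.6 /usr/lib64/libfko.so
libfko.so.2,libpcap.so.1,libgdbm.so.4,libc.so.6 /usr/sbin/fwknopd'

# Sonames provided by glibc itself; they never need an RDEPEND entry.
BASELINE='libc.so.6 libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1'

# Hypothetical soname -> owning package table. On a real system use
# `equery belongs` (app-portage/gentoolkit) or `qfile` (app-portage/portage-utils).
owner_of() {
    case $1 in
        libgpgme.so.*)     echo app-crypt/gpgme ;;
        libassuan.so.*)    echo dev-libs/libassuan ;;
        libgpg-error.so.*) echo dev-libs/libgpg-error ;;
        libpcap.so.*)      echo net-libs/libpcap ;;
        libgdbm.so.*)      echo sys-libs/gdbm ;;
        *)                 echo unknown ;;
    esac
}

# Print the distinct NEEDED sonames found in scanelf output ($1), dropping the
# glibc baseline and any libraries the package builds itself ($2, space-separated).
needed_sonames() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        printf '%s\n' "${line%% *}" | tr ',' '\n'
    done | sort -u | while IFS= read -r so; do
        case " $BASELINE $2 " in
            *" $so "*) ;;
            *) printf '%s\n' "$so" ;;
        esac
    done
}

# Print "soname package" for every runtime library whose owning package is not
# in the declared RDEPEND list ($2). $1 = scanelf output, $3 = own libraries.
missing_rdepend() {
    needed_sonames "$1" "$3" | while IFS= read -r so; do
        pkg=$(owner_of "$so")
        case " $2 " in
            *" $pkg "*) ;;
            *) printf '%s %s\n' "$so" "$pkg" ;;
        esac
    done | sort -u
}

# Stand-alone run: an RDEPEND that, like the ebuild reviewed above, lacks the GnuPG helpers.
missing_rdepend "$SAMPLE_SCANELF" 'app-crypt/gpgme net-libs/libpcap sys-libs/gdbm' 'libfko.so.2'
```

Anything the table cannot map comes out as "unknown", which is exactly the case that deserves a manual look rather than silence.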
(In reply to Tom Wijsman (TomWij) from comment #25)
> Looks quite good, only two small issues found and fixed:
>
> `scanelf -L -n -q -F '%n #F' /usr/lib64/libfko.so` reveals libassuan and
> libgpg-error were missing; they are needed for GPG, thus I've added those
> USE flag conditionally to RDEPEND. DOCS='' broke; so, I've changed that to
> DOCS=().

Thank you very much for noticing and fixing these problems.

> + 27 Apr 2014; Tom Wijsman <TomWij@gentoo.org>
> + +files/fwknop-2.6.0-remove-extra-run-from-paths.patch,
> +files/fwknopd.confd,
> + +files/fwknopd.init, +files/fwknopd.tmpfiles.conf, +fwknop-2.6.1.ebuild,
> + +metadata.xml:
> + New ebuild for net-firewall/fwknop, a Single Packet Authorization and Port
> + Knocking application; fixes bug #178546, pr

Hmm, I think it belongs more to the net-misc/ category. net-misc/knock with similar functionality is there as well. Would it be possible to move it to the net-misc/ category please?

> PS: If this is your first proxy maintained package; feel free to let me
> know, then I can send you an introductory e-mail explaining a few things.

Thanks, but there is no need for that. I am proxy maintaining app-admin/ulogd as well.
Tom, please look at my previous comment (especially part about category change).
Reopening to consider category move
Personally I don't think a category move is needed here. The "app-firewall" category is logical enough to hold fwknop, and net-misc is much more, well, miscellaneous oriented (40 vs 400 packages). Unless there is another reason, I'd suggest to keep it as-is.
(In reply to Sven Vermeulen from comment #29)
> Personally I don't think a category move is needed here. The "app-firewall"
> category is logical enough to hold fwknop, and net-misc is much more, well,
> miscellaenous oriented (40 vs 400 packages).
>
> Unless there is another reason, I'd suggest to keep it as-is.

The net-firewall/ category, as it looks to me, is dedicated to various XXtables packages, linux network stack tools and different firewalls. fwknop is not any of these. And speaking about miscellaneous oriented packages, openssh, openvpn, and dhcp(cd) are in net-misc/. What do you think?
(In reply to Coacher from comment #30)
> net-firewall/ category, as it looks to me, is dedicated to various XXtables
> packages, linux network stack tools and different firewalls. fwknop is not
> any of these. And speaking about miscellaneous oriented packages, openssh,
> openvpn, and dhcp(cd) are in net-misc/. What do you think?

Package moves aren't revertible, for as far as I have heard; or at least not easily, yet I also heard that it might be possible by removing the pkgmove line.

When you consider a category for a package, you need to take into account its descriptions; like for example, here they are:

The net-firewall category contains network firewall software.

The net-misc category contains various miscellaneous networking tools and utilities.

What's not entirely right to do is to check what is already in those categories; because if you do so, the first software in a category sets what the category is about and that's not always right. It can perhaps give an impression after a while; but beyond that, I don't think it allows for "not any of these" claims.

The package in question is based around a "packet filter" which looks like firewall functionality; reading further, it is said to support firewalls; looking further, there is an image demonstrating firewall behavior as well as a firewalls related book shown on the site.

It comes over to me as firewall software, as that would also be the response if you were to ask a layman "what kind of software is fwknop?"; if it's not, then I wonder with what type of category one would label fwknop?

It's easy to put stuff in miscellaneous categories if you don't know where to put the software, or when a clear category isn't immediately visible; so, if you insist that it is not "firewall software" for a good reason then we can go ahead and place it there until we've found a better category at some later point.
Note that this is a devil's advocate response; I personally don't care, just want to prevent future maintainers or net-misc cleanup efforts from not being able to properly move it back as well as becoming more heavy efforts.
(In reply to Tom Wijsman (TomWij) from comment #31)
> When you consider a category for a package, you need to take into account
> its descriptions; like for example, here they are:
>
> The net-firewall category contains network firewall software.
>
> The net-misc category contains various miscellaneous networking tools
> and utilities.

I was trying to find descs for categories, but failed. Can you please point me in the right direction?

> What's not entirely right to do is to check what is already in those
> categories; because if you do so, the first software in a category sets what
> the category is about and that's not always right. It can perhaps give an
> impression after a while; but beyond that, I don't think it allows for "not
> any of these" claims.

Both net-firewall/ and net-misc/ are mature indeed, I think.

> The package in question is based around a "packet filter" which looks like
> firewall functionality; reading further, it is said to support firewalls;
> looking further, there is a an image demonstrating firewall behavior as well
> as a firewalls related book shown on the site.
>
> It comes over to me as firewall software, as that would also be a response
> if you were to ask a laymen "what kind of software is fwknop?"; if it's not,
> then I wonder with what type of category that one would label fwknop?

This sounds convincing.

> It's easy to put stuff in miscellaneous categories if you don't know where
> to put the software, or when a clear category isn't immediately visible; so,
> if you insist that it is not "firewall software" for a good reason then we
> can go ahead and place it there until we've found a better category at some
> later point.
>
> Note that this is a devil's advocate response; I personally don't care, just
> want to prevent future maintainers or net-misc cleanup efforts from not
> being able to properly move it back as well as becoming more heavy efforts.

I see. Thank you for your response Tom, it made things clearer to me.
I think of fwknop as yet another network daemon that relies on a firewall, perhaps a bit more "low-level" than others. But indeed, a major part of its functionality can be described as "packet filtering", so probably yes, net-firewall/ suits better here.
@proxy-maint thanks for your efforts on this one. Please close as RESOLVED FIXED.