Bug 178546 - >=net-firewall/fwknop-2.6.1 is a system for doing single packet auth
Summary: >=net-firewall/fwknop-2.6.1 is a system for doing single packet auth
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement with 2 votes
Assignee: Default Assignee for New Packages
URL: http://www.cipherdyne.com/fwknop/
Whiteboard:
Keywords: EBUILD
Duplicates: 292193
Depends on: 312617 312619
Blocks: 509672
Reported: 2007-05-14 19:33 UTC by wyvern5
Modified: 2014-12-19 20:38 UTC
CC List: 9 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposed ebuild (fwknop-1.9.12.ebuild, 2.64 KB, text/plain), 2009-11-09 14:33 UTC, Marshall McMullen
enhanced ebuild (fwknop-1.9.12.ebuild, 1.88 KB, text/plain), 2010-04-01 17:03 UTC, René 'Necoro' Neumann
enhanced ebuild (fwknop-1.9.12.ebuild, 2.21 KB, text/plain), 2010-04-01 19:56 UTC, René 'Necoro' Neumann
fwknop-2.0.2.ebuild (fwknop-2.0.2.ebuild, 951 bytes, text/plain), 2012-09-03 05:46 UTC, Coacher
fwknopd init script (fwknopd.init, 1.44 KB, text/plain), 2012-09-03 05:47 UTC, Coacher
fwnop patch to avoid access violation (fwknop-2.0.2-Makefile.patch, 1.17 KB, text/plain), 2012-09-03 05:47 UTC, Coacher
fwknop-2.0.4.ebuild (fwknop-2.0.4-r2.ebuild, 1.07 KB, text/plain), 2013-01-10 12:33 UTC, Coacher
fwknop-2.0.4-fix-parallel-build.patch (fwknop-2.0.4-fix-parallel-build.patch, 1.21 KB, text/plain), 2013-01-10 12:37 UTC, Coacher
fwknopd.init (fwknopd.init, 1.37 KB, text/plain), 2013-01-10 12:38 UTC, Coacher
fwknop-2.5.0.ebuild (fwknop-2.5.0.ebuild, 1.20 KB, text/plain), 2013-07-28 02:34 UTC, Coacher
fwknop-2.5.0-Reset-terminal-setting-to-orignal-values-after-enter.patch (fwknop-2.5.0-Reset-terminal-setting-to-orignal-values-after-enter.patch, 1.24 KB, patch), 2013-07-28 02:35 UTC, Coacher
fwknop-2.5.0-use-tcflag_t-where-needed.patch (fwknop-2.5.0-use-tcflag_t-where-needed.patch, 383 bytes, patch), 2013-07-28 02:35 UTC, Coacher
fwknop-2.5.0-silent-missing-pidfile-warning-on-start.patch (fwknop-2.5.0-silent-missing-pidfile-warning-on-start.patch, 410 bytes, patch), 2013-07-28 02:39 UTC, Coacher
fwknopd.init (fwknopd.init, 1.36 KB, text/plain), 2013-07-28 02:39 UTC, Coacher
fwknop-2.5.1.ebuild (fwknop-2.5.1.ebuild, 952 bytes, text/plain), 2013-07-28 03:09 UTC, Coacher

Description wyvern5 2007-05-14 19:33:18 UTC
fwknop is a system for doing single packet auth. You can configure SPA to do something like wait for your magic encrypted packet, then open the ssh port for 30 seconds for just your IP. It's a good way to lock down SSH.

Reproducible: Always
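The description above sketches what a single packet authorization daemon does. The following is an added example, not fwknop's code and not its wire format (fwknop also encrypts the payload; only the HMAC step, which fwknop gained in 2.5, is modelled here). It shows the daemon-side checks that must pass before any port is opened: HMAC verification before parsing, a replay cache, a timestamp window, a source-IP match, and a 30-second allow entry for just the requesting IP. The key, packet layout and addresses are constructed.

```python
import base64, hashlib, hmac, json, os

HMAC_KEY = b"constructed-demo-key"  # constructed; fwknop reads its keys from access.conf
OPEN_SECONDS = 30                   # the 30-second window described in the report
MAX_SKEW = 120                      # seconds of clock drift tolerated before a packet is stale
TAG_LEN = 32                        # HMAC-SHA256 output length

def build_spa(src_ip, port, ts, key=HMAC_KEY):
    """Client side: body || HMAC-SHA256(body). Constructed layout, not fwknop's wire format."""
    body = json.dumps({"ip": src_ip, "port": port, "ts": ts,
                       "nonce": os.urandom(8).hex()}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)

class SpaVerifier:
    """Daemon side: every check runs before a firewall rule is touched."""
    def __init__(self, key=HMAC_KEY):
        self.key = key
        self.seen = set()   # digests of accepted packets, so a captured packet cannot be replayed
        self.allowed = {}   # (ip, port) -> expiry timestamp of the temporary allow rule

    def verify(self, packet, src_ip, now):
        try:
            raw = base64.b64decode(packet, validate=True)
        except (ValueError, TypeError):
            return "malformed"
        if len(raw) <= TAG_LEN:
            return "malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        # Authenticate first, in constant time, so unauthenticated input never reaches the parser.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-hmac"
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return "replay"
        msg = json.loads(body)
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"
        if msg["ip"] != src_ip:   # strict policy: payload IP must match the observed source
            return "ip-mismatch"
        self.seen.add(digest)
        # Only now open the requested port, only for the requesting IP, only for OPEN_SECONDS.
        self.allowed[(msg["ip"], msg["port"])] = now + OPEN_SECONDS
        return "open"

    def is_open(self, ip, port, now):
        expiry = self.allowed.get((ip, port))
        return expiry is not None and now < expiry
```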
Comment 1 Daniel Black (RETIRED) gentoo-dev 2007-06-10 23:34:49 UTC
I came across this product in an article.

I had a look at the source package on 1.8.1.

I don't like the way this is packaged currently: 14 external Perl modules included (though it seems to have an option to use system modules). The install.pl seems rather home-grown, but it does seem to acknowledge Gentoo as a distro.
Comment 2 Sebastian Luther (few) 2009-11-09 10:53:55 UTC
*** Bug 292193 has been marked as a duplicate of this bug. ***
Comment 3 Marshall McMullen 2009-11-09 14:33:53 UTC
Created attachment 209741 [details]
Proposed ebuild

This is a proposed ebuild for net-firewall/fwknop-1.9.12. It's modeled after
the ebuild for net-firewall/psad that is already in portage. Both programs have
some overlap in perl dependencies installed, so that would probably need to be
fixed...
Comment 4 Ewald Tienkamp 2010-01-31 16:53:10 UTC
Tested the proposed ebuild on two machines: works like a charm. Any chance of fwknop entering portage at some point in the not too distant future?

Machines used for testing:
Gentoo Linux, hardened-sources, amd64 (server),
Gentoo Linux, hardened-sources, x86 (client).
Comment 5 René 'Necoro' Neumann 2010-04-01 13:53:38 UTC
I filed bugs for all the dependencies ... #312615, #312617 and #312619

Will change the ebuild to use them in the following
Comment 6 René 'Necoro' Neumann 2010-04-01 17:03:07 UTC
Created attachment 226159 [details]
enhanced ebuild

This ebuild is the enhanced version of the other one. I added a couple of dependencies (why were they skipped in the first place?), removed the usage of the shipped deps and fixed some permissions.

Oh - and instead of the messy hostname/domain guessing, I just used "hostname --fqdn" - should work too
Comment 7 René 'Necoro' Neumann 2010-04-01 19:56:33 UTC
Created attachment 226177 [details]
enhanced ebuild

I added two useflags:

"server" is meant to be unset by those users who only want to install the client and thus get rid of unneeded dependencies (e.g. iptables, whois, mailer, a couple of Perl stuff).

The "gpg" useflag is for those who do not want the gpg deps pulled in, as they do not need them (seems to be quite a bunch).

What needs to be done is the support for the nice testsuite supported by the package.
Comment 8 Marco Schinkel 2012-08-16 20:26:23 UTC
SPA seems to be really better than normal port knocking. It would be very cool if fwknop could be added to portage. 

The program is now ported to C and actively developed:
http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=summary
Comment 9 Coacher 2012-09-03 05:46:52 UTC
Created attachment 322804 [details]
fwknop-2.0.2.ebuild

Updated ebuild for fwknop-2.0.2
Comment 10 Coacher 2012-09-03 05:47:24 UTC
Created attachment 322806 [details]
fwknopd init script
Comment 11 Coacher 2012-09-03 05:47:53 UTC
Created attachment 322808 [details]
fwnop patch to avoid access violation
Comment 12 Coacher 2013-01-10 12:33:49 UTC
Created attachment 335058 [details]
fwknop-2.0.4.ebuild

Proposed ebuild for fwknop-2.0.4. `gdbm` USE added, minor changes here and there. BTW, since version 2 fwknop has no dependencies on Perl, so all deps of this bug are obsolete and could be dropped.
Comment 13 Coacher 2013-01-10 12:37:07 UTC
Created attachment 335062 [details]
fwknop-2.0.4-fix-parallel-build.patch

Needed patch to fix parallel build. See this discussion: http://sourceforge.net/mailarchive/message.php?msg_id=30285314
Comment 14 Coacher 2013-01-10 12:38:12 UTC
Created attachment 335066 [details]
fwknopd.init
Comment 15 Coacher 2013-07-28 02:34:18 UTC
Created attachment 354354 [details]
fwknop-2.5.0.ebuild

fwknop 2.5.0 has been out for some time. One can find the changelog here: http://www.cipherdyne.org/blog/2013/07/software-release-fwknop-2.5-with-hmac-support.html

The most notable changes are HMAC support and static code analysis by Coverity.
Comment 16 Coacher 2013-07-28 02:35:14 UTC
Created attachment 354356 [details, diff]
fwknop-2.5.0-Reset-terminal-setting-to-orignal-values-after-enter.patch
Comment 17 Coacher 2013-07-28 02:35:39 UTC
Created attachment 354358 [details, diff]
fwknop-2.5.0-use-tcflag_t-where-needed.patch
Comment 18 Coacher 2013-07-28 02:39:30 UTC
Created attachment 354360 [details, diff]
fwknop-2.5.0-silent-missing-pidfile-warning-on-start.patch
Comment 19 Coacher 2013-07-28 02:39:53 UTC
Created attachment 354362 [details]
fwknopd.init
Comment 20 Coacher 2013-07-28 03:09:06 UTC
Created attachment 354366 [details]
fwknop-2.5.1.ebuild

Upstream quickly rolled out a bugfix release where all the issues we patched against in the 2.5.0 ebuild are fixed.
Comment 21 Seemant Kulleen 2013-11-07 18:54:43 UTC
Can this be added into portage with Coacher as the maintainer by proxy if (s)he is willing?
Comment 22 Coacher 2013-11-07 19:42:18 UTC
(In reply to Seemant Kulleen from comment #21)
> Can this be added into portage with Coacher as the maintainer by proxy if
> (s)he is willing?

I don't mind. Though you can grab fwknop (with some other stuff) from my overlay here: git://bonespirit.org/bonespirit.git
Comment 23 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-04-26 12:54:44 UTC
(In reply to Coacher from comment #22)
> (In reply to Seemant Kulleen from comment #21)
> > Can this be added into portage with Coacher as the maintainer by proxy if
> > (s)he is willing?
> 
> I don't mind. 

Since some time has passed, do you still want to become a proxied maintainer?
Comment 24 Coacher 2014-04-26 17:58:55 UTC
(In reply to Tom Wijsman (TomWij) from comment #23)
> (In reply to Coacher from comment #22)
> > (In reply to Seemant Kulleen from comment #21)
> > > Can this be added into portage with Coacher as the maintainer by proxy if
> > > (s)he is willing?
> > 
> > I don't mind. 
> 
> Since some time has passed, do you still want to become a proxied maintainer?

Yes, it's still fine with me to proxy maintain fwknop.

BTW, for those who are interested, I have an updated ebuild for 2.6.1 in my overlay (see above). Feel free to grab it.
Comment 25 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-04-27 11:21:10 UTC
Looks quite good, only two small issues found and fixed:

`scanelf -L -n -q -F '%n #F' /usr/lib64/libfko.so` reveals libassuan and libgpg-error were missing; they are needed for GPG, thus I've added those to RDEPEND, conditional on the USE flag. DOCS='' broke; so, I've changed that to DOCS=().

+  27 Apr 2014; Tom Wijsman <TomWij@gentoo.org>
+  +files/fwknop-2.6.0-remove-extra-run-from-paths.patch, +files/fwknopd.confd,
+  +files/fwknopd.init, +files/fwknopd.tmpfiles.conf, +fwknop-2.6.1.ebuild,
+  +metadata.xml:
+  New ebuild for net-firewall/fwknop, a Single Packet Authorization and Port
+  Knocking application; fixes bug #178546, pr

Thank you very much for contributing.

PS: If this is your first proxy maintained package; feel free to let me know, then I can send you an introductory e-mail explaining a few things.
Comment 26 Coacher 2014-04-28 10:22:29 UTC
(In reply to Tom Wijsman (TomWij) from comment #25)
> Looks quite good, only two small issues found and fixed:
> 
> `scanelf -L -n -q -F '%n #F' /usr/lib64/libfko.so` reveals libassuan and
> libgpg-error were missing; they are needed for GPG, thus I've added those
> USE flag conditionally to RDEPEND. DOCS='' broke; so, I've changed that to
> DOCS=().

Thank you very much for noticing and fixing these problems.

> +  27 Apr 2014; Tom Wijsman <TomWij@gentoo.org>
> +  +files/fwknop-2.6.0-remove-extra-run-from-paths.patch,
> +files/fwknopd.confd,
> +  +files/fwknopd.init, +files/fwknopd.tmpfiles.conf, +fwknop-2.6.1.ebuild,
> +  +metadata.xml:
> +  New ebuild for net-firewall/fwknop, a Single Packet Authorization and Port
> +  Knocking application; fixes bug #178546, pr

Hmm, I think it belongs more to the net-misc/ category. net-misc/knock with similar functionality is there as well. Would it be possible to move it to net-misc/ category please?

> PS: If this is your first proxy maintained package; feel free to let me
> know, then I can send you an introductory e-mail explaining a few things.

Thanks, but there is no need for that. I am proxy maintaining app-admin/ulogd as well.
Comment 27 Coacher 2014-05-05 09:50:33 UTC
Tom, please look at my previous comment (especially part about category change).
Comment 28 Markos Chandras (RETIRED) gentoo-dev 2014-05-05 10:30:29 UTC
Reopening to consider category move
Comment 29 Sven Vermeulen (RETIRED) gentoo-dev 2014-06-01 13:42:50 UTC
Personally I don't think a category move is needed here. The "app-firewall" category is logical enough to hold fwknop, and net-misc is much more, well, miscellaneous oriented (40 vs 400 packages).

Unless there is another reason, I'd suggest to keep it as-is.
Comment 30 Coacher 2014-06-01 14:05:17 UTC
(In reply to Sven Vermeulen from comment #29)
> Personally I don't think a category move is needed here. The "app-firewall"
> category is logical enough to hold fwknop, and net-misc is much more, well,
> miscellaneous oriented (40 vs 400 packages).
> 
> Unless there is another reason, I'd suggest to keep it as-is.

net-firewall/ category, as it looks to me, is dedicated to various XXtables packages, linux network stack tools and different firewalls. fwknop is not any of these. And speaking about miscellaneous oriented packages, openssh, openvpn, and dhcp(cd) are in net-misc/. What do you think?
Comment 31 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-06-01 15:02:53 UTC
(In reply to Coacher from comment #30)
> net-firewall/ category, as it looks to me, is dedicated to various XXtables
> packages, linux network stack tools and different firewalls. fwknop is not
> any of these. And speaking about miscellaneous oriented packages, openssh,
> openvpn, and dhcp(cd) are in net-misc/. What do you think?

Package moves aren't revertible, as far as I have heard; or at least not easily, yet I also heard that it might be possible by removing the pkgmove line.

When you consider a category for a package, you need to take into account its descriptions; like for example, here they are:

    The net-firewall category contains network firewall software.

    The net-misc category contains various miscellaneous networking tools
    and utilities.

What's not entirely right to do is to check what is already in those categories; because if you do so, the first software in a category sets what the category is about and that's not always right. It can perhaps give an impression after a while; but beyond that, I don't think it allows for "not any of these" claims.

The package in question is based around a "packet filter" which looks like firewall functionality; reading further, it is said to support firewalls; looking further, there is an image demonstrating firewall behavior as well as a firewall-related book shown on the site.

It comes over to me as firewall software, as that would also be the response if you were to ask a layman "what kind of software is fwknop?"; if it's not, then I wonder with what type of category one would label fwknop?

It's easy to put stuff in miscellaneous categories if you don't know where to put the software, or when a clear category isn't immediately visible; so, if you insist that it is not "firewall software" for a good reason then we can go ahead and place it there until we've found a better category at some later point.

Note that this is a devil's advocate response; I personally don't care, just want to prevent future maintainers or net-misc cleanup efforts from not being able to properly move it back as well as becoming more heavy efforts.
Comment 32 Coacher 2014-06-01 20:00:38 UTC
(In reply to Tom Wijsman (TomWij) from comment #31)
> When you consider a category for a package, you need to take into account
> its descriptions; like for example, here they are:
> 
>     The net-firewall category contains network firewall software.
> 
>     The net-misc category contains various miscellaneous networking tools
>     and utilities.

I was trying to find descs for categories, but failed. Can you please point me in the right direction?

> What's not entirely right to do is to check what is already in those
> categories; because if you do so, the first software in a category sets what
> the category is about and that's not always right. It can perhaps give an
> impression after a while; but beyond that, I don't think it allows for "not
> any of these" claims.

Both net-firewall/ and net-misc/ are mature indeed, I think.

> The package in question is based around a "packet filter" which looks like
> firewall functionality; reading further, it is said to support firewalls;
> looking further, there is an image demonstrating firewall behavior as well
> as a firewall-related book shown on the site.
> 
> It comes over to me as firewall software, as that would also be a response
> if you were to ask a layman "what kind of software is fwknop?"; if it's not,
> then I wonder with what type of category that one would label fwknop?

This sounds convincing.

> It's easy to put stuff in miscellaneous categories if you don't know where
> to put the software, or when a clear category isn't immediately visible; so,
> if you insist that it is not "firewall software" for a good reason then we
> can go ahead and place it there until we've found a better category at some
> later point.
> 
> Note that this is a devil's advocate response; I personally don't care, just
> want to prevent future maintainers or net-misc cleanup efforts from not
> being able to properly move it back as well as becoming more heavy efforts.

I see. Thank you for your response Tom, it made things clearer to me. I think of fwknop as yet another network daemon that relies on a firewall, perhaps a bit more "low-level" than others. But indeed, a major part of its functionality can be described as "packet filtering", so probably yes, net-firewall/ suits better here.
Comment 33 Coacher 2014-06-01 20:01:37 UTC
@proxy-maint thanks for your efforts on this one. Please close as RESOLVED FIXED.