fwknop

Introduction

A Firewall Knock Operator.

  • monitoring and processing Single Packet Authorization (SPA) packets
    (authenticating and decrypting)
  • modifying a firewall rule
  • removing access after a configurable timeout

SPA (Single Packet Authorization) is the modern replacement for port knocking.

The SPA server (fwknopd) only allows access from the IP address that was encrypted within the SPA payload.

By default, the fwknop client sends SPA packets over 62201/UDP.

fwknopd

 * written in C

 * HMAC with a shared key

  • An SPA packet is "valid" only when it is authenticated via an HMAC
  • The packet is encrypted with a strong cipher (Rijndael) under the expected key
  • The fwknop client strips any trailing "=" (base64 padding) characters before sending an SPA packet.

 * Supports iptables, ipfw, and pf

Behaviour on iptables

The daemon relies on the iptables "comment" match to store the expiration time of each new ACCEPT rule it adds upon receiving a valid SPA packet.

All new rules are added by fwknopd to the FWKNOP_INPUT chain to keep them separate from the rest of the iptables policy.

We assume that iptables is configured in a default-drop stance for port

iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP

A state tracking mechanism supported by the firewall can be used to keep a session established even after the rule that allowed access is removed.

iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Features

Stopping Replay Attacks

The SPA server (fwknopd) compares the SHA-256 digest of each incoming packet with the SHA-256 digests of all previously seen and properly decrypted SPA packets.

If there is a match, fwknopd knows that a replay attack was attempted.

/tmp/fwknop/digest.cache

# <digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>
DIGEST     17      s.s.s.s  58536      d.d.d.d  62201      1519636310
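The replay check above, as an added example that is not fwknop's own code: it parses the digest.cache format shown, looks up the SHA-256 digest of a freshly authenticated packet, and appends a new entry when the digest is unseen. The cache contents, the SPA payload, and the hex encoding of the digest column are assumptions made for this example.

```python
"""Replay detection modelled on fwknopd's digest cache (added example, not fwknop code)."""
import hashlib
from typing import Set, Tuple

# Constructed sample in the digest.cache layout from the page:
# <digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>
SAMPLE_CACHE = (
    "# <digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>\n"
    "DIGEST 17 192.0.2.10 58536 198.51.100.5 62201 1519636310\n"
)


def parse_cache(text: str) -> Set[str]:
    """Return the set of digests already recorded; '#' lines are comments."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed entry: skip it rather than trust it
        seen.add(fields[0])
    return seen


def check_and_record(cache: str, payload: bytes, proto: int,
                     src: Tuple[str, int], dst: Tuple[str, int],
                     now: int) -> Tuple[bool, str]:
    """Return (is_replay, updated_cache).

    Call this only after the packet's HMAC verified and it decrypted cleanly,
    since the cache tracks 'previously seen and properly decrypted' packets.
    A digest already present means the same SPA packet was seen before.
    (Hex SHA-256 is an assumption of this example, not fwknop's exact format.)
    """
    digest = hashlib.sha256(payload).hexdigest()
    if digest in parse_cache(cache):
        return True, cache  # replay: do not touch the firewall, keep cache as is
    entry = f"{digest} {proto} {src[0]} {src[1]} {dst[0]} {dst[1]} {now}\n"
    return False, cache + entry
```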

Android Client

Fwknop2

https://f-droid.org/en/packages/org.cipherdyne.fwknop2/
