Last updated: 2024-06-28
Contents
- Package / Software
- Install on U22
- Generate encryption and HMAC keys
- UDP (no need libpcap)
- U22 Config Summary
- fwknopd Settings
- CLI
- Debug
- iptables changes
- CLI Client - fwknop
- Logs
- Doc
Package / Software
Android:
- fwknop2
Windows:
- fwknop-gui (https://incomsystems.biz/fwknop-gui/index.php)
OpenWrt Package:
- fwknop (libfko)
- fwknopd (libfko, libpcap, iptables)
Debian
- fwknop-client (libfko3)
- fwknop-server
Install on U22
apt-get install fwknop-server fwknop-client
fwknopd -V
fwknopd server 2.6.10, compiled for firewall bin: /usr/sbin/iptables
fwknop -V
fwknop client 2.6.10, FKO protocol version 3.0.0
Generate encryption and HMAC keys
fwknop --key-gen
[*] Creating initial rc file: /root/.fwknoprc
KEY_BASE64: ??
HMAC_KEY_BASE64: ??
SPA packets are protected with encrypt-then-authenticate
KEY_BASE64
Used to encrypt and decrypt SPA packets # Rijndael mode
HMAC_KEY_BASE64
Used for the authenticated encryption (HMAC) of SPA packets
UDP (no need libpcap)
# This instructs fwknopd to acquire SPA packets via a UDP socket directly without having to use libpcap
# fwknop should be compiled with --enable-udp-server so that libpcap can be removed as a dependency
ENABLE_UDP_SERVER N
UDPSERV_PORT 62201
Notes
- UDP mode requires opening the port on the firewall (e.g. ufw allow 62201/udp)
- It is preferable to TCP mode, because no SYN packet has to be answered
U22 Config Summary
fwknopd.conf
# Basic settings
ENABLE_UDP_SERVER Y;
UDPSERV_PORT 62201;
# Attack prevention (replay detection)
ENABLE_DIGEST_PERSISTENCE Y;
# Optional
ENABLE_SPA_PACKET_AGING Y;
MAX_SPA_PACKET_AGE 30;
access.conf
* Each stanza must start with SOURCE
SOURCE ANY
KEY_BASE64 __CHANGEME__
HMAC_KEY_BASE64 __CHANGEME__
FW_ACCESS_TIMEOUT 10
OPEN_PORTS tcp/22,tcp/2201
REQUIRE_SOURCE_ADDRESS Y
ENABLE_CMD_EXEC N
chmod 600 access.conf
Enable Service & Start
/etc/default/fwknop-server
START_DAEMON="yes"
systemctl enable fwknop-server --now
Check
systemctl status fwknop-server
lsof -c fwknopd -a -i udp
fwknopd Settings
Config File
fwknopd.conf
# There are no access control directives in this file.
access.conf
# All access control directives
UDP Mode
ENABLE_UDP_SERVER (Default: N)
UDPSERV_PORT (Default: 62201)
PCAP Mode
PCAP_INTF
PCAP_INTF <interface>
Specify the ethernet interface on which fwknopd will sniff packets.
By default fwknopd puts the pcap interface into promiscuous mode.
(ENABLE_PCAP_PROMISC Y)
PCAP_FILTER
PCAP_FILTER <pcap filter spec>
fwknopd defaults to UDP port 62201.
If an fwknop client uses the --rand-port option, widen the filter:
PCAP_FILTER "udp dst portrange 10000-65535"
PCAP_LOOP_SLEEP # The default is 100000 (1/10 sec)
PCAP_LOOP_SLEEP <microseconds>
Sets the number of microseconds passed as an argument to usleep() in the pcap loop.
TCP Mode
TCPSERV_PORT <port>
ENABLE_TCP_SERVER <Y/N>
MAX_SPA_PACKET_AGE
Maximum allowed clock difference between the client and the fwknopd server.
If left blank, it will default to 120 seconds.
ENABLE_DIGEST_PERSISTENCE
Track digest sums associated with previous SPA packets processed by fwknopd.
SOURCE # Default: ANY
This defines the source address from which the SPA packet will be accepted.
The string "ANY" is also accepted if a valid SPA packet should be honored from any source IP.
Every authorization stanza in access.conf must start with the "SOURCE" keyword.
OPEN_PORTS
OPEN_PORTS <proto/port>,...,<proto/port>
Define a set of ports and protocols (tcp or udp) that will be opened if a valid knock sequence is seen.
If this entry is not set, fwknopd will attempt to honor any proto/port request specified in the SPA data !!
(unless it matches a "RESTRICT_PORTS" entry)
HMAC_KEY_BASE64
Defines the HMAC message verification key used to validate the SPA packet
KEY_BASE64
Used to encrypt and decrypt SPA packets # Rijndael mode
FW_ACCESS_TIMEOUT
Sets how long fwknopd waits before removing the firewall rules it created.
The firewall must have an ESTABLISHED rule, otherwise the connection is cut when the timeout expires !!
* Recommended to set it to 10 seconds or less, because within that window the source IP can open multiple connections to "OPEN_PORTS"
REQUIRE_SOURCE_ADDRESS
REQUIRE_SOURCE_ADDRESS <Y/N>
Force all SPA packets to contain a real IP address within the encrypted data.
This makes it impossible to use the -s command line argument on the fwknop client command line,
so either -R has to be used to automatically resolve the external address (if the client behind a NAT) or
the client must know the external IP and set it via the -a argument.
log
(stanza #1) SPA Packet from IP: s.s.s.s received with access source match[s.s.s.s]
(stanza #1) Got 0.0.0.0 when valid source IP was required.
ENABLE_CMD_EXEC # Default N
ENABLE_CMD_EXEC <Y/N>
Allows fwknopd to accept complete commands that are contained within an authorization packet.
CLI
Status
-S, --status # Display the status of any running fwknopd process.
Detected fwknopd is running (pid=2276).
Kill
-K, --kill # Kill the currently running fwknopd.
Process
/usr/sbin/fwknopd --foreground --syslog-enable \
  -c /var/etc/fwknopd.conf -a /var/etc/access.conf -i eth0.2
Check FW Rules
--fw-list
List only firewall rules that any running fwknopd daemon has created and then exit.
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num target prot opt source destination
Chain FWKNOP_FORWARD (1 references)
num target prot opt source destination
Chain FWKNOP_PREROUTING (1 references)
num target prot opt source destination
--fw-flush
Flush any firewall rules created by a running fwknopd process.
(without waiting for the rules to time out)
Deleting any existing firewall rules...
Debug
fwknopd -vtf
-c, --config-file
-a, --access-file
-f, --foreground - Run fwknopd in the foreground
-t, --test - Test mode, process SPA packets but do not make any firewall modifications
-v, --verbose - Set verbose mode
e.g.
fwknopd -f -t -v -a access.conf -c fwknopd.conf
Opened access file: access.conf
Initialize access stanzas
[+] Processing include_keys directive for: '/etc/fwknop/key.conf'
Including key file: '/etc/fwknop/key.conf'
[+] Writing my PID (866400) to the lock file: /run/fwknop/fwknopd.pid
Starting fwknopd
Using Digest Cache: '/run/fwknop/digest.cache' (entry count = 0)
Kicking off UDP server to listen on port 62201.
...
Dump the configuration values
fwknopd -D
Current fwknopd config settings:
0. CONFIG_FILE = '/etc/fwknop/fwknopd.conf'
1. OVERRIDE_CONFIG = '<not set>'
2. PCAP_INTF = 'eth1'
3. PCAP_FILE = '<not set>'
4. ENABLE_PCAP_PROMISC = 'N'
5. PCAP_FILTER = 'udp port 62201'
6. PCAP_DISPATCH_COUNT = '100'
7. PCAP_LOOP_SLEEP = '100000'
....
iptables changes
Chain INPUT (policy ACCEPT)
target prot opt source destination
FWKNOP_INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
FWKNOP_FORWARD all -- 0.0.0.0/0 0.0.0.0/0
Chain FWKNOP_FORWARD (1 references)
target prot opt source destination
Chain FWKNOP_INPUT (1 references)
target prot opt source destination
When a valid SPA packet arrives
Chain FWKNOP_INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- s.s.s.s 0.0.0.0/0 tcp dpt:2222 /* _exp_1589956920 */
Logs
When an SPA packet arrives and a SOURCE matches, the first log line is:
(stanza #1) SPA Packet from IP: s.s.s.s received with access source match
fwknopd adds a rule
On success
Added access rule to FWKNOP_INPUT for s.s.s.s -> 0.0.0.0/0 tcp/2222, expires at 1519706071
After some time (FW_ACCESS_TIMEOUT)
Removed rule 1 from FWKNOP_INPUT with expire time of 1519706071
Checking
iptables -nL | grep 2222
ACCEPT tcp -- s.s.s.s 0.0.0.0/0 tcp dpt:2222 /* _exp_1519706158 */
fwknopd failure logs
Wrong port (fwknopd does not allow the port the SPA packet asked to open)
(stanza #1) One or more requested protocol/ports was denied per access.conf.
Wrong HMAC
(stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
Usually a wrong HMAC_DIGEST_TYPE
Wrong key
(stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
Remark: key verification order
Checked in this order
HMAC -> KEY
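Added example (not from the original notes or the fwknop project): a small Python script that classifies the fwknopd log messages listed above per source IP and flags hosts with repeated HMAC or decryption failures, which points at a client with the wrong key/HMAC_DIGEST_TYPE or at unsolicited packets. The log lines, IPs and expire times in it are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the fwknopd syslog messages quoted above
# (the source IPs and expire times are made up).
SAMPLE_LOG = """\
(stanza #1) SPA Packet from IP: 203.0.113.7 received with access source match
Added access rule to FWKNOP_INPUT for 203.0.113.7 -> 0.0.0.0/0 tcp/2222, expires at 1519706071
Removed rule 1 from FWKNOP_INPUT with expire time of 1519706071
(stanza #1) SPA Packet from IP: 198.51.100.9 received with access source match
(stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
(stanza #1) SPA Packet from IP: 198.51.100.9 received with access source match
(stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
(stanza #1) SPA Packet from IP: 198.51.100.9 received with access source match
(stanza #1) One or more requested protocol/ports was denied per access.conf.
"""
# Event name -> regex; only the first two message types carry the source IP.
PATTERNS = [
    ("received", re.compile(r"SPA Packet from IP: (?P<ip>[\d.]+) received")),
    ("rule_added", re.compile(r"Added access rule to \S+ for (?P<ip>[\d.]+) ->")),
    ("hmac_fail", re.compile(r"FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL")),
    ("decrypt_fail", re.compile(r"Decryption failed or decrypted data is invalid")),
    ("port_denied", re.compile(r"requested protocol/ports was denied")),
]

def classify(line):
    """Return (event, source_ip_or_None) for one fwknopd log line."""
    for name, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return name, m.groupdict().get("ip")
    return "other", None

def summarize(log_text):
    """Count events per source IP; an IP-less error line is attributed to the
    IP of the preceding 'received' line, which fwknopd logs right before it."""
    per_ip, last_ip = defaultdict(Counter), None
    for line in log_text.splitlines():
        event, ip = classify(line)
        if event == "received":
            last_ip = ip
        elif event in ("hmac_fail", "decrypt_fail", "port_denied"):
            ip = last_ip
        if ip is not None:
            per_ip[ip][event] += 1
    return per_ip

def suspicious(per_ip, threshold=2):
    """IPs with at least `threshold` HMAC or decryption failures."""
    return sorted(ip for ip, c in per_ip.items()
                  if c["hmac_fail"] + c["decrypt_fail"] >= threshold)
```

Feed it `journalctl -u fwknop-server --no-pager` output instead of SAMPLE_LOG to review a real host; a single failure from a known client is usually a key mismatch, a stream of them from unknown addresses is worth a firewall rule.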
Doc
https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html
https://www.cipherdyne.org/fwknop/docs/manpages/fwknopd.html