On Jul 22, 2009, J. Bakshi wrote:
> Hello All,
Hi -
> I have already implemented fwknop successfully on both the SUSE and Debian
> servers. Both are remote Linux boxes. Special thanks to Michael for his
> suggestions, which always showed me the right track. May I be permitted to
> ask some questions to clear up some doubts regarding fwknop?
>
> issue with whatismyip.com
> ( Could not extract external IP from http://www.whatismyip.org/ )
> ======================================================
>
> -R or -w with --debug; fwknop ( version 1.9.11)
> reports as below
>
>
> ```````````````````````````````````````````````````
> ad...@linux-12ml:~> fwknop -A tcp/22 -R --debug --User-agent
> Fwknop/1.9.11 -k 192.168.1.3 ; ssh [email protected]
>
> [+] import_perl_modules(): The @INC array:
> /usr/lib/fwknop
> /usr/lib/fwknop/.
> /usr/lib/fwknop/x86_64-linux-thread-multi
> /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi
> /usr/lib/perl5/5.10.0
> /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi
> /usr/lib/perl5/site_perl/5.10.0
> /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.10.0
> /usr/lib/perl5/vendor_perl
> .
> [+] Term::ReadKey::VERSION 2.30
>
> [+] ***DEBUG*** Starting fwknop client (SPA mode)...
> Resolving external IP via: http://www.whatismyip.org/
> [+] Web server data from: http://www.whatismyip.org/
>
> [*] Could not extract external IP from http://www.whatismyip.org/
>
> `````````````````````````
>
> But if I visit http://www.whatismyip.org/ directly, I get the
> IP. I then have no problem connecting to the fwknop server with that IP.
>
> ```````````````````````
> ad...@linux-12ml:~> fwknop -A tcp/22 -a 121.247.128.171 -k 192.168.1.3
> ; ssh [email protected]
>
> [+] Starting fwknop client (SPA mode)...
> [+] Enter an encryption key. This key must match a key in the file
> /etc/fwknop/access.conf on the remote system.
>
> Encryption Key:
> `````````````````````````````````
The IP resolution issue is essentially a bug, and I have attached a
small patch that implements a temporary fix. Most likely the fwknop client
will be updated to resolve against a different server than
www.whatismyip.org since they don't appear to like automated requests so
much (Damien Stuart noticed this a couple of weeks ago).
> Issue with dynamic IP of fwknop server
> ======================================
>
> What to do with those servers that have a dynamic IP address and are pointed
> to by a domain from dydns.org or myip.com?
Do you mean that it becomes difficult to know what the latest fwknop
server IP is, or that there is an issue continuing to sniff packets on
an interface where the IP has changed? The upcoming 1.9.12 release has
new code to recover from interface changes, and I can send you a -pre
release of 1.9.12 if that is the issue.
> Issue with psad
> ============
>
> Both fwknop and psad control iptables. Can we have both psad and fwknop
> working on the same box?
> From theory they should, but I don't know if they really co-exist.
fwknop and psad can co-exist on the same system. They both create their
own custom iptables chains for all rule manipulations, so there is no
conflict.
> Issue with multiple fwknop client
> =========================
>
> Please bear with me, I am not very clear about GnuPG technology. Say one
> more admin needs access to the fwknop server. I hope that giving my client key,
> which I use to communicate with the fwknop server, will solve the problem. That
> admin should place that key in his keyring and communicate with that
> key. I hope I am on the right track.
There is a key-exchange and signing process to use GnuPG with fwknop.
The best instructions for this are here:
http://www.cipherdyne.org/fwknop/docs/gpghowto.html
Thanks,
--Mike
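As an added illustration of the IP-extraction bug discussed above (not fwknop's own code; the fwknop client is Perl, and this is a Python port of the old and the patched regex tests next to a hardened variant), the following shows why the first-match form can still pick up a dotted quad from a proxy-inserted header. It assumes $ip_re is a plain dotted-quad pattern and that $web_data holds the whole response including headers, as the comment in the patch suggests; the responses are constructed.

```python
import re

# Assumed shape of fwknop's $ip_re (its real definition is not on the page).
IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"

def extract_pre_patch(web_data):
    """Port of the original Perl test /.*\\s($ip_re)\\b/i: the address must
    follow whitespace; .* cannot cross a newline, so this is per line."""
    m = re.search(r".*\s(" + IP_RE + r")\b", web_data, re.I)
    return m.group(1) if m else None

def extract_patched(web_data):
    """Port of the patched test /($ip_re)/: first dotted quad anywhere,
    response headers included."""
    m = re.search("(" + IP_RE + ")", web_data)
    return m.group(1) if m else None

def extract_external_ip(web_data):
    """Hardened variant: search only the body, require the quad to stand
    alone, validate octets, and return None rather than guess when the
    page carries zero or several candidate addresses."""
    head, sep, body = web_data.partition("\r\n\r\n")
    if not sep:
        head, sep, body = web_data.partition("\n\n")
    if not sep:
        return None  # no header/body boundary: not a response we understand
    found = re.findall(r"(?<![\d.])(" + IP_RE + r")(?![\d.])", body)
    valid = {ip for ip in found if all(int(o) <= 255 for o in ip.split("."))}
    return valid.pop() if len(valid) == 1 else None

# Constructed responses; the body wraps the address in tags with no
# surrounding whitespace, which defeats the pre-patch test, and the
# second one carries a proxy header containing an unrelated address.
BODY = "<html><body>121.247.128.171</body></html>"
PLAIN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + BODY
PROXIED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Via: 1.1 proxy.example.net (squid/2.7)\r\n"
    "X-Cache-Lookup: MISS from 10.0.0.5:3128\r\n"
    "Content-Type: text/html\r\n\r\n" + BODY
)

if __name__ == "__main__":
    for name, data in (("plain", PLAIN_RESPONSE), ("proxied", PROXIED_RESPONSE)):
        print(name, extract_pre_patch(data), extract_patched(data),
              extract_external_ip(data))
```

On the proxied response both the old and the patched tests return the proxy's 10.0.0.5, while the body-only variant returns the address the page actually reports.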
--- fwknop.orig 2009-07-22 09:19:34.000000000 -0400
+++ fwknop 2009-07-22 09:19:29.000000000 -0400
@@ -1440,7 +1440,7 @@
### greedy match to the last instance of a matching
### IP regex so that we get past any HTTP header info
### that might happen to match the IP regex
- if ($web_data =~ /.*\s($ip_re)\b/i) {
+ if ($web_data =~ /($ip_re)/) {
$external_ip = $1;
}
}
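Review bot: the comment left in place above this hunk ("greedy match to the last instance ... so that we get past any HTTP header info") no longer describes the new test `if ($web_data =~ /($ip_re)/) {`, which takes the first dotted quad in $web_data, headers included, so an address carried in a proxy or cache header would now be reported as the external IP. Either update the comment to say the first match is taken, or keep the header-skipping intent by matching only in the part of $web_data after the blank line that ends the headers; consider also restoring the `\b` around `$ip_re` that the old line had so a longer digit run cannot be partially matched, unless $ip_re already anchors itself.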
------------------------------------------------------------------------------
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss