On Jul 22, 2009, J. Bakshi wrote:
> Michael Rash wrote:
> > On Jul 22, 2009, J. Bakshi wrote:
> >
> >> Hello All,
> >
> > Hi -
> >
> >> I have already implemented fwknop successfully on both SUSE and Debian
> >> servers. Both are remote Linux boxes. Special thanks to Michael for his
> >> suggestions, which always showed me the right track. May I be permitted
> >> to ask some questions to clear some doubts regarding fwknop?
> >>
> >> Issue with whatismyip.com
> >> ( Could not extract external IP from http://www.whatismyip.org/ )
> >> ======================================================
> >>
> >> -R or -w with --debug; fwknop (version 1.9.11) reports as below:
> >>
> >> ```````````````````````````````````````````````````
> >> ad...@linux-12ml:~> fwknop -A tcp/22 -R --debug --User-agent
> >> Fwknop/1.9.11 -k 192.168.1.3 ; ssh [email protected]
> >>
> >> [+] import_perl_modules(): The @INC array:
> >> /usr/lib/fwknop
> >> /usr/lib/fwknop/.
> >> /usr/lib/fwknop/x86_64-linux-thread-multi
> >> /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi
> >> /usr/lib/perl5/5.10.0
> >> /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi
> >> /usr/lib/perl5/site_perl/5.10.0
> >> /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi
> >> /usr/lib/perl5/vendor_perl/5.10.0
> >> /usr/lib/perl5/vendor_perl
> >> .
> >> [+] Term::ReadKey::VERSION 2.30
> >>
> >> [+] ***DEBUG*** Starting fwknop client (SPA mode)...
> >> Resolving external IP via: http://www.whatismyip.org/
> >> [+] Web server data from: http://www.whatismyip.org/
> >>
> >> [*] Could not extract external IP from http://www.whatismyip.org/
> >>
> >> `````````````````````````
> >>
> >> But if I visit http://www.whatismyip.org/ directly I get the IP.
> >> I then have no problem connecting to the fwknop server with that IP:
> >>
> >> ```````````````````````
> >> ad...@linux-12ml:~> fwknop -A tcp/22 -a 121.247.128.171 -k 192.168.1.3
> >> ; ssh [email protected]
> >>
> >> [+] Starting fwknop client (SPA mode)...
> >> [+] Enter an encryption key. This key must match a key in the file
> >> /etc/fwknop/access.conf on the remote system.
> >>
> >> Encryption Key:
> >> `````````````````````````````````
> >>
> >
> > The IP resolution issue is essentially a bug, and I have attached a
> > small patch that implements a temporary fix. Most likely the fwknop client
> > will be updated to resolve against a different server than
> > www.whatismyip.org since they don't appear to like automated requests so
> > much (Damien Stuart noticed this a couple of weeks ago).
> >
> >> Issue with dynamic IP of fwknop server
> >> ======================================
> >>
> >> What should be done with servers that have a dynamic IP address and are
> >> pointed to by a domain from dydns.org or myip.com?
> >
> > Do you mean that it becomes difficult to know what the latest fwknop
> > server IP is, or that there is an issue continuing to sniff packets on
> > an interface where the IP has changed? The upcoming 1.9.12 release has
> > new code to recover from interface changes, and I can send you a -pre
> > release of 1.9.12 if that is the issue.
> >
> >> Issue with psad
> >> ============
> >>
> >> Both fwknop and psad control iptables. Can we have both psad and fwknop
> >> working on the same box? In theory they should, but I don't know if they
> >> really co-exist.
> >
> > fwknop and psad can co-exist on the same system. They both create their
> > own custom iptables chains for all rule manipulations, so there is no
> > conflict.
> >
> >> Issue with multiple fwknop clients
> >> =========================
> >>
> >> Please bear with me, I am not very clear about GnuPG technology. Say one
> >> more admin needs access to the fwknop server. I hope giving him my client
> >> key, which I use to communicate with the fwknop server, will solve the
> >> problem. That admin should place that key in his keyring and communicate
> >> with that key. I hope I am on the right track.
> >
> > There is a key-exchange and signing process to use GnuPG with fwknop.
> > The best instructions for this are here:
> >
> > http://www.cipherdyne.org/fwknop/docs/gpghowto.html
> >
> > Thanks,
> >
> > --Mike
>
> Hello Michael,
>
> Thanks a lot for all the clarifications.
>
> IP resolution by whatismyip.com
> =============================
> Thanks for the patch. I am also eagerly waiting for 1.9.12 because I
> also have some Debian boxes and Debian does provide fwknop as a .deb.
>
> dynamic IP of fwknop server
> =======================
> Yes, your first assumption is right. There are some servers (mainly
> home/office servers) which have a dynamic WAN IP and are pointed to by
> domains from dydns.org. Due to the firewall those servers also drop pings,
> but the ddclient installed on those servers updates their WAN IP. Is there
> any way to communicate with those fwknop servers by their domain name? Nice
> to know the upcoming fwknop server can detect the interface change too.
> Great !!

The fwknop client supports DNS lookups, so just use the hostname of the
fwknopd server:

fwknop -A tcp/22 -R -D some.host.com

> multiple fwknop client
> =======================
>
> Thanks for the link. I'll look into it.
>
> One new question
> ==================
>
> Generally we use fwknop to protect the ssh port. How can I protect multiple
> ports with fwknop?

Yes, multiple ports are supported, either by using multiple SOURCE stanzas
within the /etc/fwknop/access.conf file, or putting multiple ports within
the OPEN_PORTS variable.

Thanks,

--Mike

> ----
> I am eagerly waiting for the final release of 1.9.12 to use in my production
> servers.
> Once again millions of thanks. Wish you a nice time.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
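Mike's answer on multiple ports (several SOURCE stanzas and/or a comma-separated OPEN_PORTS list in /etc/fwknop/access.conf) can be sanity-checked before restarting fwknopd with a small stanza parser. This is an added example, not code from the thread or from the fwknop project; it assumes the documented "VAR: value;" stanza layout where each SOURCE line opens a new stanza, and the sample file with its placeholder keys is constructed.

```python
import ipaddress

# Constructed sample access.conf (1.9.x "VAR: value;" style; assumes each SOURCE line opens a stanza)
SAMPLE_ACCESS_CONF = """\
SOURCE: 192.168.1.0/24;
OPEN_PORTS: tcp/22;
KEY: placeholder_admin_key;
FW_ACCESS_TIMEOUT: 30;
# second stanza: holders of this key may open https from anywhere
SOURCE: ANY;
OPEN_PORTS: tcp/443;
KEY: placeholder_web_key;
FW_ACCESS_TIMEOUT: 20;
"""

def parse_access_conf(text):
    # One dict per SOURCE stanza; '#' starts a comment, ';' ends a value.
    stanzas, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        var, _, val = line.partition(":")
        var, val = var.strip().upper(), val.strip().rstrip(";").strip()
        if var == "SOURCE":
            cur = {"SOURCE": val}
            stanzas.append(cur)
        elif cur is not None:
            cur[var] = val
    return stanzas

def port_list(stanza):
    return [p.strip() for p in stanza.get("OPEN_PORTS", "").split(",") if p.strip()]

def unkeyed_stanzas(stanzas):
    # A stanza with neither a symmetric KEY nor a GPG_DECRYPT_ID can never
    # decrypt an SPA packet, so it is dead configuration worth flagging.
    return [i for i, s in enumerate(stanzas, 1)
            if "KEY" not in s and "GPG_DECRYPT_ID" not in s]

def allowed_ports(stanzas, client_ip):
    # Union of OPEN_PORTS over every stanza whose SOURCE (ANY or an IP/network list) matches client_ip
    ip, ports = ipaddress.ip_address(client_ip), set()
    for s in stanzas:
        for src in s["SOURCE"].split(","):
            src = src.strip()
            if src == "ANY" or ip in ipaddress.ip_network(src, strict=False):
                ports.update(port_list(s))
    return sorted(ports)
```

Running allowed_ports() for a LAN address and for the external address from the thread shows which stanzas each knock source could ever trigger, which is the quickest way to spot an over-broad SOURCE: ANY.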
