On Apr 01, 2010, René 'Necoro' Neumann wrote:
> Am 01.04.2010 22:16, schrieb René 'Necoro' Neumann:
> > The whole email again, as GPG + Attachment + Sourceforge seems to be a mess.
>
> Mhm ... my fault ... attaching an empty file and then wondering that it is
> empty ^^
>
> The file again.
>
> Sorry for the spamming,
> René
> Thu Apr 1 22:17:30 2010 [+] ** Starting fwknopd (debug mode) **
> fwknopd Command line: --debug
> [+] import_perl_modules(): The @INC array:
> /etc/perl
> /usr/lib/perl5/vendor_perl/5.8.8/i686-linux
> /usr/lib/perl5/vendor_perl/5.8.8
> /usr/lib/perl5/vendor_perl
> /usr/lib/perl5/site_perl/5.8.8/i686-linux
> /usr/lib/perl5/site_perl/5.8.8
> /usr/lib/perl5/site_perl
> /usr/lib/perl5/5.8.8/i686-linux
> /usr/lib/perl5/5.8.8
> /usr/local/lib/site_perl
> .
> [+] Unix::Syslog::VERSION 0.100
> [+] Net::IPv4Addr::VERSION 0.10
> [+] Digest::MD5::VERSION 2.39
> [+] Digest::SHA::VERSION 5.47
> Thu Apr 1 22:17:30 2010 [+] Building iptables config info.
> [+] IPTables::ChainMgr::VERSION 0.9
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t filter -v -n -L INPUT
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Chain INPUT (policy ACCEPT 117K packets, 40M bytes)
> pkts bytes target prot opt in out source
> destination
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t filter -v -n -L FORWARD
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t nat -v -n -L PREROUTING
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Chain PREROUTING (policy ACCEPT 38510 packets, 5591K bytes)
> pkts bytes target prot opt in out source
> destination
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> Thu Apr 1 22:17:30 2010 [+] starting fwknopd v1.9.12 (file revision: 1533)
> [+] Start time: [Thu Apr 1 22:17:30 2010]
> Thu Apr 1 22:17:30 2010 [+] flushing existing iptables fwknop chains
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t filter -v -n -L FWKNOP_INPUT
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> iptables: No chain/target/match by that name.
Those messages above are normal at startup. If a valid fwknop SPA packet is
received, then fwknopd will create the FWKNOP_* chains as needed on the fly
(it doesn't need to create the chains at start up since they aren't needed
until the first SPA packet is seen).
If you use the fwknop client to create an SPA packet, what happens? I would
recommend trying this as you run fwknopd in --debug mode (as you have already
done) to see where things fail if there are any problems.
Thanks,
--Mike
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t filter -F FWKNOP_INPUT
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> iptables: No chain/target/match by that name.
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t filter -v -n -L FWKNOP_FORWARD
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> iptables: No chain/target/match by that name.
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t filter -F FWKNOP_FORWARD
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> iptables: No chain/target/match by that name.
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t nat -v -n -L FWKNOP_PREROUTING
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> iptables: No chain/target/match by that name.
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -t nat -F FWKNOP_PREROUTING
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> iptables: No chain/target/match by that name.
> Thu Apr 1 22:17:30 2010 [+] Checking for iptables state tracking rule...
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
> /sbin/iptables -v -n -L
> Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
> CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 iptables command stdout:
> Chain INPUT (policy ACCEPT 117K packets, 40M bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain OUTPUT (policy ACCEPT 88394 packets, 20M bytes)
> pkts bytes target prot opt in out source
> destination
> Thu Apr 1 22:17:30 2010 iptables command stderr:
> Thu Apr 1 22:17:30 2010 [-] warning, could not find any iptables state
> tracking rules
> [+] Crypt::CBC::VERSION 2.29
>
> Thu Apr 1 22:17:30 2010 [+] Dumping config from: /etc/fwknop/fwknop.conf
> ACCESS_CONF /etc/fwknop/access.conf
> ALERTING_METHODS ALL
> AUTH_MODE PCAP
> BLACKLIST (removed)
> CONNTRACK_ESTAB_PORTS 0
> DIGEST_FILE /var/log/fwknop/digest.cache
> DIGEST_TYPE ALL
> EMAIL_ADDRESSES (removed)
> ENABLE_CONNTRACK_PERSIST N
> ENABLE_COOKED_INTF N
> ENABLE_DIGEST_INCLUDE_SRC Y
> ENABLE_DIGEST_PERSISTENCE Y
> ENABLE_EXTERNAL_CMDS N
> ENABLE_EXT_CMD_PREFIX N
> ENABLE_FKO_MODULE Y
> ENABLE_INTF_BYTES_CHECK Y
> ENABLE_INTF_CHECKS Y
> ENABLE_INTF_EXISTS_CHECK Y
> ENABLE_INTF_RUNNING_CHECK Y
> ENABLE_IPT_FORWARDING N
> ENABLE_IPT_LOCAL_NAT Y
> ENABLE_IPT_OUTPUT N
> ENABLE_IPT_SNAT N
> ENABLE_PCAP_PROMISC Y
> ENABLE_PROC_IP_FORWARD Y
> ENABLE_SPA_OVER_HTTP N
> ENABLE_SPA_PACKET_AGING Y
> ENABLE_SYSLOG_FILE Y
> ENABLE_TCP_SERVER N
> ENABLE_UDP_SERVER N
> ENABLE_VOLUNTARY_EXITS N
> EXIT_INTERVAL 1440
> EXTERNAL_CMD_ALARM 30
> EXTERNAL_CMD_CLOSE
> EXTERNAL_CMD_OPEN
> EXT_CMD_PREFIX FWKNOP_
> FIREWALL_TYPE iptables
> FLUSH_IPT_AT_INIT Y
> FWKNOP_CMDLINE_FILE /var/run/fwknop/fwknopd.cmd
> FWKNOP_CONF_DIR /etc/fwknop
> FWKNOP_DIR /var/log/fwknop
> FWKNOP_ERR_DIR /var/log/fwknop/errs
> FWKNOP_LIB_DIR /var/lib/fwknop
> FWKNOP_MOD_DIR /usr/lib/fwknop
> FWKNOP_PID_FILE /var/run/fwknop/fwknopd.pid
> FWKNOP_RUN_DIR /var/run/fwknop
> FWKNOP_SERV_SOCK /var/run/fwknop/fwknop_serv.sock
> FWSERV_SYSLOG_FACILITY LOG_LOCAL7
> FWSERV_SYSLOG_IDENTITY fwknop(fwknop_serv)
> FWSERV_SYSLOG_PRIORITY LOG_INFO
> FW_DATA_FILE /var/log/fwknop/fwdata
> FW_MSG_SEARCH DROP
> GPG_DEFAULT_HOME_DIR (removed)
> HOSTNAME (removed)
> INTF_CHECKS_INTERVAL 20
> IPFW_DYNAMIC_INTERVAL 60
> IPFW_RULE_NUM 1
> IPFW_SET_NUM 1
> IPT_CMD_ALARM 30
> IPT_CONNTRACK_FILE /proc/net/ip_conntrack
> IPT_DNAT_ACCESS DNAT, src, nat, PREROUTING, 1,
> FWKNOP_PREROUTING, 1
> IPT_ERROR_FILE /var/log/fwknop/fwknopd.ipterr
> IPT_EXEC_SLEEP 0
> IPT_EXEC_STYLE waitpid
> IPT_EXEC_TRIES 2
> IPT_FORWARD_ACCESS ACCEPT, src, filter, FORWARD, 1,
> FWKNOP_FORWARD, 1
> IPT_INPUT_ACCESS ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1
> IPT_MASQUERADE_ACCESS MASQUERADE, src, nat, POSTROUTING, 1,
> FWKNOP_POSTROUTING, 1
> IPT_OUTPUT_ACCESS ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT,
> 1
> IPT_OUTPUT_FILE /var/log/fwknop/fwknopd.iptout
> IPT_SNAT_ACCESS SNAT, src, nat, POSTROUTING, 1,
> FWKNOP_POSTROUTING, 1
> IPT_SYSLOG_FILE /var/log/messages
> KNOPMD_FIFO /var/lib/fwknop/fwknopfifo
> KNOPMD_PID_FILE /var/run/fwknop/knopmd.pid
> KNOPTM_IPT_ERROR_FILE /var/log/fwknop/knoptm.ipterr
> KNOPTM_IPT_OUTPUT_FILE /var/log/fwknop/knoptm.iptout
> KNOPTM_IP_TIMEOUT_SOCK /var/run/fwknop/knoptm_ip_timeout.sock
> KNOPTM_PID_FILE /var/run/fwknop/knoptm.pid
> KNOPTM_SYSLOG_FACILITY LOG_LOCAL7
> KNOPTM_SYSLOG_IDENTITY fwknop(knoptm)
> KNOPTM_SYSLOG_PRIORITY LOG_INFO
> KNOPWATCHD_CHECK_INTERVAL 5
> KNOPWATCHD_MAX_RETRIES 10
> KNOPWATCHD_PID_FILE /var/run/fwknop/knopwatchd.pid
> LOCALE C
> MAX_HOPS 20
> MAX_SNIFF_BYTES 1500
> MAX_SPA_PACKET_AGE 120
> MIN_GNUPG_MSG_SIZE 400
> MIN_SPA_PKT_LEN 150
> P0F_FILE /etc/fwknop/pf.os
> PCAP_CMD_TIMEOUT 10
> PCAP_FILTER udp port 62201
> PCAP_INTF eth0
> PCAP_PKT_FILE /var/log/sniff.pcap
> PROC_IP_FORWARD_FILE /proc/sys/net/ipv4/ip_forward
> REQUIRE_SOURCE_ADDRESS N
> SLEEP_INTERVAL 2
> SNAT_TRANSLATE_IP _CHANGEME_
> SYSLOG_DAEMON metalog
> SYSLOG_FACILITY LOG_LOCAL7
> SYSLOG_IDENTITY fwknopd
> SYSLOG_PRIORITY LOG_INFO
> TCPSERV_PID_FILE /var/run/fwknop/fwknop_serv.pid
> TCPSERV_PORT 62201
> UDPSERV_PORT 62201
>
> Thu Apr 1 22:17:30 2010 [+] Command paths:
>
> fwknop_serv /usr/sbin/fwknop_serv
> fwknopd /usr/sbin/fwknopd
> gpg /usr/bin/gpg
> ifconfig /sbin/ifconfig
> ipfw /sbin/ipfw
> iptables /sbin/iptables
> knopmd /usr/sbin/knopmd
> knoptm /usr/sbin/knoptm
> knopwatchd /usr/sbin/knopwatchd
> mail /bin/mail
> mknod /bin/mknod
> sendmail /usr/sbin/sendmail
> sh /bin/sh
> Thu Apr 1 22:17:30 2010 [+] imported access directives (1 SOURCE
> definitions).
> Thu Apr 1 22:17:30 2010 [+] Stopping knopmd daemon...
> Thu Apr 1 22:17:30 2010 [+] Executing: /usr/sbin/knoptm -i eth0 -c
> /etc/fwknop/fwknop.conf
> Thu Apr 1 22:17:30 2010 [+] digest_store hash:
> $VAR1 = {};
> Thu Apr 1 22:17:30 2010 [+] imported previous tracking digests from disk
> cache: /var/log/fwknop/digest.cache
> Thu Apr 1 22:17:30 2010 [+] Set SIGCHLD handler to: CODE(0xf8b8d3b4)
> Thu Apr 1 22:17:30 2010 [+] Set __WARN__ handler to: CODE(0xf8d28b80)
> Thu Apr 1 22:17:30 2010 [+] Set __DIE__ handler to: CODE(0xf8d28b2c)
> [+] Net::Pcap::VERSION 0.16
> Thu Apr 1 22:17:30 2010 [+] Sniffing (promisc) packet data from interface:
> eth0
> Thu Apr 1 22:17:30 2010 [+] pcap_loop()
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
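An added example, not part of this thread and not fwknop's own code: a small Python triage script for `fwknopd --debug` output of the kind quoted above. It groups each `run_ipt_cmd` line with the iptables command that follows it and the "iptables command stdout:" / "iptables command stderr:" blocks, classifies a "No chain/target/match by that name." error on an `FWKNOP_*` chain as expected startup noise (the chains are created lazily on the first valid SPA packet, as Mike explains), flags any other iptables error, reports whether an `FWKNOP_*` chain listing has appeared, and notes the "could not find any iptables state tracking rules" warning. Both sample logs are constructed: the startup one mirrors the quoted output, the after-SPA one (its rule line and the failing `-D` command) is invented to exercise the other code paths.

```python
import re
from dataclasses import dataclass, field

# Timestamp prefix fwknopd puts on its own log lines, e.g. "Thu Apr 1 22:17:30 2010 ".
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} ")
EXPECTED_MISSING = "No chain/target/match by that name."
FWKNOP_CHAIN_RE = re.compile(r"\bFWKNOP_[A-Z]+\b")
STATE_WARNING = "could not find any iptables state"

@dataclass
class IptRecord:            # one iptables invocation plus its captured output
    command: str = ""
    stdout: list = field(default_factory=list)
    stderr: list = field(default_factory=list)

def parse_ipt_records(log_text):
    """Group run_ipt_cmd / command / stdout / stderr lines into IptRecords."""
    records, rec, section = [], None, None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts = bool(TS_RE.match(line))
        if ts and "run_ipt_cmd(" in line:            # a new iptables call starts
            if rec is not None:
                records.append(rec)
            rec, section = IptRecord(), "cmd"
        elif rec is None:
            continue                                  # outside any iptables record
        elif ts and line.endswith("iptables command stdout:"):
            section = "stdout"
        elif ts and line.endswith("iptables command stderr:"):
            section = "stderr"
        elif ts and "Setting SIGCHLD handler" in line:
            section = "other"                         # handler line + its CODE(0x..) line: noise
        elif ts:
            records.append(rec)                       # any other fwknopd message ends the record
            rec, section = None, None
        elif section == "cmd":
            rec.command, section = line, "other"      # first untimestamped line is the command
        elif section == "stdout":
            rec.stdout.append(line)
        elif section == "stderr":
            rec.stderr.append(line)
    if rec is not None:
        records.append(rec)
    return records

def classify(rec):
    """'ok', 'expected-at-startup' (missing FWKNOP_* chain) or 'unexpected'."""
    err = " ".join(rec.stderr)
    if not err:
        return "ok"
    if EXPECTED_MISSING in err and FWKNOP_CHAIN_RE.search(rec.command):
        return "expected-at-startup"   # chains are created lazily on the first valid SPA packet
    return "unexpected"

def triage(log_text):
    s = {"ok": 0, "expected-at-startup": 0, "unexpected": 0, "unexpected_commands": [],
         "fwknop_chains_present": False, "state_tracking_warning": STATE_WARNING in log_text}
    for rec in parse_ipt_records(log_text):
        kind = classify(rec)
        s[kind] += 1
        if kind == "unexpected":
            s["unexpected_commands"].append(rec.command)
        if any(l.startswith("Chain FWKNOP_") for l in rec.stdout):   # chain exists now
            s["fwknop_chains_present"] = True
    return s

# Constructed sample modelled on the startup output quoted in the thread (not verbatim).
STARTUP_LOG = """\
Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
/sbin/iptables -t filter -v -n -L INPUT
Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr: Setting SIGCHLD handler to:
CODE(0xf8b8d3b4)
Thu Apr 1 22:17:30 2010 iptables command stdout:
Chain INPUT (policy ACCEPT 117K packets, 40M bytes)
Thu Apr 1 22:17:30 2010 iptables command stderr:
Thu Apr 1 22:17:30 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
/sbin/iptables -t filter -v -n -L FWKNOP_INPUT
Thu Apr 1 22:17:30 2010 iptables command stdout:
Thu Apr 1 22:17:30 2010 iptables command stderr:
iptables: No chain/target/match by that name.
Thu Apr 1 22:17:30 2010 [-] warning, could not find any iptables state
tracking rules
"""

# Constructed (invented) sample: the chain exists after an accepted SPA packet, plus a
# failing delete whose error is NOT the expected startup message.
AFTER_SPA_LOG = """\
Thu Apr 1 22:20:05 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
/sbin/iptables -t filter -v -n -L FWKNOP_INPUT
Thu Apr 1 22:20:05 2010 iptables command stdout:
Chain FWKNOP_INPUT (1 references)
0 0 ACCEPT tcp -- * * 192.0.2.10 0.0.0.0/0 tcp dpt:22
Thu Apr 1 22:20:05 2010 iptables command stderr:
Thu Apr 1 22:20:05 2010 [+] IPTables::ChainMgr::run_ipt_cmd(waitpid())
/sbin/iptables -t filter -D FWKNOP_INPUT 3
Thu Apr 1 22:20:05 2010 iptables command stdout:
Thu Apr 1 22:20:05 2010 iptables command stderr:
iptables: Bad rule (does a matching rule exist in that chain?).
"""

if __name__ == "__main__":
    print(triage(STARTUP_LOG))
    print(triage(AFTER_SPA_LOG))
```

Run it against a saved `fwknopd --debug` capture (`triage(open("fwknopd.log").read())`) before and after sending a packet with the fwknop client: on the startup capture every error should land in `expected-at-startup` and `fwknop_chains_present` should be false; once a valid SPA packet has been accepted, a listing of `FWKNOP_INPUT` should flip `fwknop_chains_present` to true, and anything in `unexpected_commands` is the place to start looking. The `expected-at-startup` class is deliberately limited to `FWKNOP_*` chains, so the same "No chain" error on any other chain is still flagged.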