Thanks Jonathan,
This is great!
I agree with you on separating the server and client packages, as well
as foregoing the GPG authentication in the initial release(s) (fewer
dependencies, significant reduction in size, etc., makes initial
adoption a bit easier).
-Damien
On 07/19/2011 10:52 PM, Jonathan Bennett wrote:
> Damien, I have put together the patch that adds fwknopd to openwrt. It
> may need a few tweaks, but I'm volunteering to keep the openwrt
> version up to date.
>
> I've sent it on to the openwrt guys. Hopefully it will get added
> soon-ish. I have a bit more testing to do before I'm totally
> satisfied, but it is running on my router right now.
>
> I've opted to just compile the server half of the program, and not
> include the gpg authentication in this first version. I'd like to go
> back and try to add gpg as an option in the openwrt build. (and add
> the client as a separate package)
>
> Feel free to add any comments.
> ~Jonathan Bennett
>
> Just in case you want it, here's the patch
>
> Index: net/fwknop/Makefile
> ===================================================================
> --- net/fwknop/Makefile (revision 0)
> +++ net/fwknop/Makefile (revision 0)
> @@ -0,0 +1,61 @@
> +include $(TOPDIR)/rules.mk
> +
> +PKG_NAME:=fwknopd
> +PKG_VERSION:=2.0.0rc2
> +PKG_RELEASE:=1
> +
> +PKG_BUILD_DIR:=$(BUILD_DIR)/fwknop-$(PKG_VERSION)
> +PKG_SOURCE:=fwknop-$(PKG_VERSION).tar.gz
> +PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download
> +PKG_MD5SUM:=c78252216fa9627cacf61b453da915a8
> +PKG_CAT:=zcat
> +include $(INCLUDE_DIR)/package.mk
> +
> +define Package/fwknopd
> + SECTION:=net
> + CATEGORY:=Network
> + DEFAULT:=n
> + TITLE:=Firewall Knock Operator Daemon
> + URL:=http://http://www.cipherdyne.org/fwknop/
> + MAINTAINER:=Jonathan Bennett <[email protected]>
> + DEPENDS:=+libpcap +libgdbm +iptables
> +endef
> +
> +define Package/fwknopd/description
> + Firewall Knock Operator Daemon
> + Fwknop implements an authorization scheme known as Single Packet
> + Authorization (SPA) for Linux systems running iptables. This
> mechanism
> + requires only a single encrypted and non-replayed packet to
> communicate
> + various pieces of information including desired access through
> an iptables
> + policy. The main application of this program is to use iptables in a
> + default-drop stance to protect services such as SSH with an additional
> + layer of security in order to make the exploitation of vulnerabilities
> + (both 0-day and unpatched code) much more difficult.
> +endef
> +
> +define Package/Conffiles
> + fwknopd.conf
> +endef
> +
> +CONFIGURE_ARGS += \
> + --disable-client \
> + --without-gpgme \
> + --with-iptables=/usr/sbin/iptables
> +
> +
> +
> +define Package/fwknopd/install
> + $(INSTALL_DIR) $(1)/usr/sbin
> + $(INSTALL_DIR) $(1)/etc/fwknop
> + $(INSTALL_DIR) $(1)/etc/init.d
> + $(INSTALL_DIR) $(1)/usr/lib
> + $(INSTALL_BIN) $(PKG_BUILD_DIR)/extras/fwknop.init.openwrt
> $(1)/etc/init.d/fwknopd
> + $(INSTALL_BIN) $(PKG_BUILD_DIR)/server/.libs/fwknopd $(1)/usr/sbin/
> + $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2
> $(1)/usr/lib/libfko.so.0
> + $(INSTALL_BIN) $(PKG_BUILD_DIR)/lib/.libs/libfko.so.0.0.2
> $(1)/usr/lib/libfko.so.0.0.2
> + $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/fwknopd.conf $(1)/etc/fwknop/
> + $(INSTALL_CONF) $(PKG_BUILD_DIR)/server/access.conf $(1)/etc/fwknop/
> +
> +endef
> +
> +$(eval $(call BuildPackage,fwknopd))
>
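Review bot: the `define Package/Conffiles` block in the middle of the hunk is not scoped to this package and lists a bare `fwknopd.conf`, while the install section places both `fwknopd.conf` and `access.conf` under `/etc/fwknop/`. OpenWrt reads the list from `Package/fwknopd/conffiles` with absolute paths, so as written neither file is tracked as a config file across upgrades, and `access.conf` is the one holding the SPA keys; suggest `define Package/fwknopd/conffiles` listing `/etc/fwknop/fwknopd.conf` and `/etc/fwknop/access.conf`. Two smaller points in the header: `URL:=http://http://www.cipherdyne.org/fwknop/` has the scheme doubled, and the tarball is fetched over plain `http://` with `PKG_MD5SUM` as the only integrity check, so the sum should be confirmed against upstream's signed release before it is committed.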
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss