Hi,
First of all apologies if this is a double post. I seem to have some trouble
posting to the list.
The good news is I think I have succeeded in successfully compiling fwknopd for
dd-wrt using optware. The program compiled without errors and runs on my
router. The bad news is that it doesn't seem to create the iptables rules needed.
If I start fwknopd and send a SPA packet from my android phone to my router
fwknopd responds with:
Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
SPA Packet from IP: <my phone ip> received.
SPA Packet:
'+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 1319299103
However I cannot reach ssh on my router. If I run (from a different ssh
session) iptables -L I can see some entries relating to fwknopd. I get
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
FWKNOP_INPUT 0 -- anywhere anywhere
Immediately after that I get some iptables rules I put in myself. Then after
quite a lot more lines I get
Chain FWKNOP_INPUT (1 references)
target prot opt source destination
Chain advgrp_1 (0 references)
And the output continues but with no references to either my phone ip address
or port 8822.
Then after a while fwknop tells me:
Did not find expire comment in rules list 0.
I'm stuck. As far as I can tell fwknopd runs without errors and can access
iptables, because I can see entries relating to fwknop in my iptables. These
entries disappear (as they should) when I close fwknopd and reappear when I
start fwknopd again. However, no iptables rules are created.
Does anyone have a suggestion to solve this problem? Am I configuring
fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached below.
Thanks,
Frank
Output of fwknopd -D:
# fwknopd -D
Current fwknopd config settings:
0. CONFIG_FILE = '/opt/etc/fwknop/fwknopd.conf'
1. OVERRIDE_CONFIG = '<not set>'
2. PCAP_INTF = 'vlan2'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. MAX_SNIFF_BYTES = '1500'
6. ENABLE_SPA_PACKET_AGING = 'Y'
7. MAX_SPA_PACKET_AGE = '120'
8. ENABLE_DIGEST_PERSISTENCE = 'Y'
9. CMD_EXEC_TIMEOUT = '<not set>'
10. ENABLE_SPA_OVER_HTTP = 'N'
11. ENABLE_TCP_SERVER = 'N'
12. TCPSERV_PORT = '62201'
13. LOCALE = '<not set>'
14. SYSLOG_IDENTITY = 'fwknopd'
15. SYSLOG_FACILITY = 'LOG_DAEMON'
16. ENABLE_IPT_FORWARDING = 'N'
17. ENABLE_IPT_LOCAL_NAT = 'Y'
18. ENABLE_IPT_SNAT = 'N'
19. SNAT_TRANSLATE_IP = '<not set>'
20. ENABLE_IPT_OUTPUT = 'N'
21. FLUSH_IPT_AT_INIT = 'Y'
22. FLUSH_IPT_AT_EXIT = 'Y'
23. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
24. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
25. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
26. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
27. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
28. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
29. FWKNOP_RUN_DIR = '/var/run/fwknop'
30. FWKNOP_CONF_DIR = '/opt/etc/fwknop'
31. ACCESS_FILE = '/opt/etc/fwknop/access.conf'
32. FWKNOP_PID_FILE = '/var/run/fwknop/fwknopd.pid'
33. DIGEST_FILE = '/var/run/fwknop/digest.cache'
34. GPG_HOME_DIR = '/root/.gnupg'
35. FIREWALL_EXE = '/usr/sbin/iptables'
Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: tcp/8822,tcp/22
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 30
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
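The symptoms in the post (fwknopd logs "Added Rule to FWKNOP_INPUT", iptables -L shows the chain but no rule in it, then "Did not find expire comment in rules list") are what a practitioner would check with a small diagnostic like the one below. This is an added example, not part of the original post or of the fwknop project. It assumes that fwknopd tags each access rule it inserts with an iptables "comment" match of the form _exp_<epoch> and later searches for that comment to expire the rule, so a FIREWALL_EXE binary without the comment match (or one that is not the binary the packet path actually uses) explains both the missing rule and the "expire comment" message. The sample iptables output is constructed, and the script name is hypothetical.

```shell
#!/bin/sh
# Added diagnostic for the situation in the post; not fwknop's own code.
# Two checks: (1) does the iptables binary that fwknopd calls (FIREWALL_EXE
# in fwknopd -D output) accept the "comment" match, and (2) which rules in
# FWKNOP_INPUT carry an _exp_<epoch> tag, and whether they are still active.

# Constructed sample: what `iptables -L FWKNOP_INPUT -n` prints when the
# comment match works. One rule is already expired, one is still active.
SAMPLE_RULES='Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.10           0.0.0.0/0            tcp dpt:8822 /* _exp_1319299103 */
ACCEPT     tcp  --  192.0.2.11           0.0.0.0/0            tcp dpt:22 /* _exp_1319299900 */'

# count_expire_rules NOW
#   Reads `iptables -L` output on stdin, extracts the _exp_<epoch> tag from
#   each rule and prints "<active> <expired>" relative to NOW (epoch seconds).
#   A chain that fwknopd believes it populated but that yields "0 0" here is
#   exactly the mismatch the post describes.
count_expire_rules() {
    awk -v now="$1" '
        match($0, /_exp_[0-9]+/) {
            # RSTART points at "_exp_"; skip the 5-char prefix to get the epoch
            ts = substr($0, RSTART + 5, RLENGTH - 5)
            if (ts + 0 > now + 0) active++; else expired++
        }
        END { printf "%d %d\n", active + 0, expired + 0 }'
}

# comment_match_available FIREWALL_EXE
#   Exit 0 if the binary can load the comment match; a failure here means
#   fwknopd cannot tag rules with an expiry and will not find them later.
comment_match_available() {
    "$1" -m comment -h >/dev/null 2>&1
}

# Usage on the router, with the FIREWALL_EXE path from `fwknopd -D`:
#   ./check_fwknop_rules.sh /usr/sbin/iptables
# With no argument the script only defines the functions above.
if [ -n "$1" ]; then
    if comment_match_available "$1"; then
        echo "comment match available in $1"
        "$1" -L FWKNOP_INPUT -n | count_expire_rules "$(date +%s)"
    else
        echo "comment match missing in $1: fwknopd cannot tag or expire rules"
        exit 2
    fi
fi
```

On a dd-wrt box it is also worth confirming that the path in FIREWALL_EXE is the same iptables binary the running firewall uses, since optware can install a second copy under /opt; the comment check above can be run against each candidate path.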