On Oct 22, 2011, Frank Ness wrote:

> 
> Hi, 

Hello Frank,

> First of all apologies if this is a double post. I seem to have some trouble 
> posting to the list.

Not a double post - this one made it through.

> The good news is I think I have succeeded in successfully compiling fwknopd to 
> dd-wrt using optware. The program compiled without errors and runs on my 
> router. The bad news is that it doesn't seem to create iptables rules needed. 
>  
> If I start fwknopd and send a SPA packet from my android phone to my router 
> fwknopd responds with:
>  
> Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
> Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> PCAP filter is: udp port 62201
> Starting fwknopd main event loop.
> SPA Packet from IP: <my phone ip> received.
> SPA Packet: 
> '+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
> Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 1319299103

The above looks normal.  However, can you confirm that the iptables 'comment'
match is compiled into the dd-wrt kernel?  The "Added Rule..." message above
should indicate that it's there because fwknopd checks the exit status of
the iptables command it uses to add the rule, but I think it would be good
to check manually just to be sure.  Does this command generate any errors?:

# iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT

> However I cannot reach ssh on my router. If I run (from a different ssh 
> session) iptables -L I can see some entries relating to fwknopd. I get 
>  
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> FWKNOP_INPUT  0    --  anywhere             anywhere
>  
> Immediately after that I get some iptables rules I put in myself. Then after 
> quite a lot more lines I get 
> 
> Chain FWKNOP_INPUT (1 references)
> target     prot opt source               destination
> Chain advgrp_1 (0 references)
> 
> And the output continues but with no references to either my phone ip address 
> or port 8822.

You can list just the fwknopd rules with:

# fwknopd --fw-list

This may help interpret things if the iptables rule set is really large.  If
you try generating the SPA packet once again and immediately after can you
execute the --fw-list command above?  This will help to confirm whether
fwknopd is actually able to add any corresponding access rule for the SPA
packet.  If the rule exists, then we'll need to investigate how fwknopd is
adding the jump rule w.r.t. the rest of the policy.

> Then after a while fwknop tells me:
> 
> Did not find expire comment in rules list 0.

This makes me think that the 'comment' match may not exist.

> I'm stuck. As far as I can tell fwknopd runs without errors and can access 
> iptables because I can see entries relating to fwknop in my iptables. These 
> entries disappear (as they should) when I close fwknopd and reappear when I 
> start fwknopd again. However, no iptables rules are created.
>  
> Does anyone have a suggestion to solve this problem? Am I configuring 
> fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached below.

That configuration looks good to me.

Btw, I'm currently developing a test suite for fwknop:

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=shortlog;h=refs/heads/test_suite

Once this is complete (another week or so) it may be interesting to try it
out on your dd-wrt system.  I'll send you an email once it is closer to
being ready.

On dd-wrt did you need to do anything special to get fwknop to compile?  It's
cool to see that it compiles properly on another platform.

Thanks,

--Mike


> Thanks,
>  
> Frank
>  
> output of fwknopd -D 
> # fwknopd -D
> Current fwknopd config settings:
>   0. CONFIG_FILE                  =  '/opt/etc/fwknop/fwknopd.conf'
>   1. OVERRIDE_CONFIG              =  '<not set>'
>   2. PCAP_INTF                    =  'vlan2'
>   3. ENABLE_PCAP_PROMISC          =  'N'
>   4. PCAP_FILTER                  =  'udp port 62201'
>   5. MAX_SNIFF_BYTES              =  '1500'
>   6. ENABLE_SPA_PACKET_AGING      =  'Y'
>   7. MAX_SPA_PACKET_AGE           =  '120'
>   8. ENABLE_DIGEST_PERSISTENCE    =  'Y'
>   9. CMD_EXEC_TIMEOUT             =  '<not set>'
>  10. ENABLE_SPA_OVER_HTTP         =  'N'
>  11. ENABLE_TCP_SERVER            =  'N'
>  12. TCPSERV_PORT                 =  '62201'
>  13. LOCALE                       =  '<not set>'
>  14. SYSLOG_IDENTITY              =  'fwknopd'
>  15. SYSLOG_FACILITY              =  'LOG_DAEMON'
>  16. ENABLE_IPT_FORWARDING        =  'N'
>  17. ENABLE_IPT_LOCAL_NAT         =  'Y'
>  18. ENABLE_IPT_SNAT              =  'N'
>  19. SNAT_TRANSLATE_IP            =  '<not set>'
>  20. ENABLE_IPT_OUTPUT            =  'N'
>  21. FLUSH_IPT_AT_INIT            =  'Y'
>  22. FLUSH_IPT_AT_EXIT            =  'Y'
>  23. IPT_INPUT_ACCESS             =  'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
>  24. IPT_OUTPUT_ACCESS            =  'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
>  25. IPT_FORWARD_ACCESS           =  'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
>  26. IPT_DNAT_ACCESS              =  'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
>  27. IPT_SNAT_ACCESS              =  'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
>  28. IPT_MASQUERADE_ACCESS        =  'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
>  29. FWKNOP_RUN_DIR               =  '/var/run/fwknop'
>  30. FWKNOP_CONF_DIR              =  '/opt/etc/fwknop'
>  31. ACCESS_FILE                  =  '/opt/etc/fwknop/access.conf'
>  32. FWKNOP_PID_FILE              =  '/var/run/fwknop/fwknopd.pid'
>  33. DIGEST_FILE                  =  '/var/run/fwknop/digest.cache'
>  34. GPG_HOME_DIR                 =  '/root/.gnupg'
>  35. FIREWALL_EXE                 =  '/usr/sbin/iptables'
> Current fwknopd access settings:
> SOURCE (1):  ANY
> ==============================================================
>                  OPEN_PORTS:  tcp/8822,tcp/22
>              RESTRICT_PORTS:  <not set>
>                         KEY:  <see the access.conf file>
>           FW_ACCESS_TIMEOUT:  30
>             ENABLE_CMD_EXEC:  No
>               CMD_EXEC_USER:  <not set>
>            REQUIRE_USERNAME:  <not set>
>      REQUIRE_SOURCE_ADDRESS:  No
>                GPG_HOME_DIR:  <not set>
>              GPG_DECRYPT_ID:  <not set>
>              GPG_DECRYPT_PW:  <see the access.conf file>
>             GPG_REQUIRE_SIG:  No
> GPG_IGNORE_SIG_VERIFY_ERROR:  No
>               GPG_REMOTE_ID:  <not set>
> 
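Two of the checks suggested in this reply, scripted as an added example (not code from the thread or from the fwknop project): a probe for the iptables 'comment' match, and a parser over constructed `iptables -L -n` output that reports whether FWKNOP_INPUT holds an ACCEPT rule for a given source IP and tcp port carrying fwknopd's `_exp_<epoch>` expiry comment (the comment the "Did not find expire comment" message refers to). The chain name FWKNOP_PROBE, the sample addresses and the epoch value are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from fwknop itself.

# Constructed `iptables -L -n` listing as it should look once fwknopd has
# added an access rule: the rule sits in FWKNOP_INPUT and carries fwknopd's
# "_exp_<epoch>" comment (IP and epoch are made up).
SAMPLE_OK='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FWKNOP_INPUT  0    --  0.0.0.0/0            0.0.0.0/0

Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.10           0.0.0.0/0            tcp dpt:8822 /* _exp_1319299103 */'

# Constructed listing mirroring the thread: the jump is there, the chain is empty.
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FWKNOP_INPUT  0    --  0.0.0.0/0            0.0.0.0/0

Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
Chain advgrp_1 (0 references)
target     prot opt source               destination'

# fwknop_rule_present LISTING IP PORT: print the matching FWKNOP_INPUT rule and
# return 0, or return 1 when no ACCEPT rule for IP, tcp/PORT with an expiry
# comment exists there (rules in other chains are ignored on purpose).
fwknop_rule_present() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        /^Chain / { chain = $2; next }
        chain == "FWKNOP_INPUT" && $1 == "ACCEPT" && $2 == "tcp" && $4 == ip &&
            index($0, "dpt:" port " ") > 0 && /_exp_[0-9]+/ { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# comment_match_available: the manual check from the reply, scripted. Adds a
# commented probe rule to a throwaway chain (FWKNOP_PROBE is a made-up name),
# then removes the chain again. Needs root and a real iptables; returns 0 when
# "-m comment" works, 1 when the kernel/iptables lacks the match.
comment_match_available() {
    chain=FWKNOP_PROBE
    iptables -N "$chain" || return 2
    if iptables -A "$chain" -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
    then rc=0; else rc=1; fi
    iptables -F "$chain"; iptables -X "$chain"
    return "$rc"
}
```

On the router, `comment_match_available && echo ok` answers the 'comment' question directly, and `iptables -L -n` piped into the parser after sending an SPA packet answers whether the access rule ever lands in FWKNOP_INPUT.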

_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss