On Oct 22, 2011, Frank Ness wrote:

> 
> Hi Mike, Thanks man, that information helped me solve the problem. I'll
> explain what the problem is below for the benefit of others. I use the
> recommended build of dd-wrt (14929). That build ships with a pretty ancient
> version of iptables (1.3.7). If you run
>
>   # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
>
> the command finishes without any error messages. The syslog is also clean.
> However if you check using iptables -L there is no corresponding rule. BTW
> the exit code of the command is 0 so I don't think your program is to blame
> for not detecting the error. To solve the problem I upgraded using optware
> to iptables version 1.4.9. At this point it is important to reboot the
> router. Only after the router comes back up is iptables 1.4.9 running. If you
> try to run
>
>   # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
>
> the rule is added correctly to iptables. Now for the weird part. To get
> fwknop to run you have to change the FIREWALL_EXE line in fwknopd.conf from
> /usr/sbin/iptables to iptables and NOT to /opt/usr/sbin/iptables (the
> location for the new iptables program). I figured that out by running:
>
>   iptables -V                result: iptables v1.4.9
>   /usr/sbin/iptables -V      result: iptables v1.3.7
>   /opt/usr/sbin/iptables -V  result: iptables v1.3.7
>
> Also running whereis iptables yields iptables: /usr/sbin/iptables

Glad to hear that upgrading iptables fixed the problem.  The comment match is
important for fwknop as it is used to track the expiration time for new rules.
I may add some additional checking to fwknopd to see whether the comment
match seems to be working properly.

> So for some reason the system has a little trouble finding iptables, however
> if the FIREWALL_EXE line in fwknopd.conf is set to iptables there are no more
> problems and I am able to reach sshd from my phone! Running fwknopd --fw-list
> shows the rules perfectly.
>
> You asked about compiling fwknopd for dd-wrt. It was my first compilation of
> a program and all in all I say that it went pretty smooth. The process for
> compiling a package for optware / dd-wrt is documented on
> http://www.nslu2-linux.org/wiki/Optware/AddAPackageToOptware
> It is important to note that you can't compile on a recent version of Ubuntu
> but that you need 8.04 or some other older version. I solved that by running
> the whole process in a virtualbox. When you compile the toolchain you have to
> resort to some tricks to get the right files the beast needs, but that is all
> solvable. The biggest problem were a lot of malloc and realloc errors during
> compilation. With some googling I worked out that by putting
>
>   export jm_cv_func_working_malloc=yes
>   export ac_cv_func_malloc_0_nonnull=yes
>   export ac_cv_func_rpl_realloc_0_nonnull=yes
>   export ac_cv_func_realloc_0_nonnull=yes
>
> in the make file the problem could be solved. But I think it is an ugly fix
> and I'm pretty sure some of these lines are redundant or wrong.
>
> The options I used to compile fwknopd are
>
>   --build=$(GNU_HOST_NAME) \
>   --host=$(GNU_TARGET_NAME) \
>   --target=$(GNU_TARGET_NAME) \
>
> For these three the variable is supplied by the dd-wrt/optware part of the
> make file set. I don't know what it is set to, but since I now have a working
> version of fwknopd I don't really care. I supplied the following options
> myself:
>
>   --disable-client \
> I only wanted to try the server. Maybe I'll compile the client too, but for
> now I don't see the need. (At least not on a router.)
>
>   --disable-static \
> When I didn't use this option the compilation process finished without
> errors but when I checked the ipk file the program complained about
> something to do with a static library. Don't really know what the problem
> was. Using this option got rid of it.
>
>   --with-iptables=/usr/sbin/iptables \
> I'm going to recompile the program and I'll change this option to
> --with-iptables=iptables, that way fwknop should work more out of the box.
>
>   --prefix=/opt \
> Optware is installed in /opt.
>
>   --program-prefix="" \
> If you don't use this option the fwknopd program gets the prefix
> mipsel-linux. I don't want that.
>
>   --disable-pie \
> This is the most important option. If you don't use this option the program
> will compile without errors, but it will seg fault upon running on the
> router. I found some references on other programs seg faulting on dd-wrt if
> pie was enabled, so I guess that dd-wrt doesn't support pie.
>
> When I'm done testing I'll see if I can't upload the make file to optware /
> dd-wrt, unless of course you don't want me to. However I'm a bit hesitant as
> this is the first time I compiled a program and I don't want to put a lot of
> people at risk with a faulty compilation. Also I have to figure out how to
> upload the make file. Do send me an e-mail when you have the test suite more
> up and running. It would be interesting to test it. Thanks for the help and
> your nice program,
>
> Frank
>
> Date: Sat, 22 Oct 2011 13:45:31 -0400

Please go ahead and upload the Makefile to optware / dd-wrt whenever you feel
comfortable with it.  You may get some valuable feedback that could be
incorporated within the fwknop sources - like we've done for openwrt (thanks
to Jonathan Bennett):

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=extras/openwrt/README.openwrt;h=28fd51d5a9f3cb57db6eea3f07233a3aef591c72;hb=refs/heads/fwknop-2.0.0

Thanks,

--Mike

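One way to catch the silent failure described above (iptables exiting 0 on the 1.3.7 build while leaving no rule behind) is to add a commented rule to a scratch chain and then look for the comment in the chain listing instead of trusting the exit status. This is an added example, not fwknop's own code; the chain name is a constructed one, and the check assumes the "/* text */" form that iptables -L prints for the comment match.

```shell
#!/bin/sh
# Added example: verify that the iptables 'comment' match really works.
# On dd-wrt's iptables 1.3.7 the test command from this thread exited 0 but
# left no rule behind, so the exit status alone is not a reliable signal.

# Pure helper (testable offline): does an `iptables -L CHAIN -n` listing
# contain a rule carrying the given comment?  iptables prints the comment
# match as "/* text */".  $1 = listing text, $2 = comment to look for.
listing_has_comment() {
    printf '%s\n' "$1" | grep -qF -- "/* $2 */"
}

# Live check, needs root and a real iptables.  Uses a scratch chain
# (constructed name) so the INPUT policy is never modified.
# Returns 0 = comment match works, 1 = silent failure, 2 = iptables error.
check_comment_match() {
    chain="COMMENT_SELFTEST"
    iptables -N "$chain" 2>/dev/null || iptables -F "$chain"
    # same rule as the thread's test, aimed at the scratch chain
    iptables -A "$chain" -p tcp --dport 12345 \
        -m comment --comment "testing" -j ACCEPT
    rc=$?
    listing=$(iptables -L "$chain" -n)
    iptables -F "$chain" && iptables -X "$chain"
    if [ "$rc" -ne 0 ]; then
        echo "iptables exited $rc: comment match unavailable"
        return 2
    fi
    if listing_has_comment "$listing" "testing"; then
        echo "comment match OK ($(iptables -V))"
        return 0
    fi
    echo "iptables exited 0 but the rule is missing: broken comment match"
    echo "check which binary runs: $(command -v iptables) -> $(iptables -V)"
    return 1
}

# Run the live check only when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--live" ]; then
    check_comment_match
fi
```

Run it as `sh check_comment.sh --live` on the router; a return code of 1 reproduces the symptom in this thread and points at which iptables binary is actually on the PATH.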

> > From: m...@cipherdyne.org
> > To: fwknop-discuss@lists.sourceforge.net
> > Subject: Re: [Fwknop-discuss] Cannot create iptables rules using fwknop on 
> > dd-wrt
> > 
> > On Oct 22, 2011, Frank Ness wrote:
> > 
> > > 
> > > Hi, 
> > 
> > Hello Frank,
> > 
> > > First of all apologies if this is a double post. I seem to have some 
> > > trouble posting to the list.
> > 
> > Not a double post - this one made it through.
> > 
> > > The good news is I think I have succeeded in successfully compiling fwknopd 
> > > to dd-wrt using optware. The program compiled without errors and runs on 
> > > my router. The bad news is that it doesn't seem to create iptables rules 
> > > needed. 
> > >  
> > > If I start fwknopd and send a SPA packet from my android phone to my 
> > > router fwknopd responds with:
> > >  
> > > Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
> > > Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> > > PCAP filter is: udp port 62201
> > > Starting fwknopd main event loop.
> > > SPA Packet from IP: <my phone ip> received.
> > > SPA Packet: 
> > > '+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
> > > Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 
> > > 1319299103
> > 
> > The above looks normal.  However, can you confirm that the iptables 'comment'
> > match is compiled into the dd-wrt kernel?  The "Added Rule..." message above
> > should indicate that it's there because fwknopd checks the exit status of
> > the iptables command it uses to add the rule, but I think it would be good
> > to check manually just to be sure.  Does this command generate any errors?:
> > 
> > # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j 
> > ACCEPT
> > 
> > > However I cannot reach ssh on my router. If I run (from a different ssh 
> > > session) iptables -L I can see some entries relating to fwknopd. I get 
> > >  
> > > # iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > FWKNOP_INPUT  0    --  anywhere             anywhere
> > >  
> > > Immediately after that I get some iptables rules I put in myself. Then 
> > > after quite a lot more lines I get 
> > > 
> > > Chain FWKNOP_INPUT (1 references)
> > > target     prot opt source               destination
> > > Chain advgrp_1 (0 references)
> > > 
> > > And the output continues but with no references to either my phone ip 
> > > address or port 8822.
> > 
> > You can list just the fwknopd rules with:
> > 
> > # fwknopd --fw-list
> > 
> > This may help interpret things if the iptables rule set is really large.  If
> > you try generating the SPA packet once again and immediately after can you
> > execute the --fw-list command above?  This will help to confirm whether
> > fwknopd is actually able to add any corresponding access rule for the SPA
> > packet.  If the rule exists, then we'll need to investigate how fwknopd is
> > adding the jump rule w.r.t. the rest of the policy.
> > 
> > > Then after a while fwknop tells me:
> > > 
> > > Did not find expire comment in rules list 0.
> > 
> > This makes me think that the 'comment' match may not exist..
> > 
> > > I'm stuck. As far as I can tell fwknopd runs without errors and can 
> > > access iptables because I can see entries relating to fwknop in my 
> > > iptables. These entries disappear (as they should) when I close fwknopd 
> > > and reappear when I start fwknopd again. However, no iptables rules are 
> > > created.
> > >  
> > > Does anyone have a suggestion to solve this problem? Am I configuring 
> > > fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached 
> > > below.
> > 
> > That configuration looks good to me.
> > 
> > Btw, I'm currently developing a test suite for fwknop:
> > 
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=shortlog;h=refs/heads/test_suite
> > 
> > Once this is complete (another week or so) it may be interesting to try it
> > out on your dd-wrt system.  I'll send you an email once it is closer to
> > being ready.
> > 
> > On dd-wrt did you need to do anything special to get fwknop to compile?  It's
> > cool to see that it compiles properly on another platform.
> > 
> > Thanks,
> > 
> > --Mike
> > 
> > 
> > > Thanks,
> > >  
> > > Frank
> > >  
> > > output of fwknopd -D 
> > > # fwknopd -D
> > > Current fwknopd config settings:
> > >   0. CONFIG_FILE                  =  '/opt/etc/fwknop/fwknopd.conf'
> > >   1. OVERRIDE_CONFIG              =  '<not set>'
> > >   2. PCAP_INTF                    =  'vlan2'
> > >   3. ENABLE_PCAP_PROMISC          =  'N'
> > >   4. PCAP_FILTER                  =  'udp port 62201'
> > >   5. MAX_SNIFF_BYTES              =  '1500'
> > >   6. ENABLE_SPA_PACKET_AGING      =  'Y'
> > >   7. MAX_SPA_PACKET_AGE           =  '120'
> > >   8. ENABLE_DIGEST_PERSISTENCE    =  'Y'
> > >   9. CMD_EXEC_TIMEOUT             =  '<not set>'
> > >  10. ENABLE_SPA_OVER_HTTP         =  'N'
> > >  11. ENABLE_TCP_SERVER            =  'N'
> > >  12. TCPSERV_PORT                 =  '62201'
> > >  13. LOCALE                       =  '<not set>'
> > >  14. SYSLOG_IDENTITY              =  'fwknopd'
> > >  15. SYSLOG_FACILITY              =  'LOG_DAEMON'
> > >  16. ENABLE_IPT_FORWARDING        =  'N'
> > >  17. ENABLE_IPT_LOCAL_NAT         =  'Y'
> > >  18. ENABLE_IPT_SNAT              =  'N'
> > >  19. SNAT_TRANSLATE_IP            =  '<not set>'
> > >  20. ENABLE_IPT_OUTPUT            =  'N'
> > >  21. FLUSH_IPT_AT_INIT            =  'Y'
> > >  22. FLUSH_IPT_AT_EXIT            =  'Y'
> > >  23. IPT_INPUT_ACCESS             =  'ACCEPT, filter, INPUT, 1, 
> > > FWKNOP_INPUT, 1'
> > >  24. IPT_OUTPUT_ACCESS            =  'ACCEPT, filter, OUTPUT, 1, 
> > > FWKNOP_OUTPUT, 1'
> > >  25. IPT_FORWARD_ACCESS           =  'ACCEPT, filter, FORWARD, 1, 
> > > FWKNOP_FORWARD, 1'
> > >  26. IPT_DNAT_ACCESS              =  'DNAT, nat, PREROUTING, 1, 
> > > FWKNOP_PREROUTING, 1'
> > >  27. IPT_SNAT_ACCESS              =  'SNAT, nat, POSTROUTING, 1, 
> > > FWKNOP_POSTROUTING, 1'
> > >  28. IPT_MASQUERADE_ACCESS        =  'MASQUERADE, nat, POSTROUTING, 1, 
> > > FWKNOP_POSTROUTING, 1'
> > >  29. FWKNOP_RUN_DIR               =  '/var/run/fwknop'
> > >  30. FWKNOP_CONF_DIR              =  '/opt/etc/fwknop'
> > >  31. ACCESS_FILE                  =  '/opt/etc/fwknop/access.conf'
> > >  32. FWKNOP_PID_FILE              =  '/var/run/fwknop/fwknopd.pid'
> > >  33. DIGEST_FILE                  =  '/var/run/fwknop/digest.cache'
> > >  34. GPG_HOME_DIR                 =  '/root/.gnupg'
> > >  35. FIREWALL_EXE                 =  '/usr/sbin/iptables'
> > > Current fwknopd access settings:
> > > SOURCE (1):  ANY
> > > ==============================================================
> > >                  OPEN_PORTS:  tcp/8822,tcp/22
> > >              RESTRICT_PORTS:  <not set>
> > >                         KEY:  <see the access.conf file>
> > >           FW_ACCESS_TIMEOUT:  30
> > >             ENABLE_CMD_EXEC:  No
> > >               CMD_EXEC_USER:  <not set>
> > >            REQUIRE_USERNAME:  <not set>
> > >      REQUIRE_SOURCE_ADDRESS:  No
> > >                GPG_HOME_DIR:  <not set>
> > >              GPG_DECRYPT_ID:  <not set>
> > >              GPG_DECRYPT_PW:  <see the access.conf file>
> > >             GPG_REQUIRE_SIG:  No
> > > GPG_IGNORE_SIG_VERIFY_ERROR:  No
> > >               GPG_REMOTE_ID:  <not set>
> > > 
> > >                                             
> > 
> > > ------------------------------------------------------------------------------
> > > The demand for IT networking professionals continues to grow, and the
> > > demand for specialized networking skills is growing even more rapidly.
> > > Take a complimentary Learning@Cisco Self-Assessment and learn 
> > > about Cisco certifications, training, and career opportunities. 
> > > http://p.sf.net/sfu/cisco-dev2dev
> > 
> > > _______________________________________________
> > > Fwknop-discuss mailing list
> > > Fwknop-discuss@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> > 
