On Mar 01, 2012, Carlo Capocasa wrote:
> Hi,
>
> thanks for making fwknop!
>
> I'm attempting to use fwknop 2.0 on a Virtuozzo based virtual host.
>
> On sending a packet, fwknopd says:
>
> Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> Added Rule to FWKNOP_INPUT for 92.194.29.143, tcp/22 expires at 1330588447
>
> But the port does not open. After 30s (my timeout), it says:
>
> Did not find expire comment in rules list 0.
For iptables firewalls, fwknopd currently requires the 'comment' match to expire rules since that is where it stores the rule creation time. Perhaps your hosting provider can update their kernel build to include the comment match, but this is probably a long shot. One thing that Damien has suggested is the usage of the pthreads library in order to not require storing the rule creation time in the policy at all. This would certainly work, and I think we should add this functionality as an option - perhaps '--enable-pthreads' for the configure script. With this enabled, fwknopd would work on kernels such as the one you are currently working with. Others may choose to use the 'comment' match strategy as a way to reduce the number of libraries fwknopd needs to link against.

Thanks,

--Mike

> It works fine on my other, Xen based virtual host.
>
> Any help much appreciated.
>
> Cheers! Carlo
>
> ----
>
> version
>
> fwknopd server 2.0
>
> access.conf
>
> SOURCE: ANY;
> KEY: foobar22;
> FW_ACCESS_TIMEOUT: 30;
>
> fwknopd.conf
>
> FLUSH_IPT_AT_INIT Y;
> FLUSH_IPT_AT_EXIT Y;
> FWKNOP_RUN_DIR /var/run/fwknop;
> FWKNOP_CONF_DIR /usr/local/etc/fwknop;
> FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
> DIGEST_FILE $FWKNOP_RUN_DIR/digest.cache;
> FIREWALL_EXE /sbin/iptables;
>
> ./test-fwknop.pl
>
> [build] [client] binary exists......................................pass (1)
> [build security] [client] Position Independent Executable (PIE).....pass (2)
> [build security] [client] stack protected binary....................pass (3)
> [build security] [client] fortify source functions..................pass (4)
> [build security] [client] read-only relocations.....................pass (5)
> [build security] [client] immediate binding.........................pass (6)
> [build] [server] binary exists......................................pass (7)
> [build security] [server] Position Independent Executable (PIE).....pass (8)
> [build security] [server] stack protected binary....................pass (9)
> [build security] [server] fortify source functions..................pass (10)
> [build security] [server] read-only relocations.....................pass (11)
> [build security] [server] immediate binding.........................pass (12)
> [build] [libfko] binary exists......................................pass (13)
> [build security] [libfko] stack protected binary....................pass (14)
> [build security] [libfko] fortify source functions..................pass (15)
> [build security] [libfko] read-only relocations.....................pass (16)
> [build security] [libfko] immediate binding.........................pass (17)
> [preliminaries] [client] usage info.................................pass (18)
> [preliminaries] [client] getopt() no such argument..................pass (19)
> [preliminaries] [client] --test mode, packet not sent...............pass (20)
> [preliminaries] [client] expected code version......................pass (21)
> [preliminaries] [server] usage info.................................pass (22)
> [preliminaries] [server] getopt() no such argument..................pass (23)
> [preliminaries] [server] expected code version......................pass (24)
> [preliminaries] collecting system specifics.........................pass (25)
> [basic operations] dump config......................................pass (26)
> [basic operations] override config..................................pass (27)
> [basic operations] [client] --get-key path validation...............pass (28)
> [basic operations] [client] require [-s|-R|-a]......................pass (29)
> [basic operations] [client] --allow-ip <IP> valid IP................pass (30)
> [basic operations] [client] -A <proto>/<port> specification.........pass (31)
> [basic operations] [client] generate SPA packet.....................pass (32)
> [basic operations] [server] list current fwknopd fw rules...........pass (33)
> [basic operations] [server] list all current fw rules...............pass (34)
> [basic operations] [server] flush current firewall rules............pass (35)
> [basic operations] [server] start...................................pass (36)
> [basic operations] [server] stop....................................pass (37)
> [basic operations] [server] write PID...............................pass (38)
> [basic operations] [server] --packet-limit 1 exit...................pass (39)
> [basic operations] [server] ignore packets < min SPA len (140)......pass (40)
> [basic operations] [server] -P bpf filter ignore packet.............pass (41)
> [Rijndael SPA] [client+server] complete cycle (tcp/22 ssh)..........fail (42)
> [Rijndael SPA] [client+server] packet aging (past) (tcp/22 ssh).....pass (43)
> [Rijndael SPA] [client+server] packet aging (future) (tcp/22 ssh)...pass (44)
> [Rijndael SPA] [client+server] expired stanza (tcp/22 ssh)..........pass (45)
> [Rijndael SPA] [client+server] invalid expire date (tcp/22 ssh).....pass (46)
> [Rijndael SPA] [client+server] expired epoch stanza (tcp/22 ssh)....pass (47)
> [Rijndael SPA] [client+server] future expired stanza (tcp/22 ssh)...fail (48)
> [Rijndael SPA] [client+server] OPEN_PORTS (tcp/22 ssh)..............fail (49)
> [Rijndael SPA] [client+server] OPEN_PORTS mismatch..................pass (50)
> [Rijndael SPA] [client+server] require user (tcp/22 ssh)............fail (51)
> [Rijndael SPA] [client+server] user mismatch (tcp/22 ssh)...........pass (52)
> [Rijndael SPA] [client+server] require src (tcp/22 ssh).............fail (53)
> [Rijndael SPA] [client+server] mismatch require src (tcp/22 ssh)....pass (54)
> [Rijndael SPA] [client+server] IP filtering (tcp/22 ssh)............pass (55)
> [Rijndael SPA] [client+server] subnet filtering (tcp/22 ssh)........pass (56)
> [Rijndael SPA] [client+server] IP+subnet filtering (tcp/22 ssh).....pass (57)
> [Rijndael SPA] [client+server] IP match (tcp/22 ssh)................fail (58)
> [Rijndael SPA] [client+server] subnet match (tcp/22 ssh)............fail (59)
> [Rijndael SPA] [client+server] multi IP/net match (tcp/22 ssh)......fail (60)
> [Rijndael SPA] [client+server] multi access stanzas (tcp/22 ssh)....fail (61)
> [Rijndael SPA] [client+server] bad/good key stanzas (tcp/22 ssh)....fail (62)
> [Rijndael SPA] [client+server] non-enabled NAT (tcp/22 ssh).........pass (63)
> [Rijndael SPA] [client+server] NAT to 192.168.1.2 (tcp/22 ssh)......fail (64)
> [Rijndael SPA] [client+server] force NAT 192.168.1.123 (tcp/22 ssh).fail (65)
> [Rijndael SPA] [client+server] complete cycle (tcp/23 telnet).......fail (66)
> [Rijndael SPA] [client+server] complete cycle (tcp/9418 git)........fail (67)
> [Rijndael SPA] [client+server] complete cycle (udp/53 dns)..........fail (68)
> [Rijndael SPA] [client+server] -P bpf SPA over port 12345...........fail (69)
> [Rijndael SPA] [client+server] random SPA port (tcp/22 ssh).........fail (70)
> [Rijndael SPA] [client+server] spoof username (tcp/22)..............pass (71)
> [Rijndael SPA] [client+server] replay attack detection..............pass (72)
> [Rijndael SPA] [server] digest cache structure......................pass (73)
> [Rijndael SPA] [client+server] non-base64 altered SPA data..........pass (74)
> [Rijndael SPA] [client+server] base64 altered SPA data..............pass (75)
> [Rijndael SPA] [client+server] appended data to SPA pkt.............pass (76)
> [Rijndael SPA] [client+server] prepended data to SPA pkt............pass (77)
>
> [+] passed/failed/executed: 60/17/77 tests

_______________________________________________
Fwknop-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
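The comment-based expiry strategy Mike describes above, as an added example that is not fwknop's own code: a Python parser over constructed `iptables -S FWKNOP_INPUT` output that pulls the expiry epoch out of each rule's comment, reports rules that are past their expiry, and separately surfaces rules carrying no expire comment at all, which is the condition behind the "Did not find expire comment" message in Carlo's log. The `_exp_` comment prefix, the `FwRule` fields and the sample rule lines are assumptions made for this example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Prefix assumed (for this example) to precede the expiry epoch that fwknopd
# stores in the iptables 'comment' match of each rule it adds.
EXPIRE_PREFIX = "_exp_"

@dataclass
class FwRule:
    src: str
    proto: str
    dport: str
    expires: Optional[int]   # None when the rule carries no expire comment

def parse_rules(iptables_s_output: str) -> List[FwRule]:
    """Parse 'iptables -S FWKNOP_INPUT' style lines into FwRule records."""
    rules = []
    for line in iptables_s_output.splitlines():
        if not line.startswith("-A "):
            continue                      # skip '-N' / '-P' chain lines
        toks = shlex.split(line)          # handles a quoted comment string
        def opt(flag: str) -> Optional[str]:
            return toks[toks.index(flag) + 1] if flag in toks else None
        comment = opt("--comment")
        expires = None
        if comment is not None and comment.startswith(EXPIRE_PREFIX):
            expires = int(comment[len(EXPIRE_PREFIX):])
        rules.append(FwRule(opt("-s"), opt("-p"), opt("--dport"), expires))
    return rules

def expired_rules(rules: List[FwRule], now: int) -> Tuple[List[FwRule], List[FwRule]]:
    """Split rules into (expired, missing_comment). A rule without an expire
    comment can never be aged out by this strategy, so it is reported
    rather than silently left granting access."""
    expired = [r for r in rules if r.expires is not None and r.expires <= now]
    missing = [r for r in rules if r.expires is None]
    return expired, missing

# Constructed sample output. The third rule mimics a kernel without the
# comment match: the rule exists, but no expiry time is stored with it.
SAMPLE = """\
-N FWKNOP_INPUT
-A FWKNOP_INPUT -s 92.194.29.143/32 -p tcp -m tcp --dport 22 -m comment --comment _exp_1330588447 -j ACCEPT
-A FWKNOP_INPUT -s 10.0.0.5/32 -p udp -m udp --dport 53 -m comment --comment _exp_1330588500 -j ACCEPT
-A FWKNOP_INPUT -s 10.0.0.9/32 -p tcp -m tcp --dport 22 -j ACCEPT
"""
```

Running `expired_rules(parse_rules(SAMPLE), 1330588450)` flags the 92.194.29.143 rule as expired and the 10.0.0.9 rule as lacking an expire comment; the pthreads option Mike mentions would instead keep that expiry time in the daemon's memory, so the comment match is not needed.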
