On Apr 26, 2012, ruh Ruhsam Bernhard wrote:

> Hello,
> 
> first, thank you for fwknop!
> We will use it on linux based PLCs.
> As we also have PLCs based on Windows, we needed FwKnop for Windows.
> Thus, I've implemented a version which is compatible with yours (only those 
> functions we require).

Interesting indeed.  I've often thought that SPA had applications in the
PLC / SCADA environment.

> But i've added some functionality, your fwknop has not included...
> Yes, this is bad, but was required. We currently don't want to modify your 
> linux version, but use the original from distributions.
> If you ever plan to add some similar functions, maybe you can try to solve it 
> the same way to stay compatible...

Would you be willing to post a patch for the source code of your modifications?
It could be integrated into the main fwknop distribution - perhaps with a new
--enable-<...> switch to the configure script.

> - created etc and usr directory.
> Where etc holds access.conf and fwknopd.conf.
> Usr holds access.conf (again) and fwknopd.rul.
> Configuration in usr\access.conf "overwrites" them in etc\access.conf.
> This is important, as end users should be able to configure their own 
> password, and these files won't be updated during deinstall/install-sequence 
> of our product.

I can see this as a variant of the --override-config stuff, but for SPA key
information and gated by a new ENABLE_ variable.

> - fix firewall rules
> usr\fwknopd.rul can include fixed ports (ranges) to open on every start (think 
> of another PLC (some, or no operating system) trying to communicate with our 
> PLC - no client available).
> As we don't know them, but must configure the firewall during installation of 
> our product this is an easy solution to deploy on multiple PLCs for end 
> users...

The multi-port access mode of fwknop does part of this, but I think it would
be a good idea to make this more flexible (as you suggest).  The FORCE_NAT
mode is another similar piece of functionality.

> - Replay buffer size is configurable.
> PLCs typically run over months/years without restarts.
> Thus, memory is limited (RAM and file system).

Makes sense.  fwknop now runs on embedded distributions, so having configurable
limits like this is good.

> - Logging and statistics.
> Replay buffer is not ideal for support teams.
> My logging buffer also filters "updates".
> When our "ConnectionManager" connects to the PLC(s), it resends the 
> SPA-packets just before the firewall-rule-timeout expires. These "updates" 
> are not logged into the file to keep it small. (PS: the Windows firewall does not 
> allow adding similar ports multiple times).
> Created a statistics file for TCP and UDP in ini-file format.
> 
> Some pictures/files, hopefully helping to understand:

Thanks for sending,

--Mike


> Configuration of the service in the registry:
> 
> 
> 
> The fwknopd.conf extensions:
> 
> # The max number of SPA digests to hold in memory.
> # When this amount of messages is received, the digest cache file is written
> # to disk.
> MAX_DIGEST_COUNT=30000;
> 
> # After this time (in seconds) has elapsed, the digest cache file is written
> # to disk, even if MAX_DIGEST_COUNT was not reached.
> MAX_DIGEST_TIME=900;
> 
> # Enable logging and statistical records of messages.
> # The logfiles are written to the LogPath-Directory, defined in the services
> # registry configuration.
> ENABLE_LOGGING=Y;
> 
> # When this amount of logfile-entries is reached, the logfile is written to disk.
> # The logging mechanism filters 'updates' of ports.
> # Thus the amount can be smaller than that of tracking digests.
> MAX_LOG_COUNT=1000;
> 
> # After this time (in seconds) has elapsed, the digest log files are written
> # to disk, even if MAX_LOG_COUNT was not reached.
> MAX_LOG_TIME=900;
> 
> 
> The fwknopd.rul file:
> 
> #FwKnop configuration file for fixed firewall rules.
> #fromPort;toPort;protocol;IP address to allow;comment/rule name;
> #Where protocol can be "tcp" or "udp".
> #The comment will be used as a part of the firewall rule name.
> #Examples:
> #812;815;tcp;10.150.22.8;range required for PLC XYZ;
> #42;42;udp;10.150.22.8;life, the universe and everything
> 
> 
> Example of a log file:
> 
> #<time> <src_ip> <message>
> Sat Mar 05 04:17:15 2011 10.150.22.8 
> <10.150.22.8,tcp/652,tcp/653,tcp/654,tcp/655>
> Sat Mar 05 04:17:16 2011 10.150.22.8 
> <10.150.22.8,tcp/736,tcp/737,tcp/738,tcp/739,tcp/740>
> 
> Example of TCP statistics file:
> Where PortNumber=count within [Ports].
> 
> [Info]
> Type=Single Packet Authorization (SPA) - Statistics
> Created=Fri Mar 04 07:06:04 2011
> 
> [Ports]
> 22=14
> 111=128
> 137=128
> 139=128
> 445=128
> 600=3190
> 
> 
> Example of a UDP statistics file:
> Where PortNumber=count within [Ports].
> 
> [Info]
> Type=Single Packet Authorization (SPA) - Statistics
> Created=Fri Mar 04 07:06:04 2011
> 
> [Ports]
> 111=1
> 137=3193
> 138=3193
> 
> 
> 
> Maybe you can get a few ideas...
> 
> Regards,
> - Bernhard Ruhsam
> 
> PS: Sorry for the 3 email addresses - not sure where to send...
> 
> 


> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
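The fixed-rule file (usr\fwknopd.rul) discussed in the quoted message is opened on every start without any SPA packet involved, so a malformed or over-broad line there is worse than a bad key in access.conf. Below is an added example of a strict parser for that format; it is not code from fwknop or from Bernhard's Windows port. Only the field layout comes from the file header quoted above; the FixedRule class, parse_rul(), the rule that nothing broader than a /8 is accepted, and the netsh argument rendering are assumptions made for this example.

```python
"""Validating parser for the fwknopd.rul fixed-rule format quoted above.

Added example, not code from fwknop or from the Windows port in the thread.
Only the line format comes from the quoted file header:
    fromPort;toPort;protocol;IP address to allow;comment/rule name;
FixedRule, parse_rul(), the min_prefixlen policy and the netsh rendering
are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample file: the two example lines from the thread plus three
# deliberately bad lines to exercise the validation.
SAMPLE_RUL = """\
#FwKnop configuration file for fixed firewall rules.
#fromPort;toPort;protocol;IP address to allow;comment/rule name;
812;815;tcp;10.150.22.8;range required for PLC XYZ;
42;42;udp;10.150.22.8;life, the universe and everything

815;812;tcp;10.150.22.8;reversed range, rejected;
22;22;tcp;0.0.0.0/0;world-open ssh, rejected;
80;80;icmp;10.150.22.8;unsupported protocol, rejected;
"""


@dataclass(frozen=True)
class FixedRule:
    from_port: int
    to_port: int
    protocol: str                   # "tcp" or "udp"
    remote: ipaddress.IPv4Network   # host or network allowed to connect
    name: str                       # taken from the comment field

    def netsh_args(self):
        """Argument vector for the Windows Firewall CLI, meant for
        subprocess.run() without a shell so the free-text rule name
        cannot break or extend the command."""
        ports = (str(self.from_port) if self.from_port == self.to_port
                 else f"{self.from_port}-{self.to_port}")
        remote = (str(self.remote.network_address) if self.remote.prefixlen == 32
                  else self.remote.with_prefixlen)
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                f"name=fwknop fixed: {self.name}", "dir=in", "action=allow",
                f"protocol={self.protocol.upper()}", f"localport={ports}",
                f"remoteip={remote}"]


def parse_rul(text: str, min_prefixlen: int = 8):
    """Parse fwknopd.rul text into (rules, errors).

    '#' lines and blank lines are ignored. A data line is
    fromPort;toPort;protocol;IP;comment with an optional trailing ';'.
    Bad lines are reported as (lineno, message) and skipped; the caller
    decides whether any error is fatal. Nothing broader than /min_prefixlen
    is accepted, so a stray 0.0.0.0/0 cannot open a port to the world.
    """
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";", 4)            # comment may itself contain ';'
        if len(parts) < 5:
            errors.append((lineno, "expected 5 ';'-separated fields"))
            continue
        p_from, p_to, proto, addr, comment = (p.strip() for p in parts)
        comment = comment.rstrip(";").strip()
        try:
            from_port, to_port = int(p_from), int(p_to)
        except ValueError:
            errors.append((lineno, "ports must be integers"))
            continue
        if not (1 <= from_port <= to_port <= 65535):
            errors.append((lineno, f"bad port range {from_port}-{to_port}"))
            continue
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            errors.append((lineno, f"unsupported protocol {proto!r}"))
            continue
        try:
            remote = ipaddress.IPv4Network(addr, strict=False)
        except ValueError:
            errors.append((lineno, f"bad IPv4 address/network {addr!r}"))
            continue
        if remote.prefixlen < min_prefixlen:
            errors.append((lineno, f"{remote} is broader than /{min_prefixlen}"))
            continue
        if not comment:
            errors.append((lineno, "empty rule name"))
            continue
        rules.append(FixedRule(from_port, to_port, proto, remote, comment))
    return rules, errors


if __name__ == "__main__":
    rules, errors = parse_rul(SAMPLE_RUL)
    for r in rules:
        print(" ".join(r.netsh_args()))
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```

The errors list is returned rather than raised so that a deployment script can refuse to start the service if any line is bad, instead of silently applying the lines that happened to parse.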
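The two remaining pieces of the quoted design, a replay buffer whose memory use is capped by MAX_DIGEST_COUNT/MAX_DIGEST_TIME and a log that drops the ConnectionManager's "update" resends, are easier to reason about in code. The following is an added example, not code from fwknop or from the Windows port; it follows the knobs and the log line format quoted above, but the class names, the injected clock, hashing the raw packet with SHA-256, the max_age eviction window and the sink callback are assumptions made for this example.

```python
"""Bounded replay-digest cache plus an event log that drops "updates".

Added example modelled on the MAX_DIGEST_COUNT/MAX_DIGEST_TIME and
MAX_LOG_COUNT/MAX_LOG_TIME knobs and the log format quoted in the thread;
it is not code from fwknop or from the Windows port. Class names, the
injected clock, SHA-256 over the raw packet, the max_age eviction and the
sink callback are assumptions made for this example.
"""
import hashlib
import time
from collections import OrderedDict


class DigestCache:
    """Remembers digests of accepted SPA packets so a replay is refused.

    Memory stays bounded two ways: pending digests go to the sink once
    max_count have accumulated or max_time seconds have passed, and digests
    older than max_age are evicted, which is safe only because accept()
    rejects a packet that old before the digest is ever consulted.
    Caveat: digests still pending when the process dies never reach the
    sink, so a packet seen in that window could be replayed after restart;
    max_count/max_time trade write I/O against the size of that window.
    """

    def __init__(self, max_count, max_time, max_age, sink, clock=time.time):
        self.max_count, self.max_time, self.max_age = max_count, max_time, max_age
        self.sink, self.clock = sink, clock      # sink(list_of_hex_digests)
        self.seen = OrderedDict()                 # digest -> time first seen
        self.pending = []                         # seen but not yet in sink
        self.last_flush = clock()

    def accept(self, packet: bytes, pkt_time: float) -> bool:
        """True if fresh and unseen, False if stale or a replay.
        pkt_time is the timestamp the client embedded in the SPA message."""
        now = self.clock()
        while self.seen and now - next(iter(self.seen.values())) > self.max_age:
            self.seen.popitem(last=False)         # oldest entry is first
        if abs(now - pkt_time) > self.max_age:
            return False
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return False
        self.seen[digest] = now
        self.pending.append(digest)
        if len(self.pending) >= self.max_count or now - self.last_flush >= self.max_time:
            self.flush()
        return True

    def flush(self):
        if self.pending:
            self.sink(list(self.pending))
            self.pending.clear()
        self.last_flush = self.clock()


class EventLog:
    """Writes one line per SPA access event in the thread's log format, but
    drops an "update": a resend from the same source for the same port set
    while the rule opened by the earlier packet is still active."""

    def __init__(self, rule_timeout, clock=time.time):
        self.rule_timeout, self.clock = rule_timeout, clock
        self.active = {}                          # (src, ports) -> expiry
        self.lines = []

    def record(self, src_ip: str, ports) -> bool:
        """True if a line was written, False if filtered as an update."""
        now = self.clock()
        key = (src_ip, tuple(sorted(ports)))
        is_update = self.active.get(key, 0) > now
        self.active[key] = now + self.rule_timeout   # refreshed either way
        if is_update:
            return False
        stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(now))
        self.lines.append(f"{stamp} {src_ip} <{src_ip},{','.join(key[1])}>")
        return True


def demo():
    """Drive both classes with a fake clock; returns what each decided."""
    t = [1_000_000.0]
    flushed = []
    cache = DigestCache(max_count=3, max_time=900, max_age=120,
                        sink=flushed.extend, clock=lambda: t[0])
    log = EventLog(rule_timeout=30, clock=lambda: t[0])
    pkt1 = b"constructed SPA packet 1"
    accepted = [cache.accept(pkt1, t[0]), cache.accept(pkt1, t[0])]  # new, replay
    logged = [log.record("10.150.22.8", ("tcp/652", "tcp/653"))]
    t[0] += 25                      # resend before the 30 s rule expires
    accepted.append(cache.accept(b"constructed SPA packet 2", t[0]))
    logged.append(log.record("10.150.22.8", ("tcp/653", "tcp/652")))  # update
    t[0] += 100                     # pkt1 is 125 s old: evicted and too stale
    accepted.append(cache.accept(pkt1, t[0] - 125))
    logged.append(log.record("10.150.22.8", ("tcp/652", "tcp/653")))  # rule expired
    accepted.append(cache.accept(b"constructed SPA packet 3", t[0]))  # 3rd pending: flush
    return {"accepted": accepted, "logged": logged, "flushed": flushed,
            "lines": log.lines}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The ordering inside accept() is the point: the age check must run before the digest lookup, otherwise evicting old digests to save memory reopens exactly the replay window the cache exists to close. The log filter keys on the sorted port set, so a resend that lists the same ports in a different order is still recognised as an update.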