Dear all,

I'm an fwknop newbie. I've been struggling with getting fwknopd to work 
on my Asus router, as I think it should be pretty secure compared to the 
alternatives (knockd, or just ssh wide open for everyone to see from the 
internet or WAN)... I'm not really sure what I'm doing wrong, as I 
don't understand the error messages or what fwknopd is trying to tell 
me... Here are the version details:

----------

# fwknopd --version
fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
----------

And below are the error messages - the output when I try to run fwknopd 
on my Asus router:

----------------------------------------------------------------------------------------

wrt54g@router:/tmp# fwknopd  -f -v
Opened access file: /opt/etc/fwknop/access.conf
Initialize access stanzas
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
     Var: OPEN_PORTS, Val: 'tcp/22'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
     Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE              ANY
     Var: SOURCE, Val: 'ANY'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64          
gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
     Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64 
JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
     Var: HMAC_KEY_BASE64, Val: 
'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
[+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
Starting fwknopd
Current fwknopd config settings:
   0. CONFIG_FILE                  = '/opt/etc/fwknop/fwknopd.conf'
   1. OVERRIDE_CONFIG              =  '<not set>'
   2. PCAP_INTF                    =  'eth0'
........
........
........
GPG_IGNORE_SIG_VERIFY_ERROR:  No
               GPG_REMOTE_ID:  <not set>
          GPG_FINGERPRINT_ID:  <not set>


Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 
127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-C INPUT -s 127.0.0.2 -p udp -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 
127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
ipt_chk_support() -C supported
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-D INPUT 1
run_extcmd(): returning 0, pid_status: 0
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT 
-t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 2
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j 
FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target 
`FWKNOP_INPUT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT 
does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-F FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' 
(res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-X FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' 
(res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-L FWKNOP_INPUT -n
run_extcmd(): returning 0, pid_status: 1
chain_exists() CMD: '/opt/sbin/iptables -t filter -L FWKNOP_INPUT -n' 
(res: 0, err: iptables: No chain/target/match by that name.)
'filter' table 'FWKNOP_INPUT' chain exists
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-N FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
create_chain() CMD: '/opt/sbin/iptables -t filter -N FWKNOP_INPUT' (res: 
0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT 
-t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j 
FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT 
does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-I INPUT 1 -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
add_jump_rule() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -j 
FWKNOP_INPUT' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
comment_match_exists() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 
127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT' (res: 0, err: 
iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-L INPUT --line-numbers -n
run_extcmd(): returning 0, pid_status: 0
Warning: Could not use the 'comment' match
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT 
-t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j 
FWKNOP_INPUT' (res: 0, err: )
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT 
already exists
jump_rule_exists_chk_support() jump rule found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-D INPUT -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j 
FWKNOP_INPUT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT 
-t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j 
FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT 
does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-F FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' 
(res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-X FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' 
(res: 0, err: )
----------------------------------------------------------------------------------------


And then it exits... Sorry, I don't know what the problem is. Please 
help with a few hints/ideas/suggestions and I'll try them out. Thanks!



------------------------------------------------------------------------------
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
