On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com> wrote:

> Dear all,
>
> I'm a fwknop-newbie, I've been struggling with getting fwknopd to work
> on my asus router, as I think it should be pretty secure, compared to
> alternatives (knockd or just ssh wide open, for everyone to see this
> from the internet or WAN)... I'm not really sure what I make wrong, as I
> don't understand the error messages or what fwknopd is trying to tell
> me... Here's version details:
>
> ----------
>
> # fwknopd --version
> fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
> ----------
>
> And below are the error messages - the output, when I try to run fwknopd
> on my Asus router:
>


From the output below, the reason fwknopd is exiting is because it is
looking for the iptables 'comment' match, and it does not appear to be
available. This is somewhat common on routers since Linux distributions
designed to work there tend to reduce the features they compile in. There
is a solution though - just run the command open/close cycle feature in
fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
expiration itself instead of using the 'comment' match.

To get this working, change your /etc/fwknop/access.conf file to add the
following lines to the stanza that defines your encryption/HMAC keys:

CMD_CYCLE_OPEN         /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT

CMD_CYCLE_CLOSE        /opt/sbin/iptables -D INPUT -p $PROTO -s $IP --dport $PORT -j ACCEPT

CMD_CYCLE_TIMER        30

Please let me know if there are any issues.

Thanks,

--Mike




> ----------------------------------------------------------------------------------------
>
> wrt54g@router:/tmp# fwknopd  -f -v
> Opened access file: /opt/etc/fwknop/access.conf
> Initialize access stanzas
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
>      Var: OPEN_PORTS, Val: 'tcp/22'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
>      Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE              ANY
>      Var: SOURCE, Val: 'ANY'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64
> gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
>      Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64
> JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcS
> xg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
>      Var: HMAC_KEY_BASE64, Val:
> 'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcS
> xg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
> Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
> [+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
> Starting fwknopd
> Current fwknopd config settings:
>    0. CONFIG_FILE                  = '/opt/etc/fwknop/fwknopd.conf'
>    1. OVERRIDE_CONFIG              =  '<not set>'
>    2. PCAP_INTF                    =  'eth0'
> ........
> ........
> ........
> GPG_IGNORE_SIG_VERIFY_ERROR:  No
>                GPG_REMOTE_ID:  <not set>
>           GPG_FINGERPRINT_ID:  <not set>
>
>
> Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s
> 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -C INPUT -s 127.0.0.2 -p udp -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s
> 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
> ipt_chk_support() -C supported
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -D INPUT 1
> run_extcmd(): returning 0, pid_status: 0
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
> -t filter -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 2
> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
> FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target
> `FWKNOP_INPUT':No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.)
> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
> does not exist
> jump_rule_exists_chk_support() jump rule not found
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -F FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT'
> (res: 0, err: iptables: No chain/target/match by that name.)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -X FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 1
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT'
> (res: 0, err: iptables: No chain/target/match by that name.)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -L FWKNOP_INPUT -n
> run_extcmd(): returning 0, pid_status: 1
> chain_exists() CMD: '/opt/sbin/iptables -t filter -L FWKNOP_INPUT -n'
> (res: 0, err: iptables: No chain/target/match by that name.)
> 'filter' table 'FWKNOP_INPUT' chain exists
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -N FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> create_chain() CMD: '/opt/sbin/iptables -t filter -N FWKNOP_INPUT' (res:
> 0, err: )
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
> -t filter -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 1
> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
> FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
> does not exist
> jump_rule_exists_chk_support() jump rule not found
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -I INPUT 1 -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> add_jump_rule() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -j
> FWKNOP_INPUT' (res: 0, err: )
> Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> comment_match_exists() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s
> 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT' (res: 0, err:
> iptables: No chain/target/match by that name.)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -L INPUT --line-numbers -n
> run_extcmd(): returning 0, pid_status: 0
> Warning: Could not use the 'comment' match
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
> -t filter -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
> FWKNOP_INPUT' (res: 0, err: )
> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
> already exists
> jump_rule_exists_chk_support() jump rule found
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -D INPUT -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j
> FWKNOP_INPUT' (res: 0, err: )
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
> -t filter -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 1
> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
> FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
> does not exist
> jump_rule_exists_chk_support() jump rule not found
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -F FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT'
> (res: 0, err: )
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -X FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT'
> (res: 0, err: )
> ----------------------------------------------------------------------------------------
>
>
> And then it exits... Sorry, I don't know what the problem is. Please
> help with a few hints/ideas/suggestions and I'll try them out. Thanks!
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
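The command cycle described above, as an added example that is not fwknop's own code: it expands CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE templates the way fwknopd fills in $PROTO, $IP and $PORT for an authorised SPA packet, and checks that the close command carries the same rule spec as the open command, since `iptables -D` only removes a rule whose spec matches exactly. The templates, the timer and the 203.0.113.5 client address are constructed sample values; the iptables path is the one from this thread.

```shell
#!/bin/sh
# Added example, not fwknop's own code: expand CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE
# templates as fwknopd does for an authorised SPA packet, and refuse to run a
# cycle whose close command would not match the rule the open command inserted.
# Templates, timer and the 203.0.113.5 client address are constructed samples.

IPTABLES=${IPTABLES:-/opt/sbin/iptables}
OPEN_TMPL="$IPTABLES -I INPUT 1 -p \$PROTO -s \$IP --dport \$PORT -j ACCEPT"
CLOSE_TMPL="$IPTABLES -D INPUT -p \$PROTO -s \$IP --dport \$PORT -j ACCEPT"
CYCLE_TIMER=30

# $1 template, $2 protocol, $3 source IP, $4 port -> fully expanded command
expand_cycle_cmd() {
    printf '%s\n' "$1" | sed -e "s|\\\$PROTO|$2|g" -e "s|\\\$IP|$3|g" -e "s|\\\$PORT|$4|g"
}

# Strip the chain operation (-I INPUT <n> / -D INPUT) and keep only the rule spec.
rule_spec() {
    printf '%s\n' "$1" | sed -e 's/^.* -I INPUT [0-9]* //' -e 's/^.* -D INPUT //'
}

# Succeeds only when the open ($1) and close ($2) commands share one rule spec.
cycle_cmds_match() {
    [ "$(rule_spec "$1")" = "$(rule_spec "$2")" ]
}

# One open/wait/close cycle for proto $1, client $2, port $3.
# With DRY_RUN=1 the three steps are printed instead of executed.
run_cycle() {
    open=$(expand_cycle_cmd "$OPEN_TMPL" "$1" "$2" "$3")
    close=$(expand_cycle_cmd "$CLOSE_TMPL" "$1" "$2" "$3")
    cycle_cmds_match "$open" "$close" || {
        echo "refusing: close rule would not match the open rule" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\nsleep %s\n%s\n' "$open" "$CYCLE_TIMER" "$close"
    else
        $open && sleep "$CYCLE_TIMER" && $close
    fi
}

# Run directly as: DRY_RUN=1 sh cycle.sh tcp 203.0.113.5 22
if [ "$#" -eq 3 ]; then
    run_cycle "$@"
fi
```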