Kind Sir,

First, this looks like a fantastic port protection method. Thanks for your work in writing it.
I am trying to set this up for the first time on a Ubiquiti Edge-lite router which uses Debian wheezy (mips). The version in the wheezy repos is quite dated:

user@Host ~ $ sudo fwknopd -V
[-] file: /etc/fwknop/fwknopd.conf permissions should only be user read/write (0600, -rw-------)
fwknopd server 2.0.0rc2

I have also installed to a host on my LAN and it does not report this permission issue. So I assume that the warning is from fwknop and not the EdgeOS on the router, and plan on changing it. Although I may compile the newest version instead. But that carries its own set of problems, as the router is not a very good compiler, so I would need to compile on a computer which is not of the same architecture.

More important is that I am not understanding how to work around an issue with the first step in your tutorial. It says:

"From spaclient generate encryption and HMAC keys along with the ssh access request arguments to spaserver.domain.com. In the fwknop command below the client IP '1.1.1.1' is used in the argument: '-a 1.1.1.1', and assumes this IP is known to the user. This is the externally routable IP of the client system (i.e. past any NAT device), and will certainly be different for your particular network. Using the -a argument is the most secure method of generating an SPA packet since it encrypts IP to be allowed through the remote firewall within the SPA packet vs. having to trust the network layer header. The fwknop client can also resolve your externally routable IP via the -R argument which causes fwknop to issue an HTTPS request (via wget --secure-protocol ...) to an IP resolution script hosted on cipherdyne.org. However, if you are concerned about a local network admin or other entity discovering usage of the fwknop client through traffic analysis you should not use this option since DNS and HTTPS requests to cipherdyne.org are rather obvious."

My issue is that for my use case the remote IP will almost never be known beforehand.
What I am trying to do: I have a couple of IP cameras that I would like to put into service for security reasons, but they call home to the manufacturer's servers and I don't trust them. When these cameras are allowed to talk freely the output is accessible from a cell phone app, and that is a nice feature, but only when I want that access to exist. Hence fwknop, which, if I understand its capabilities correctly, will allow me to slap the router on some port and have it open access for the cameras to talk to the manufacturer's servers, thereby giving me access via my cell to the camera output. When I am done, a second slap of the router and the access will be terminated.

The tutorial never says, and I have not been able to locate, how to work around the "assumption that the IP" is known or can be discovered when the key is generated. So, not being able to get that IP, as it will always be different depending on which towers and network the phone will be on, can I just omit that part of the command?

Another issue that I will have to deal with is that I did not install the gpg suggested packages into the router, as they wanted to drag in a bunch of other dependencies, and space is limited on the router and I want to keep the footprint as small as possible.

Any help or guidance you can share with me will be greatly appreciated. I hope to write a tutorial for the users of the Ubiquiti routers. The only info I have been able to find is on a Ubuntu site and it is quite dated also. Although I have not looked specifically at openwrt yet, I will do so next.

Thanks
Randy
--
If it ain't broke tweek it
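The tutorial passage quoted above contrasts two ways an SPA server can learn which client address to open the firewall for: the address carried inside the authenticated packet (what the -a argument supplies), or the source address seen in the network header. The following is an added example, not code from fwknop or from the tutorial, that models that trade-off in a deliberately simplified form: an HMAC-authenticated request with an embedded allow-IP, a timestamp window, and a seen-nonce set for replay defence. It is not fwknop's wire format, and the key, addresses (RFC 5737 documentation ranges) and the "trust the header when no IP is embedded" convention are all constructed for illustration. It also shows the failure mode the question is about: when the client guesses its external address wrongly, the rule opens for the wrong host and the real client gets nothing.

```python
import hashlib
import hmac
import ipaddress
import json
import os
import time

# Constructed key for this example only; a real deployment would generate
# the key on the client (the tutorial's key-generation step) and copy it to
# the server out of band.
HMAC_KEY = b"example-hmac-key-constructed-for-illustration"
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag
MAX_AGE = 120                            # seconds a request stays valid


def build_spa(allow_ip, access, key=HMAC_KEY, now=None, nonce=None):
    """Client side: build an authenticated access request.

    allow_ip: the address to allow (the role of -a), or None to tell the
    server to use whatever source address it observes on the wire, the
    less secure route the tutorial warns about.
    """
    if allow_ip is not None:
        ipaddress.ip_address(allow_ip)   # reject malformed addresses early
    body = json.dumps({
        "allow_ip": allow_ip,
        "access": access,
        "ts": int(time.time() if now is None else now),
        "nonce": (os.urandom(8) if nonce is None else nonce).hex(),
    }, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaServer:
    """Server side: verify requests and track which addresses are open."""

    def __init__(self, key=HMAC_KEY, max_age=MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.seen = set()      # nonces already accepted (replay defence)
        self.rules = set()     # (ip, access) pairs currently allowed

    def handle(self, packet, src_ip, now=None):
        now = time.time() if now is None else now
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate before parsing: unauthenticated bytes never reach json.loads.
        if not hmac.compare_digest(tag, expected):
            return {"ok": False, "reason": "bad hmac", "open_for": None}
        req = json.loads(body)
        if abs(now - req["ts"]) > self.max_age:
            return {"ok": False, "reason": "stale", "open_for": None}
        if req["nonce"] in self.seen:
            return {"ok": False, "reason": "replay", "open_for": None}
        self.seen.add(req["nonce"])
        # Embedded address wins when present; otherwise fall back to the
        # header, which an on-path party could have forged.
        open_for = req["allow_ip"] if req["allow_ip"] is not None else src_ip
        self.rules.add((open_for, req["access"]))
        return {"ok": True, "reason": "accepted", "open_for": open_for}

    def is_open(self, ip, access):
        return (ip, access) in self.rules


if __name__ == "__main__":
    server = SpaServer()
    # Client behind carrier NAT guesses the wrong external address: the rule
    # opens for the guessed host, and the real source is still blocked.
    pkt = build_spa("198.51.100.9", "tcp/22", now=1000)
    print(server.handle(pkt, src_ip="203.0.113.7", now=1000))
    print("real client allowed:", server.is_open("203.0.113.7", "tcp/22"))
```

Running the block prints an accepted request whose rule is for 198.51.100.9 and then "real client allowed: False", which is exactly why the embedded address has to be the externally routable one the tutorial describes. Omitting the embedded address (allow_ip=None here) makes the rule follow the observed source instead, at the cost of trusting the header.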