Just found this thread from a few years ago when working on the same issue.
Thought I’d contribute my solution to rebuild the centos 7 SRPM for iptables
instead of firewall-cmd. Here are the steps:
# yum install yum-utils
# yumdownloader —source fwknop
# vim ~/rpmbuild/SPECS/fwknop.spec (make edits shown in patch below)
# vim ~/rpmbuild/SOURCES/fwknopd.service (make edits shown in patch below)
Then just rebuild:
# cd ~/rpmbuild/SPECS; rpmbuild -ba fwknop.spec
--- fwknop.spec.old 2015-11-25 04:35:32.000000000 -0800
+++ fwknop.spec 2021-02-21 13:48:24.255624950 -0800
@@ -1,7 +1,7 @@
Summary: A Single Packet Authorization (SPA) implementation
Name: fwknop
Version: 2.6.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
Group: System Environment/Daemons
Url: http://www.cipherdyne.org/fwknop/ <http://www.cipherdyne.org/fwknop/>
@@ -54,7 +54,7 @@
%setup -q
%build
-%configure --with-firewall-cmd=/usr/bin/firewall-cmd --with-gpgme
+%configure --with-iptables=/sbin/iptables --with-gpgme
# remove Rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g’ libtool
--- fwknopd.service 2015-11-25 04:35:24.000000000 -0800
+++ /usr/lib/systemd/system/fwknopd.service 2021-02-21 13:54:12.000000000
-0800
@@ -1,8 +1,8 @@
[Unit]
Description=The FireWall KNock OPerator (fwknop)
Documentation=man:fwknop(8)
-After=network-online.target firewalld.service
-Requires=firewalld.service
+After=network-online.target iptables.service
+Requires=iptables.service
[Service]
Type=forking
Hope this helps someone,Adi
On 4/9/2017 03:43, Michael Rash wrote:
>
>
> On Sat, Apr 8, 2017 at 5:38 PM, Adam <awg1@...
> <mailto:awg1@...>> wrote:
>
> Hi there. I'm trying to get fwknop working on Centos 7.3 for the first
> time (I've used it on Ubuntu for years).
>
> The systemd log records the following:
>
> Apr 08 21:17:14 nextcloud fwknopd[1052]: Starting fwknopd
> Apr 08 21:17:14 nextcloud systemd[1]: PID file
> /var/run/fwknop/fwknopd.pid not readable (yet?) after start.
> Apr 08 21:17:25 nextcloud fwknopd[1052]: Added jump rule from chain:
> INPUT to chain: FWKNOP_INPUT
> Apr 08 21:17:26 nextcloud fwknopd[1052]: Warning: Could not use the
> 'comment' match
> Apr 08 21:17:28 nextcloud systemd[1]: fwknopd.service never wrote its
> PID file. Failing.
> Apr 08 21:17:28 nextcloud systemd[1]: Failed to start The FireWall KNock
> OPerator (fwknop).
> Apr 08 21:17:28 nextcloud systemd[1]: Unit fwknopd.service entered
> failed state.
> Apr 08 21:17:28 nextcloud systemd[1]: fwknopd.service failed.
>
>
> I'm NOT using firewalld which I believe may be where the problem lies
> (and I really don't want to use it). I masked firewalld and removed the
> firewalld references from the service file and now I have this:
>
>
> Hello Adam,
>
> The problem appears to be the inability of fwknopd to see the 'comment'
> match. Did you install the 'fwknop-server' package from the CentOS
> package repositories? If so, to get things working and switch over to
> iptables, I'd recommend installing the latest release of fwknop from
> sources and compiling it with iptables support. Or just clone the latest
> code and to the following:
>
> $ git clone https://github.com/mrash/fwknop <https://github.com/mrash/fwknop>
> fwknop.git
> $ cd fwknop.git
> $ ./autogen.sh
> $ ./configure --with-iptables=/sbin/iptables --prefix=/usr
> --sysconfdir=/etc --localstatedir=/run
> $ make
> $ sudo make install
>
> I think fwknopd should be functional after this.
>
> Thanks,
>
> --Mike
>
Thanks Mike, that seems to have worked. I did need to observe the
workaround on this page regarding the loading of libfko.so.3 and managed
the firewall initiation with rc.local rather than systemd. A bit of a
hack maybe but the "comment match" problem return if I had them both
loading through systemd. Anyway it's up and running now. Thanks for
your help.
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
