Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-21 Thread newsboost

On 09/20/2016 08:56 PM, newsboost wrote:
> On 09/20/2016 02:26 PM, Michael Rash wrote:
>>>> This cuts out the rate limiting stuff and will help to verify
>>>> that SSH is available on eth0. The nmap output you sent had
>>>> 'filtered' instead of 'closed', so that implies a firewall
>>>> policy in the way instead of otherwise having TCP stack
>>>> access and SSH not listening on eth0.
>>>
>>> You're completely right! First I had my connection "filtered" and
>>> when I tried to ssh to the WAN-side of the router (public IP
>>> address) it was just waiting forever and nothing happens... After
>>> running the command above, when I tried to ssh it immediately
>>> said something about "connection closed" (I'm at work at the
>>> moment, I just didn't have time to reply earlier)...
>>
>> Ok, so does nmap now report that port 22 is "closed" instead of
>> "filtered"? If so, then you are either hitting the TCP stack itself
>> and there is nothing bound to port 22 as Jonathan suspected
>> (definitely important), or iptables is using the REJECT target
>> against your connection (as you have below), or both. To be really
>> sure iptables is not in the way, I would temporarily just flush the
>> whole policy, test SSH, and then rebuild it. So:
>>
>> # iptables -F
>> # iptables -X
>> ... test ssh ...
>> # iptables-restore
>>
>> You need to make sure SSH is available before fwknopd can have a
>> chance...
>
> SSH is available from the LAN - that's what's so strange... But now I
> tested this. Still the same result: I get that port 22 is "filtered"
> from the WAN-side until "opening" with:
>
> # iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
>
> And then I get that port 22 is "closed"... I verified using "shields
> up". It says the same, as I discovered: First, I get a good
> "stealth"-rating on "shields up" which is normally good. After running
> $IPT -F, $IPT -X, $IPT -I INPUT 1 -p tcp --dport 22 -j ACCEPT,
> I immediately get that port 22 is closed. BUT I can
> connect to port 22 from the LAN-side (192.168.1.XXX)...


UPDATE: I received a little help from the Asus custom firmware group: I 
discovered that the SSHD-program on my router is called dropbear and I 
was looking for SSHD because I'm used to Linux... Earlier I discovered 
that the difference between opening up for SSH to only the LAN vs 
LAN+WAN is this:


==
rt54g@router:/tmp# diff LAN_only.txt LAN+WAN.txt
--- LAN_only.txt
+++ LAN+WAN.txt

 *filter
+:SSHBFP - [0:0]
+-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
+-A SSHBFP -m recent --set --name SSH --rsource
+-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH 
--rsource -j DROP

+-A SSHBFP -j ACCEPT
==

From the Asus custom firmware group, I learned (it's actually obvious 
and so simple) that my SSH-WAN-access solution should be to set up 
LAN+WAN and then delete the iptables rule that opened SSH to the 
WAN-side (instead of adding the rules that connected the WAN to the LAN, 
which is quite simple and obvious but I didn't think about it before - 
something about dropbear being only bound to the LAN-side or 
LAN-interfaces, and the "LAN+WAN"-setting would bind the dropbear server to 
eth0 on the WAN-side). So, I got the following, after using the router's 
web-interface to set up SSH-access to LAN+WAN (these 3 rules are the last 
3 rules, output from my "diff"-command above):


wrt54g@router:/tmp/mnt/sda# iptables -t filter -L SSHBFP -v --line-numbers
Chain SSHBFP (1 references)
num   pkts bytes target  prot opt in   out  source    destination
1        1    44         all  --  any  any  anywhere  anywhere    recent: SET name: SSH side: source
2        0     0  DROP   all  --  any  any  anywhere  anywhere    recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
3        1    44  ACCEPT all  --  any  any  anywhere  anywhere


I followed the suggestion from the Asus firmware group and deleted the 
last ACCEPT-rule in the SSHBFP-chain:

wrt54g@router:/tmp/mnt/sda# iptables -D SSHBFP -j ACCEPT



My findings:
- I tested with "shields up" and "shields up" says now all my ports are 
filtered (in "stealth" mode, they call it, so ssh is invisible from 
WAN-side)!
- I also tested with nmap from the LAN-side to the external IP (ssh 
admin@router-external_IP-address) and this says "22/tcp open   ssh". I 
believe it's okay, as I'm SSH'ing from the LAN and the router will not 
see me coming from the WAN/internet...
- Finally I tested, running a VPN-connection on my main pc and then 
connecting (trying to SSH into) to the WAN-side of the router. Again, 
now port 22 is filtered - so everything is ok, so far...


Now I need to open up, after sending an SPA-packet. My task is to ensure 
I use fwknopd in the correct way, i.e. I believe right after fwknopd 
receives the SPA-packet it must use something like the following custom 
command to open port 2

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-20 Thread newsboost

On 09/20/2016 02:26 PM, Michael Rash wrote:
>>> On Mon, Sep 19, 2016 at 6:49 PM, newsboost wrote:
>>>
>>>> Without changing these rules in the web-interface, I tried to login to
>>>> the Asus-router and using SSH (from LAN-side) I wanted to type in
>>>> something like:
>>>>
>>>> # iptables -N SSHBFP
>>>> # iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state
>>>> NEW -j SSHBFP
>>>> iptables: Protocol wrong type for socket.
>>>> # iptables -A SSHBFP -m recent --set --name SSH --rsource
>>>> # iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name
>>>> SSH --rsource -j DROP
>>>> # iptables -A SSHBFP -j ACCEPT
>>>>
>>>> So, I'm not completely sure what is going on... I don't understand the
>>>> "Protocol wrong type for socket". These commands don't work. If they
>>>> did, I think it should be possible to make the fwknopd-server let me
>>>> in...
>>>
>>> I think that iptables error is because of a bug in iptables
>>> and/or the kernel on your system based on some searches I did
>>> - those commands should work just fine. Your strategy is a
>>> good one, and let's try simplifying the iptables commands a
>>> bit. Just do the following and see if you can SSH to the WAN side:
>>>
>>> # iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
>>
>> You're right - must be a bug in the entware version of iptables,
>> which I'm using... Anyway, you're right:

No, please allow or let me correct myself as I've now found the solution 
- just for the reference - on my router I have these:


wrt54g@router:/tmp/home/root# cd /
wrt54g@router:/# find . | grep -i iptabl
./opt/bin/iptables-xml
./opt/lib/opkg/info/iptables.control
./opt/lib/opkg/info/iptables.list
./opt/lib/iptables
./opt/lib/iptables/libxt_NOTRACK.so
./opt/lib/iptables/libxt_state.so
./opt/sbin/iptables
./opt/sbin/iptables-restore
./opt/sbin/iptables-save
./usr/sbin/iptables
./usr/sbin/iptables-restore
./usr/sbin/iptables-save

(actually /opt = /tmp/mnt/sda/entware, but that's irrelevant here). Also 
remember:


wrt54g@router:/# which fwknopd
/opt/sbin/fwknopd

So I have a firmware-version of iptables and I have the entware-version 
of iptables. The entware "opkg"-commands gave me (among others) fwknopd. 
The /usr/sbin/iptables version is v1.4.14. The /opt/sbin/iptables version is 
newer: v1.4.21. As I remember, earlier I discovered that I needed to 
have the entware-version of iptables running, in order to run fwknopd 
(avoid error messages). I also have: 
$PATH=/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/wrt54g:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin 
so with my configuration, the entware version of iptables is default and 
first in path.


The solution is simply now: I just had to type "IPT=/usr/sbin/iptables" 
and then everywhere I needed iptables, I used "$IPT ." followed by 
the rest of the commands... Maybe it can help someone else in the 
future, so just for the reference... Now I also have iptables-restore 
working (before it came with an error message, but the problem is that I 
have two different versions of iptables on the same router, at the same 
time)...




>>> This cuts out the rate limiting stuff and will help to verify
>>> that SSH is available on eth0. The nmap output you sent had
>>> 'filtered' instead of 'closed', so that implies a firewall
>>> policy in the way instead of otherwise having TCP stack access
>>> and SSH not listening on eth0.
>>
>> You're completely right! First I had my connection "filtered" and
>> when I tried to ssh to the WAN-side of the router (public IP
>> address) it was just waiting forever and nothing happens... After
>> running the command above, when I tried to ssh it immediately said
>> something about "connection closed" (I'm at work at the moment, I
>> just didn't have time to reply earlier)...
>
> Ok, so does nmap now report that port 22 is "closed" instead of
> "filtered"? If so, then you are either hitting the TCP stack itself
> and there is nothing bound to port 22 as Jonathan suspected
> (definitely important), or iptables is using the REJECT target against
> your connection (as you have below), or both. To be really sure
> iptables is not in the way, I would temporarily just flush the whole
> policy, test SSH, and then rebuild it. So:
>
> # iptables -F
> # iptables -X
> ... test ssh ...
> # iptables-restore
>
> You need to make sure SSH is available before fwknopd can have a chance...


SSH is available from the LAN - that's what's so strange... But now I 
tested this. Still the same result: I get that port 22 is "filtered" 
from the WAN-side until "opening" with:


# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

And then I get that port 22 is "closed"... I verified using "s

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-20 Thread Michael Rash
On Tue, Sep 20, 2016 at 5:51 AM, newsboost wrote:

> From: Michael Rash  - 2016-09-20 03:01:54
>>
>
> Hi Michael, sorry if this message is weird, I received messages as
> "digest" but now changed it and did some copy/paste here as I didn't
> receive this "digest"-mail yet, but wanted to reply to it anyway...
>
>
>> On Mon, Sep 19, 2016 at 6:49 PM, newsboost  wrote:
>>
>>>
>>> ==
>>> rt54g@router:/tmp# diff LAN_only.txt LAN+WAN.txt
>>> --- LAN_only.txt
>>> +++ LAN+WAN.txt
>>>
>>>   *filter
>>> +:SSHBFP - [0:0]
>>> +-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
>>> +-A SSHBFP -m recent --set --name SSH --rsource
>>> +-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH
>>> --rsource -j DROP
>>> +-A SSHBFP -j ACCEPT
>>> ==
>>>
>>> I'm definitely not an iptables-expert. But what I think I see here, is
>>> that when I go from SSH-access, from only LAN to LAN+WAN, then the
>>> "only" difference is that the router adds something extra to the
>>> IPTABLES-rules. In this case, something extra is added to the
>>> "filter"-table, more specifically, the INPUT-chain. My understanding is
>>> that "SSHBFP" is a new "target", so when something (a tcp-packet) tries
>>> to connect to port 22 from eth0 (the WAN-side of the router = the
>>> internet-side) and it is new, the first rule says: Jump to target
>>> "SSHBFP". Then there are 3 new commands - I don't know what they do. And
>>> finally that packet is ACCEPTED.
>>>
>>
>> That is correct - the additional commands apply the iptables 'recent'
>> extension to effectively do rate limiting on incoming SSH connection
>> requests. Somewhere else in your INPUT chain there should be a rule to
>> accept packets that are part of established connections as well.
>>
>
> Thanks! You're right, I'm sure there is a rule for established connections
> but that is probably not caught by the diff-tool...
>
>
>>
>>> Without changing these rules in the web-interface, I tried to login to
>>> the Asus-router and using SSH (from LAN-side) I wanted to type in
>>> something like:
>>>
>>> # iptables -N SSHBFP
>>> # iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state
>>> NEW -j SSHBFP
>>> iptables: Protocol wrong type for socket.
>>> # iptables -A SSHBFP -m recent --set --name SSH --rsource
>>> # iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name
>>> SSH --rsource -j DROP
>>> # iptables -A SSHBFP -j ACCEPT
>>>
>>> So, I'm not completely sure what is going on... I don't understand the
>>> "Protocol wrong type for socket". These commands don't work. If they
>>> did, I think it should be possible to make the fwknopd-server let me
>>> in...
>>
>>
>> I think that iptables error is because of a bug in iptables and/or the
>> kernel on your system based on some searches I did - those commands should
>> work just fine. Your strategy is a good one, and let's try simplifying the
>> iptables commands a bit. Just do the following and see if you can SSH to
>> the WAN side:
>>
>> # iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
>>
>
> You're right - must be a bug in the entware version of iptables, which I'm
> using... Anyway, you're right:
>
>
>> This cuts out the rate limiting stuff and will help to verify that SSH is
>> available on eth0. The nmap output you sent had 'filtered' instead of
>> 'closed', so that implies a firewall policy in the way instead of otherwise
>> having TCP stack access and SSH not listening on eth0.
>>
>
> You're completely right! First I had my connection "filtered" and when I
> tried to ssh to the WAN-side of the router (public IP address) it was just
> waiting forever and nothing happens... After running the command above,
> when I tried to ssh it immediately said something about "connection closed"
> (I'm at work at the moment, I just didn't have time to reply earlier)...
>

Ok, so does nmap now report that port 22 is "closed" instead of "filtered"?
If so, then you are either hitting the TCP stack itself and there is
nothing bound to port 22 as Jonathan suspected (definitely important), or
iptables is using the REJECT target against your connection (as you have
below), or both. To be really sure iptables is not in the way, I would
temporarily just flush the whole policy, test SSH, and then rebuild it. So:

# iptables -F
# iptables -X
... test ssh ...
# iptables-restore 

You need to make sure SSH is available before fwknopd can have a chance...

Thanks,

--Mike




>
>>> Anyway, if it isn't possible for me to login directly to the
>>> router using fwknopd, would it be possible for me to maybe first send
>>> the SPA-packet and then SSH into one of the machines on the LAN (from
>>> the internet/WAN-side), e.g. 192.168.1.150 ? How would I setup this ?
>>>
>>
>> You could use the NAT capabilities in fwknopd to NAT an incoming SSH
>> connection from the WAN side straight through to an internal system if you
>> prefer that (but it shouldn'

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-20 Thread newsboost .
>
> From: Michael Rash  - 2016-09-20 03:01:54
>

Hi Michael, sorry if this message is weird, I received messages as "digest"
but now changed it and did some copy/paste here as I didn't receive this
"digest"-mail yet, but wanted to reply to it anyway...


> On Mon, Sep 19, 2016 at 6:49 PM, newsboost  wrote:
>
>>
>> ==
>> rt54g@router:/tmp# diff LAN_only.txt LAN+WAN.txt
>> --- LAN_only.txt
>> +++ LAN+WAN.txt
>>
>>   *filter
>> +:SSHBFP - [0:0]
>> +-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
>> +-A SSHBFP -m recent --set --name SSH --rsource
>> +-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH
>> --rsource -j DROP
>> +-A SSHBFP -j ACCEPT
>> ==
>>
>> I'm definitely not an iptables-expert. But what I think I see here, is
>> that when I go from SSH-access, from only LAN to LAN+WAN, then the
>> "only" difference is that the router adds something extra to the
>> IPTABLES-rules. In this case, something extra is added to the
>> "filter"-table, more specifically, the INPUT-chain. My understanding is
>> that "SSHBFP" is a new "target", so when something (a tcp-packet) tries
>> to connect to port 22 from eth0 (the WAN-side of the router = the
>> internet-side) and it is new, the first rule says: Jump to target
>> "SSHBFP". Then there are 3 new commands - I don't know what they do. And
>> finally that packet is ACCEPTED.
>>
>
> That is correct - the additional commands apply the iptables 'recent'
> extension to effectively do rate limiting on incoming SSH connection
> requests. Somewhere else in your INPUT chain there should be a rule to
> accept packets that are part of established connections as well.
>

Thanks! You're right, I'm sure there is a rule for established connections
but that is probably not caught by the diff-tool...


>
>> Without changing these rules in the web-interface, I tried to login to
>> the Asus-router and using SSH (from LAN-side) I wanted to type in
>> something like:
>>
>> # iptables -N SSHBFP
>> # iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state
>> NEW -j SSHBFP
>> iptables: Protocol wrong type for socket.
>> # iptables -A SSHBFP -m recent --set --name SSH --rsource
>> # iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name
>> SSH --rsource -j DROP
>> # iptables -A SSHBFP -j ACCEPT
>>
>> So, I'm not completely sure what is going on... I don't understand the
>> "Protocol wrong type for socket". These commands don't work. If they
>> did, I think it should be possible to make the fwknopd-server let me
>> in...
>
>
> I think that iptables error is because of a bug in iptables and/or the
> kernel on your system based on some searches I did - those commands should
> work just fine. Your strategy is a good one, and let's try simplifying the
> iptables commands a bit. Just do the following and see if you can SSH to
> the WAN side:
>
> # iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
>

You're right - must be a bug in the entware version of iptables, which I'm
using... Anyway, you're right:


> This cuts out the rate limiting stuff and will help to verify that SSH is
> available on eth0. The nmap output you sent had 'filtered' instead of
> 'closed', so that implies a firewall policy in the way instead of otherwise
> having TCP stack access and SSH not listening on eth0.
>

You're completely right! First I had my connection "filtered" and when I
tried to ssh to the WAN-side of the router (public IP address) it was just
waiting forever and nothing happens... After running the command above,
when I tried to ssh it immediately said something about "connection closed"
(I'm at work at the moment, I just didn't have time to reply earlier)...

>> Anyway, if it isn't possible for me to login directly to the
>> router using fwknopd, would it be possible for me to maybe first send
>> the SPA-packet and then SSH into one of the machines on the LAN (from
>> the internet/WAN-side), e.g. 192.168.1.150 ? How would I setup this ?
>>
>
> You could use the NAT capabilities in fwknopd to NAT an incoming SSH
> connection from the WAN side straight through to an internal system if you
> prefer that (but it shouldn't be necessary - access to SSH on eth0 should
> be possible directly from the WAN side). There are some details on this
> here:
>
> http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#nat
>

Thanks, I begin to understand it and it makes me feel very happy that by
using your iptables command I now get connection closed instead of
filtered... But why doesn't it yet allow ssh from the outside, just by
running:

# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

Am I right, somewhere else in the iptables-rules - something must be
REJECTING (isn't that the difference between -j DROP which acts like a
"filter" and -j REJECT which just closes the attempt to SSH in) ?

Or can it be something in the implementation of sshd, on the router? When I
get home from work 

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-19 Thread Michael Rash
On Mon, Sep 19, 2016 at 6:49 PM, newsboost  wrote:

> On 09/19/2016 08:55 PM, Jonathan Bennett wrote:
> > It may be that the ssh daemon is bound to the internal ip
> > address/device.  This would cause the ssh connections to be rejected
> > even though the firewall is not blocking them.
>
> Yes, maybe you're right... I'm not sure, what is going on... But to
> begin with, I thought the only way, in which SSH did not work - was due
> to iptables disallowing SSH from the WAN-side. But to see if I could/can
> understand what goes on, I made "iptables-save > LAN_only.txt" followed
> by going into the web-interface of the router. In here ("Administration"
>  > "System" > "Enable SSH: Lan only", I changed this setting to "Enable
> SSH: LAN+WAN", followed by "apply" and "iptables-save > LAN+WAN.txt".
> Then I made a "diff"-comparison and below I've tried to manually "clean
> up" the not so interesting entries (where there is no difference):
>
> ==
> rt54g@router:/tmp# diff LAN_only.txt LAN+WAN.txt
> --- LAN_only.txt
> +++ LAN+WAN.txt
>
>   *filter
> +:SSHBFP - [0:0]
> +-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
> +-A SSHBFP -m recent --set --name SSH --rsource
> +-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH
> --rsource -j DROP
> +-A SSHBFP -j ACCEPT
> ==
>
> I'm definitely not an iptables-expert. But what I think I see here, is
> that when I go from SSH-access, from only LAN to LAN+WAN, then the
> "only" difference is that the router adds something extra to the
> IPTABLES-rules. In this case, something extra is added to the
> "filter"-table, more specifically, the INPUT-chain. My understanding is
> that "SSHBFP" is a new "target", so when something (a tcp-packet) tries
> to connect to port 22 from eth0 (the WAN-side of the router = the
> internet-side) and it is new, the first rule says: Jump to target
> "SSHBFP". Then there are 3 new commands - I don't know what they do. And
> finally that packet is ACCEPTED.
>

That is correct - the additional commands apply the iptables 'recent'
extension to effectively do rate limiting on incoming SSH connection
requests. Somewhere else in your INPUT chain there should be a rule to
accept packets that are part of established connections as well.


>
> Without changing these rules in the web-interface, I tried to login to
> the Asus-router and using SSH (from LAN-side) I wanted to type in
> something like:
>
> # iptables -N SSHBFP
> # iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state
> NEW -j SSHBFP
> iptables: Protocol wrong type for socket.
> # iptables -A SSHBFP -m recent --set --name SSH --rsource
> # iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name
> SSH --rsource -j DROP
> # iptables -A SSHBFP -j ACCEPT
>
> So, I'm not completely sure what is going on... I don't understand the
> "Protocol wrong type for socket". These commands don't work. If they
> did, I think it should be possible to make the fwknopd-server let me
> in...


I think that iptables error is because of a bug in iptables and/or the
kernel on your system based on some searches I did - those commands should
work just fine. Your strategy is a good one, and let's try simplifying the
iptables commands a bit. Just do the following and see if you can SSH to
the WAN side:

# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

This cuts out the rate limiting stuff and will help to verify that SSH is
available on eth0. The nmap output you sent had 'filtered' instead of
'closed', so that implies a firewall policy in the way instead of otherwise
having TCP stack access and SSH not listening on eth0.



> Anyway, if it isn't possible for me to login directly to the
> router using fwknopd, would it be possible for me to maybe first send
> the SPA-packet and then SSH into one of the machines on the LAN (from
> the internet/WAN-side), e.g. 192.168.1.150 ? How would I setup this ?
>

You could use the NAT capabilities in fwknopd to NAT an incoming SSH
connection from the WAN side straight through to an internal system if you
prefer that (but it shouldn't be necessary - access to SSH on eth0 should
be possible directly from the WAN side). There are some details on this
here:

http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#nat

Thanks,

--Mike


>
> Thanks for any ideas/help!
>
>
> Br,
> Martin
>
>
> 
> --
> ___
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
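To make the SSHBFP chain from the diff concrete, here is an added example (not code from this thread, from fwknop or from the Asus firmware) that re-implements the semantics of the iptables 'recent' match in Python and traces the chain as quoted: with its trailing ACCEPT, after that ACCEPT is deleted so the chain returns to INPUT, and with the per-source ACCEPT rule that fwknopd's CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE inserts and removes. The LAN interface name br0, the default DROP policy, the LAN accept rule and all packets and addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """One TCP connection attempt as the INPUT chain sees it (constructed)."""
    t: float          # seconds since the trace started
    src: str
    in_iface: str     # "eth0" = WAN side, "br0" = LAN bridge (assumed name)
    dport: int = 22
    proto: str = "tcp"
    new: bool = True  # conntrack state NEW


class RecentList:
    """Per-source timestamp list, as xt_recent keeps it for '--name SSH --rsource'."""

    def __init__(self, max_stamps=20):  # ip_pkt_list_tot default
        self.stamps = {}
        self.max_stamps = max_stamps

    def set(self, src, now):
        """'--set': record the current packet's timestamp for this source."""
        lst = self.stamps.setdefault(src, [])
        lst.append(now)
        del lst[:-self.max_stamps]

    def update(self, src, now, seconds, hitcount):
        """'--update --seconds S --hitcount N': match when at least N stamps
        fall inside the last S seconds; a match also refreshes the entry."""
        hits = sum(1 for s in self.stamps.get(src, []) if now - s <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


class RouterInput:
    """Model of the router's filter/INPUT chain as described in the thread.

    keep_sshbfp_accept=False is the final state, where the trailing
    '-A SSHBFP -j ACCEPT' was deleted: SSHBFP then returns to INPUT and the
    packet ends at the default policy (assumed DROP, hence "filtered").
    """

    def __init__(self, keep_sshbfp_accept=True, policy="DROP"):
        self.recent = RecentList()
        self.keep_sshbfp_accept = keep_sshbfp_accept
        self.policy = policy
        self.spa_open = {}  # src -> expiry of the rule fwknopd put at INPUT 1

    def cmd_cycle_open(self, src, now, timer=30):
        """CMD_CYCLE_OPEN inserts a per-source ACCEPT at the top of INPUT;
        CMD_CYCLE_CLOSE removes it after CMD_CYCLE_TIMER seconds."""
        self.spa_open[src] = now + timer

    def sshbfp(self, pkt):
        self.recent.set(pkt.src, pkt.t)                       # rule 1, no target
        if self.recent.update(pkt.src, pkt.t, 60, 4):         # rule 2: -j DROP
            return "DROP"
        return "ACCEPT" if self.keep_sshbfp_accept else None  # rule 3, or RETURN

    def verdict(self, pkt):
        ssh = pkt.proto == "tcp" and pkt.dport == 22
        exp = self.spa_open.get(pkt.src)
        if ssh and exp is not None and pkt.t <= exp:  # fwknopd's temporary rule
            return "ACCEPT"
        if pkt.in_iface != "eth0":                    # assumed LAN accept rule
            return "ACCEPT"
        if ssh and pkt.new:                           # -i eth0 ... -j SSHBFP
            v = self.sshbfp(pkt)
            if v is not None:
                return v
        return self.policy


def trace(router, packets):
    """Verdict per packet, in order."""
    return [router.verdict(p) for p in packets]


def wan(t, src="203.0.113.5"):
    """Constructed WAN-side SSH attempt."""
    return Packet(t, src, "eth0")


if __name__ == "__main__":
    # Four NEW attempts inside 60 s: the fourth is DROPped by the recent match.
    print(trace(RouterInput(), [wan(0), wan(10), wan(20), wan(30), wan(35), wan(100)]))
    # ACCEPT deleted: only a source fwknopd has opened gets through, and only
    # until CMD_CYCLE_TIMER expires; the LAN side is unaffected.
    r = RouterInput(keep_sshbfp_accept=False)
    r.cmd_cycle_open("203.0.113.5", now=0)
    print(trace(r, [wan(5), wan(40), Packet(40, "192.168.1.150", "br0")]))
```

The model covers only what iptables decides; whether dropbear is bound to eth0 at all, which the thread found was the real reason for "closed", is outside it.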

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-19 Thread newsboost
On 09/19/2016 08:55 PM, Jonathan Bennett wrote:
> It may be that the ssh daemon is bound to the internal ip 
> address/device.  This would cause the ssh connections to be rejected 
> even though the firewall is not blocking them.

Yes, maybe you're right... I'm not sure, what is going on... But to 
begin with, I thought the only way, in which SSH did not work - was due 
to iptables disallowing SSH from the WAN-side. But to see if I could/can 
understand what goes on, I made "iptables-save > LAN_only.txt" followed 
by going into the web-interface of the router. In here ("Administration" 
 > "System" > "Enable SSH: Lan only", I changed this setting to "Enable 
SSH: LAN+WAN", followed by "apply" and "iptables-save > LAN+WAN.txt". 
Then I made a "diff"-comparison and below I've tried to manually "clean 
up" the not so interesting entries (where there is no difference):

==
rt54g@router:/tmp# diff LAN_only.txt LAN+WAN.txt
--- LAN_only.txt
+++ LAN+WAN.txt

  *filter
+:SSHBFP - [0:0]
+-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
+-A SSHBFP -m recent --set --name SSH --rsource
+-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH 
--rsource -j DROP
+-A SSHBFP -j ACCEPT
==
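Review bot: the `--set` rule (second `+` line of the hunk) carries no `-j` target, so it only records the source address in the SSH list and falls through; the `--update --seconds 60 --hitcount 4` rule then matches once that source has four or more entries inside 60 seconds (the current packet already counts, because `--set` ran first) and DROPs it, and everything else falls to the final `-j ACCEPT`. Because the hand-trimmed hunk has no `@@` header and omits the rest of `*filter`, the rule for established connections that Michael's reply mentions cannot be seen here; note also that the INPUT rule is restricted to `-i eth0`, so LAN-side SSH never enters SSHBFP.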

I'm definitely not an iptables-expert. But what I think I see here, is 
that when I go from SSH-access, from only LAN to LAN+WAN, then the 
"only" difference is that the router adds something extra to the 
IPTABLES-rules. In this case, something extra is added to the 
"filter"-table, more specifically, the INPUT-chain. My understanding is 
that "SSHBFP" is a new "target", so when something (a tcp-packet) tries 
to connect to port 22 from eth0 (the WAN-side of the router = the 
internet-side) and it is new, the first rule says: Jump to target 
"SSHBFP". Then there are 3 new commands - I don't know what they do. And 
finally that packet is ACCEPTED.

Without changing these rules in the web-interface, I tried to login to 
the Asus-router and using SSH (from LAN-side) I wanted to type in 
something like:

# iptables -N SSHBFP
# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state 
NEW -j SSHBFP
iptables: Protocol wrong type for socket.
# iptables -A SSHBFP -m recent --set --name SSH --rsource
# iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name 
SSH --rsource -j DROP
# iptables -A SSHBFP -j ACCEPT

So, I'm not completely sure what is going on... I don't understand the 
"Protocol wrong type for socket". These commands don't work. If they 
did, I think it should be possible to make the fwknopd-server let me 
in... Anyway, if it isn't possible for me to login directly to the 
router using fwknopd, would it be possible for me to maybe first send 
the SPA-packet and then SSH into one of the machines on the LAN (from 
the internet/WAN-side), e.g. 192.168.1.150 ? How would I setup this ?

Thanks for any ideas/help!


Br,
Martin




Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-19 Thread Jonathan Bennett
It may be that the ssh daemon is bound to the internal ip address/device.
This would cause the ssh connections to be rejected even though the
firewall is not blocking them.

On Mon, Sep 19, 2016, 1:26 PM newsboost  wrote:

> On 09/19/2016 03:13 AM, fwknop-discuss-requ...@lists.sourceforge.net
> wrote:
>
> Date: Sun, 18 Sep 2016 21:13:46 -0400
> From: Michael Rash
> Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g.
>   "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"
>
> > On Sun, Sep 18, 2016 at 8:26 PM, newsboost wrote:
> >
> > > # fwknopd --version
> > > fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
> > > --
> > > And below are the error messages - the output, when I try to run
> > > fwknopd on my Asus router:
> >
> > From the output below, the reason fwknopd is exiting is because it is
> > looking for the iptables 'comment' match, and it does not appear to be
> > available. This is somewhat common on routers since Linux distributions
> > designed to work there tend to reduce the features they compile in. There
>
> Ok, thanks a lot, Michael! That is a really qualified answer, I had
> absolutely no idea what was the problem, although I suspected that the
> router's iptables-version was a "downgraded" version of what I imagine is
> normally shipped with modern linux-iptables versions...
>
> > is a solution though - just run the command open/close cycle feature in
> > fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
> > expiration itself instead of using the 'comment' match.
>
> I don't know (nor understand) anything about this, but I'm very happy you
> provided the solution:
>
> > To get this working, change your /etc/fwknop/access.conf file to add the
> > following lines to the stanza that defines your encryption/HMAC keys:
> >
> > CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d
> > $PORT -j ACCEPT
> >
> > CMD_CYCLE_CLOSE   /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT
> > -j ACCEPT
> >
> > CMD_CYCLE_TIMER 30
> >
> > Please let me know if there are any issues.
> >
> > Thanks,
> >
> > --Mike
>
> It's incredible, I feel I'm almost there (but unfortunately not yet)...
> Here's what I see or have done or figured out:
>
> I have this file on my client pc (I anonymized some details a bit):
>
>
> [martin@HPpc ~]$ cat .fwknoprc
> [default]
>
> [80.165.213.40]
> ACCESS  tcp/22
> SPA_SERVER  80.165.213.40
> KEY_BASE64  gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
> HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
> USE_HMAC Y
> VERBOSE Y
> RESOLVE_IP_HTTPS Y
>
>
> On the router (fwknopd-server), I have this "access.conf" (everything else
> is out-commented, thanks a lot for the "CMD_CYCLE"-commands, they really
> help!):
>
> OPEN_PORTS  tcp/22
> SOURCE  ANY
> KEY_BASE64  gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
> HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
> CMD_CYCLE_OPEN  /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_TIMER 30
>
>
> And this "fwknopd.conf" (everything else is commented out):
> VERBOSE     3;
> PCAP_INTF   eth0;
> PCAP_FILTER udp dst portrange 1-65535;
>
>
> I tested by ssh'ing into the router, through the LAN and ran "fwknopd  -f
> -v" on the router through the LAN, so I could see the messages in the
> front. On my client (same pc) as root in one terminal window, I ran an
> openvpn-connection to get another external IP address, than the WAN-side of
> my router. Then I tried nmap using different combinations, but it didn't
> work out. I ran the fwknop-client like this (so it looked into the details
> in the ~/.fwknoprc - below I have "80.165.213.40" as my fwknop-server
> IP-address or WAN-side of my router and my OpenVPN connection gives me the
> external IP address "178.161.214.215" in extra terminal windows, from which
> I later try to ssh into the WAN-side of my router, trying to get into the
> local network, my own LAN, i.e. 192.168.XXX.XXX

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-19 Thread newsboost



From: Jonathan Bennett
Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"
To: fwknop-discuss@lists.sourceforge.net

I was about to suggest the "comment" feature as the problem.  Michael's 
solution should be the correct one.  I'm curious, though, what firmware distro you're 
using, like Openwrt/Lede, Tomato, etc?
Yes, correct. Michael's solution indeed helped me a lot... I'm running 
version 380.61 of the modified Asuswrt-Merlin firmware, 
https://asuswrt.lostrealm.ca/download (my router is an Asus RT-AC87U - 
consumer grade) and I've installed https://github.com/Entware/entware to 
get access to a lot of packages through the "opkg install" command...


I also asked about this problem in the thread here: 
http://www.snbforums.com/threads/step-by-step-setup-of-fwknopd-need-help-also-with-iptables.33792/ 
but nobody seemed to have the solution to fwknopd. I remember I've read 
at least one other tried to get fwknopd to run on this firmware. So I 
think, once I get it working, I'll post an update with the solution - to 
help everyone else... The SPA packets' are a great security feature, I 
think - fwknopd is really great, I think. But I think maybe not many 
people are using it... If I make it work, I'll encourage other people to 
use fwknopd - and I think I'll keep hanging around here in this mailing 
list, to learn :-)



--
___
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss


Re: [Fwknop-discuss] noob - cannot figure out errors (e.g., "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-19 Thread newsboost

On 09/19/2016 03:13 AM, fwknop-discuss-requ...@lists.sourceforge.net wrote:
Date: Sun, 18 Sep 2016 21:13:46 -0400
From: Michael Rash
Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"
To: "fwknop-discuss@lists.sourceforge.net"

On Sun, Sep 18, 2016 at 8:26 PM, newsboost wrote:

># fwknopd --version
>fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
>--
>
>And below is the error messages - the output, when I try to run fwknopd
>on my Asus router:
>

From the output below, the reason fwknopd is exiting is because it is
looking for the iptables 'comment' match, and it does not appear to be
available. This is somewhat common on routers since Linux distributions
designed to work there tend to reduce the features they compile in. There
Ok, thanks a lot, Michael! That is a really qualified answer, I had 
absolutely no idea what was the problem, although I suspected that the 
router's iptables-version was a "downgraded" version of what I imagine 
is normally shipped with modern linux-iptables versions...

is a solution though - just run the command open/close cycle feature in
fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
expiration itself instead of using the 'comment' match.
I don't know (nor understand) anything about this, but I'm very happy 
you provided the solution:

To get this working, change your /etc/fwknop/access.conf file to add the
following lines to the stanza that defines your encryption/HMAC keys:

CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d
$PORT -j ACCEPT

CMD_CYCLE_CLOSE   /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT
-j ACCEPT

CMD_CYCLE_TIMER 30
Please let me know if there are any issues.

Thanks,

--Mike


It's incredible, I feel I'm almost there (but unfortunately not yet)... 
Here's what I see or have done or figured out:


I have this file on my client pc (I anonymized some details a bit):


[martin@HPpc ~]$ cat .fwknoprc
[default]

[80.165.213.40]
ACCESS  tcp/22
SPA_SERVER  80.165.213.40
KEY_BASE64 gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
HMAC_KEY_BASE64 
JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==

USE_HMAC Y
VERBOSE Y
RESOLVE_IP_HTTPS Y


On the router (fwknopd-server), I have this "access.conf" (everything 
else is out-commented, thanks a lot for the "CMD_CYCLE"-commands, they 
really help!):


OPEN_PORTS  tcp/22
SOURCE  ANY
KEY_BASE64  gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
HMAC_KEY_BASE64 
JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
CMD_CYCLE_OPEN  /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d 
$PORT -j ACCEPT
CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d 
$PORT -j ACCEPT

CMD_CYCLE_TIMER 30


And this "fwknopd.conf" (everything else is outcommented):
VERBOSE 3;
PCAP_INTF eth0;
PCAP_FILTER udp dst portrange 1-65535;


I tested by ssh'ing into the router, through the LAN and ran "fwknopd  
-f -v" on the router through the LAN, so I could see the messages in the 
front. On my client (same pc) as root in one terminal window, I ran an 
openvpn-connection to get an external IP address other than the WAN-side 
of my router. Then I tried nmap using different combinations, but it 
didn't work out. I ran the fwknop-client like this (so it looked into 
the details in the ~/.fwknoprc - below I have "80.165.213.40" as my 
fwknop-server IP-address or WAN-side of my router and my OpenVPN 
connection gives me the external IP address "178.161.214.215" in extra 
terminal windows, from which I later try to ssh into the WAN-side of my 
router, trying to get into the local network, my own LAN, i.e. 
192.168.XXX.XXX/24...):


[martin@HPpc ~]$ fwknop -v -R --rc-file .fwknoprc -n 80.165.213.40
[+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.9 
--secure-protocol=auto --quiet -O - 
https://www.cipherdyne.org/cgi-bin/myip') as: 80.165.213.40

SPA Field Values:
=
   Random Value: 1798384148634396
   Username: martin
  Timestamp: 1474307656
...
 Client Timeout: 0
Digest Type: 3 (SHA256)
  HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
...
Generating SPA packet:
protocol: udp
 source port: 
destination port: 62201
 IP/host: 80.165.213.40
send_spa_packet: bytes sent: 225



On the router (fwknopd-server) this happens (I can see these messages, 
as I have a

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-18 Thread Jonathan Bennett
I was about to suggest the "comment" feature as the problem.  Michael's 
solution should be the correct one.  I'm curious, though, what firmware distro 
you're using, like Openwrt/Lede, Tomato, etc?

--Jonathan Bennett

On 09/18/2016 08:13 PM, Michael Rash wrote:
> 
> 
> On Sun, Sep 18, 2016 at 8:26 PM, newsboost wrote:
> 
> Dear all,
> 
> I'm a fwknop-newbie, I've been struggling with getting fwknopd to work
> on my asus router, as I think it should be pretty secure, compared to
> alternatives (knockd or just ssh wide open, for everyone to see this
> from the internet or WAN)... I'm not really sure what I'm doing wrong, as I
> don't understand the error messages or what fwknopd is trying to tell
> me... Here are the version details:
> 
> --
> 
> # fwknopd --version
> fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
> --
> 
> And below are the error messages - the output, when I try to run fwknopd
> on my Asus router:
> 
> 
> 
> From the output below, the reason fwknopd is exiting is because it is looking 
> for the iptables 'comment' match, and it does not appear to be available. 
> This is somewhat common on routers since Linux distributions designed to work 
> there tend to reduce the features they compile in. There is a solution
> though - just run the command open/close cycle feature in fwknop-2.6.9. This 
> way, fwknopd keeps track of the timing for rule expiration itself instead of 
> using the 'comment' match.
> 
> To get this working, change your /etc/fwknop/access.conf file to add the 
> following lines to the stanza that defines your encryption/HMAC keys:
> 
> CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d 
> $PORT -j ACCEPT
> 
> CMD_CYCLE_CLOSE   /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT 
> -j ACCEPT
> 
> CMD_CYCLE_TIMER 30
> 
> Please let me know if there are any issues.
> 
> Thanks,
> 
> --Mike
> 
>  
> 
> 
> 
> 
> 
> wrt54g@router:/tmp# fwknopd  -f -v
> Opened access file: /opt/etc/fwknop/access.conf
> Initialize access stanzas
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
>  Var: OPEN_PORTS, Val: 'tcp/22'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
>  Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE  ANY
>  Var: SOURCE, Val: 'ANY'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64
> gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
>  Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64
> 
> JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
>  Var: HMAC_KEY_BASE64, Val:
> 
> 'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
> Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 
> 'ANY'
> [+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
> Starting fwknopd
> Current fwknopd config settings:
>0. CONFIG_FILE  = '/opt/etc/fwknop/fwknopd.conf'
>1. OVERRIDE_CONFIG  =  ''
>2. PCAP_INTF=  'eth0'
> 
> 
> 
> GPG_IGNORE_SIG_VERIFY_ERROR:  No
>GPG_REMOTE_ID:  
>   GPG_FINGERPRINT_ID:  
> 
> 
> Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s
> 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -C INPUT -s 127.0.0.2 -p udp -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s
> 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
> ipt_chk_support() -C supported
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -D INPUT 1
> run_extcmd(): returning 0, pid_status: 0
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
> -t filter -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 2
> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
> FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target
> `FWKNOP_INPUT':No such file or directory
> 
> Try `iptables -h' or 'iptables --help' for more information.)
> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' i

Re: [Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-18 Thread Michael Rash
On Sun, Sep 18, 2016 at 8:26 PM, newsboost wrote:

> Dear all,
>
> I'm a fwknop-newbie, I've been struggling with getting fwknopd to work
> on my asus router, as I think it should be pretty secure, compared to
> alternatives (knockd or just ssh wide open, for everyone to see this
> from the internet or WAN)... I'm not really sure what I'm doing wrong, as I
> don't understand the error messages or what fwknopd is trying to tell
> me... Here are the version details:
>
> --
>
> # fwknopd --version
> fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
> --
>
> And below are the error messages - the output, when I try to run fwknopd
> on my Asus router:
>


From the output below, the reason fwknopd is exiting is because it is
looking for the iptables 'comment' match, and it does not appear to be
available. This is somewhat common on routers since Linux distributions
designed to work there tend to reduce the features they compile in. There
is a solution though - just run the command open/close cycle feature in
fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
expiration itself instead of using the 'comment' match.

To get this working, change your /etc/fwknop/access.conf file to add the
following lines to the stanza that defines your encryption/HMAC keys:

CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d
$PORT -j ACCEPT

CMD_CYCLE_CLOSE   /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT
-j ACCEPT

CMD_CYCLE_TIMER 30
Please let me know if there are any issues.

Thanks,

--Mike




> 
> 
>
> wrt54g@router:/tmp# fwknopd  -f -v
> Opened access file: /opt/etc/fwknop/access.conf
> Initialize access stanzas
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
>  Var: OPEN_PORTS, Val: 'tcp/22'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
>  Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE  ANY
>  Var: SOURCE, Val: 'ANY'
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64
> gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
>  Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64
> JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcS
> xg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
>  Var: HMAC_KEY_BASE64, Val:
> 'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcS
> xg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
> Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
> [+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
> Starting fwknopd
> Current fwknopd config settings:
>0. CONFIG_FILE  = '/opt/etc/fwknop/fwknopd.conf'
>1. OVERRIDE_CONFIG  =  ''
>2. PCAP_INTF=  'eth0'
> 
> 
> 
> GPG_IGNORE_SIG_VERIFY_ERROR:  No
>GPG_REMOTE_ID:  
>   GPG_FINGERPRINT_ID:  
>
>
> Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s
> 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -C INPUT -s 127.0.0.2 -p udp -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s
> 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
> ipt_chk_support() -C supported
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -D INPUT 1
> run_extcmd(): returning 0, pid_status: 0
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
> -t filter -j FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 2
> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
> FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target
> `FWKNOP_INPUT':No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.)
> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
> does not exist
> jump_rule_exists_chk_support() jump rule not found
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -F FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 0
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT'
> (res: 0, err: iptables: No chain/target/match by that name.)
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
> -X FWKNOP_INPUT
> run_extcmd(): returning 0, pid_status: 1
> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT'
> (res: 0, err: iptables: No chain/target/match by that name.)
> run_extcmd() (with exec
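With the open/close cycle Michael describes above, the CMD_CYCLE_CLOSE command is the only thing that removes a rule once CMD_CYCLE_TIMER expires, so here is an added example (not code from the thread or from the fwknop project): a dry-run shell check that expands a CMD_CYCLE_OPEN/CMD_CYCLE_CLOSE pair for one SPA client the way fwknopd fills in $PROTO, $IP and $PORT, and verifies that the close command deletes exactly the rule the open command inserted at INPUT position 1. It assumes the /opt/sbin/iptables path from the thread, uses `--dport $PORT` for the port match (iptables' `-d` matches a destination address), and the client address and port are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the thread or of fwknopd itself: dry-run check
# of a CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE pair. With the open/close cycle,
# fwknopd tracks rule expiration itself instead of tagging rules with the
# iptables 'comment' match, so the close command must be the exact -D twin
# of the open command or the ACCEPT rule outlives CMD_CYCLE_TIMER.
# Nothing here executes iptables; the commands are only built and compared.

IPT=/opt/sbin/iptables   # iptables path used on the router in the thread

# Templates in fwknopd's CMD_CYCLE syntax. Assumption: '--dport $PORT' is
# used for the port match (iptables' -d matches a destination address).
OPEN_TPL="$IPT -I INPUT 1 -p \$PROTO -s \$IP --dport \$PORT -j ACCEPT"
CLOSE_TPL="$IPT -D INPUT -p \$PROTO -s \$IP --dport \$PORT -j ACCEPT"

# expand_cycle TEMPLATE PROTO IP PORT
# Substitute the three variables fwknopd fills in for an accepted SPA packet.
expand_cycle() {
    printf '%s\n' "$1" | sed -e "s|[\$]PROTO|$2|g" -e "s|[\$]IP|$3|g" -e "s|[\$]PORT|$4|g"
}

# rule_spec CMD
# Strip the binary and the '-I CHAIN N' / '-D CHAIN' prefix so that only the
# match and target part of the rule is left for comparison.
rule_spec() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^[^ ]+ +-I +[A-Za-z0-9_]+ +[0-9]+ +//' \
        -e 's/^[^ ]+ +-D +[A-Za-z0-9_]+ +//'
}

# cycle_check PROTO IP PORT
# Prints "ok" when the expanded open command inserts at INPUT position 1 (so
# an earlier REJECT/DROP rule cannot shadow it), no variable is left
# unexpanded, and the close command deletes exactly the inserted rule.
# Otherwise prints the reason and returns 1.
cycle_check() {
    open=$(expand_cycle "$OPEN_TPL" "$1" "$2" "$3")
    close=$(expand_cycle "$CLOSE_TPL" "$1" "$2" "$3")
    case "$open" in
        *" -I INPUT 1 "*) ;;
        *) echo "open command does not insert at INPUT position 1"; return 1 ;;
    esac
    case "$close" in
        *" -D INPUT "*) ;;
        *) echo "close command does not delete from INPUT"; return 1 ;;
    esac
    case "$open$close" in
        *'$'*) echo "unexpanded variable in cycle command"; return 1 ;;
    esac
    if [ "$(rule_spec "$open")" = "$(rule_spec "$close")" ]; then
        echo ok
    else
        echo "close rule spec differs from open rule spec"
        return 1
    fi
}

# Constructed sample: an SPA client arriving from 178.161.214.215 (the
# OpenVPN address mentioned in the thread) asking for tcp/22.
cycle_check tcp 178.161.214.215 22
```

Point OPEN_TPL and CLOSE_TPL at the exact strings from access.conf to check a real configuration before relying on the timer to close the port.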

[Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"

2016-09-18 Thread newsboost
Dear all,

I'm a fwknop-newbie, I've been struggling with getting fwknopd to work 
on my asus router, as I think it should be pretty secure, compared to 
alternatives (knockd or just ssh wide open, for everyone to see this 
from the internet or WAN)... I'm not really sure what I'm doing wrong, as I 
don't understand the error messages or what fwknopd is trying to tell 
me... Here are the version details:

--

# fwknopd --version
fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
--

And below are the error messages - the output, when I try to run fwknopd 
on my Asus router:



wrt54g@router:/tmp# fwknopd  -f -v
Opened access file: /opt/etc/fwknop/access.conf
Initialize access stanzas
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
 Var: OPEN_PORTS, Val: 'tcp/22'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
 Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE  ANY
 Var: SOURCE, Val: 'ANY'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64  
gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
 Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64 
JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
 Var: HMAC_KEY_BASE64, Val: 
'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
[+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
Starting fwknopd
Current fwknopd config settings:
   0. CONFIG_FILE  = '/opt/etc/fwknop/fwknopd.conf'
   1. OVERRIDE_CONFIG  =  ''
   2. PCAP_INTF=  'eth0'



GPG_IGNORE_SIG_VERIFY_ERROR:  No
   GPG_REMOTE_ID:  
  GPG_FINGERPRINT_ID:  


Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 
127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-C INPUT -s 127.0.0.2 -p udp -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 
127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
ipt_chk_support() -C supported
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-D INPUT 1
run_extcmd(): returning 0, pid_status: 0
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT 
-t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 2
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j 
FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target 
`FWKNOP_INPUT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT 
does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-F FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' 
(res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-X FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' 
(res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-L FWKNOP_INPUT -n
run_extcmd(): returning 0, pid_status: 1
chain_exists() CMD: '/opt/sbin/iptables -t filter -L FWKNOP_INPUT -n' 
(res: 0, err: iptables: No chain/target/match by that name.)
'filter' table 'FWKNOP_INPUT' chain exists
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-N FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
create_chain() CMD: '/opt/sbin/iptables -t filter -N FWKNOP_INPUT' (res: 
0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT 
-t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j 
FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT 
does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter 
-I INPUT 1 -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
add_jump_rule() CMD: '/opt