Linux Firewalls - Michael Rash [141]

an entity has permission to perform an operation—of remote clients that wish to access a service behind the default-drop packet filter. These two processes are not the same, and both are important in their own right.

fwknop Installation

Installing fwknop begins with downloading the latest source tarball or RPM from http://www.cipherdyne.org/fwknop/download. As usual, it is prudent to verify the MD5 sum; it is even better, from a security perspective, to use GnuPG to see if the GnuPG signature checks out.[78] Once you're sure that the downloaded file is safe, you can proceed with the installation. Here's how to install the source tarball of fwknop version 1.0:

$ cd /usr/local/src
$ wget http://www.cipherdyne.org/fwknop/download/fwknop-1.8.1.tar.bz2
$ wget http://www.cipherdyne.org/fwknop/download/fwknop-1.8.1.tar.bz2.md5
$ md5sum -c fwknop-1.8.1.tar.bz2.md5
fwknop-1.8.1.tar.bz2: OK
$ wget http://www.cipherdyne.org/fwknop/download/fwknop-1.8.1.tar.bz2.asc
$ gpg --verify fwknop-1.8.1.tar.bz2.asc
gpg: Signature made Wed Jun 6 01:27:16 2007 EDT using DSA key ID A742839F
gpg: Good signature from "Michael Rash "
gpg:                 aka "Michael Rash "
$ tar xfj fwknop-1.8.1.tar.bz2
$ su -
Password:
# cd /usr/local/src/fwknop-1.8.1
# ./install.pl
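The download-and-verify steps above, wrapped in a small POSIX sh script as an added example (this is not code from the book or the fwknop project). It refuses to unpack the tarball unless both the published MD5 sum and the GnuPG signature check out, and it goes one step further than the session above by pinning the signing key ID (A742839F, as shown in the gpg output) rather than accepting any "Good signature"; the function names are my own.

```shell
#!/bin/sh
# Hypothetical helper, not part of fwknop: verify a downloaded release
# tarball against its published .md5 file and detached .asc signature,
# and only unpack it when both checks pass.

# check_md5 TARBALL MD5FILE -> 0 if the sum recorded in MD5FILE matches
# TARBALL. The sums are compared directly so it works from any directory.
check_md5() {
    expected=$(awk 'NR == 1 { print $1 }' "$2" 2>/dev/null)
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_sig TARBALL ASCFILE KEYID -> 0 only if gpg reports a valid
# signature made by a key whose fingerprint ends in KEYID. A bare
# "Good signature" only means some key in the local keyring signed the
# file, so the expected key ID is pinned instead of trusting whatever
# happens to be in the keyring.
check_sig() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG [0-9A-Fa-f]*$3 "
}

# install_release TARBALL KEYID: the same steps as the session above,
# but the tarball is unpacked only when both checks succeed.
install_release() {
    check_md5 "$1" "$1.md5" || { echo "MD5 mismatch: $1" >&2; return 1; }
    check_sig "$1" "$1.asc" "$2" || { echo "bad or unexpected signature: $1" >&2; return 1; }
    tar xfj "$1"
}

# Usage: ./verify_fwknop.sh fwknop-1.8.1.tar.bz2 [KEYID]
# A742839F is the key ID shown in the gpg output above.
if [ "$#" -ge 1 ]; then
    install_release "$1" "${2:-A742839F}"
fi
```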

As with the installation of psad in Chapter 5, the install.pl script will prompt you for several bits of information, such as the authorization mode (i.e., whether you want to use the SPA mode or the legacy port-knocking mode) and the interface on which you would like fwknop to sniff packets.

You can install fwknop in client-only mode, in which the system can only send SPA packets, or with full support for both sending SPA packets and sniffing them from the network (the default). A full installation creates several files and directories on the filesystem to support normal operations, as follows.

/usr/bin/fwknop

This is the client program responsible for accepting password input from the user; constructing SPA packets that conform to the fwknop packet format; encrypting packet data with the Rijndael symmetric cipher or by interfacing with GnuPG for asymmetric encryption; and sending the encrypted SPA packet via UDP, TCP, or ICMP. By default, fwknop sends SPA packets over UDP port 62201, but this can be changed from the command line.

/usr/sbin/fwknopd

This is the main daemon responsible for sniffing and decrypting SPA packet data, guarding against replay attacks, decoding the fwknop SPA packet format, verifying access rights, and reconfiguring the local iptables policy to grant temporary access to service(s) requested within SPA packets.

/usr/bin/fwknop_serv

This is a simplistic TCP server that is only used if SPA packets are sent over the Tor anonymizing network (http://tor.eff.org). Use of this server results in bidirectional communication, so it technically breaks the usual unidirectional nature of the SPA protocol; see "SPA over Tor" on page 254 for more information.

/usr/lib/fwknop

The Perl modules fwknop uses are installed within this directory in order to keep the system Perl library tree clean. Among the installed modules are Net::Pcap, Net::IPv4Addr, Net::RawIP, IPTables::Parse, IPTables::ChainMgr, Unix::Syslog, GnuPG::Interface, Crypt::CBC, and Crypt::Rijndael. The install.pl script is careful to install only Perl modules that do not already exist within the system Perl library tree, in order to minimize disk utilization. However, you can force install.pl to install all required Perl modules by using the --force-mod-install command-line argument. The IPTables::Parse and IPTables::ChainMgr modules are never installed on systems running the ipfw firewall, or on client-only installs of fwknop on Windows under Cygwin.

/etc/fwknop

This is the main directory for fwknop daemon configuration files such as fwknop.conf and access.conf. This directory is used by fwknop daemons when running in server mode, and it is not needed to generate an SPA packet in client mode.
