Linux Firewalls - Michael Rash [143]
ENABLE_PCAP_PROMISC N;
FIREWALL_TYPE
The FIREWALL_TYPE variable tells fwknopd about the type of firewall that it is responsible for reconfiguring after receiving a valid SPA packet. Supported values are iptables (the default) and ipfw for FreeBSD and Mac OS X systems.
FIREWALL_TYPE iptables;
PCAP_PKT_FILE
If AUTH_MODE is set to either FILE_PCAP or ULOG_PCAP, then the fwknop daemon acquires packet data from a PCAP-formatted file within the filesystem. The path to this file is defined by the PCAP_PKT_FILE variable and is set to the following default:
PCAP_PKT_FILE /var/log/sniff.pcap;
IPT_AUTO_CHAIN1
The IPTables::ChainMgr Perl module is used by fwknop to add and remove ACCEPT rules for legitimate SPA clients. The IPTables::ChainMgr is also used by psad, but instead of adding ACCEPT rules, psad adds DROP rules against IP addresses that send malicious traffic. The default configuration for the IPT_AUTO_CHAIN1 variable is to add ACCEPT rules into the custom iptables chain FWKNOP_INPUT and jump packets into this chain from the built-in INPUT chain.[79]
IPT_AUTO_CHAIN1 ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
ENABLE_MD5_PERSISTENCE
One of the most important features of the SPA protocol is the ability to detect and ignore replay attacks. The ENABLE_MD5_PERSISTENCE variable controls whether or not the fwknop daemon writes the MD5 sums of all successfully decrypted SPA packets to disk. This allows fwknop to detect replay attacks across restarts of fwknop and even across system reboots. This feature is enabled by default, but can be disabled if you wish to verify that replay detection functions correctly (requires sending a duplicate SPA packet over the network to the SPA server).
ENABLE_MD5_PERSISTENCE Y;
MAX_SPA_PACKET_AGE
The MAX_SPA_PACKET_AGE variable defines the maximum age, in seconds, of an SPA packet that the fwknop server will accept. The default is two minutes. This variable is only used if ENABLE_SPA_PACKET_AGING is enabled.
MAX_SPA_PACKET_AGE 120;
ENABLE_SPA_PACKET_AGING
By default, the fwknop daemon requires that an SPA packet sent from the fwknop client is less than 120 seconds (two minutes) old, as defined by the MAX_SPA_PACKET_AGE variable discussed above. The fwknop client includes a timestamp within each SPA packet (see "fwknop SPA Packet Format" on page 241), which the fwknop server uses to determine the age of all SPA packets. This feature requires loose time synchronization between the fwknop client and server, but the robust Network Time Protocol (NTP) makes this easy to do.
If ENABLE_SPA_PACKET_AGING is disabled, an attacker inline with an SPA packet could stop the packet from being forwarded, thus preventing the fwknop server from seeing it and calculating its MD5 sum. Later, the attacker could send the original SPA packet on to its destination, and the fwknop server would honor it. Further, if the fwknop -s command-line argument was used to generate the original SPA packet, fwknop would honor the SPA packet from whatever source IP address it came (see the variable REQUIRE_SOURCE_ADDRESS below), and the attacker would gain access through the iptables policy.[80] Therefore, it is highly recommended that you leave this feature enabled.
ENABLE_SPA_PACKET_AGING Y;
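As an added illustration (not code from the book or from fwknop itself), the following Python model shows how ENABLE_MD5_PERSISTENCE, MAX_SPA_PACKET_AGE and ENABLE_SPA_PACKET_AGING work together: MD5 sums of decrypted packets are appended to a cache file so a replay is caught even after the daemon restarts, and packet aging rejects a held-back packet that an inline attacker forwards later. The cache path, packet bytes and clock values are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


class SpaReplayFilter:
    """Replay and age checks for decrypted SPA packets (a constructed model of
    ENABLE_MD5_PERSISTENCE, ENABLE_SPA_PACKET_AGING and MAX_SPA_PACKET_AGE)."""

    def __init__(self, cache_path, max_age=120, persist=True, aging=True):
        self.cache_path, self.max_age = cache_path, max_age
        self.persist, self.aging = persist, aging
        self.seen = set()
        if persist and os.path.exists(cache_path):  # reload after a restart
            with open(cache_path) as fh:
                self.seen = {line.strip() for line in fh if line.strip()}

    def check(self, raw_packet, timestamp, now):
        """Return 'replay', 'stale' or 'accept'; raw_packet is the on-the-wire
        SPA payload, timestamp the client clock recovered from the plaintext."""
        digest = hashlib.md5(raw_packet).hexdigest()  # MD5, as the daemon uses
        if digest in self.seen:
            return "replay"
        self.seen.add(digest)  # every successfully decrypted packet is recorded
        if self.persist:
            with open(self.cache_path, "a") as fh:
                fh.write(digest + "\n")
        if self.aging and abs(now - timestamp) > self.max_age:
            return "stale"
        return "accept"


def run_demo():
    """Constructed scenario: a valid packet, its replay, the same replay after
    a restart, a held-back packet with aging on, and the same with aging off."""
    now = 1_000_000  # constructed server clock (epoch seconds)
    pkt1 = b"constructed SPA ciphertext #1"
    pkt2 = b"constructed SPA ciphertext #2, held back by an inline attacker"
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "digest.cache")
        daemon = SpaReplayFilter(cache)
        verdicts = [daemon.check(pkt1, now - 5, now),
                    daemon.check(pkt1, now - 5, now + 1)]
        restarted = SpaReplayFilter(cache)  # new process, same cache file
        verdicts.append(restarted.check(pkt1, now - 5, now + 2))
        verdicts.append(restarted.check(pkt2, now - 300, now))
        no_aging = SpaReplayFilter(cache, persist=False, aging=False)
        verdicts.append(no_aging.check(pkt2, now - 300, now))  # honored: the gap
    return verdicts  # ['accept', 'replay', 'replay', 'stale', 'accept']
```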
REQUIRE_SOURCE_ADDRESS
The REQUIRE_SOURCE_ADDRESS variable tells the fwknop server to require that all SPA packets contain the IP address within the encrypted payload that is to be granted access through iptables. With this feature enabled, the 0.0.0.0 wildcard IP address placed within an SPA packet with the -s argument on the fwknop client command line will