
Linux Firewalls - Michael Rash [146]

mbr forces the remote username that runs the fwknop client to be mbr. In this case, the fwknop daemon is configured to accept an SPA packet that has been symmetrically encrypted with Rijndael (KEY: mypassword) or asymmetrically encrypted (GPG_DECRYPT_PW: gpgdecryptpassword) with a GnuPG key (usually with the Elgamal cipher). For SPA packets that are encrypted with GnuPG, the fwknop daemon requires that the ID of the remote signing key is 5678DEFG, and the ID of the local decryption key is ABCD1234--see the GPG_REMOTE_ID and GPG_DECRYPT_ID variables, respectively.

* * *

[2] A detailed explanation of the IPT_AUTO_CHAIN{n} variables can be found in "Configuration Variables" on page 135. The IPT_AUTO_CHAIN{n} variables provide an interface to the IPTables::ChainMgr module, and this interface is used in both psad and fwknop.

[3] This attack was called to my attention by Sebastien Jeanquier, and the result was the ENABLE_SPA_PACKET_AGING feature (first available in the 0.9.9 release) to implement the time window in which an SPA packet would be accepted by the fwknop server.

[4] fwknop can acquire secret key information from gpg-agent.

fwknop SPA Packet Format

Every SPA packet is constructed according to a well-defined set of rules. These rules allow the fwknop server to be confident about the type of access that is being requested through the iptables firewall and who is requesting it. After accepting user input from the fwknop client command line (see "SPA via Symmetric Encryption" on page 244 and "SPA via Asymmetric Encryption" on page 246), each SPA packet contains the following:

Random data (16 bytes)

This provides enough random information to ensure that every SPA packet fwknop generates is unique—at least, the packets are unique to the degree of randomness that the Perl function rand() is able to conjure with each invocation. (For Perl versions 5.004 and later, the srand() function is called implicitly at the first utilization of the rand() function.)

Username

This is the name of the user that is executing the fwknop command, as returned by getlogin()—or getpwuid() if getlogin() fails. The fwknop server uses this username to determine whether the remote user is authorized to gain access to a service or run a command. (Note that by the time the fwknop server sees the username, the SPA packet has been successfully decrypted, which implies that the SPA packet has been authenticated and the process of verifying authorization can begin.)

Timestamp

This is the timestamp on the local system. The fwknop server uses this value to determine whether the SPA packet falls within the timed access window defined by the MAX_SPA_PACKET_AGE variable.

Software version

This is the version of the fwknop client:

[mbr@spaclient ~]$ fwknop --Version
[+] fwknop v1.8.1 (file revision: 694)
    by Michael Rash

For example, the software version field in this case would contain the value 1.0. The fwknop server uses this information to maintain backward compatibility with older clients if the SPA packet format changes.

Mode

This tells the fwknop server whether or not the SPA client wishes to run a command. The default value is 1 for access mode; command mode is denoted by 0.

Access directive

This string tells the fwknop server which type of traffic the client wishes to have accepted by the iptables firewall when the policy is modified. The fwknop server parses this string for ports and protocols to instruct iptables to accept, and the policy is reconfigured accordingly. For example, if the client wishes to access both TCP port 22 and UDP port 1194 (which is used by OpenVPN), the string would be client IP,tcp/22,udp/1194. The fwknop server controls whether or not users can request to open specific ports. If only certain ports are allowed to be opened, they must be defined within the access.conf file. (For more information, see "OPEN_PORTS" and "PERMIT_CLIENT_PORTS" on page 238.)

Command string

This string is a full command that the fwknop client would like to execute on the
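As an added example (not code from the book or from fwknop itself), the following Python assembles the plaintext fields listed above and applies the server-side checks the text describes: the MAX_SPA_PACKET_AGE window, the access directive against an OPEN_PORTS-style allow list, and a replay cache in the spirit of ENABLE_SPA_PACKET_AGING. The ':' separator, the hex encoding of the 16 random bytes and the helper names are assumptions made here, not fwknop's actual wire format.

```python
import hashlib
import os
import re
import time

# Field order follows the list above; the ':' separator and hex-encoded random bytes are assumed.
SEP = ":"
MAX_SPA_PACKET_AGE = 120                       # seconds; the timed access window
ALLOWED_PORTS = {("tcp", 22), ("udp", 1194)}   # stands in for OPEN_PORTS in access.conf
_DIRECTIVE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})((?:,(?:tcp|udp)/\d{1,5})+)$")

def build_spa_plaintext(username, access, version="1.0", mode=1, command="", now=None):
    """Assemble the plaintext a client would hand to Rijndael or GnuPG."""
    rand = os.urandom(16).hex()                # 16 random bytes make every packet unique
    ts = int(time.time() if now is None else now)
    fields = [rand, username, str(ts), version, str(mode), access]
    if mode == 0:                              # command mode also carries the command string
        fields.append(command)
    return SEP.join(fields)

def parse_access_directive(directive):
    """'1.2.3.4,tcp/22,udp/1194' -> ('1.2.3.4', [('tcp', 22), ('udp', 1194)]) or None."""
    m = _DIRECTIVE.match(directive)
    if not m:
        return None
    ports = [(p.split("/")[0], int(p.split("/")[1])) for p in m.group(2)[1:].split(",")]
    return m.group(1), ports

def validate_spa_plaintext(plaintext, seen, now=None):
    """Server-side checks after decryption; `seen` holds digests of accepted packets."""
    now = int(time.time() if now is None else now)
    f = plaintext.split(SEP, 6)                # at most 7 fields; a ':' in the command survives
    if len(f) not in (6, 7) or len(f[0]) != 32:
        return False, "bad field count or random field"
    if not (f[2].isdigit() and f[4] in ("0", "1")):
        return False, "bad timestamp or mode"
    ts, mode = int(f[2]), int(f[4])
    if abs(now - ts) > MAX_SPA_PACKET_AGE:
        return False, "outside MAX_SPA_PACKET_AGE window"
    if (mode == 0) != (len(f) == 7):
        return False, "mode does not match presence of command string"
    parsed = parse_access_directive(f[5])
    if parsed is None:
        return False, "malformed access directive"
    if mode == 1 and not set(parsed[1]) <= ALLOWED_PORTS:
        return False, "requested port not permitted"
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    if digest in seen:                         # same packet presented again inside the window
        return False, "replayed packet"
    seen.add(digest)
    return True, "ok"
```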
