- ==== 42_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] complete cycle (tcp/22 ssh)
- Thu Mar 1 08:42:52 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (7392) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/default_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 0)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '+Di94RpHfcCSCFS2W7nifULBm+d+Ix6BK1svd8Us56B4r3a3eaP+jVIdbK15Q9Qs/q1yy/zx3dcoy08+NUgtu4rJNpl5A00oggUa+fA5C1P8wEyoNS7OxPeAWMV56KZh2iwpsnIevl7+HOroPUAA85aM/abqoer5I'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1594849460569645
- Username: root
- Timestamp: 1330587774
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1594849460569645:cm9vdA:1330587774:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: XY/G/K33jvAG10SzNg2y5JuFDSwEjtj5k/3wcewpZ0U
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587777 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587777
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 42_fwknopd.test ====
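The SPA field dump in the test above exposes the libfko wire format that fwknopd decodes: a 16-digit random value, the base64 username with its '=' padding stripped (cm9vdA is "root"), the epoch timestamp, the FKO version, the message type (1 is an access request) and the base64 message ("127.0.0.2,tcp/22"), joined with colons; the "SPA Data Digest" is computed over that encoded string, and "Digest Type: 3" is SHA-256. The following Python is an added example, not fwknop or libfko code: it parses the logged Encoded Data, decodes the fields, recomputes the digest, and applies the two server-side checks whose settings appear in the config dump, MAX_SPA_PACKET_AGE (120 seconds) and a digest cache for replay detection (ENABLE_DIGEST_PERSISTENCE / run/digest.cache). Assumptions: that the digest is SHA-256 over exactly the Encoded Data string, base64-encoded without padding (as in libfko's fko_set_spa_digest), and that a cache keyed on that digest approximates what fwknopd stores in digest.cache. The second packet in the block is constructed, not from the log.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Digest Type codes as libfko numbers them (FKO_DIGEST_MD5=1, SHA1=2, SHA256=3)
DIGEST_ALGOS = {1: hashlib.md5, 2: hashlib.sha1, 3: hashlib.sha256}

# Values copied from the 42_fwknopd.test output above
PAGE_ENCODED = "1594849460569645:cm9vdA:1330587774:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg"
PAGE_DIGEST = "XY/G/K33jvAG10SzNg2y5JuFDSwEjtj5k/3wcewpZ0U"


def b64_encode_nopad(data: bytes) -> str:
    """libfko strips the '=' padding from every base64 field."""
    return base64.b64encode(data).decode("ascii").rstrip("=")


def b64_decode_nopad(text: str) -> str:
    """Restore the stripped padding before decoding."""
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")


@dataclass
class SpaFields:
    rand_val: str
    username: str
    timestamp: int
    version: str
    msg_type: int
    message: str
    # nat_access / server_auth / client_timeout fields, only present when set
    extra: List[str] = field(default_factory=list)


def parse_encoded(encoded: str) -> SpaFields:
    """Split the colon-joined string fwknopd logs as 'Encoded Data'."""
    parts = encoded.split(":")
    if len(parts) < 6:
        raise ValueError("need at least 6 fields, got %d" % len(parts))
    rand_val, user_b64, ts, version, msg_type, msg_b64 = parts[:6]
    if not (len(rand_val) == 16 and rand_val.isdigit()):
        raise ValueError("random value must be 16 decimal digits")
    return SpaFields(rand_val, b64_decode_nopad(user_b64), int(ts), version,
                     int(msg_type), b64_decode_nopad(msg_b64), parts[6:])


def build_encoded(rand_val, username, timestamp, message, version="1.9.12", msg_type=1) -> str:
    """Inverse of parse_encoded, used here to construct test packets."""
    return ":".join([rand_val, b64_encode_nopad(username.encode()), str(timestamp),
                     version, str(msg_type), b64_encode_nopad(message.encode())])


def compute_digest(encoded: str, digest_type: int = 3) -> str:
    """Digest over the encoded string, base64 without padding (assumed to match libfko)."""
    return b64_encode_nopad(DIGEST_ALGOS[digest_type](encoded.encode()).digest())


def parse_access_msg(message: str) -> Tuple[str, str, int]:
    """'127.0.0.2,tcp/22' -> ('127.0.0.2', 'tcp', 22)"""
    allow_ip, proto_port = message.split(",", 1)
    proto, port = proto_port.split("/", 1)
    return allow_ip, proto, int(port)


def validate_spa(encoded: str, digest: str, now: int, digest_cache: Set[str],
                 max_age: int = 120) -> Tuple[bool, str]:
    """Integrity, then age (MAX_SPA_PACKET_AGE), then replay.
    fwknopd's own ordering of these checks is not visible in the log."""
    fields = parse_encoded(encoded)
    if compute_digest(encoded) != digest:
        return False, "digest mismatch"
    age = abs(now - fields.timestamp)
    if age > max_age:
        return False, "packet age %d s exceeds %d s" % (age, max_age)
    if digest in digest_cache:
        return False, "replay: digest already seen"
    digest_cache.add(digest)
    return True, "ok"


def demo():
    """Walk the page's packet and a constructed one through the checks."""
    page = parse_encoded(PAGE_ENCODED)
    results = {
        "page_fields": (page.username, page.timestamp, page.version, page.msg_type, page.message),
        "page_digest_matches": compute_digest(PAGE_ENCODED) == PAGE_DIGEST,
    }
    cache = set()
    # Constructed packet, same shape as the 51_fwknopd.test one (random value is made up)
    enc = build_encoded("1234567890123456", "testuser", 1330587818, "127.0.0.2,tcp/22")
    dig = compute_digest(enc)
    results["fresh"] = validate_spa(enc, dig, now=1330587820, digest_cache=cache)
    results["replayed"] = validate_spa(enc, dig, now=1330587820, digest_cache=cache)
    results["stale"] = validate_spa(enc, dig, now=1330587818 + 121, digest_cache=set())
    results["tampered"] = validate_spa(enc, "A" * 43, now=1330587820, digest_cache=set())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two things the log alone does not make obvious and the script makes explicit: the age check is symmetric (a timestamp too far in the future is rejected as well as one too far in the past), and once a digest has been accepted the identical packet is refused for the rest of the cache's lifetime, which is why the "entry count" on the digest cache grows from one test to the next even though each test sends a packet for the same user and port.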
- ==== 48_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] future expired stanza (tcp/22 ssh)
- Thu Mar 1 08:43:21 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/future_expired_stanza_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (7654) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/future_expired_stanza_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: Wed Mar 10 00:00:00 2500
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 3)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '/S0ueq/iqj0KdCr6I/wYmSGsJmacbZ1WnvoXhtKVgxJ6ObH/pkjUKC0eBDRZlcZ92+93Q2YJzJw0YRZPq4eUtRFd0yDZydvYi2yum6Ez72PP8IkdnBCwSBkVPdVkI214le8aY+Tg9JfW8Kj6hv+W8xJf5qXQRddhg'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1826456026134468
- Username: root
- Timestamp: 1330587803
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1826456026134468:cm9vdA:1330587803:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: xP2SrrHCZGtIm4B/SoTKUzXSM48BqoI/0khDyOnKB5A
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587806 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587806
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 48_fwknopd.test ====
- ==== 49_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] OPEN_PORTS (tcp/22 ssh)
- Thu Mar 1 08:43:26 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/open_ports_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (7704) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/open_ports_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: udp/6001, tcp/22, tcp/80
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 4)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '9W3wqMjo/5QPGArHttsWvuouA6OgPX6a+JWo9Scb4BpyP2XHKm7wsTIA/9NyPb46k4pdyA7BsImufOhNvu4zlkZHn9wlj2A8j+Cnbb7CgrXnTZF7UCjjHWr975K6a4KdaJiAk5CiZ1zgzbfM+SaquUYmesjHDlt1E'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1849586590101971
- Username: root
- Timestamp: 1330587808
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1849586590101971:cm9vdA:1330587808:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: /91RhB85JRbeqnHxTGKotlqZ6CNXuAh5baaLK+wZ9yw
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587811 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587811
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 49_fwknopd.test ====
- ==== 51_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] require user (tcp/22 ssh)
- Thu Mar 1 08:43:36 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/require_user_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (7800) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/require_user_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: testuser
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 6)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '9kTNkoPdxVUhDXMlfWdPdqplLkzMnCJouIUQnDTDzwvOr+GgIoyrNCBEGuq8jl1j1KOjX4Q5hQnCECXnEvlwZs9+EI88VKRGXvNp1dXm7MNAYumVtmlqlsYThZhZGmlkttp2nF/XseBebGfn/TmhhixXnVctMYxgmWhh0dxuQu3TYBqaxg5KEO'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1339416390673350
- Username: testuser
- Timestamp: 1330587818
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1339416390673350:dGVzdHVzZXI:1330587818:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: vN9eWq+n5+OxCrWgeGluefcpSr2Gw1+idw+Nlkr8Cho
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587821 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587821
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 51_fwknopd.test ====
- ==== 53_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] require src (tcp/22 ssh)
- Thu Mar 1 08:43:46 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/require_src_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (7896) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/require_src_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: udp/6001, tcp/22, tcp/80
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: Yes
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 8)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '8qHD8V6tkc/1BoHeSAxr4JsQtxR3r0kZhi0OvYJWLqGhGODgnPrHJARYIQFfOnck2IU0sKS3AfLYBJ7B6ps/Kcii+wvAMfukYwYdf/ODZM9Vd8mh3/V4xybzGOzptMCsGO9FFDdEiYrN66dVQHdS3gkqsXlccJC3k'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1168796338156489
- Username: root
- Timestamp: 1330587828
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1168796338156489:cm9vdA:1330587828:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: QAkwt9DmpSgi3ix5nil3uhTyBqI02ZbtOmiItn5bocY
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587831 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587831
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 53_fwknopd.test ====
- ==== 58_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] IP match (tcp/22 ssh)
- Thu Mar 1 08:44:11 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/ip_source_match_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (8130) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/ip_source_match_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 127.0.0.1
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 10)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '+Q7Olpgnjyn9H+H4fQGs9M7FdcBZTI9gQFALI07YEWtzln/8WQYwaYRL+KJNwL+pJWexiPod2waBYKHSJqE2fvahXLfOpQA4ZcTL9kGEGDwF+SdaqD/W0J0hSqd7i8t9v1tLwgJgWCZXDciNSietq9dLDklvpwRvc'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 7501374906630001
- Username: root
- Timestamp: 1330587853
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 7501374906630001:cm9vdA:1330587853:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: 0EC4TCB35KZtVmGHvVC7J4d+y8X+bpiCWpZE9a6UHrc
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587857 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587857
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 58_fwknopd.test ====
- ==== 59_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] subnet match (tcp/22 ssh)
- Thu Mar 1 08:44:17 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/subnet_source_match_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (8180) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/subnet_source_match_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 127.0.0.0/24
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 11)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '9fSEkmQ2UuwD8MuPjU+HS0X38fllIk146nn9tvjJtRiFyHI/1V76skxSgCCvNuW/DT0qMEsHcWJg16a592U5rs/4n5BhqkSp6aihfcWW1N7YzBNn3W5Wk1s6A2VvoHUZqmPz+j840GgDM34F5XK231sqob0os7Ics'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1079773555551209
- Username: root
- Timestamp: 1330587859
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1079773555551209:cm9vdA:1330587859:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: XCKgm9pyDAbDg3grd6KgMqiDu/U2jR7aAA8yONbWwT0
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587862 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587862
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 59_fwknopd.test ====
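Every rule fwknopd adds in these runs carries an iptables comment of the form `_exp_<unix time>` (in the run above, `_exp_1330587862`, three seconds after the packet was accepted because the stanza sets `FW_ACCESS_TIMEOUT: 3`); the daemon later walks the chain and deletes rules whose stamp has passed. The check below, an added example that is not part of the fwknop test suite or the log, parses `iptables -S` output for such rules and builds the matching `-D` commands, which is a useful audit for leftover ACCEPT rules after a crash or an unclean shutdown. The sample rule listing is constructed (iptables prints `-p tcp`, where the log shows fwknopd passing `-p 6`); the `<=` expiry comparison and the `/sbin/iptables` path are assumptions.

```python
"""Find and expire fwknopd-style timed ACCEPT rules from `iptables -S` output."""
import re
import shlex
import time

# Constructed `iptables -S FWKNOP_INPUT` output mirroring the rule fwknopd appended
# in the log above; not captured from a real system.
SAMPLE_RULES = """\
-N FWKNOP_INPUT
-A FWKNOP_INPUT -s 127.0.0.2/32 -p tcp -m tcp --dport 22 -m comment --comment _exp_1330587862 -j ACCEPT
-A FWKNOP_INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 22 -m comment --comment _exp_1330587999 -j ACCEPT
-A FWKNOP_INPUT -s 4.3.2.1/32 -p udp -m udp --dport 6001 -j ACCEPT
"""

_EXP_RE = re.compile(r"^_exp_(\d+)$")


def parse_timed_rules(rules_text):
    """Return (chain, rule_spec, expiry) for every -A rule carrying an _exp_ comment.

    rule_spec is the rule minus '-A <chain>', ready to feed back to '-D <chain>'.
    Rules without an _exp_ comment are skipped: only the timed ones belong to fwknopd.
    """
    out = []
    for line in rules_text.splitlines():
        parts = shlex.split(line)
        if len(parts) < 2 or parts[0] != "-A":
            continue
        chain = parts[1]
        expiry = None
        for i, tok in enumerate(parts):
            if tok == "--comment" and i + 1 < len(parts):
                m = _EXP_RE.match(parts[i + 1])
                if m:
                    expiry = int(m.group(1))
        if expiry is not None:
            out.append((chain, parts[2:], expiry))
    return out


def expired_rules(rules_text, now):
    """Rules whose expiry stamp is at or before `now` (assumed to match fwknopd's test)."""
    return [r for r in parse_timed_rules(rules_text) if r[2] <= now]


def delete_commands(rules_text, now, iptables="/sbin/iptables", table="filter"):
    """Build the iptables -D argv for every expired rule (path/table are assumptions)."""
    cmds = []
    for chain, spec, _exp in expired_rules(rules_text, now):
        cmds.append([iptables, "-t", table, "-D", chain] + spec)
    return cmds


if __name__ == "__main__":
    # Replace SAMPLE_RULES with the real output of `iptables -S FWKNOP_INPUT`.
    for cmd in delete_commands(SAMPLE_RULES, int(time.time())):
        print(shlex.join(cmd))
```

Feeding the `-S` output of a live chain through `delete_commands()` with the current time tells you whether anything is still open past its stamp; a non-empty result while fwknopd is running means the expiry sweep is not happening.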
- ==== 60_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] multi IP/net match (tcp/22 ssh)
- Thu Mar 1 08:44:22 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/multi_source_match_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9254) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/multi_source_match_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 12)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '9FPvqNnu4HvMRGvtMVycVt+BQxixw6Q+BOqdxPTbWJnAmYz/QHgHOxw9X/+ZaU52NG3ZQeE9VbAswY3TLU2VqbHzpyqRUS0y233L8TzOrELaXehwr2sN/rj1scCh7GG9ubbwliIy0tTltiUOeUOE/G5+LhYgDl2bo'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 8553414479018286
- Username: root
- Timestamp: 1330587864
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 8553414479018286:cm9vdA:1330587864:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: 1GTZdWzoNOPWuw+nD7T+leBCO+8/KgDh5RONHFpnIt8
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587867 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587867
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 60_fwknopd.test ====
- ==== 61_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] multi access stanzas (tcp/22 ssh)
- Thu Mar 1 08:44:27 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/multi_stanzas_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9304) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/multi_stanzas_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 4.3.2.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (2): 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (3): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (4): 4.3.2.0/24, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 13)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #3) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '8byEJeLH0PtA3KFpj+jE7YRuz0zD8nj56PujTHSLP1YTlvmP3182X1U8VFZrgQhtx2Vlnh0moStWjBAJnxU8Uh/ABJznxZDun97TU0VwYtv6lbkA6PwA93u6PCDAjmDN4azfQS1TmIUfIRvJCULktG1TBMji9HbBU'
- (stanza #3) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 6036029291678890
- Username: root
- Timestamp: 1330587869
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 6036029291678890:cm9vdA:1330587869:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: r2+RNw1xutjwNxIY8wJ3LW1eH1PUaMuTPWxb/HAbBgI
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587872 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587872
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 61_fwknopd.test ====
- ==== 62_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] bad/good key stanzas (tcp/22 ssh)
- Thu Mar 1 08:44:32 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/multi_stanzas_with_broken_keys.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9354) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/multi_stanzas_with_broken_keys.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 4.3.2.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (2): 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (3): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (4): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- SOURCE (5): 4.3.2.0/24, 10.10.10.10
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 14)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #3) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '/dtBbrqTJFz3w83dtGvA2QY4+xyXtFzC9ddjs2uh3cAV77Ag1dw7jWk3Y1F7QzqQQLurXIjddHygpolIw4Kl6Xlkadmn/sJBBftkMc4+oqdaRDggbhdv/cZVNO3oozlch2PbXBj3hrAnb6CXHAIolsDKvMGH0gXGc'
- (stanza #3) Error creating fko context: Decryption failed or decrypted data is invalid
- (stanza #4) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '/dtBbrqTJFz3w83dtGvA2QY4+xyXtFzC9ddjs2uh3cAV77Ag1dw7jWk3Y1F7QzqQQLurXIjddHygpolIw4Kl6Xlkadmn/sJBBftkMc4+oqdaRDggbhdv/cZVNO3oozlch2PbXBj3hrAnb6CXHAIolsDKvMGH0gXGc'
- (stanza #4) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 2136587307201522
- Username: root
- Timestamp: 1330587874
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 2136587307201522:cm9vdA:1330587874:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: Z1aLe+AjEWQ/J4sQ1ToMlnDCvWhra/JBaC6faVKK02I
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587877 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587877
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 62_fwknopd.test ====
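Tests 61 and 62 show how fwknopd picks the access stanzas to try: the packet from 127.0.0.1 is only reported against stanzas whose SOURCE list covers it, in file order, and in test 62 stanza #3 fails to decrypt before stanza #4 succeeds, so a wrong key in an earlier matching stanza does not reject the packet. The code below is an added illustration of that selection logic, written for this page rather than taken from fwknopd; the stanza lists are copied from the two "Current fwknopd access settings" dumps above, and the key check is a stand-in set rather than real Rijndael decryption.

```python
"""Reproduce fwknopd's SOURCE matching: which access stanzas a SPA packet's
source address is checked against, and in what order."""
import ipaddress

# SOURCE values from the access settings dumps in tests 61 and 62 above.
MULTI_STANZAS = [
    "4.3.2.0/24, 23.43.0.0/16, 10.10.10.10",
    "23.43.0.0/16, 10.10.10.10",
    "4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10",
    "4.3.2.0/24, 10.10.10.10",
]
BROKEN_KEY_STANZAS = [
    "4.3.2.0/24, 23.43.0.0/16, 10.10.10.10",
    "23.43.0.0/16, 10.10.10.10",
    "4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10",
    "4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10",
    "4.3.2.0/24, 10.10.10.10",
]


def parse_source(source):
    """Turn one SOURCE value into networks; 'ANY' (test 65) covers every address."""
    if source.strip().upper() == "ANY":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(tok.strip(), strict=False) for tok in source.split(",")]


def matching_stanzas(stanzas, src_ip):
    """1-based numbers of the stanzas whose SOURCE covers src_ip, in file order."""
    ip = ipaddress.ip_address(src_ip)
    return [i for i, s in enumerate(stanzas, 1) if any(ip in n for n in parse_source(s))]


def simulate_server(stanzas, src_ip, good_stanzas):
    """Walk the matching stanzas the way the log shows fwknopd doing it.

    good_stanzas is the set of stanza numbers whose KEY decrypts the packet (a
    stand-in for the real decrypt). Returns (accepting stanza or None, stanzas
    that failed with 'Decryption failed' before it).
    """
    tried = []
    for n in matching_stanzas(stanzas, src_ip):
        if n in good_stanzas:
            return n, tried
        tried.append(n)
    return None, tried
```

The ordering is what matters operationally: with several overlapping stanzas, the first one whose key works wins, so a broad SOURCE placed early in access.conf is the one that ends up granting access.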
- ==== 64_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] NAT to 192.168.1.2 (tcp/22 ssh)
- Thu Mar 1 08:44:42 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/nat_fwknopd.conf -a conf/open_ports_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9462) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/nat_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/nat_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'Y'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/open_ports_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
- ==============================================================
- OPEN_PORTS: udp/6001, tcp/22, tcp/80
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 16)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_FORWARD 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I FORWARD 1 -j FWKNOP_FORWARD 2>&1' (res: 0, err: )
- Added jump rule from chain: FORWARD to chain: FWKNOP_FORWARD
- create_fw_chains() CMD: '/sbin/iptables -t nat -N FWKNOP_PREROUTING 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t nat -I PREROUTING 1 -j FWKNOP_PREROUTING 2>&1' (res: 0, err: )
- Added jump rule from chain: PREROUTING to chain: FWKNOP_PREROUTING
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '+v7+NcB//KsvrF+pnoIRUR2Vej2Vbh/NQ6REdOo1NVGT4COaqafhyFFRIvYnLSoRrmOHsApp0/hchwDwvzpn7zm0h3RwrZYT/O0DdJpmfIld4oK8RMkAxxGqqckQytCy7b4vdJ/RnK9pNS5dNjK1yM/R0Sa9X7U8F851EFdNp15EHqenD0sxUiUI+ln512AES1omOIRDDwpg'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 7492771951729498
- Username: root
- Timestamp: 1330587884
- FKO Version: 1.9.12
- Message Type: 2
- Message String: 127.0.0.2,tcp/22
- Nat Access: 192.168.1.2,22
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 7492771951729498:cm9vdA:1330587884:1.9.12:2:MTI3LjAuMC4yLHRjcC8yMg:MTkyLjE2OC4xLjIsMjI
- SPA Data Digest: 4Szu8WhXryQx9kEZjmBhjo1Hbha7XIbcYwOg4UwSg44
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_FORWARD -p 6 -s 127.0.0.2 -d 192.168.1.2 --dport 22 -m comment --comment _exp_1330587887 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added FORWARD Rule to FWKNOP_FORWARD for 127.0.0.2, tcp/22 expires at 1330587887
- process_spa_request() CMD: '/sbin/iptables -t nat -A FWKNOP_PREROUTING -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587887 -j DNAT --to-destination 192.168.1.2:22 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added DNAT Rule to FWKNOP_PREROUTING for 127.0.0.2, tcp/22 expires at 1330587887
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- delete_all_chains() CMD: '/sbin/iptables -t filter -D FORWARD 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: )
- delete_all_chains() CMD: '/sbin/iptables -t nat -D PREROUTING 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- [.] find_find_regex() Did not match any regex in: '(?i-xsm:to\:192.168.1.2\:22)'
- ==== END 64_fwknopd.test ====
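The "Encoded Data" lines in these runs are the decrypted SPA message before the digest is applied: colon-separated fields with the username and the access string base64-encoded without padding, and a seventh field for the NAT target when the message type is 2 (test 64 above). The parser below is an added example, not libfko code; it decodes both the plain access message from test 59 and the NAT message from test 64, extracts the allow-IP/protocol/port fwknopd turns into a rule, applies the MAX_SPA_PACKET_AGE check, and recomputes a digest over the encoded string. The digest construction (base64 of the hash over the encoded string, padding stripped, type 3 meaning SHA-256) is stated as an assumption about libfko and is not checked here against the logged "SPA Data Digest" values.

```python
"""Parse the 'Encoded Data' form of an fwknop SPA message and recompute its digest."""
import base64
import hashlib

# Encoded Data strings copied from the log above (tests 59 and 64).
SSH_ACCESS = "1079773555551209:cm9vdA:1330587859:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg"
NAT_ACCESS = "7492771951729498:cm9vdA:1330587884:1.9.12:2:MTI3LjAuMC4yLHRjcC8yMg:MTkyLjE2OC4xLjIsMjI"

MESSAGE_TYPES = {1: "access", 2: "nat_access"}  # the two types that appear in this log


def b64decode_nopad(s):
    """The fields carry no '=' padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode()


def b64encode_nopad(raw):
    return base64.b64encode(raw).decode().rstrip("=")


def parse_encoded(encoded):
    """Split the encoded string into the fields fwknopd prints under 'SPA Field Values'."""
    fields = encoded.split(":")
    if len(fields) < 6:
        raise ValueError("too few fields for an SPA message")
    msg = {
        "random": fields[0],
        "username": b64decode_nopad(fields[1]),
        "timestamp": int(fields[2]),
        "version": fields[3],
        "message_type": int(fields[4]),
        "message": b64decode_nopad(fields[5]),
    }
    if msg["message_type"] == 2:
        if len(fields) < 7:
            raise ValueError("NAT access message without a NAT field")
        msg["nat_access"] = b64decode_nopad(fields[6])
    return msg


def access_request(msg):
    """Split '127.0.0.2,tcp/22' into the allow-IP, protocol and port the rule uses."""
    allow_ip, protoport = msg["message"].split(",", 1)
    proto, port = protoport.split("/", 1)
    return allow_ip, proto, int(port)


def spa_digest(encoded, digest_type=3):
    """Base64 (no padding) of the hash over the encoded string.

    Assumption, not verified against libfko here: digest type 3 is SHA-256.
    """
    algo = {1: hashlib.md5, 2: hashlib.sha1, 3: hashlib.sha256}[digest_type]
    return b64encode_nopad(algo(encoded.encode()).digest())


def is_stale(msg, now, max_age=120):
    """MAX_SPA_PACKET_AGE check from the config dumps: too old or too far ahead is rejected."""
    return abs(now - msg["timestamp"]) > max_age
```

To check the digest assumption against a real run, compare `spa_digest(SSH_ACCESS)` with the "SPA Data Digest" line printed for the same packet; the length should be 43 characters either way, since a 32-byte hash base64-encodes to 44 characters with one padding byte stripped.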
- ==== 65_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] force NAT 192.168.1.123 (tcp/22 ssh)
- Thu Mar 1 08:44:47 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/nat_fwknopd.conf -a conf/force_nat_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9560) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/nat_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/nat_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'Y'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/force_nat_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 17)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_FORWARD 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I FORWARD 1 -j FWKNOP_FORWARD 2>&1' (res: 0, err: )
- Added jump rule from chain: FORWARD to chain: FWKNOP_FORWARD
- create_fw_chains() CMD: '/sbin/iptables -t nat -N FWKNOP_PREROUTING 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t nat -I PREROUTING 1 -j FWKNOP_PREROUTING 2>&1' (res: 0, err: )
- Added jump rule from chain: PREROUTING to chain: FWKNOP_PREROUTING
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '+ig9uGdNfkN6NXx44PKi/P8QYRBRe7bBVMEGriZVP6aAksUe08ezgs9hD4eR2CWOk3eLiLRii05CNbG3uTixi8GSk3avP2Djf7MhodRMPeC81gwfkyO28udmm8GsU85Q98BciqqDHOGWd2+hmMOA442BaLsi8Csho'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1627115048258174
- Username: root
- Timestamp: 1330587889
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1627115048258174:cm9vdA:1330587889:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: +QyBBrMkCcVdycoyJbAYjox0qO1uoDECFzSJVbA53mk
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_FORWARD -p 6 -s 127.0.0.2 -d 192.168.1.123 --dport 22 -m comment --comment _exp_1330587892 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added FORWARD Rule to FWKNOP_FORWARD for 127.0.0.2, tcp/22 expires at 1330587892
- process_spa_request() CMD: '/sbin/iptables -t nat -A FWKNOP_PREROUTING -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587892 -j DNAT --to-destination 192.168.1.123:22 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added DNAT Rule to FWKNOP_PREROUTING for 127.0.0.2, tcp/22 expires at 1330587892
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- delete_all_chains() CMD: '/sbin/iptables -t filter -D FORWARD 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: )
- delete_all_chains() CMD: '/sbin/iptables -t nat -D PREROUTING 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- [.] find_find_regex() Did not match any regex in: '(?i-xsm:to\:192.168.1.123\:22)'
- [.] find_find_regex() Did not match any regex in: '(?i-xsm:to\:192.168.1.2\:22)'
- ==== END 65_fwknopd.test ====
- ==== 66_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] complete cycle (tcp/23 telnet)
- Thu Mar 1 08:44:52 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9658) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/default_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 18)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '8UWRNpo/1aJw4Vrt/aRQ1fgsXKFQkn603Stegs/QA88a7+igqQk/23ve2HZwSntOoGI9ZAIDN8uCfe8SWbga9lCE6eOFLUdeeIkogtQFKF8lc4ZydNGVh5qAJqdy4eI3Aj0U8t/QX/kBS4dorhReQcoQZNa2jPdl4'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1716863939491698
- Username: root
- Timestamp: 1330587894
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/23
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1716863939491698:cm9vdA:1330587894:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMw
- SPA Data Digest: hRF+s1g1ngEA4usjENOshHLGBN4kkkyVsBiaqZ/QpIg
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 23 -m comment --comment _exp_1330587897 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/23 expires at 1330587897
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 66_fwknopd.test ====
- ==== 67_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] complete cycle (tcp/9418 git)
- Thu Mar 1 08:44:57 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9708) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/default_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 19)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '/+e6rqjdByeVeDPsOXpY254IoH/TtjqHZa6xCKwoSJ703S1IZpU0YeDEtWFKgUqbMCad57u6CLOUD49cXVTr6lzKX5Vqa09O5P5ze1kFQozEj8iI0qd7ryaN/Mx3wEKrWpKdQ6O5OyI+HgAeCyDB6ik0oZD/yEZP4'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 4765783826072911
- Username: root
- Timestamp: 1330587899
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/9418
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 4765783826072911:cm9vdA:1330587899:1.9.12:1:MTI3LjAuMC4yLHRjcC85NDE4
- SPA Data Digest: fNxbYtkb8Z5Y5Vm4SbvYV5T8fl7JxJMgFM2GPoHPPGM
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 9418 -m comment --comment _exp_1330587902 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/9418 expires at 1330587902
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 67_fwknopd.test ====
- ==== 68_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] complete cycle (udp/53 dns)
- Thu Mar 1 08:45:02 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
- [+] Writing my PID (9758) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 62201'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/default_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 20)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 62201
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '+BoUJw//nAJZfEOCxpvGgmWEDw44uu2HFEQ7XUn+I08Y48TQK5oFNHkLJ2r+EGONGNOLAiJyDv2D0JkgZk7UTAoVo1+EmjXgQQIOhrvxCJ0vEsYnJI4ky4584ieV94kuzhVBbWN8+MciFEJ5SIaVaxAZlr5+JMxxA'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 1963284536174694
- Username: root
- Timestamp: 1330587904
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,udp/53
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 1963284536174694:cm9vdA:1330587904:1.9.12:1:MTI3LjAuMC4yLHVkcC81Mw
- SPA Data Digest: yBHxhmlsaMHM0BZ+vwdtPSMeFzQs0nZN+fCI/8TnT7Y
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 17 -s 127.0.0.2 --dport 53 -m comment --comment _exp_1330587907 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, udp/53 expires at 1330587907
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 68_fwknopd.test ====
- ==== 69_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] -P bpf SPA over port 12345
- Thu Mar 1 08:45:07 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose -P "udp port 12345"
- [+] Writing my PID (9808) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp port 12345'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/default_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 21)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp port 12345
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '9AJutXux/nxGhoAI5ELhLZOHdELCvQP/K4CbR6biBY7yjfueLwfGUHsbEw8EbtI5ssvnSh0XO6Ump3EfepVZKgjQk4J4cvEVQQfWuXEeAnA3DcmUgu1j0rEQvKox6GCmbsbuF66+3VaVMVNxoR1hIqEHHENkvMzsM'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 8249035391736953
- Username: root
- Timestamp: 1330587909
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 8249035391736953:cm9vdA:1330587909:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: NtIrp+lIlv+wHdVAxvKqnAA0lN1xDykgPgZ4Jrq5oyE
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587912 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587912
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- [.] file_find_regex() Matched '(?-xism:PCAP\sfilter.*\s12345)' with line: PCAP filter is: udp port 12345
- ==== END 69_fwknopd.test ====
- ==== 70_fwknopd.test ====
- [+] TEST: [Rijndael SPA] [client+server] random SPA port (tcp/22 ssh)
- Thu Mar 1 08:45:12 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose -P "udp"
- [+] Writing my PID (9858) to the lock file: run/fwknopd.pid
- Starting fwknopd
- Current fwknopd config settings:
- 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
- 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
- 2. PCAP_INTF = 'lo'
- 3. ENABLE_PCAP_PROMISC = 'N'
- 4. PCAP_FILTER = 'udp'
- 5. PCAP_DISPATCH_COUNT = '0'
- 6. PCAP_LOOP_SLEEP = '10000'
- 7. MAX_SNIFF_BYTES = '1500'
- 8. ENABLE_SPA_PACKET_AGING = 'Y'
- 9. MAX_SPA_PACKET_AGE = '120'
- 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
- 11. CMD_EXEC_TIMEOUT = '<not set>'
- 12. ENABLE_SPA_OVER_HTTP = 'N'
- 13. ENABLE_TCP_SERVER = 'N'
- 14. TCPSERV_PORT = '62201'
- 15. LOCALE = '<not set>'
- 16. SYSLOG_IDENTITY = 'fwknopd'
- 17. SYSLOG_FACILITY = 'LOG_DAEMON'
- 18. ENABLE_IPT_FORWARDING = 'N'
- 19. ENABLE_IPT_LOCAL_NAT = 'Y'
- 20. ENABLE_IPT_SNAT = 'N'
- 21. SNAT_TRANSLATE_IP = '<not set>'
- 22. ENABLE_IPT_OUTPUT = 'N'
- 23. FLUSH_IPT_AT_INIT = 'Y'
- 24. FLUSH_IPT_AT_EXIT = 'Y'
- 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
- 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
- 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
- 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
- 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
- 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
- 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
- 33. ACCESS_FILE = 'conf/default_access.conf'
- 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
- 35. DIGEST_FILE = 'run/digest.cache'
- 36. GPG_HOME_DIR = '/root/.gnupg'
- 37. FIREWALL_EXE = '/sbin/iptables'
- Current fwknopd access settings:
- SOURCE (1): ANY
- ==============================================================
- OPEN_PORTS: <not set>
- RESTRICT_PORTS: <not set>
- KEY: <see the access.conf file>
- FW_ACCESS_TIMEOUT: 3
- ENABLE_CMD_EXEC: No
- CMD_EXEC_USER: <not set>
- REQUIRE_USERNAME: <not set>
- REQUIRE_SOURCE_ADDRESS: No
- ACCESS_EXPIRE: <not set>
- GPG_HOME_DIR: <not set>
- GPG_DECRYPT_ID: <not set>
- GPG_DECRYPT_PW: <see the access.conf file>
- GPG_REQUIRE_SIG: No
- GPG_IGNORE_SIG_VERIFY_ERROR: No
- GPG_REMOTE_ID: <not set>
- Using Digest Cache: 'run/digest.cache' (entry count = 22)
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
- iptables: No chain/target/match by that name.
- )
- create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
- add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
- Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
- PCAP filter is: udp
- Starting fwknopd main event loop.
- (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
- SPA Packet: '+qyu//aHXeUk1OdDyZFkRBMLonqlrL1dJeN/0SFY+w4aHykIyN/m1hleVLFSsDK00KJHnPSswlGR/K9vfhF89fkl0u5/ahhRew5VDiFMmh8akPcK/o+GqtzSwTAjp3XZANuU5D0G+Z0+Rbrt9TG9Q9HfpkdA6KHYg'
- (stanza #1) SPA Decode (res=0):
- SPA Field Values:
- =================
- Random Value: 8771632541106221
- Username: root
- Timestamp: 1330587914
- FKO Version: 1.9.12
- Message Type: 1
- Message String: 127.0.0.2,tcp/22
- Nat Access: <NULL>
- Server Auth: <NULL>
- Client Timeout: 0
- Digest Type: 3
- Encoded Data: 8771632541106221:cm9vdA:1330587914:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
- SPA Data Digest: fdfz3f9VlwVpuHTLR3SHNxgxeRecjMO/5NEbLVPegqE
- process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587917 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
- )
- Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587917
- Gracefully leaving the fwknopd event loop.
- Got SIGTERM. Exiting...
- Shutting Down fwknopd.
- delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
- delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
- [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
- ==== END 70_fwknopd.test ====