a guest
Mar 1st, 2012
==== 42_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] complete cycle (tcp/22 ssh)
Thu Mar 1 08:42:52 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (7392) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/default_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 0)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '+Di94RpHfcCSCFS2W7nifULBm+d+Ix6BK1svd8Us56B4r3a3eaP+jVIdbK15Q9Qs/q1yy/zx3dcoy08+NUgtu4rJNpl5A00oggUa+fA5C1P8wEyoNS7OxPeAWMV56KZh2iwpsnIevl7+HOroPUAA85aM/abqoer5I'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1594849460569645
Username: root
Timestamp: 1330587774
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1594849460569645:cm9vdA:1330587774:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: XY/G/K33jvAG10SzNg2y5JuFDSwEjtj5k/3wcewpZ0U

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587777 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587777
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 42_fwknopd.test ====

==== 48_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] future expired stanza (tcp/22 ssh)
Thu Mar 1 08:43:21 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/future_expired_stanza_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (7654) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/future_expired_stanza_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: Wed Mar 10 00:00:00 2500
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 3)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '/S0ueq/iqj0KdCr6I/wYmSGsJmacbZ1WnvoXhtKVgxJ6ObH/pkjUKC0eBDRZlcZ92+93Q2YJzJw0YRZPq4eUtRFd0yDZydvYi2yum6Ez72PP8IkdnBCwSBkVPdVkI214le8aY+Tg9JfW8Kj6hv+W8xJf5qXQRddhg'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1826456026134468
Username: root
Timestamp: 1330587803
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1826456026134468:cm9vdA:1330587803:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: xP2SrrHCZGtIm4B/SoTKUzXSM48BqoI/0khDyOnKB5A

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587806 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587806
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 48_fwknopd.test ====

==== 49_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] OPEN_PORTS (tcp/22 ssh)
Thu Mar 1 08:43:26 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/open_ports_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (7704) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/open_ports_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
==============================================================
OPEN_PORTS: udp/6001, tcp/22, tcp/80
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 4)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '9W3wqMjo/5QPGArHttsWvuouA6OgPX6a+JWo9Scb4BpyP2XHKm7wsTIA/9NyPb46k4pdyA7BsImufOhNvu4zlkZHn9wlj2A8j+Cnbb7CgrXnTZF7UCjjHWr975K6a4KdaJiAk5CiZ1zgzbfM+SaquUYmesjHDlt1E'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1849586590101971
Username: root
Timestamp: 1330587808
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1849586590101971:cm9vdA:1330587808:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: /91RhB85JRbeqnHxTGKotlqZ6CNXuAh5baaLK+wZ9yw

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587811 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587811
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 49_fwknopd.test ====

==== 51_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] require user (tcp/22 ssh)
Thu Mar 1 08:43:36 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/require_user_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (7800) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/require_user_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: testuser
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 6)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '9kTNkoPdxVUhDXMlfWdPdqplLkzMnCJouIUQnDTDzwvOr+GgIoyrNCBEGuq8jl1j1KOjX4Q5hQnCECXnEvlwZs9+EI88VKRGXvNp1dXm7MNAYumVtmlqlsYThZhZGmlkttp2nF/XseBebGfn/TmhhixXnVctMYxgmWhh0dxuQu3TYBqaxg5KEO'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1339416390673350
Username: testuser
Timestamp: 1330587818
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1339416390673350:dGVzdHVzZXI:1330587818:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: vN9eWq+n5+OxCrWgeGluefcpSr2Gw1+idw+Nlkr8Cho

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587821 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587821
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 51_fwknopd.test ====

==== 53_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] require src (tcp/22 ssh)
Thu Mar 1 08:43:46 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/require_src_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (7896) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/require_src_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
==============================================================
OPEN_PORTS: udp/6001, tcp/22, tcp/80
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: Yes
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 8)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '8qHD8V6tkc/1BoHeSAxr4JsQtxR3r0kZhi0OvYJWLqGhGODgnPrHJARYIQFfOnck2IU0sKS3AfLYBJ7B6ps/Kcii+wvAMfukYwYdf/ODZM9Vd8mh3/V4xybzGOzptMCsGO9FFDdEiYrN66dVQHdS3gkqsXlccJC3k'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1168796338156489
Username: root
Timestamp: 1330587828
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1168796338156489:cm9vdA:1330587828:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: QAkwt9DmpSgi3ix5nil3uhTyBqI02ZbtOmiItn5bocY

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587831 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587831
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 53_fwknopd.test ====

==== 58_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] IP match (tcp/22 ssh)
Thu Mar 1 08:44:11 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/ip_source_match_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (8130) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/ip_source_match_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): 127.0.0.1
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 10)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '+Q7Olpgnjyn9H+H4fQGs9M7FdcBZTI9gQFALI07YEWtzln/8WQYwaYRL+KJNwL+pJWexiPod2waBYKHSJqE2fvahXLfOpQA4ZcTL9kGEGDwF+SdaqD/W0J0hSqd7i8t9v1tLwgJgWCZXDciNSietq9dLDklvpwRvc'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 7501374906630001
Username: root
Timestamp: 1330587853
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 7501374906630001:cm9vdA:1330587853:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: 0EC4TCB35KZtVmGHvVC7J4d+y8X+bpiCWpZE9a6UHrc

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587857 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587857
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 58_fwknopd.test ====

==== 59_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] subnet match (tcp/22 ssh)
Thu Mar 1 08:44:17 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/subnet_source_match_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (8180) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/subnet_source_match_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): 127.0.0.0/24
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
  699. REQUIRE_USERNAME: <not set>
  700. REQUIRE_SOURCE_ADDRESS: No
  701. ACCESS_EXPIRE: <not set>
  702. GPG_HOME_DIR: <not set>
  703. GPG_DECRYPT_ID: <not set>
  704. GPG_DECRYPT_PW: <see the access.conf file>
  705. GPG_REQUIRE_SIG: No
  706. GPG_IGNORE_SIG_VERIFY_ERROR: No
  707. GPG_REMOTE_ID: <not set>
  708.  
  709.  
  710. Using Digest Cache: 'run/digest.cache' (entry count = 11)
  711. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  712. iptables: No chain/target/match by that name.
  713. )
  714. create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
  715. add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
  716. Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
  717. PCAP filter is: udp port 62201
  718. Starting fwknopd main event loop.
  719. (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
  720. SPA Packet: '9fSEkmQ2UuwD8MuPjU+HS0X38fllIk146nn9tvjJtRiFyHI/1V76skxSgCCvNuW/DT0qMEsHcWJg16a592U5rs/4n5BhqkSp6aihfcWW1N7YzBNn3W5Wk1s6A2VvoHUZqmPz+j840GgDM34F5XK231sqob0os7Ics'
  721.  
  722. (stanza #1) SPA Decode (res=0):
  723. SPA Field Values:
  724. =================
  725. Random Value: 1079773555551209
  726. Username: root
  727. Timestamp: 1330587859
  728. FKO Version: 1.9.12
  729. Message Type: 1
  730. Message String: 127.0.0.2,tcp/22
  731. Nat Access: <NULL>
  732. Server Auth: <NULL>
  733. Client Timeout: 0
  734. Digest Type: 3
  735. Encoded Data: 1079773555551209:cm9vdA:1330587859:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
  736. SPA Data Digest: XCKgm9pyDAbDg3grd6KgMqiDu/U2jR7aAA8yONbWwT0
  737.  
  738. process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587862 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
  739. )
  740. Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587862
  741. Gracefully leaving the fwknopd event loop.
  742. Got SIGTERM. Exiting...
  743. Shutting Down fwknopd.
  744. delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
  745. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
  746. [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
  747.  
  748. ==== END 59_fwknopd.test ====
  749.  
  750. ==== 60_fwknopd.test ====
  751.  
  752. [+] TEST: [Rijndael SPA] [client+server] multi IP/net match (tcp/22 ssh)
  753. Thu Mar 1 08:44:22 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/multi_source_match_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
  754. [+] Writing my PID (9254) to the lock file: run/fwknopd.pid
  755.  
  756. Starting fwknopd
  757. Current fwknopd config settings:
  758. 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
  759. 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
  760. 2. PCAP_INTF = 'lo'
  761. 3. ENABLE_PCAP_PROMISC = 'N'
  762. 4. PCAP_FILTER = 'udp port 62201'
  763. 5. PCAP_DISPATCH_COUNT = '0'
  764. 6. PCAP_LOOP_SLEEP = '10000'
  765. 7. MAX_SNIFF_BYTES = '1500'
  766. 8. ENABLE_SPA_PACKET_AGING = 'Y'
  767. 9. MAX_SPA_PACKET_AGE = '120'
  768. 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
  769. 11. CMD_EXEC_TIMEOUT = '<not set>'
  770. 12. ENABLE_SPA_OVER_HTTP = 'N'
  771. 13. ENABLE_TCP_SERVER = 'N'
  772. 14. TCPSERV_PORT = '62201'
  773. 15. LOCALE = '<not set>'
  774. 16. SYSLOG_IDENTITY = 'fwknopd'
  775. 17. SYSLOG_FACILITY = 'LOG_DAEMON'
  776. 18. ENABLE_IPT_FORWARDING = 'N'
  777. 19. ENABLE_IPT_LOCAL_NAT = 'Y'
  778. 20. ENABLE_IPT_SNAT = 'N'
  779. 21. SNAT_TRANSLATE_IP = '<not set>'
  780. 22. ENABLE_IPT_OUTPUT = 'N'
  781. 23. FLUSH_IPT_AT_INIT = 'Y'
  782. 24. FLUSH_IPT_AT_EXIT = 'Y'
  783. 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
  784. 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
  785. 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
  786. 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
  787. 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  788. 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  789. 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
  790. 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
  791. 33. ACCESS_FILE = 'conf/multi_source_match_access.conf'
  792. 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
  793. 35. DIGEST_FILE = 'run/digest.cache'
  794. 36. GPG_HOME_DIR = '/root/.gnupg'
  795. 37. FIREWALL_EXE = '/sbin/iptables'
  796.  
  797. Current fwknopd access settings:
  798. SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
  799. ==============================================================
  800. OPEN_PORTS: <not set>
  801. RESTRICT_PORTS: <not set>
  802. KEY: <see the access.conf file>
  803. FW_ACCESS_TIMEOUT: 3
  804. ENABLE_CMD_EXEC: No
  805. CMD_EXEC_USER: <not set>
  806. REQUIRE_USERNAME: <not set>
  807. REQUIRE_SOURCE_ADDRESS: No
  808. ACCESS_EXPIRE: <not set>
  809. GPG_HOME_DIR: <not set>
  810. GPG_DECRYPT_ID: <not set>
  811. GPG_DECRYPT_PW: <see the access.conf file>
  812. GPG_REQUIRE_SIG: No
  813. GPG_IGNORE_SIG_VERIFY_ERROR: No
  814. GPG_REMOTE_ID: <not set>
  815.  
  816.  
  817. Using Digest Cache: 'run/digest.cache' (entry count = 12)
  818. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  819. iptables: No chain/target/match by that name.
  820. )
  821. create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
  822. add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
  823. Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
  824. PCAP filter is: udp port 62201
  825. Starting fwknopd main event loop.
  826. (stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
  827. SPA Packet: '9FPvqNnu4HvMRGvtMVycVt+BQxixw6Q+BOqdxPTbWJnAmYz/QHgHOxw9X/+ZaU52NG3ZQeE9VbAswY3TLU2VqbHzpyqRUS0y233L8TzOrELaXehwr2sN/rj1scCh7GG9ubbwliIy0tTltiUOeUOE/G5+LhYgDl2bo'
  828.  
  829. (stanza #1) SPA Decode (res=0):
  830. SPA Field Values:
  831. =================
  832. Random Value: 8553414479018286
  833. Username: root
  834. Timestamp: 1330587864
  835. FKO Version: 1.9.12
  836. Message Type: 1
  837. Message String: 127.0.0.2,tcp/22
  838. Nat Access: <NULL>
  839. Server Auth: <NULL>
  840. Client Timeout: 0
  841. Digest Type: 3
  842. Encoded Data: 8553414479018286:cm9vdA:1330587864:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
  843. SPA Data Digest: 1GTZdWzoNOPWuw+nD7T+leBCO+8/KgDh5RONHFpnIt8
  844.  
  845. process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587867 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
  846. )
  847. Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587867
  848. Gracefully leaving the fwknopd event loop.
  849. Got SIGTERM. Exiting...
  850. Shutting Down fwknopd.
  851. delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
  852. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
  853. [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
  854.  
  855. ==== END 60_fwknopd.test ====
  856.  
  857. ==== 61_fwknopd.test ====
  858.  
  859. [+] TEST: [Rijndael SPA] [client+server] multi access stanzas (tcp/22 ssh)
  860. Thu Mar 1 08:44:27 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/multi_stanzas_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
  861. [+] Writing my PID (9304) to the lock file: run/fwknopd.pid
  862.  
  863. Starting fwknopd
  864. Current fwknopd config settings:
  865. 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
  866. 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
  867. 2. PCAP_INTF = 'lo'
  868. 3. ENABLE_PCAP_PROMISC = 'N'
  869. 4. PCAP_FILTER = 'udp port 62201'
  870. 5. PCAP_DISPATCH_COUNT = '0'
  871. 6. PCAP_LOOP_SLEEP = '10000'
  872. 7. MAX_SNIFF_BYTES = '1500'
  873. 8. ENABLE_SPA_PACKET_AGING = 'Y'
  874. 9. MAX_SPA_PACKET_AGE = '120'
  875. 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
  876. 11. CMD_EXEC_TIMEOUT = '<not set>'
  877. 12. ENABLE_SPA_OVER_HTTP = 'N'
  878. 13. ENABLE_TCP_SERVER = 'N'
  879. 14. TCPSERV_PORT = '62201'
  880. 15. LOCALE = '<not set>'
  881. 16. SYSLOG_IDENTITY = 'fwknopd'
  882. 17. SYSLOG_FACILITY = 'LOG_DAEMON'
  883. 18. ENABLE_IPT_FORWARDING = 'N'
  884. 19. ENABLE_IPT_LOCAL_NAT = 'Y'
  885. 20. ENABLE_IPT_SNAT = 'N'
  886. 21. SNAT_TRANSLATE_IP = '<not set>'
  887. 22. ENABLE_IPT_OUTPUT = 'N'
  888. 23. FLUSH_IPT_AT_INIT = 'Y'
  889. 24. FLUSH_IPT_AT_EXIT = 'Y'
  890. 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
  891. 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
  892. 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
  893. 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
  894. 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  895. 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  896. 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
  897. 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
  898. 33. ACCESS_FILE = 'conf/multi_stanzas_access.conf'
  899. 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
  900. 35. DIGEST_FILE = 'run/digest.cache'
  901. 36. GPG_HOME_DIR = '/root/.gnupg'
  902. 37. FIREWALL_EXE = '/sbin/iptables'
  903.  
  904. Current fwknopd access settings:
  905. SOURCE (1): 4.3.2.0/24, 23.43.0.0/16, 10.10.10.10
  906. ==============================================================
  907. OPEN_PORTS: <not set>
  908. RESTRICT_PORTS: <not set>
  909. KEY: <see the access.conf file>
  910. FW_ACCESS_TIMEOUT: 3
  911. ENABLE_CMD_EXEC: No
  912. CMD_EXEC_USER: <not set>
  913. REQUIRE_USERNAME: <not set>
  914. REQUIRE_SOURCE_ADDRESS: No
  915. ACCESS_EXPIRE: <not set>
  916. GPG_HOME_DIR: <not set>
  917. GPG_DECRYPT_ID: <not set>
  918. GPG_DECRYPT_PW: <see the access.conf file>
  919. GPG_REQUIRE_SIG: No
  920. GPG_IGNORE_SIG_VERIFY_ERROR: No
  921. GPG_REMOTE_ID: <not set>
  922.  
  923. SOURCE (2): 23.43.0.0/16, 10.10.10.10
  924. ==============================================================
  925. OPEN_PORTS: <not set>
  926. RESTRICT_PORTS: <not set>
  927. KEY: <see the access.conf file>
  928. FW_ACCESS_TIMEOUT: 3
  929. ENABLE_CMD_EXEC: No
  930. CMD_EXEC_USER: <not set>
  931. REQUIRE_USERNAME: <not set>
  932. REQUIRE_SOURCE_ADDRESS: No
  933. ACCESS_EXPIRE: <not set>
  934. GPG_HOME_DIR: <not set>
  935. GPG_DECRYPT_ID: <not set>
  936. GPG_DECRYPT_PW: <see the access.conf file>
  937. GPG_REQUIRE_SIG: No
  938. GPG_IGNORE_SIG_VERIFY_ERROR: No
  939. GPG_REMOTE_ID: <not set>
  940.  
  941. SOURCE (3): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
  942. ==============================================================
  943. OPEN_PORTS: <not set>
  944. RESTRICT_PORTS: <not set>
  945. KEY: <see the access.conf file>
  946. FW_ACCESS_TIMEOUT: 3
  947. ENABLE_CMD_EXEC: No
  948. CMD_EXEC_USER: <not set>
  949. REQUIRE_USERNAME: <not set>
  950. REQUIRE_SOURCE_ADDRESS: No
  951. ACCESS_EXPIRE: <not set>
  952. GPG_HOME_DIR: <not set>
  953. GPG_DECRYPT_ID: <not set>
  954. GPG_DECRYPT_PW: <see the access.conf file>
  955. GPG_REQUIRE_SIG: No
  956. GPG_IGNORE_SIG_VERIFY_ERROR: No
  957. GPG_REMOTE_ID: <not set>
  958.  
  959. SOURCE (4): 4.3.2.0/24, 10.10.10.10
  960. ==============================================================
  961. OPEN_PORTS: <not set>
  962. RESTRICT_PORTS: <not set>
  963. KEY: <see the access.conf file>
  964. FW_ACCESS_TIMEOUT: 3
  965. ENABLE_CMD_EXEC: No
  966. CMD_EXEC_USER: <not set>
  967. REQUIRE_USERNAME: <not set>
  968. REQUIRE_SOURCE_ADDRESS: No
  969. ACCESS_EXPIRE: <not set>
  970. GPG_HOME_DIR: <not set>
  971. GPG_DECRYPT_ID: <not set>
  972. GPG_DECRYPT_PW: <see the access.conf file>
  973. GPG_REQUIRE_SIG: No
  974. GPG_IGNORE_SIG_VERIFY_ERROR: No
  975. GPG_REMOTE_ID: <not set>
  976.  
  977.  
  978. Using Digest Cache: 'run/digest.cache' (entry count = 13)
  979. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  980. iptables: No chain/target/match by that name.
  981. )
  982. create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
  983. add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
  984. Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
  985. PCAP filter is: udp port 62201
  986. Starting fwknopd main event loop.
  987. (stanza #3) SPA Packet from IP: 127.0.0.1 received with access source match
  988. SPA Packet: '8byEJeLH0PtA3KFpj+jE7YRuz0zD8nj56PujTHSLP1YTlvmP3182X1U8VFZrgQhtx2Vlnh0moStWjBAJnxU8Uh/ABJznxZDun97TU0VwYtv6lbkA6PwA93u6PCDAjmDN4azfQS1TmIUfIRvJCULktG1TBMji9HbBU'
  989.  
  990. (stanza #3) SPA Decode (res=0):
  991. SPA Field Values:
  992. =================
  993. Random Value: 6036029291678890
  994. Username: root
  995. Timestamp: 1330587869
  996. FKO Version: 1.9.12
  997. Message Type: 1
  998. Message String: 127.0.0.2,tcp/22
  999. Nat Access: <NULL>
  1000. Server Auth: <NULL>
  1001. Client Timeout: 0
  1002. Digest Type: 3
  1003. Encoded Data: 6036029291678890:cm9vdA:1330587869:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
  1004. SPA Data Digest: r2+RNw1xutjwNxIY8wJ3LW1eH1PUaMuTPWxb/HAbBgI
  1005.  
  1006. process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587872 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
  1007. )
  1008. Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587872
  1009. Gracefully leaving the fwknopd event loop.
  1010. Got SIGTERM. Exiting...
  1011. Shutting Down fwknopd.
  1012. delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
  1013. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
  1014. [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
  1015.  
  1016. ==== END 61_fwknopd.test ====
  1017.  
  1018. ==== 62_fwknopd.test ====
  1019.  
  1020. [+] TEST: [Rijndael SPA] [client+server] bad/good key stanzas (tcp/22 ssh)
  1021. Thu Mar 1 08:44:32 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/multi_stanzas_with_broken_keys.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
  1022. [+] Writing my PID (9354) to the lock file: run/fwknopd.pid
  1023.  
  1024. Starting fwknopd
  1025. Current fwknopd config settings:
  1026. 0. CONFIG_FILE = 'conf/default_fwknopd.conf'
  1027. 1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
  1028. 2. PCAP_INTF = 'lo'
  1029. 3. ENABLE_PCAP_PROMISC = 'N'
  1030. 4. PCAP_FILTER = 'udp port 62201'
  1031. 5. PCAP_DISPATCH_COUNT = '0'
  1032. 6. PCAP_LOOP_SLEEP = '10000'
  1033. 7. MAX_SNIFF_BYTES = '1500'
  1034. 8. ENABLE_SPA_PACKET_AGING = 'Y'
  1035. 9. MAX_SPA_PACKET_AGE = '120'
  1036. 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
  1037. 11. CMD_EXEC_TIMEOUT = '<not set>'
  1038. 12. ENABLE_SPA_OVER_HTTP = 'N'
  1039. 13. ENABLE_TCP_SERVER = 'N'
  1040. 14. TCPSERV_PORT = '62201'
  1041. 15. LOCALE = '<not set>'
  1042. 16. SYSLOG_IDENTITY = 'fwknopd'
  1043. 17. SYSLOG_FACILITY = 'LOG_DAEMON'
  1044. 18. ENABLE_IPT_FORWARDING = 'N'
  1045. 19. ENABLE_IPT_LOCAL_NAT = 'Y'
  1046. 20. ENABLE_IPT_SNAT = 'N'
  1047. 21. SNAT_TRANSLATE_IP = '<not set>'
  1048. 22. ENABLE_IPT_OUTPUT = 'N'
  1049. 23. FLUSH_IPT_AT_INIT = 'Y'
  1050. 24. FLUSH_IPT_AT_EXIT = 'Y'
  1051. 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
  1052. 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
  1053. 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
  1054. 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
  1055. 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  1056. 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  1057. 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
  1058. 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
  1059. 33. ACCESS_FILE = 'conf/multi_stanzas_with_broken_keys.conf'
  1060. 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
  1061. 35. DIGEST_FILE = 'run/digest.cache'
  1062. 36. GPG_HOME_DIR = '/root/.gnupg'
  1063. 37. FIREWALL_EXE = '/sbin/iptables'
  1064.  
  1065. Current fwknopd access settings:
  1066. SOURCE (1): 4.3.2.0/24, 23.43.0.0/16, 10.10.10.10
  1067. ==============================================================
  1068. OPEN_PORTS: <not set>
  1069. RESTRICT_PORTS: <not set>
  1070. KEY: <see the access.conf file>
  1071. FW_ACCESS_TIMEOUT: 3
  1072. ENABLE_CMD_EXEC: No
  1073. CMD_EXEC_USER: <not set>
  1074. REQUIRE_USERNAME: <not set>
  1075. REQUIRE_SOURCE_ADDRESS: No
  1076. ACCESS_EXPIRE: <not set>
  1077. GPG_HOME_DIR: <not set>
  1078. GPG_DECRYPT_ID: <not set>
  1079. GPG_DECRYPT_PW: <see the access.conf file>
  1080. GPG_REQUIRE_SIG: No
  1081. GPG_IGNORE_SIG_VERIFY_ERROR: No
  1082. GPG_REMOTE_ID: <not set>
  1083.  
  1084. SOURCE (2): 23.43.0.0/16, 10.10.10.10
  1085. ==============================================================
  1086. OPEN_PORTS: <not set>
  1087. RESTRICT_PORTS: <not set>
  1088. KEY: <see the access.conf file>
  1089. FW_ACCESS_TIMEOUT: 3
  1090. ENABLE_CMD_EXEC: No
  1091. CMD_EXEC_USER: <not set>
  1092. REQUIRE_USERNAME: <not set>
  1093. REQUIRE_SOURCE_ADDRESS: No
  1094. ACCESS_EXPIRE: <not set>
  1095. GPG_HOME_DIR: <not set>
  1096. GPG_DECRYPT_ID: <not set>
  1097. GPG_DECRYPT_PW: <see the access.conf file>
  1098. GPG_REQUIRE_SIG: No
  1099. GPG_IGNORE_SIG_VERIFY_ERROR: No
  1100. GPG_REMOTE_ID: <not set>
  1101.  
  1102. SOURCE (3): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
  1103. ==============================================================
  1104. OPEN_PORTS: <not set>
  1105. RESTRICT_PORTS: <not set>
  1106. KEY: <see the access.conf file>
  1107. FW_ACCESS_TIMEOUT: 3
  1108. ENABLE_CMD_EXEC: No
  1109. CMD_EXEC_USER: <not set>
  1110. REQUIRE_USERNAME: <not set>
  1111. REQUIRE_SOURCE_ADDRESS: No
  1112. ACCESS_EXPIRE: <not set>
  1113. GPG_HOME_DIR: <not set>
  1114. GPG_DECRYPT_ID: <not set>
  1115. GPG_DECRYPT_PW: <see the access.conf file>
  1116. GPG_REQUIRE_SIG: No
  1117. GPG_IGNORE_SIG_VERIFY_ERROR: No
  1118. GPG_REMOTE_ID: <not set>
  1119.  
  1120. SOURCE (4): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
  1121. ==============================================================
  1122. OPEN_PORTS: <not set>
  1123. RESTRICT_PORTS: <not set>
  1124. KEY: <see the access.conf file>
  1125. FW_ACCESS_TIMEOUT: 3
  1126. ENABLE_CMD_EXEC: No
  1127. CMD_EXEC_USER: <not set>
  1128. REQUIRE_USERNAME: <not set>
  1129. REQUIRE_SOURCE_ADDRESS: No
  1130. ACCESS_EXPIRE: <not set>
  1131. GPG_HOME_DIR: <not set>
  1132. GPG_DECRYPT_ID: <not set>
  1133. GPG_DECRYPT_PW: <see the access.conf file>
  1134. GPG_REQUIRE_SIG: No
  1135. GPG_IGNORE_SIG_VERIFY_ERROR: No
  1136. GPG_REMOTE_ID: <not set>
  1137.  
  1138. SOURCE (5): 4.3.2.0/24, 10.10.10.10
  1139. ==============================================================
  1140. OPEN_PORTS: <not set>
  1141. RESTRICT_PORTS: <not set>
  1142. KEY: <see the access.conf file>
  1143. FW_ACCESS_TIMEOUT: 3
  1144. ENABLE_CMD_EXEC: No
  1145. CMD_EXEC_USER: <not set>
  1146. REQUIRE_USERNAME: <not set>
  1147. REQUIRE_SOURCE_ADDRESS: No
  1148. ACCESS_EXPIRE: <not set>
  1149. GPG_HOME_DIR: <not set>
  1150. GPG_DECRYPT_ID: <not set>
  1151. GPG_DECRYPT_PW: <see the access.conf file>
  1152. GPG_REQUIRE_SIG: No
  1153. GPG_IGNORE_SIG_VERIFY_ERROR: No
  1154. GPG_REMOTE_ID: <not set>
  1155.  
  1156.  
  1157. Using Digest Cache: 'run/digest.cache' (entry count = 14)
  1158. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  1159. iptables: No chain/target/match by that name.
  1160. )
  1161. create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
  1162. add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
  1163. Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
  1164. PCAP filter is: udp port 62201
  1165. Starting fwknopd main event loop.
  1166. (stanza #3) SPA Packet from IP: 127.0.0.1 received with access source match
  1167. SPA Packet: '/dtBbrqTJFz3w83dtGvA2QY4+xyXtFzC9ddjs2uh3cAV77Ag1dw7jWk3Y1F7QzqQQLurXIjddHygpolIw4Kl6Xlkadmn/sJBBftkMc4+oqdaRDggbhdv/cZVNO3oozlch2PbXBj3hrAnb6CXHAIolsDKvMGH0gXGc'
  1168.  
  1169. (stanza #3) Error creating fko context: Decryption failed or decrypted data is invalid
  1170. (stanza #4) SPA Packet from IP: 127.0.0.1 received with access source match
  1171. SPA Packet: '/dtBbrqTJFz3w83dtGvA2QY4+xyXtFzC9ddjs2uh3cAV77Ag1dw7jWk3Y1F7QzqQQLurXIjddHygpolIw4Kl6Xlkadmn/sJBBftkMc4+oqdaRDggbhdv/cZVNO3oozlch2PbXBj3hrAnb6CXHAIolsDKvMGH0gXGc'
  1172.  
  1173. (stanza #4) SPA Decode (res=0):
  1174. SPA Field Values:
  1175. =================
  1176. Random Value: 2136587307201522
  1177. Username: root
  1178. Timestamp: 1330587874
  1179. FKO Version: 1.9.12
  1180. Message Type: 1
  1181. Message String: 127.0.0.2,tcp/22
  1182. Nat Access: <NULL>
  1183. Server Auth: <NULL>
  1184. Client Timeout: 0
  1185. Digest Type: 3
  1186. Encoded Data: 2136587307201522:cm9vdA:1330587874:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
  1187. SPA Data Digest: Z1aLe+AjEWQ/J4sQ1ToMlnDCvWhra/JBaC6faVKK02I
  1188.  
  1189. process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587877 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
  1190. )
  1191. Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587877
  1192. Gracefully leaving the fwknopd event loop.
  1193. Got SIGTERM. Exiting...
  1194. Shutting Down fwknopd.
  1195. delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
  1196. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
  1197. [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
  1198.  
  1199. ==== END 62_fwknopd.test ====
  1200.  
  1201. ==== 64_fwknopd.test ====
  1202.  
  1203. [+] TEST: [Rijndael SPA] [client+server] NAT to 192.168.1.2 (tcp/22 ssh)
  1204. Thu Mar 1 08:44:42 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/nat_fwknopd.conf -a conf/open_ports_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
  1205. [+] Writing my PID (9462) to the lock file: run/fwknopd.pid
  1206.  
  1207. Starting fwknopd
  1208. Current fwknopd config settings:
  1209. 0. CONFIG_FILE = 'conf/nat_fwknopd.conf'
  1210. 1. OVERRIDE_CONFIG = 'conf/nat_fwknopd.conf'
  1211. 2. PCAP_INTF = 'lo'
  1212. 3. ENABLE_PCAP_PROMISC = 'N'
  1213. 4. PCAP_FILTER = 'udp port 62201'
  1214. 5. PCAP_DISPATCH_COUNT = '0'
  1215. 6. PCAP_LOOP_SLEEP = '10000'
  1216. 7. MAX_SNIFF_BYTES = '1500'
  1217. 8. ENABLE_SPA_PACKET_AGING = 'Y'
  1218. 9. MAX_SPA_PACKET_AGE = '120'
  1219. 10. ENABLE_DIGEST_PERSISTENCE = 'Y'
  1220. 11. CMD_EXEC_TIMEOUT = '<not set>'
  1221. 12. ENABLE_SPA_OVER_HTTP = 'N'
  1222. 13. ENABLE_TCP_SERVER = 'N'
  1223. 14. TCPSERV_PORT = '62201'
  1224. 15. LOCALE = '<not set>'
  1225. 16. SYSLOG_IDENTITY = 'fwknopd'
  1226. 17. SYSLOG_FACILITY = 'LOG_DAEMON'
  1227. 18. ENABLE_IPT_FORWARDING = 'Y'
  1228. 19. ENABLE_IPT_LOCAL_NAT = 'Y'
  1229. 20. ENABLE_IPT_SNAT = 'N'
  1230. 21. SNAT_TRANSLATE_IP = '<not set>'
  1231. 22. ENABLE_IPT_OUTPUT = 'N'
  1232. 23. FLUSH_IPT_AT_INIT = 'Y'
  1233. 24. FLUSH_IPT_AT_EXIT = 'Y'
  1234. 25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
  1235. 26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
  1236. 27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
  1237. 28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
  1238. 29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  1239. 30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
  1240. 31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
  1241. 32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
  1242. 33. ACCESS_FILE = 'conf/open_ports_access.conf'
  1243. 34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
  1244. 35. DIGEST_FILE = 'run/digest.cache'
  1245. 36. GPG_HOME_DIR = '/root/.gnupg'
  1246. 37. FIREWALL_EXE = '/sbin/iptables'
  1247.  
  1248. Current fwknopd access settings:
  1249. SOURCE (1): 4.3.2.0/24, 127.0.0.0/24, 23.43.0.0/16, 10.10.10.10
  1250. ==============================================================
  1251. OPEN_PORTS: udp/6001, tcp/22, tcp/80
  1252. RESTRICT_PORTS: <not set>
  1253. KEY: <see the access.conf file>
  1254. FW_ACCESS_TIMEOUT: 3
  1255. ENABLE_CMD_EXEC: No
  1256. CMD_EXEC_USER: <not set>
  1257. REQUIRE_USERNAME: <not set>
  1258. REQUIRE_SOURCE_ADDRESS: No
  1259. ACCESS_EXPIRE: <not set>
  1260. GPG_HOME_DIR: <not set>
  1261. GPG_DECRYPT_ID: <not set>
  1262. GPG_DECRYPT_PW: <see the access.conf file>
  1263. GPG_REQUIRE_SIG: No
  1264. GPG_IGNORE_SIG_VERIFY_ERROR: No
  1265. GPG_REMOTE_ID: <not set>
  1266.  
  1267.  
  1268. Using Digest Cache: 'run/digest.cache' (entry count = 16)
  1269. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  1270. iptables: No chain/target/match by that name.
  1271. )
  1272. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  1273. iptables: No chain/target/match by that name.
  1274. )
  1275. delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
  1276. iptables: No chain/target/match by that name.
  1277. )
  1278. create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
  1279. add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
  1280. Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
  1281. create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_FORWARD 2>&1' (res: 0, err: )
  1282. add_jump_rule() CMD: '/sbin/iptables -t filter -I FORWARD 1 -j FWKNOP_FORWARD 2>&1' (res: 0, err: )
  1283. Added jump rule from chain: FORWARD to chain: FWKNOP_FORWARD
  1284. create_fw_chains() CMD: '/sbin/iptables -t nat -N FWKNOP_PREROUTING 2>&1' (res: 0, err: )
  1285. add_jump_rule() CMD: '/sbin/iptables -t nat -I PREROUTING 1 -j FWKNOP_PREROUTING 2>&1' (res: 0, err: )
  1286. Added jump rule from chain: PREROUTING to chain: FWKNOP_PREROUTING
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '+v7+NcB//KsvrF+pnoIRUR2Vej2Vbh/NQ6REdOo1NVGT4COaqafhyFFRIvYnLSoRrmOHsApp0/hchwDwvzpn7zm0h3RwrZYT/O0DdJpmfIld4oK8RMkAxxGqqckQytCy7b4vdJ/RnK9pNS5dNjK1yM/R0Sa9X7U8F851EFdNp15EHqenD0sxUiUI+ln512AES1omOIRDDwpg'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 7492771951729498
Username: root
Timestamp: 1330587884
FKO Version: 1.9.12
Message Type: 2
Message String: 127.0.0.2,tcp/22
Nat Access: 192.168.1.2,22
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 7492771951729498:cm9vdA:1330587884:1.9.12:2:MTI3LjAuMC4yLHRjcC8yMg:MTkyLjE2OC4xLjIsMjI
SPA Data Digest: 4Szu8WhXryQx9kEZjmBhjo1Hbha7XIbcYwOg4UwSg44

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_FORWARD -p 6 -s 127.0.0.2 -d 192.168.1.2 --dport 22 -m comment --comment _exp_1330587887 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added FORWARD Rule to FWKNOP_FORWARD for 127.0.0.2, tcp/22 expires at 1330587887
process_spa_request() CMD: '/sbin/iptables -t nat -A FWKNOP_PREROUTING -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587887 -j DNAT --to-destination 192.168.1.2:22 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added DNAT Rule to FWKNOP_PREROUTING for 127.0.0.2, tcp/22 expires at 1330587887
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
delete_all_chains() CMD: '/sbin/iptables -t filter -D FORWARD 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: )
delete_all_chains() CMD: '/sbin/iptables -t nat -D PREROUTING 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
[.] find_find_regex() Did not match any regex in: '(?i-xsm:to\:192.168.1.2\:22)'

==== END 64_fwknopd.test ====

==== 65_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] force NAT 192.168.1.123 (tcp/22 ssh)
Thu Mar 1 08:44:47 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/nat_fwknopd.conf -a conf/force_nat_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (9560) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/nat_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/nat_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'Y'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/force_nat_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 17)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_FORWARD 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I FORWARD 1 -j FWKNOP_FORWARD 2>&1' (res: 0, err: )
Added jump rule from chain: FORWARD to chain: FWKNOP_FORWARD
create_fw_chains() CMD: '/sbin/iptables -t nat -N FWKNOP_PREROUTING 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t nat -I PREROUTING 1 -j FWKNOP_PREROUTING 2>&1' (res: 0, err: )
Added jump rule from chain: PREROUTING to chain: FWKNOP_PREROUTING
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '+ig9uGdNfkN6NXx44PKi/P8QYRBRe7bBVMEGriZVP6aAksUe08ezgs9hD4eR2CWOk3eLiLRii05CNbG3uTixi8GSk3avP2Djf7MhodRMPeC81gwfkyO28udmm8GsU85Q98BciqqDHOGWd2+hmMOA442BaLsi8Csho'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1627115048258174
Username: root
Timestamp: 1330587889
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1627115048258174:cm9vdA:1330587889:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: +QyBBrMkCcVdycoyJbAYjox0qO1uoDECFzSJVbA53mk

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_FORWARD -p 6 -s 127.0.0.2 -d 192.168.1.123 --dport 22 -m comment --comment _exp_1330587892 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added FORWARD Rule to FWKNOP_FORWARD for 127.0.0.2, tcp/22 expires at 1330587892
process_spa_request() CMD: '/sbin/iptables -t nat -A FWKNOP_PREROUTING -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587892 -j DNAT --to-destination 192.168.1.123:22 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added DNAT Rule to FWKNOP_PREROUTING for 127.0.0.2, tcp/22 expires at 1330587892
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
delete_all_chains() CMD: '/sbin/iptables -t filter -D FORWARD 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_FORWARD 2>&1; /sbin/iptables -t filter -X FWKNOP_FORWARD 2>&1)' (res: 0, err: )
delete_all_chains() CMD: '/sbin/iptables -t nat -D PREROUTING 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t nat -F FWKNOP_PREROUTING 2>&1; /sbin/iptables -t nat -X FWKNOP_PREROUTING 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
[.] find_find_regex() Did not match any regex in: '(?i-xsm:to\:192.168.1.123\:22)'
[.] find_find_regex() Did not match any regex in: '(?i-xsm:to\:192.168.1.2\:22)'

==== END 65_fwknopd.test ====

==== 66_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] complete cycle (tcp/23 telnet)
Thu Mar 1 08:44:52 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (9658) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/default_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 18)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '8UWRNpo/1aJw4Vrt/aRQ1fgsXKFQkn603Stegs/QA88a7+igqQk/23ve2HZwSntOoGI9ZAIDN8uCfe8SWbga9lCE6eOFLUdeeIkogtQFKF8lc4ZydNGVh5qAJqdy4eI3Aj0U8t/QX/kBS4dorhReQcoQZNa2jPdl4'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1716863939491698
Username: root
Timestamp: 1330587894
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/23
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1716863939491698:cm9vdA:1330587894:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMw
SPA Data Digest: hRF+s1g1ngEA4usjENOshHLGBN4kkkyVsBiaqZ/QpIg

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 23 -m comment --comment _exp_1330587897 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/23 expires at 1330587897
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 66_fwknopd.test ====

==== 67_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] complete cycle (tcp/9418 git)
Thu Mar 1 08:44:57 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (9708) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/default_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 19)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '/+e6rqjdByeVeDPsOXpY254IoH/TtjqHZa6xCKwoSJ703S1IZpU0YeDEtWFKgUqbMCad57u6CLOUD49cXVTr6lzKX5Vqa09O5P5ze1kFQozEj8iI0qd7ryaN/Mx3wEKrWpKdQ6O5OyI+HgAeCyDB6ik0oZD/yEZP4'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 4765783826072911
Username: root
Timestamp: 1330587899
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/9418
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 4765783826072911:cm9vdA:1330587899:1.9.12:1:MTI3LjAuMC4yLHRjcC85NDE4
SPA Data Digest: fNxbYtkb8Z5Y5Vm4SbvYV5T8fl7JxJMgFM2GPoHPPGM

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 9418 -m comment --comment _exp_1330587902 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/9418 expires at 1330587902
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 67_fwknopd.test ====

==== 68_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] complete cycle (udp/53 dns)
Thu Mar 1 08:45:02 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose
[+] Writing my PID (9758) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 62201'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/default_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 20)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '+BoUJw//nAJZfEOCxpvGgmWEDw44uu2HFEQ7XUn+I08Y48TQK5oFNHkLJ2r+EGONGNOLAiJyDv2D0JkgZk7UTAoVo1+EmjXgQQIOhrvxCJ0vEsYnJI4ky4584ieV94kuzhVBbWN8+MciFEJ5SIaVaxAZlr5+JMxxA'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1963284536174694
Username: root
Timestamp: 1330587904
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,udp/53
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 1963284536174694:cm9vdA:1330587904:1.9.12:1:MTI3LjAuMC4yLHVkcC81Mw
SPA Data Digest: yBHxhmlsaMHM0BZ+vwdtPSMeFzQs0nZN+fCI/8TnT7Y

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 17 -s 127.0.0.2 --dport 53 -m comment --comment _exp_1330587907 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, udp/53 expires at 1330587907
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...

==== END 68_fwknopd.test ====

==== 69_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] -P bpf SPA over port 12345
Thu Mar 1 08:45:07 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose -P "udp port 12345"
[+] Writing my PID (9808) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp port 12345'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/default_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 21)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 12345
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '9AJutXux/nxGhoAI5ELhLZOHdELCvQP/K4CbR6biBY7yjfueLwfGUHsbEw8EbtI5ssvnSh0XO6Ump3EfepVZKgjQk4J4cvEVQQfWuXEeAnA3DcmUgu1j0rEQvKox6GCmbsbuF66+3VaVMVNxoR1hIqEHHENkvMzsM'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 8249035391736953
Username: root
Timestamp: 1330587909
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 8249035391736953:cm9vdA:1330587909:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: NtIrp+lIlv+wHdVAxvKqnAA0lN1xDykgPgZ4Jrq5oyE

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587912 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
)
Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587912
Gracefully leaving the fwknopd event loop.
Got SIGTERM. Exiting...
Shutting Down fwknopd.
delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
[.] file_find_regex() Matched '(?-xism:PCAP\sfilter.*\s12345)' with line: PCAP filter is: udp port 12345

==== END 69_fwknopd.test ====

==== 70_fwknopd.test ====

[+] TEST: [Rijndael SPA] [client+server] random SPA port (tcp/22 ssh)
Thu Mar 1 08:45:12 2012 CMD: LD_LIBRARY_PATH=../lib/.libs ../server/.libs/fwknopd -c conf/default_fwknopd.conf -a conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo --foreground --verbose --verbose -P "udp"
[+] Writing my PID (9858) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
0. CONFIG_FILE = 'conf/default_fwknopd.conf'
1. OVERRIDE_CONFIG = 'conf/default_fwknopd.conf'
2. PCAP_INTF = 'lo'
3. ENABLE_PCAP_PROMISC = 'N'
4. PCAP_FILTER = 'udp'
5. PCAP_DISPATCH_COUNT = '0'
6. PCAP_LOOP_SLEEP = '10000'
7. MAX_SNIFF_BYTES = '1500'
8. ENABLE_SPA_PACKET_AGING = 'Y'
9. MAX_SPA_PACKET_AGE = '120'
10. ENABLE_DIGEST_PERSISTENCE = 'Y'
11. CMD_EXEC_TIMEOUT = '<not set>'
12. ENABLE_SPA_OVER_HTTP = 'N'
13. ENABLE_TCP_SERVER = 'N'
14. TCPSERV_PORT = '62201'
15. LOCALE = '<not set>'
16. SYSLOG_IDENTITY = 'fwknopd'
17. SYSLOG_FACILITY = 'LOG_DAEMON'
18. ENABLE_IPT_FORWARDING = 'N'
19. ENABLE_IPT_LOCAL_NAT = 'Y'
20. ENABLE_IPT_SNAT = 'N'
21. SNAT_TRANSLATE_IP = '<not set>'
22. ENABLE_IPT_OUTPUT = 'N'
23. FLUSH_IPT_AT_INIT = 'Y'
24. FLUSH_IPT_AT_EXIT = 'Y'
25. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
26. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
27. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
28. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
29. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
30. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
31. FWKNOP_RUN_DIR = '/usr/local/var/run/fwknop'
32. FWKNOP_CONF_DIR = '/usr/local/etc/fwknop'
33. ACCESS_FILE = 'conf/default_access.conf'
34. FWKNOP_PID_FILE = 'run/fwknopd.pid'
35. DIGEST_FILE = 'run/digest.cache'
36. GPG_HOME_DIR = '/root/.gnupg'
37. FIREWALL_EXE = '/sbin/iptables'

Current fwknopd access settings:
SOURCE (1): ANY
==============================================================
OPEN_PORTS: <not set>
RESTRICT_PORTS: <not set>
KEY: <see the access.conf file>
FW_ACCESS_TIMEOUT: 3
ENABLE_CMD_EXEC: No
CMD_EXEC_USER: <not set>
REQUIRE_USERNAME: <not set>
REQUIRE_SOURCE_ADDRESS: No
ACCESS_EXPIRE: <not set>
GPG_HOME_DIR: <not set>
GPG_DECRYPT_ID: <not set>
GPG_DECRYPT_PW: <see the access.conf file>
GPG_REQUIRE_SIG: No
GPG_IGNORE_SIG_VERIFY_ERROR: No
GPG_REMOTE_ID: <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 22)
delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
)
create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp
Starting fwknopd main event loop.
(stanza #1) SPA Packet from IP: 127.0.0.1 received with access source match
SPA Packet: '+qyu//aHXeUk1OdDyZFkRBMLonqlrL1dJeN/0SFY+w4aHykIyN/m1hleVLFSsDK00KJHnPSswlGR/K9vfhF89fkl0u5/ahhRew5VDiFMmh8akPcK/o+GqtzSwTAjp3XZANuU5D0G+Z0+Rbrt9TG9Q9HfpkdA6KHYg'

(stanza #1) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 8771632541106221
Username: root
Timestamp: 1330587914
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3
Encoded Data: 8771632541106221:cm9vdA:1330587914:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: fdfz3f9VlwVpuHTLR3SHNxgxeRecjMO/5NEbLVPegqE

process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587917 -j ACCEPT 2>&1' (res: 0, err: iptables: No chain/target/match by that name.
  1981. )
  1982. Added Rule to FWKNOP_INPUT for 127.0.0.2, tcp/22 expires at 1330587917
  1983. Gracefully leaving the fwknopd event loop.
  1984. Got SIGTERM. Exiting...
  1985. Shutting Down fwknopd.
  1986. delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
  1987. delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
  1988. [.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM. Exiting...
  1989.  
  1990. ==== END 70_fwknopd.test ====
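The dump above shows everything fwknopd decided for one SPA packet: the decoded fields, the encoded message the digest was computed over, and the iptables ACCEPT rule it added with an _exp_ expiry comment. The following script, added here as an illustration and not part of fwknop or of this test suite, re-checks those decisions offline. The SAMPLE_LOG lines are copied from the dump; the replay cache and the "now" values are constructed. It assumes, as libfko does for Digest Type 3, that the digest is SHA-256 over the encoded string, base64 without padding, and reports whether the page's digest recomputes under that assumption; the expiry check uses the SPA timestamp as the server clock because client and server ran on the same host in this test.

```python
"""Re-check the server-side decisions recorded in an fwknopd verbose dump.
Added illustration, not fwknop project code. SAMPLE_LOG is copied from the
dump on this page; the digest cache and 'now' offsets are constructed."""
import base64
import hashlib
import re

SAMPLE_LOG = """\
Random Value: 8771632541106221
Username: root
Timestamp: 1330587914
FKO Version: 1.9.12
Message Type: 1
Message String: 127.0.0.2,tcp/22
Digest Type: 3
Encoded Data: 8771632541106221:cm9vdA:1330587914:1.9.12:1:MTI3LjAuMC4yLHRjcC8yMg
SPA Data Digest: fdfz3f9VlwVpuHTLR3SHNxgxeRecjMO/5NEbLVPegqE
process_spa_request() CMD: '/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 127.0.0.2 --dport 22 -m comment --comment _exp_1330587917 -j ACCEPT 2>&1' (res: 0, err: )
"""

# Server-side settings as printed at the top of the dump.
MAX_SPA_PACKET_AGE = 120   # seconds (ENABLE_SPA_PACKET_AGING = 'Y')
FW_ACCESS_TIMEOUT = 3      # seconds, from the access.conf stanza
PROTO_NUM = {"tcp": 6, "udp": 17}


def b64_decode_nopad(s):
    """libfko strips '=' padding from base64 fields; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode()


def b64_encode_nopad(raw):
    return base64.b64encode(raw).decode().rstrip("=")


def parse_encoded_data(encoded):
    """Split the colon-separated encoded SPA message into named fields, in the
    order the 'Encoded Data' line shows them."""
    rand, user_b64, ts, version, msg_type, msg_b64 = encoded.split(":")
    return {"random_value": rand, "username": b64_decode_nopad(user_b64),
            "timestamp": int(ts), "version": version,
            "message_type": int(msg_type), "message": b64_decode_nopad(msg_b64)}


def sha256_digest_nopad(encoded):
    """Digest Type 3 is SHA-256 in libfko, base64-encoded without padding.
    Assumption: the digest covers the encoded string exactly as printed."""
    return b64_encode_nopad(hashlib.sha256(encoded.encode()).digest())


def parse_dump(text):
    """Pull the decoded SPA fields and the iptables ACCEPT rule out of the dump."""
    out = {"rule": None}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+): (.*)$", line)
        if m:
            out[m.group(1)] = m.group(2)
        m = re.search(r"-p (\d+) -s (\S+) --dport (\d+) .*--comment _exp_(\d+)", line)
        if m:
            out["rule"] = {"proto": int(m.group(1)), "src": m.group(2),
                           "dport": int(m.group(3)), "expires": int(m.group(4))}
    return out


def check_replay_and_age(fields, digest, now, digest_cache):
    """The two gates fwknopd applies before touching the firewall: packet
    aging (MAX_SPA_PACKET_AGE) and the digest cache (replay detection)."""
    if abs(now - fields["timestamp"]) > MAX_SPA_PACKET_AGE:
        return "rejected: stale"
    if digest in digest_cache:
        return "rejected: replay"
    digest_cache.add(digest)
    return "accepted"


def check_rule_matches_request(fields, rule, now):
    """The ACCEPT rule must be for exactly the requested src, proto and port,
    and expire FW_ACCESS_TIMEOUT seconds after the server processed it."""
    src, proto_port = fields["message"].split(",")
    proto, port = proto_port.split("/")
    return (rule["src"] == src and rule["proto"] == PROTO_NUM[proto]
            and rule["dport"] == int(port)
            and rule["expires"] == now + FW_ACCESS_TIMEOUT)


def replay_dump(text, now=None):
    """Run the dump through every check; 'now' defaults to the SPA timestamp
    (client and server shared one host and one clock in this test)."""
    d = parse_dump(text)
    fields = parse_encoded_data(d["Encoded Data"])
    if now is None:
        now = fields["timestamp"]
    digest = d["SPA Data Digest"]
    cache = set()   # constructed: an empty digest cache
    return {
        "fields": fields,
        "digest_recomputes": sha256_digest_nopad(d["Encoded Data"]) == digest,
        "first_packet": check_replay_and_age(fields, digest, now, cache),
        "replayed_packet": check_replay_and_age(fields, digest, now, cache),
        "stale_packet": check_replay_and_age(fields, digest, now + 121, set()),
        "rule_ok": check_rule_matches_request(fields, d["rule"], now),
    }


if __name__ == "__main__":
    for key, value in replay_dump(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The second call to check_replay_and_age with the same digest is what a captured-and-resent packet looks like to the server, and the +121 second offset is one second past MAX_SPA_PACKET_AGE; both must be refused even though the packet decrypts and decodes cleanly. The rule check is worth keeping in a real test harness because it catches the case where a stanza with OPEN_PORTS or RESTRICT_PORTS set would have narrowed or rejected the requested port.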