Summary: A Single Packet Authorization (SPA) implementation

Name: fwknop

Version: 1.9.9

Release: 3

License: GPLv2

Group: System Environment/Daemons

Url: http://www.cipherdyne.org/fwknop/

Source0: http://www.cipherdyne.org/fwknop/download/fwknop-nodeps-%{version}.tar.gz

Source1: http://www.cipherdyne.org/fwknop/download/fwknop-nodeps-%{version}.tar_gz.asc

Source2: fwknop.logrotate

Patch0: fwknop-1.9.9-hostname.patch

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

Requires: logrotate

# The automatic dependency generator doesn't find the Perl dependencies

Requires: perl(Crypt::CBC), perl(Crypt::Rijndael), perl(Digest::SHA)

Requires: perl(GnuPG::Interface), perl(IPTables::ChainMgr)

Requires: perl(IPTables::Parse), perl(Net::IPv4Addr), perl(Net::Pcap)

Requires: perl(Net::Ping::External), perl(Net::RawIP), perl(Term::ReadKey)

Requires: perl(Unix::Syslog)

Requires(post): chkconfig

Requires(preun): chkconfig, initscripts

Requires(postun): initscripts

%description

fwknop implements an authorization scheme known as Single Packet

Authorization (SPA) that requires only a single encrypted packet to

communicate various pieces of information including desired access through an

iptables policy and/or specific commands to execute on the target system.

The main application of this program is to protect services such as SSH with

an additional layer of security in order to make the exploitation of

vulnerabilities (both 0-day and unpatched code) much more difficult.  The

authorization server passively monitors authorization packets via libpcap and

hence there is no "server" to which to connect in the traditional sense.  Any

service protected by fwknop is inaccessible (by using iptables to

intercept packets within the kernel) before authenticating; anyone scanning for

the service will not be able to detect that it is even listening.  This

authorization scheme offers many advantages over port knocking, include being

non-replayable, much more data can be communicated, and the scheme cannot be

broken by simply connecting to extraneous ports on the server in an effort to

break knock sequences.  The authorization packets can easily be spoofed as

well, and this makes it possible to make it appear as though, say,

www.yahoo.com is trying to authenticate to a target system but in reality the

actual connection will come from a seemingly unrelated IP. Although the

default data collection method is to use libpcap to sniff packets off the

wire, fwknop can also read packets out of a file that is written by the

iptables ulogd pcap writer or by a separate sniffer process.

%prep

%setup -q

%patch0 -p1 -b .hostname

%build

make %{?_smp_mflags} OPTS="$RPM_OPT_FLAGS"

%install

rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/fwknop \

      $RPM_BUILD_ROOT%{_initrddir} \

      $RPM_BUILD_ROOT%{_bindir} \

      $RPM_BUILD_ROOT%{_mandir}/man8 \

      $RPM_BUILD_ROOT%{_sbindir} \

      $RPM_BUILD_ROOT%{_localstatedir}/lib/fwknop \

      $RPM_BUILD_ROOT%{_localstatedir}/log/fwknop \

      $RPM_BUILD_ROOT%{_localstatedir}/log/fwknop/errs \

      $RPM_BUILD_ROOT%{_localstatedir}/run/fwknop

install -p -m 644 access.conf fwknop.conf pf.os $RPM_BUILD_ROOT%_sysconfdir/fwknop

install -p -m 755 init-scripts/fwknop-init.redhat \

        $RPM_BUILD_ROOT%{_initrddir}/fwknop

install -p -m 755 fwknop $RPM_BUILD_ROOT%{_bindir}

install -p -m 644 *.8 $RPM_BUILD_ROOT%{_mandir}/man8/

install -p -m 755 fwknopd fwknop_serv knopmd knoptm knopwatchd \

        $RPM_BUILD_ROOT%{_sbindir}

#install logrotate stuff

mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d

install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/fwknop

%clean

rm -rf $RPM_BUILD_ROOT

%post

/sbin/chkconfig --add fwknop

%preun

if [ $1 = 0 ]; then

   /sbin/service fwknop stop >/dev/null 2>&1

   /sbin/chkconfig --del fwknop

fi

%postun

if [ $1 -ge 1 ]; then

   /sbin/service fwknop condrestart >/dev/null 2>&1 || :

fi

%files

%defattr(-,root,root)

%doc CREDITS ChangeLog ChangeLog.svn LICENSE README README.ACCESS README.GPG

%doc README.PK TODO

%dir %{_sysconfdir}/fwknop

%config(noreplace) %{_sysconfdir}/fwknop/*.conf

%config(noreplace) %{_sysconfdir}/fwknop/pf.os

%config(noreplace) %{_sysconfdir}/logrotate.d/fwknop

%{_initrddir}/fwknop

%{_bindir}/fwknop

%{_sbindir}/*kno*

%{_mandir}/man8/*

%dir %{_localstatedir}/lib/fwknop

%dir %{_localstatedir}/log/fwknop

%dir %{_localstatedir}/log/fwknop/errs

%dir %{_localstatedir}/run/fwknop

%changelog

* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.9-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Mon Jan 05 2009 Peter Vrabec <pvrabec@redhat.com> 1.9.9-2

- add /var/log/fwknop/errs directory (#469395)

* Mon Nov 17 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.9-1

- Update to fwknop-1.9.9

* Sat Oct  4 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.8-1

- Update to fwknop-1.9.8

- Add missing Requires:

- Use the "nodeps" tarball

* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.7-1

- Update to fwknop-1.9.7

- License specified to be GPLv2

* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-4

- Don't change SNAT_TRANSLATE_IP to "localhost" in the default config.

- Add Requires: logrotate.

* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-3

- fix sed cmd in spec file

* Mon Aug 11 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-2

- add logrotate file

- do not set hostname during install

* Wed Jul 30 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-1

- Initial Fedora package, based on Michael Rash's spec file (heavily modified

  since).

* Fri Jul 18 2008 Michael Rash <mbr@cipherdyne.org>

- Release of fwknop-1.9.6