ports/118229: commit references a PR
dfilter service
dfilter at FreeBSD.ORG
Fri Jun 13 03:50:05 UTC 2008
The following reply was made to PR ports/118229; it has been noted by GNATS.
From: dfilter at FreeBSD.ORG (dfilter service)
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: ports/118229: commit references a PR
Date: Fri, 13 Jun 2008 03:43:56 +0000 (UTC)
edwin 2008-06-13 03:43:51 UTC
FreeBSD ports repository
Modified files:
security Makefile
Added files:
security/fwknop Makefile distinfo pkg-descr pkg-plist
security/fwknop/files patch-access.conf patch-fwknop
patch-fwknop.8 patch-fwknop.conf
patch-fwknop_serv patch-fwknopd
patch-fwknopd.8
patch-init-scripts-fwknop-init.freebsd
patch-install.pl patch-knopmd.8
patch-knopmd.c patch-knopmd.conf
patch-knopspoof patch-knoptm
patch-knopwatchd.8 patch-knopwatchd.c
Log:
New port: security/fwknop fwknop, "FireWall KNock OPerator", implements
Single Packet Authorization (SPA).
fwknop stands for the "FireWall KNock OPerator", and
implements an authorization scheme called Single Packet
Authorization (SPA). This method of authorization is based
around a default-drop packet filter (fwknop supports both
iptables on Linux systems and ipfw on FreeBSD and Mac OS X
systems) and libpcap.
SPA requires only a single encrypted packet in order to
communicate various pieces of information including desired
access through an iptables policy and/or complete commands
to execute on the target system. By using iptables to
maintain a "default drop" stance, the main application of
this program is to protect services such as OpenSSH with
an additional layer of security in order to make the
exploitation of vulnerabilities (both 0-day and unpatched
code) much more difficult. With fwknop deployed, anyone
using nmap to look for sshd can't even tell that it is
listening; it makes no difference if they have a 0-day
exploit or not. The authorization server passively monitors
authorization packets via libpcap and hence there is no
"server" to which to connect in the traditional sense.
Access to a protected service is only granted after a valid
encrypted and non-replayed packet is monitored from an
fwknop client (see the following network diagram; the SSH
session can only take place after the SPA packet is monitored):
PR: ports/118229
Submitted by: Sean Greven <sean.greven at gmail.com>
Revision Changes Path
1.972 +1 -0 ports/security/Makefile
1.1 +59 -0 ports/security/fwknop/Makefile (new)
1.1 +3 -0 ports/security/fwknop/distinfo (new)
1.1 +20 -0 ports/security/fwknop/files/patch-access.conf (new)
1.1 +20 -0 ports/security/fwknop/files/patch-fwknop (new)
1.1 +65 -0 ports/security/fwknop/files/patch-fwknop.8 (new)
1.1 +45 -0 ports/security/fwknop/files/patch-fwknop.conf (new)
1.1 +11 -0 ports/security/fwknop/files/patch-fwknop_serv (new)
1.1 +20 -0 ports/security/fwknop/files/patch-fwknopd (new)
1.1 +112 -0 ports/security/fwknop/files/patch-fwknopd.8 (new)
1.1 +18 -0 ports/security/fwknop/files/patch-init-scripts-fwknop-init.freebsd (new)
1.1 +60 -0 ports/security/fwknop/files/patch-install.pl (new)
1.1 +11 -0 ports/security/fwknop/files/patch-knopmd.8 (new)
1.1 +11 -0 ports/security/fwknop/files/patch-knopmd.c (new)
1.1 +11 -0 ports/security/fwknop/files/patch-knopmd.conf (new)
1.1 +11 -0 ports/security/fwknop/files/patch-knopspoof (new)
1.1 +20 -0 ports/security/fwknop/files/patch-knoptm (new)
1.1 +15 -0 ports/security/fwknop/files/patch-knopwatchd.8 (new)
1.1 +11 -0 ports/security/fwknop/files/patch-knopwatchd.c (new)
1.1 +2 -0 ports/security/fwknop/pkg-descr (new)
1.1 +44 -0 ports/security/fwknop/pkg-plist (new)
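An added example, not fwknop's own code, of the three server-side checks the log message above lists: a constructed SPA-style datagram is accepted only if it authenticates under a pre-shared key, falls inside a freshness window, and has not been accepted before (replay cache keyed by packet digest). Assumptions: HMAC-SHA256 stands in for fwknop's symmetric encryption because the Python standard library has no cipher, and the packet layout, key, window and addresses are constructed for illustration.

```python
import base64, binascii, hashlib, hmac

class SpaVerifier:
    """Verifies one SPA-style datagram sniffed off the wire: the packet
    must be authentic, fresh, and not previously accepted. Only a
    verdict of "ok" yields the (src_ip, port) a default-drop filter
    would be told to open; everything else stays dropped."""

    def __init__(self, key, window=120):
        self.key = key          # assumption: pre-shared key
        self.window = window    # seconds a packet stays acceptable
        self.seen = set()       # replay cache: digests of accepted packets

    def build(self, src_ip, port, ts, nonce):
        # Client side, included only so the example runs stand-alone.
        # Layout (constructed): base64(ts|nonce|src_ip|port) "." hex(HMAC)
        body = f"{ts}|{nonce}|{src_ip}|{port}".encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return base64.b64encode(body) + b"." + tag.encode()

    def verify(self, payload, now):
        """Return (verdict, (src_ip, port) or None)."""
        try:
            b64, tag = payload.split(b".", 1)
            body = base64.b64decode(b64, validate=True)
            expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
            # Constant-time compare; a wrong key or tampered body fails here.
            if not hmac.compare_digest(expected.encode(), tag):
                return "bad-hmac", None
            ts, _nonce, src_ip, port = body.decode().split("|")
            ts, port = int(ts), int(port)
        except (ValueError, binascii.Error):
            return "malformed", None
        # Freshness: a captured packet is useless once the window passes.
        if abs(now - ts) > self.window:
            return "stale", None
        # Replay: an identical packet inside the window is rejected too.
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.seen:
            return "replay", None
        self.seen.add(digest)
        return "ok", (src_ip, port)
```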