Tags: spa single-packet-authorization port-knocking c python linux freebsd openbsd macos
2.6.9 09 Jun 2016 12:07 major feature:
* Added support for the SHA3 "Keccak" algorithm (specifically SHA3_256 and SHA3_512) for SPA HMAC and digest checking.
* Added support for libnetfilter_queue so that fwknopd can acquire SPA packets via the NFQ target. This feature is enabled with a new command line switch '--enable-nfq-capture' for the configure script, and libpcap is not required in this mode.
* Added support for deriving the source IP from the X-Forwarded-For HTTP header when SPA packets are sent over HTTP connections.
2.6.8 23 Dec 2015 22:05 major feature: Major new feature to allow fwknop to integrate with third-party devices and software. This is done with a new command "open/close" cycle capability. Add include directive to access.conf.
2.6.7 25 Aug 2015 11:39 major feature: Add support for executing commands via sudo, add --key-gen mode to fwknopd, add QR code generation for encryption and HMAC keys. Fixed a bug to support older versions of iptables on distributions like CentOS 6.5.
2.6.6 24 Apr 2015 04:31 major feature: Add the ability for fwknopd to function as a generic SPA gateway. This allows scenarios such as the fwknopd system providing DHCP addresses to client systems, but those systems would be blocked by default from accessing the broader Internet until a valid SPA packet is sent to the gateway. Bug fix when compiled with --enable-udp-server to not include pcap.h, which is likely not installed whenever libpcap is also not installed.
2.6.5 17 Dec 2014 13:18 major feature: This release fixes one bug in fwknopd found through AFL fuzzing (a local-only crash in fwknopd upon importing a maliciously constructed digest.cache file which is only writeable by root), and adds a new DESTINATION keyword to the access.conf file (from Grant Pannell).
2.6.4 17 Nov 2014 13:33 major feature: Added an optional UDP listener mode for fwknopd so that libpcap can be removed as a dependency. Added support for firewalld on recent Fedora, RHEL, and CentOS systems. Replaced all system() and popen() calls with execvpe() with no usage of the environment (a defensive measure). Added support for the 'American Fuzzy Lop' fuzzer from Michal Zalewski.
2.6.3 30 Jul 2014 11:57 minor feature: SSL support for IP resolution lookups. GPG full fingerprint comparison criteria instead of the abbreviated signature strings. A new SPA packet fuzzer used by the test suite. libfiu fault injection library support (also used by the test suite).
Submitted by Michael Rash