
Re: Request for review: fwknop package

Hi -

Christian Perrier wrote:

Sorry for the delay, I have written the README.Debian file.

> I will probably not suggest better things than Justin, but I could 
> make an overall check of the general debconf use, etc.
> I also suggest that you'll send a call for translations *before* 
> uploading the package introducing debconf templates....and, if you 
> translate them to French yourself, that you request for a review in 
> debian-l10n-french.
> I also suggest you send the package description from debian/control 
> for review, while you're at it.

So, below you will find:
  - part of the debian/control
  - fwknop-server.templates
  - README.Debian - if you like


and inline :)

Lines are wrapped at 72 characters, so I made some changes to make it
clean. I hope this is not too bad with your MUA.

Part of debian/control

Description: FireWall KNock OPerator server side
It implements an authorization scheme called Single Packet Authorization
(SPA) that is based around Netfilter and libpcap.
By using Netfilter to maintain a "default drop" stance, the main
application of this program is to protect services such as OpenSSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult.
The authorization server passively monitors authorization packets via
libpcap and hence there is no "server" to which to connect in the
traditional sense. Access to a protected service is only granted after a
valid encrypted and non-replayed packet is monitored.

Description: FireWall KNock OPerator client side
[...] idem as above
This is the client program responsible for accepting password input
from the user, constructing SPA packets that conform to the fwknop
packet format, and encrypting packet data.

Part of fwknop-server.templates
I have removed the hostname question.

_Description: Configure fwknop to protect the SSH port?
The FireWall KNock OPerator daemon has not been set up yet. This install
process can configure fwknopd to protect the SSH port with a simple
Rijndael shared key, but moving to a GnuPG setup is recommended. Setting
up GnuPG for SPA communications involves a few manual steps that are
described in the fwknop documentation. In the meantime, using Rijndael
for SPA encryption and decryption provides decent security.

_Description: Sniffing interface:
By default, fwknop-server uses libpcap, and needs to know which Ethernet
interface should be put in promiscuous mode.

_Description: Encryption key to use:
By default, SPA packets are encrypted with the Rijndael block cipher,
which requires an encryption key. This password must be at least eight
characters in length.


                                 Quick setup

As the FWKnop OPerator daemon can be configured in many ways, this
package allows the user to turn the SSH protection on by the use of a
Rijndael password. Although this provides decent security, moving to a
GnuPG setup is recommended.

During the installation process, if the daemon has not previously been
configured, the user will be prompted for a quick setup. In case you
decline the offer, you can still run it with the following command:

# dpkg-reconfigure fwknop-server

You will be asked a few questions, then the FWKnop OPerator daemon will be
started according to your settings. Edit access.conf and fwknop.conf in
/etc/fwknop/ if you would like to make some other changes and restart
the daemon.

# invoke-rc.d fwknop-server restart

                          Check your installation

To verify that your installation was successful, try connecting to your
SSH server using the fwknop client.


          Minimal steps to configure the FWKnop OPerator server

In case you would prefer to update both access.conf and fwknop.conf
files in /etc/fwknop by hand, here is the list of the variables that
have to be defined:

in access.conf:
  -> KEY: myverylongkey
  -> GPG_HOME_DIR: /root/.gnupg;
  -> GPG_DECRYPT_PW: myGpgPassword;

in fwknop.conf:
  -> HOSTNAME: diamond.dthconnex.com
  -> PCAP_INTF: eth0

By default, the FWKnop OPerator daemon is not allowed to start at boot
time through the init scripts in /etc/init.d/. You can change this
behaviour by updating the START_DAEMON variable from "no" to "yes" in


Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

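Added example, not part of the fwknop package, the Debian packaging or this e-mail: a small POSIX sh audit of a hand-edited access.conf, following the "Minimal steps" above. It assumes the "NAME: value;" layout shown in the message and takes the file path as an argument. The eight-character minimum for KEY comes from the debconf template; the permission check is this example's own addition, motivated by KEY and GPG_DECRYPT_PW being stored in clear text in that file.

```shell
#!/bin/sh
# Added example (not fwknop's own code): audit an fwknop access.conf.
# Assumes the "NAME: value;" layout shown in the message; the path to the
# file is given as the first argument.

# Print the value of one variable ("NAME: value;" -> "value"), or nothing.
access_conf_get() {
    # $1 = path to access.conf, $2 = variable name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^;]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Check an access.conf file. Returns 0 when every check passes, 1 otherwise;
# each problem is reported on stderr.
check_access_conf() {
    file=$1
    rc=0

    # The debconf template requires a Rijndael key of at least eight chars.
    key=$(access_conf_get "$file" KEY)
    if [ -z "$key" ]; then
        echo "$file: KEY is not set" >&2
        rc=1
    elif [ "${#key}" -lt 8 ]; then
        echo "$file: KEY is shorter than eight characters" >&2
        rc=1
    fi

    # A GnuPG setup needs an existing keyring directory for the daemon.
    gpgdir=$(access_conf_get "$file" GPG_HOME_DIR)
    if [ -n "$gpgdir" ] && [ ! -d "$gpgdir" ]; then
        echo "$file: GPG_HOME_DIR $gpgdir does not exist" >&2
        rc=1
    fi

    # The file holds the shared key (and the GPG passphrase, if any) in
    # clear, so group and others must not be able to read it (e.g. 0600).
    # This check is the example's own addition, not a fwknop requirement.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *[4-7][0-7]|*[0-7][4-7])
            echo "$file: mode $mode lets group or others read the key" >&2
            rc=1
            ;;
    esac

    return "$rc"
}

# Usage: sh check-access-conf.sh /etc/fwknop/access.conf
if [ "$#" -gt 0 ]; then
    check_access_conf "$1"
fi
```

Run it as root after editing /etc/fwknop/access.conf and before restarting the daemon; a non-zero exit means at least one of the settings above would not pass the same constraints the debconf quick setup enforces.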