
Re: Request for review: fwknop package



Franck Joncourt wrote:

> Description: FireWall KNock OPerator server side
> It implements an authorization scheme called Single Packet Authorization
> (SPA) that is based around Netfilter and libpcap.
> .
> By using Netfilter to maintain a "default drop" stance, the main
> application of this program is to protect services such as OpenSSH with
> an additional layer of security in order to make the exploitation of
> vulnerabilities (both 0-day and unpatched code) much more difficult.
> .
> The authorization server passively monitors authorization packets via
> libpcap and hence there is no "server" to which to connect in the
> traditional sense. Access to a protected service is only granted after a
> valid encrypted and non-replayed packet is monitored.

 Description: FireWall KNock OPerator server side
  The FireWall KNock OPerator implements an authorization scheme called
  Single Packet Authorization (SPA), based on Netfilter and libpcap.
  .
  Its main application is to protect services such as OpenSSH with
  an additional layer of security in order to make the exploitation of
  vulnerabilities (both 0-day and unpatched code) much more difficult.
  .
  The authorization server passively listens for authorization packets via
  libpcap, so there is no service listening for network connections on the
  traditional port. Access to a protected service is only granted after a
  valid encrypted and non-replayed packet is detected.

You can't really deny there's a server; adding fwknopd increases the
number of installed servers by one!  Even saying there's no service
is stretching things a bit. 

> Description: FireWall KNock OPerator client side
> [...] idem as above
> .
> This is the client program responsible for accepting password input
> from the user; constructing SPA packets that conform to the fwknop
> packet format; encrypting packet data.

Instead of "doing X; doing Y; doing Z", make that "doing X, doing Y,
and doing Z":
  This is the client program responsible for accepting password input
  from the user, constructing SPA packets that conform to the fwknop
  packet format, and encrypting packet data.

(Skipping the debconf part)

> README.Debian
> ----------------------------------------
> 
>                                  Quick setup
> --------------------------------------------------------------------------------
> 
> As the FWKnop OPerator daemon can be configured in many ways, this

Wait, "FWKnop OPerator daemon"?  Shouldn't that be "FireWall KNock
OPerator daemon"?

> package allows the user to turn the SSH protection on by the use of a
> Rjindael password. Although this provides decent security, moving to a
> GnuPG setup is recommended.
> 
> During the installation process, if the daemon has not previously been
> configured, the user will be prompted for a quick setup. In case you
> decline the offer, you can still run it with the following command:

Not "In case".  Make it "If" or "Even if".

("In case" means subtly different things in different parts of the
anglophone world.  For some users, it's "conditionally, if"; for
others it's "unconditionally, lest".  The instruction "unplug your
computer immediately in case it catches fire" is dangerously
ambiguous.) 
 
> [code]
> # dpkg-reconfigure fwknop-server
> [/code]
> 
> You will be asked few questions, then the FWKnop OPerator daemon will be
                   a few                    see above
> started according to your settings. Edit access.conf and fwknop.conf in
> /etc/fwknop/ if you would like to make some other changes and restart
> the daemon.

                                      If you want to make any further
  changes, edit access.conf and fwknop.conf in /etc/fwknop/ and restart
  the daemon.
 
> [code]
> # invoke-rc.d fwknop-server restart
> [/code]
> 
>                           Check your installation
> --------------------------------------------------------------------------------
> 
> To verify that your installation was successful, try connecting to your
> SSH server using the fwknop client.
> 
> [code]
> [...]

?

> [/code]
> 
>           Minimal steps to configure the FWKnop OPerator server
                                               see above
> --------------------------------------------------------------------------------
> 
> In case you would prefer to update both access.conf and fwknop.conf
  If
> files in /etc/fwknop by hand, here is the list of the variables that
> have to be defined:
> 
> in access.conf:
>   -> KEY: myverylongkey

Distracting "->" bulletpoints; is this the syntax of the file or
would it make more sense to quote them like this?

  in access.conf:
  	KEY=myverylongkey

>   or
>   -> GPG_HOME_DIR: /root/.gnupg;
>   -> GPG_DECRYPT_ID: ABCD1234;
>   -> GPG_DECRYPT_PW: myGpgPassword;
>   -> GPG_REMOTE_ID: 1234ABCD;
> 
> in fwknop.conf:
>   -> HOSTNAME: diamond.dthconnex.com
>   -> PCAP_INTF: eth0
> 
> By default, the FWKnop OPerator daemon is not allowed to start at boot
                  see above         say "is not started at boot"
> time through the init scripts in /etc/init.d/. You can change this
> behaviour by updating the START_DAEMON variable from "no" to "yes" in
en_US:behavior
> /etc/default/fwknop-server.
-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
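The README excerpt above lists the minimal variables an administrator has to set by hand (KEY or the four GPG_* values in access.conf, HOSTNAME and PCAP_INTF in fwknop.conf, START_DAEMON in /etc/default/fwknop-server). The following check script is an added example, not part of this message or of the fwknop package; it assumes the "NAME: value" line format shown in the README (a trailing ";" is tolerated) and NAME=value in the defaults file, and the sample files it creates are constructed from the values quoted above.

```shell
# Added example, not from the fwknop package or this thread: check that the
# minimal variables the README lists are actually set. Assumes the
# "NAME: value" lines shown there (trailing ';' tolerated) in access.conf and
# fwknop.conf, and NAME=value (optionally quoted) in /etc/default/fwknop-server.

# conf_get FILE NAME: print NAME's value (first match), nothing if absent
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" 2>/dev/null |
        sed -e 's/;[[:space:]]*$//' -e 's/^"//' -e 's/"$//' | head -n 1
}

# check_fwknop_setup ACCESS_CONF FWKNOP_CONF DEFAULTS: 0 if complete, 1 if not
check_fwknop_setup() {
    rc=0
    key=$(conf_get "$1" KEY)
    if [ -n "$key" ]; then
        # Rijndael passphrase: the README calls this "decent" but prefers GnuPG
        [ "${#key}" -ge 16 ] || echo "WARN: KEY in $1 is shorter than 16 characters"
        echo "INFO: symmetric KEY in $1; README recommends moving to a GnuPG setup"
    else
        for v in GPG_HOME_DIR GPG_DECRYPT_ID GPG_DECRYPT_PW GPG_REMOTE_ID; do
            [ -n "$(conf_get "$1" "$v")" ] || { echo "ERR: $v missing in $1"; rc=1; }
        done
    fi
    for v in HOSTNAME PCAP_INTF; do
        [ -n "$(conf_get "$2" "$v")" ] || { echo "ERR: $v missing in $2"; rc=1; }
    done
    [ "$(conf_get "$3" START_DAEMON)" = yes ] ||
        { echo "ERR: START_DAEMON is not \"yes\" in $3; fwknopd will not start at boot"; rc=1; }
    return $rc
}

# Constructed sample files (values copied from the README excerpt) for a dry run
TMP=$(mktemp -d)
cat >"$TMP/gpg_access.conf" <<'EOF'
GPG_HOME_DIR: /root/.gnupg;
GPG_DECRYPT_ID: ABCD1234;
GPG_DECRYPT_PW: myGpgPassword;
GPG_REMOTE_ID: 1234ABCD;
EOF
printf 'KEY: short\n' >"$TMP/weak_access.conf"
printf 'HOSTNAME: diamond.dthconnex.com\nPCAP_INTF: eth0\n' >"$TMP/fwknop.conf"
printf 'HOSTNAME: diamond.dthconnex.com\n' >"$TMP/fwknop_noif.conf"
printf 'START_DAEMON="yes"\n' >"$TMP/defaults_yes"
printf 'START_DAEMON=no\n' >"$TMP/defaults_no"

if check_fwknop_setup "$TMP/gpg_access.conf" "$TMP/fwknop.conf" "$TMP/defaults_yes"; then
    echo "sample GnuPG setup: complete"
fi
```

Run it against the real files as `check_fwknop_setup /etc/fwknop/access.conf /etc/fwknop/fwknop.conf /etc/default/fwknop-server` after the dpkg-reconfigure step; a non-zero exit means the daemon is missing one of the variables the README requires.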

