Bug 457888 - Review Request: fwknop - A Single Packet Authorization (SPA) implementation
Review Request: fwknop - A Single Packet Authorization (SPA) implementation
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Tkac
Fedora Extras Quality Assurance
:
Depends On: 457543 457544 457545 457546
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-05 04:29 EDT by Miloslav Trmač
Modified: 2013-04-30 19:40 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-10 11:47:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
atkac: fedora‑review+
kevin: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Miloslav Trmač 2008-08-05 04:29:33 EDT
Spec URL: http://mitr.fedorapeople.org/packaging/fwknop.spec
SRPM URL: http://mitr.fedorapeople.org/packaging/fwknop-1.9.6-1.fc9.src.rpm
Description:
fwknop implements an authorization scheme known as Single Packet
Authorization (SPA) that requires only a single encrypted packet to
communicate various pieces of information including desired access through an
iptables policy and/or specific commands to execute on the target system.
The main application of this program is to protect services such as SSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult.  The
authorization server passively monitors authorization packets via libpcap and
hence there is no "server" to which to connect in the traditional sense.  Any
service protected by fwknop is inaccessible (by using iptables to
intercept packets within the kernel) before authenticating; anyone scanning for
the service will not be able to detect that it is even listening.  This
authorization scheme offers many advantages over port knocking, include being
non-replayable, much more data can be communicated, and the scheme cannot be
broken by simply connecting to extraneous ports on the server in an effort to
break knock sequences.  The authorization packets can easily be spoofed as
well, and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system but in reality the
actual connection will come from a seemingly unrelated IP. Although the
default data collection method is to use libpcap to sniff packets off the
wire, fwknop can also read packets out of a file that is written by the
iptables ulogd pcap writer or by a separate sniffer process.
Comment 1 Adam Tkac 2008-08-12 06:40:34 EDT
I will take care about this review.

Specfile
---
- I think that daemons should be compiled with -fpie/-fPIE, shouldn't them? (especially security related daemons)
- if you are going to put package only into rawhide please remove BuildRoot definition (see http://wiki.rpm.org/Releases/4.5.90 - it is ignored)

----------------------------
rpmlint
---
src.rpm -> OK

binary rpm:
fwknop.x86_64: W: log-files-without-logrotate /var/log/fwknop
- would it be possible add logrotate script? It will prevent endless grow of log file.

fwknop.x86_64: W: dangerous-command-in-%post perl
- this doesn't look right for me. I think that part of configuration file should be changed by administrator, not by script (or simply put there "localhost" in %install section of spec)

It would be nice to have SELinux policy for this package but if it not exists yet I'm not going to block this review. Otherwise package seems fine for me.
Comment 2 Peter Vrabec 2008-08-12 14:18:53 EDT
SRPM: http://people.redhat.com/pvrabec/rpms/fwknop-1.9.6-2.fc9.src.rpm
SPEC: http://people.redhat.com/pvrabec/rpms/fwknop.spec

PIE:
see http://fedoraproject.org/wiki/Security/Features
I don't think we need to compile it with -fpie/-fPIE

I left BuildRoot in spec file, it doesn't hurt and you can create the packege even on older systems.

Everything else was fixed.
Comment 3 Adam Tkac 2008-08-13 05:42:29 EDT
Package looks fine, reviewed
Comment 4 Peter Vrabec 2008-08-13 08:13:44 EDT
New Package CVS Request
=======================
Package Name: fwknop
Short Description: A Single Packet Authorization (SPA) implementation
Owners: pvrabec,mitr
Branches:
InitialCC:
Cvsextras Commits: yes
Comment 5 Kevin Fenzi 2008-08-13 13:21:56 EDT
cvs done. 

Please make sure to assign the bug to reviewer.
Comment 6 Miloslav Trmač 2008-09-11 15:05:25 EDT
Package Change Request
======================
Package Name: fwknop
New Branches: F-9

Thanks in advance.
Comment 7 Kevin Fenzi 2008-09-11 15:32:26 EDT
cvs done.
Comment 8 Miloslav Trmač 2008-09-17 21:42:21 EDT
Package Change Request
======================
Package Name: fwknop
New Branches: F-9

I'm afraid I can't see the F-9 branch in a fresh checkout.
Comment 9 Kevin Fenzi 2008-09-18 13:12:30 EDT
I see it fine here... 

Are you sure you are using 'cvs update -d' to get new directories?
Comment 10 Miloslav Trmač 2008-09-18 13:20:49 EDT
Right, it's there now - but using exactly the same command, I didn't get a F-9 branch yesterday.
Comment 11 Kevin Fenzi 2008-09-18 13:33:10 EDT
Weird. It might have been that something was messed up and the branches were not created, but if so I didn't fix it. Perhaps some other cvsadmin noticed it and fixed it? 

In any case, sorry for the troubles...

Note You need to log in before you can comment on or make changes to this bug.