authorEdwin Groothuis <edwin@FreeBSD.org>2008-06-13 03:43:51 +0000
committerEdwin Groothuis <edwin@FreeBSD.org>2008-06-13 03:43:51 +0000
commitbe29a34732f3bda4f52b0ee512fede198e9f03f3 (patch)
treecb77dd6875c552a9b643d1f7df6754bc6e83bc3a /security/fwknop
parenta643038b42ef282cf2c0b7751a5e1419919094ee (diff)
New port: security/fwknop fwknop,"FireWall KNock OPerator", implements
Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libpcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com>
Notes
Notes: svn path=/head/; revision=214737
Diffstat (limited to 'security/fwknop')
-rw-r--r--security/fwknop/Makefile59
-rw-r--r--security/fwknop/distinfo3
-rw-r--r--security/fwknop/files/patch-access.conf20
-rw-r--r--security/fwknop/files/patch-fwknop20
-rw-r--r--security/fwknop/files/patch-fwknop.865
-rw-r--r--security/fwknop/files/patch-fwknop.conf45
-rw-r--r--security/fwknop/files/patch-fwknop_serv11
-rw-r--r--security/fwknop/files/patch-fwknopd20
-rw-r--r--security/fwknop/files/patch-fwknopd.8112
-rw-r--r--security/fwknop/files/patch-init-scripts-fwknop-init.freebsd18
-rw-r--r--security/fwknop/files/patch-install.pl60
-rw-r--r--security/fwknop/files/patch-knopmd.811
-rw-r--r--security/fwknop/files/patch-knopmd.c11
-rw-r--r--security/fwknop/files/patch-knopmd.conf11
-rw-r--r--security/fwknop/files/patch-knopspoof11
-rw-r--r--security/fwknop/files/patch-knoptm20
-rw-r--r--security/fwknop/files/patch-knopwatchd.815
-rw-r--r--security/fwknop/files/patch-knopwatchd.c11
-rw-r--r--security/fwknop/pkg-descr2
-rw-r--r--security/fwknop/pkg-plist44
20 files changed, 569 insertions, 0 deletions
diff --git a/security/fwknop/Makefile b/security/fwknop/Makefile
new file mode 100644
index 000000000000..9f41b2d6c97e
--- /dev/null
+++ b/security/fwknop/Makefile
@@ -0,0 +1,59 @@
+# New ports collection makefile for: fwknop
+#
+# Date created: 23 Nov 2007
+# Whom: Sean Greven<sean.greven@gmail.com>
+#
+# $FreeBSD$
+#
+
+PORTNAME= fwknop
+PORTVERSION= 1.8.3
+CATEGORIES= security
+MASTER_SITES= http://www.cipherdyne.org/fwknop/download/
+
+MAINTAINER= sean.greven@gmail.com
+COMMENT= An SPA implimentation for Linux and FreeBSD
+
+BUILD_DEPENDS= ${SITE_PERL}/Net/IPv4Addr.pm:${PORTSDIR}/net-mgmt/p5-Net-IPv4Addr \
+ ${SITE_PERL}/${PERL_ARCH}/Unix/Syslog.pm:${PORTSDIR}/sysutils/p5-Unix-Syslog \
+ ${SITE_PERL}/${PERL_ARCH}/Term/ReadKey.pm:${PORTSDIR}/devel/p5-Term-ReadKey \
+ ${SITE_PERL}/${PERL_ARCH}/Net/Pcap.pm:${PORTSDIR}/net/p5-Net-Pcap \
+ ${SITE_PERL}/${PERL_ARCH}/List/MoreUtils.pm:${PORTSDIR}/lang/p5-List-MoreUtils \
+ ${SITE_PERL}/${PERL_ARCH}/Crypt/Rijndael.pm:${PORTSDIR}/security/p5-Crypt-Rijndael \
+ ${SITE_PERL}/${PERL_ARCH}/Class/MethodMaker.pm:${PORTSDIR}/devel/p5-Class-MethodMaker \
+ ${SITE_PERL}/${PERL_ARCH}/Net/RawIP.pm:${PORTSDIR}/net/p5-Net-RawIP \
+ ${SITE_PERL}/GnuPG/Key.pm:${PORTSDIR}/security/p5-GnuPG-Interface \
+ ${SITE_PERL}/Crypt/CBC.pm:${PORTSDIR}/security/p5-Crypt-CBC \
+ ${SITE_PERL}/NetPacket.pm:${PORTSDIR}/net/p5-NetPacket \
+ ${SITE_PERL}/Net/Ping/External.pm:${PORTSDIR}/net/p5-Net-Ping-External
+RUN_DEPENDS= ${BUILD_DEPENDS}
+
+MAN8= fwknop.8 fwknopd.8 knopmd.8 knopwatchd.8
+MANCOMPRESSED= yes
+
+NO_BUILD= yes
+USE_PERL5_BUILD=yes
+
+post-patch:
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/access.conf
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/fwknop
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/fwknop.8
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/fwknop.conf
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/fwknop_serv
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/fwknopd
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/fwknopd.8
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/install.pl
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knopmd.8
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knopmd.c
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knopmd.conf
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knopspoof
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knoptm
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knopwatchd.8
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/knopwatchd.c
+ @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' ${WRKSRC}/init-scripts/fwknop-init.freebsd
+
+do-install:
+ cd ${WRKSRC} && ./install.pl
+ @${ECHO_MSG} "Configuration files in ${LOCALBASE}/etc/fwknop";
+
+.include <bsd.port.mk>
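Review bot: `USE_PERL5_BUILD=yes` together with `NO_BUILD=yes` records perl only as a build-time dependency, yet fwknop, fwknopd, knoptm and fwknop_serv are Perl scripts executed after installation (the sibling patches edit their `use lib` lines), so the port should declare `USE_PERL5= yes` to register the run-time dependency as well. The `do-install` message hard-codes `${LOCALBASE}/etc/fwknop` while every patched path is substituted with `${PREFIX}`; write `@${ECHO_MSG} "Configuration files in ${PREFIX}/etc/fwknop"` and drop the stray trailing `;`. `COMMENT` has a typo and ports style omits the leading article: `COMMENT= SPA implementation for Linux and FreeBSD`. knopmd.c and knopwatchd.c are C sources, but with `NO_BUILD` they can only be compiled from inside `install.pl`, which hides `CC`/`CFLAGS` from the framework — worth confirming how they are built. The sixteen identical `post-patch` lines would read better as one `for f in …; do ${REINPLACE_CMD} … ${WRKSRC}/$$f; done` loop.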
diff --git a/security/fwknop/distinfo b/security/fwknop/distinfo
new file mode 100644
index 000000000000..f3a1efdbceb3
--- /dev/null
+++ b/security/fwknop/distinfo
@@ -0,0 +1,3 @@
+MD5 (fwknop-1.8.3.tar.gz) = 9ee3ff46a01911a095f4cec9a3ca2e3b
+SHA256 (fwknop-1.8.3.tar.gz) = 366dbb0c9ae38973cee960408eb1a76ed6ff544f15855affaed93331face9491
+SIZE (fwknop-1.8.3.tar.gz) = 471949
diff --git a/security/fwknop/files/patch-access.conf b/security/fwknop/files/patch-access.conf
new file mode 100644
index 000000000000..6c5249bdff18
--- /dev/null
+++ b/security/fwknop/files/patch-access.conf
@@ -0,0 +1,20 @@
+--- access.conf.orig 2007-11-21 20:59:13.000000000 +0200
++++ access.conf 2007-11-21 21:00:47.000000000 +0200
+@@ -5,7 +5,7 @@
+ #
+ # Purpose: This file defines how fwknop will modify iptables access controls
+ # for specific IPs/networks. It gets installed by default at
+-# /etc/fwknop/access.conf and is consulted by fwknop when run in
++# %%PREFIX%%/etc/fwknop/access.conf and is consulted by fwknop when run in
+ # "access control mode", which is the default (i.e. when fwknop is
+ # run from the command line without any command line arguments).
+ # The corresponding file ~/.fwknoprc defines how fwknop will
+@@ -96,7 +96,7 @@
+ # fwknopd to read packets from a file that is written to by a sniffer
+ # process or by something like the ulogd pcap writer (use ULOG_PCAP for
+ # this). The specific file path is defined by the PCAP_FILE keyword in
+-# /etc/fwknop/fwknop.conf). We also require that the username on the
++# %%PREFIX%%/etc/fwknop/fwknop.conf). We also require that the username on the
+ # system that generates the authorization packet is "mbr":
+ #
+ # SOURCE: ANY;
diff --git a/security/fwknop/files/patch-fwknop b/security/fwknop/files/patch-fwknop
new file mode 100644
index 000000000000..46555550e603
--- /dev/null
+++ b/security/fwknop/files/patch-fwknop
@@ -0,0 +1,20 @@
+--- fwknop.orig 2007-11-21 20:59:13.000000000 +0200
++++ fwknop 2007-11-21 21:01:29.000000000 +0200
+@@ -37,7 +37,7 @@
+ # $Id: fwknop 586 2006-11-04 20:45:49Z mbr $
+ #
+
+-use lib '/usr/lib/fwknop';
++use lib '%%PREFIX%%/lib/fwknop';
+ use Crypt::CBC;
+ use Net::IPv4Addr qw(ipv4_in_network);
+ use Net::Ping::External qw(ping);
+@@ -975,7 +975,7 @@
+ } else {
+ print
+ "[+] Enter an encryption key. This key must match a key in the file\n",
+-" /etc/fwknop/access.conf on the remote system.\n\n" unless $quiet;
++" %%PREFIX%%/etc/fwknop/access.conf on the remote system.\n\n" unless $quiet;
+ }
+ my $try = 0;
+ my $max_tries = 20;
diff --git a/security/fwknop/files/patch-fwknop.8 b/security/fwknop/files/patch-fwknop.8
new file mode 100644
index 000000000000..0caefd89cadd
--- /dev/null
+++ b/security/fwknop/files/patch-fwknop.8
@@ -0,0 +1,65 @@
+--- fwknop.8.orig 2007-11-21 20:59:13.000000000 +0200
++++ fwknop.8 2007-11-21 21:01:07.000000000 +0200
+@@ -43,7 +43,7 @@
+ or via GnuPG and associated asymmetric ciphers. If the symmetric encryption
+ method is chosen, then the encryption key is shared between between the
+ client and server (see the
+-.I /etc/fwknop/access.conf
++.I %%PREFIX%%/etc/fwknop/access.conf
+ file). If the GnuPG
+ method is chosen, then the encryption keys are derived from GnuPG key
+ rings. SPA packets generated by fwknop running as a client adhere
+@@ -76,7 +76,7 @@
+ this can be tuned via the
+ .B ALERTING_METHODS
+ variable in the
+-.I /etc/fwknop/fwknop.conf
++.I %%PREFIX%%/etc/fwknop/fwknop.conf
+ file). By default, the
+ .B fwknop
+ client sends authorization packets over UDP
+@@ -310,7 +310,7 @@
+ .B REQUIRE_USERNAME
+ keyword that might
+ be specified in
+-.I /etc/fwknop/access.conf.
++.I %%PREFIX%%/etc/fwknop/access.conf.
+ .TP
+ .BR \-\^\-Spoof-user\ \<user>
+ Specify the username that is included within SPA packet. This allows
+@@ -352,7 +352,7 @@
+ and have it execute the command). This option is not needed when trying to
+ gain access to a service via the SPA mechanism. To use this feature, please
+ ensure that ENABLE_CMD_EXEC; is set in the file
+-.I /etc/fwknop/access.conf
++.I %%PREFIX%%/etc/fwknop/access.conf
+ on the
+ .B fwknopd
+ server you are sending the command to.
+@@ -363,7 +363,7 @@
+ server, which will execute the command as root. Command execution is enabled only
+ if the
+ .B ENABLE_CMD_EXEC keyword is given in
+-.I /etc/fwknop/access.conf
++.I %%PREFIX%%/etc/fwknop/access.conf
+ (note that commands can easily be restricted with the
+ .B CMD_REGEX
+ keyword as well).
+@@ -502,7 +502,7 @@
+ .RS
+ .B NOTE:
+ Please ensure that ENABLE_CMD_EXEC; is set in the file
+-.I /etc/fwknop/access.conf
++.I %%PREFIX%%/etc/fwknop/access.conf
+ on the
+ .B fwknopd
+ server you are attempting to connect to.
+@@ -563,7 +563,7 @@
+ will read the sequence out of the file
+ .B ~/.fwknoprc
+ and the server will read the sequence out of
+-.B /etc/fwknop/access.conf:
++.B %%PREFIX%%/etc/fwknop/access.conf:
+ .PP
+ .B $ fwknop --Server-mode 'knock' -D 10.11.11.123
+ .RE
diff --git a/security/fwknop/files/patch-fwknop.conf b/security/fwknop/files/patch-fwknop.conf
new file mode 100644
index 000000000000..ba8ec4b07230
--- /dev/null
+++ b/security/fwknop/files/patch-fwknop.conf
@@ -0,0 +1,45 @@
+--- fwknop.conf.orig 2007-11-23 22:37:27.000000000 +0200
++++ fwknop.conf 2007-11-23 22:40:56.000000000 +0200
+@@ -10,7 +10,7 @@
+ #
+ # Note there are no access control directives in this file. All access
+ # control directives are located in the file
+-# /etc/fwknop/access.conf. You will need to edit the access.conf file in
++# %%PREFIX%%/etc/fwknop/access.conf. You will need to edit the access.conf file in
+ # order for fwknop to function correctly.
+ #
+ #############################################################################
+@@ -90,7 +90,7 @@
+
+ ### If GPG keys are used instead of a Rijndael symmetric key, this is
+ ### the default GPG keys directory. Note that each access block in
+-### /etc/fwknop/access.conf can specify its own GPG directory to override
++### %%PREFIX%%/etc/fwknop/access.conf can specify its own GPG directory to override
+ ### this default.
+ GPG_DEFAULT_HOME_DIR /root/.gnupg;
+
+@@ -184,8 +184,8 @@
+ FWKNOP_DIR /var/log/fwknop;
+ FWKNOP_RUN_DIR /var/run/fwknop;
+ FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode
+-FWKNOP_MOD_DIR /usr/lib/fwknop;
+-FWKNOP_CONF_DIR /etc/fwknop;
++FWKNOP_MOD_DIR %%PREFIX%%/lib/fwknop;
++FWKNOP_CONF_DIR %%PREFIX%%/etc/fwknop;
+ FWKNOP_ERR_DIR $FWKNOP_DIR/errs;
+
+ ### Files
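Review bot: The context lines `FWKNOP_DIR /var/log/fwknop;`, `FWKNOP_RUN_DIR /var/run/fwknop;` and `FWKNOP_LIB_DIR /var/lib/fwknop;` are left unpatched although `/var/lib` is not a hier(7) directory on FreeBSD (`/var/db` is the equivalent), and none of these run-time directories is recorded in pkg-plist. Consider patching `FWKNOP_LIB_DIR /var/db/fwknop;` and stating in a pkg-message which directories fwknopd creates outside `${PREFIX}`. `GPG_DEFAULT_HOME_DIR /root/.gnupg;` in the preceding hunk is likewise kept; that is defensible for a root-run daemon, but since patch-fwknopd.8 states the server key's passphrase must be placed in access.conf, the port should make sure that file is installed non-world-readable.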
+@@ -216,8 +216,8 @@
+ mknodCmd /bin/mknod;
+ iptablesCmd /sbin/iptables;
+ ipfwCmd /sbin/ipfw; ### BSD and Mac OS X only
+-fwknopdCmd /usr/sbin/fwknopd;
+-fwknop_servCmd /usr/sbin/fwknop_serv;
+-knopmdCmd /usr/sbin/knopmd;
+-knoptmCmd /usr/sbin/knoptm;
+-knopwatchdCmd /usr/sbin/knopwatchd;
++fwknopdCmd %%PREFIX%%/sbin/fwknopd;
++fwknop_servCmd %%PREFIX%%/sbin/fwknop_serv;
++knopmdCmd %%PREFIX%%/sbin/knopmd;
++knoptmCmd %%PREFIX%%/sbin/knoptm;
++knopwatchdCmd %%PREFIX%%/sbin/knopwatchd;
diff --git a/security/fwknop/files/patch-fwknop_serv b/security/fwknop/files/patch-fwknop_serv
new file mode 100644
index 000000000000..d8a4f83fba7c
--- /dev/null
+++ b/security/fwknop/files/patch-fwknop_serv
@@ -0,0 +1,11 @@
+--- fwknop_serv.orig 2007-11-21 20:59:13.000000000 +0200
++++ fwknop_serv 2007-11-21 21:02:08.000000000 +0200
+@@ -22,7 +22,7 @@
+ use POSIX;
+ use strict;
+
+-my $config_file = '/etc/fwknop/fwknop.conf';
++my $config_file = '%%PREFIX%%/etc/fwknop/fwknop.conf';
+ my %config = ();
+
+ my @required_vars = qw(
diff --git a/security/fwknop/files/patch-fwknopd b/security/fwknop/files/patch-fwknopd
new file mode 100644
index 000000000000..49dcf270273a
--- /dev/null
+++ b/security/fwknop/files/patch-fwknopd
@@ -0,0 +1,20 @@
+--- fwknopd.orig 2007-11-21 20:59:13.000000000 +0200
++++ fwknopd 2007-11-21 21:02:31.000000000 +0200
+@@ -40,7 +40,7 @@
+ # $Id: fwknopd 583 2006-11-04 20:43:01Z mbr $
+ #
+
+-use lib '/usr/lib/fwknop';
++use lib '%%PREFIX%%/lib/fwknop';
+ use Crypt::CBC;
+ use Unix::Syslog qw(:subs :macros);
+ use Net::IPv4Addr qw(ipv4_in_network);
+@@ -59,7 +59,7 @@
+ use Getopt::Long;
+ use strict;
+
+-my $config_file = '/etc/fwknop/fwknop.conf';
++my $config_file = '%%PREFIX%%/etc/fwknop/fwknop.conf';
+
+ my $version = '1.8.3';
+ my $revision_svn = '$Revision: 809 $';
diff --git a/security/fwknop/files/patch-fwknopd.8 b/security/fwknop/files/patch-fwknopd.8
new file mode 100644
index 000000000000..e8c4a485e7cc
--- /dev/null
+++ b/security/fwknop/files/patch-fwknopd.8
@@ -0,0 +1,112 @@
+--- fwknopd.8.orig 2007-11-21 20:59:13.000000000 +0200
++++ fwknopd.8 2007-11-21 21:02:20.000000000 +0200
+@@ -26,7 +26,7 @@
+ and
+ .B access.conf
+ within the
+-.B /etc/fwknop
++.B %%PREFIX%%/etc/fwknop
+ directory, and configuration variables within these files are desribed below.
+ .SH OPTIONS
+ .TP
+@@ -34,7 +34,7 @@
+ When run in server mode
+ .B fwknop
+ references the file
+-.B /etc/fwknop/fwknop.conf
++.B %%PREFIX%%/etc/fwknop/fwknop.conf
+ for various run-time configuration
+ variables. The path to this file can be changed through the use of the
+ .B --config
+@@ -42,7 +42,7 @@
+ .TP
+ .BR \-i "\fR,\fP " \-\^\-intf\ \<interface>
+ Manually specify interface on which to sniff, e.g. "-i eth0". This option
+-is not usually needed because the PCAP_INTF keyword in /etc/fwknop/fwknop.conf
++is not usually needed because the PCAP_INTF keyword in %%PREFIX%%/etc/fwknop/fwknop.conf
+ file defines the sniffing interface.
+ .TP
+ .BR \-\^\-fw-list
+@@ -80,32 +80,32 @@
+ .BR \-V "\fR,\fP " \-\^\-Version
+ Display version information and exit.
+ .SH FILES
+-.B /etc/fwknop/fwknop.conf
++.B %%PREFIX%%/etc/fwknop/fwknop.conf
+ .RS
+ The main configuration file for
+ .B fwknop.
+ .RE
+
+-.B /etc/fwknop/access.conf
++.B %%PREFIX%%/etc/fwknop/access.conf
+ .RS
+ Defines all knock sequences and access control directives.
+ .RE
+
+-.B /etc/fwknop/pf.os
++.B %%PREFIX%%/etc/fwknop/pf.os
+ .RS
+ Defines p0f signatures used by fwknop.
+ .RE
+ .SH FWKNOP CONFIG AND ACCESS VARIABLES
+ .B fwknop
+ references the file
+-.B /etc/fwknop/fwknop.conf
++.B %%PREFIX%%/etc/fwknop/fwknop.conf
+ for configuration variables such as the path to the firewall logfile,
+ the sleep interval fwknop uses to check for new log messages, and
+ paths to system binaries, etc. The
+ .B fwknop
+ config file does not define any access control directives; they are
+ located in the file
+-.B /etc/fwknop/access.conf.
++.B %%PREFIX%%/etc/fwknop/access.conf.
+ Access control directives define encryption keys and level of access that
+ is granted to an fwknop client that has generated the appropriate encrypted
+ message. This file is referenced for this information when run in either
+@@ -116,7 +116,7 @@
+ legacy knock sequence) will be accepted. The string "ANY" is also
+ accepted if a valid authorization packet should be honored from any source
+ IP. Every authorization stanza in
+-.B /etc/fwknop/access.conf
++.B %%PREFIX%%/etc/fwknop/access.conf
+ definition must start with the SOURCE keyword. Networks can be
+ specified in either CIDR (e.g. "192.168.10.0/24") or regular (e.g.
+ "192.168.10.0/255.255.255.0") notation, and individual IP addresses
+@@ -178,7 +178,7 @@
+ on the client, but each fwknopd server should have its own gpg key that is
+ generated specifically for fwknop communications. The reason for this is
+ that the decryption password for the server key must be placed within the
+-.B /etc/fwknop/access.conf
++.B %%PREFIX%%/etc/fwknop/access.conf
+ file for fwknopd to function (it has to be able to decrypt SPA messages that
+ have been encrypted with the server's public key). For more information on
+ using fwknop with GnuPG keys, see the following link:
+@@ -204,7 +204,7 @@
+ Define the path to the GnuPG directory to be used by the
+ .B fwknopd
+ server. If this keyword is not specified within
+-.B /etc/fwknop/access.conf
++.B %%PREFIX%%/etc/fwknop/access.conf
+ then fwknopd will default to using the /root/.gnupg directory for the server key(s).
+ .TP
+ .B FW_ACCESS_TIMEOUT: <seconds>
+@@ -235,7 +235,7 @@
+ "Linux:2.4::Linux 2.4/2.6" or "OpenBSD:3.0-3.5::OpenBSD 3.0-3.5"
+ before a knock sequence will be accepted. The fingerprints are listed
+ in
+-.B /etc/fwknop/pf.os.
++.B %%PREFIX%%/etc/fwknop/pf.os.
+ Note that the corresponding knock sequence must utilize the tcp protocol
+ (this is only be an issue for shared sequences since encrypted sequences
+ use tcp by default) since OS fingerprinting requires tcp syn packets.
+@@ -281,7 +281,7 @@
+ starting at a default port of 61000. This value can be changed
+ through the use of the PORT_OFFSET variable. The PORT_OFFSET
+ is optional and will be set to 61000 by fwknop if it is not specified
+-in /etc/fwknop/access.conf.
++in %%PREFIX%%/etc/fwknop/access.conf.
+ .TP
+ .B MIN_TIME_DIFF: <seconds>
+ Set the minimum number of seconds that must pass between successive
diff --git a/security/fwknop/files/patch-init-scripts-fwknop-init.freebsd b/security/fwknop/files/patch-init-scripts-fwknop-init.freebsd
new file mode 100644
index 000000000000..b4638c6db6e3
--- /dev/null
+++ b/security/fwknop/files/patch-init-scripts-fwknop-init.freebsd
@@ -0,0 +1,18 @@
+--- init-scripts/fwknop-init.freebsd.orig 2007-06-01 02:55:08.000000000 +0000
++++ init-scripts/fwknop-init.freebsd 2008-06-13 02:47:25.000000000 +0000
+@@ -14,13 +14,13 @@
+ fwknop_start()
+ {
+ echo "Starting fwknop."
+- /usr/sbin/fwknopd
++ %%PREFIX%%/sbin/fwknopd
+ }
+
+ fwknop_stop()
+ {
+ echo "Stopping fwknop."
+- /usr/sbin/fwknopd --Kill
++ %%PREFIX%%/sbin/fwknopd --Kill
+ }
+
+ load_rc_config $name
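Review bot: The rc script's preamble (`PROVIDE`/`REQUIRE` lines, `rcvar`, the `fwknop_enable` default and any `pidfile`) lies outside the hunk, so it cannot be checked here; because fwknopd inserts rules into the packet filter, the script should `REQUIRE: ipfw` so it is started only after the default-drop policy is loaded. From the visible lines `fwknop_start()` only echoes and execs `%%PREFIX%%/sbin/fwknopd` with no check for an already running instance, so setting `pidfile` in the preamble (if it is not set) would let rc.subr refuse a second start. Note the file is copied into place by install.pl rather than the Makefile, so its final name under `etc/rc.d/` (pkg-plist expects `etc/rc.d/fwknop`) is decided there — verify the two agree.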
diff --git a/security/fwknop/files/patch-install.pl b/security/fwknop/files/patch-install.pl
new file mode 100644
index 000000000000..10bd6d33dec8
--- /dev/null
+++ b/security/fwknop/files/patch-install.pl
@@ -0,0 +1,60 @@
+--- install.pl 2007-10-24 00:32:29.000000000 +0000
++++ install.pl 2008-06-13 02:52:36.000000000 +0000
+@@ -38,8 +38,8 @@
+
+ #========================== config ===========================
+ my $INIT_DIR = '/etc/init.d';
+-my $USRBIN_DIR = '/usr/bin';
+-my $URRSBIN_DIR = '/usr/sbin';
++my $USRBIN_DIR = '%%PREFIX%%/bin';
++my $URRSBIN_DIR = '%%PREFIX%%/sbin';
+
+ my $RUNLEVEL; ### This should only be set if install.pl
+ ### cannot determine the correct runlevel
+@@ -302,7 +302,7 @@
+ &stop_fwknop();
+ }
+
+- for my $dir qw| /usr/lib /var/run /var/log /var/lib | {
++ for my $dir qw| %%PREFIX%%/lib /usr/lib /var/run /var/log /var/lib | {
+ unless (-d $dir) {
+ mkdir $dir or die "[*] Could not mkdir $dir: $!";
+ }
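Review bot: The patched list still creates `/usr/lib`, `/var/run`, `/var/log` and `/var/lib` from the install step, i.e. the port writes outside `${PREFIX}`, and `/var/lib` is not a hier(7) directory on FreeBSD; `/usr/lib` can simply be removed now that `%%PREFIX%%/lib` heads the list, and the `/var` entries belong in pkg-plist or a pkg-message rather than an unrecorded `mkdir`. `mkdir $dir` also inherits the umask of whoever runs `make install`, so an explicit mode such as `mkdir $dir, 0755` would make the created directories independent of the invoking shell. The enclosing function starts and ends outside the hunk.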
+@@ -463,7 +463,7 @@
+ "$USRBIN_DIR/fwknop.tmp: $!";
+ for my $line (@lines) {
+ ### change the lib dir to new homedir path
+- if ($line =~ m|^\s*use\s+lib\s+\'/usr/lib/fwknop\';|) {
++ if ($line =~ m|^\s*use\s+lib\s+\'%%PREFIX%%/lib/fwknop\';|) {
+ print P "use lib '", $config{'FWKNOP_MOD_DIR'}, "';\n";
+ } else {
+ print P $line;
+@@ -725,8 +725,8 @@
+ unless (-d $INIT_DIR) {
+ if (-d '/etc/rc.d/init.d') {
+ $INIT_DIR = '/etc/rc.d/init.d';
+- } elsif (-d '/etc/rc.d') {
+- $INIT_DIR = '/etc/rc.d';
++ } elsif (-d '%%PREFIX%%/etc/rc.d') {
++ $INIT_DIR = '%%PREFIX%%/etc/rc.d';
+ } elsif (-d '/etc/init.d') {
+ $INIT_DIR = '/etc/init.d';
+ } else {
+@@ -1010,7 +1010,7 @@
+
+ ### default location to put man pages, but check with
+ ### /etc/man.config
+- my $mpath = '/usr/share/man/man8';
++ my $mpath = '%%PREFIX%%/man/man8';
+ if (-e '/etc/man.config') {
+ ### prefer to install $manpage in /usr/local/man/man8 if
+ ### this directory is configured in /etc/man.config
+@@ -1202,7 +1202,7 @@
+ print "[+] Module $mod_name is already installed in the ",
+ "system perl tree, skipping.\n";
+ } else {
+- ### install the module in the /usr/lib/fwknop directory because
++ ### install the module in the %%PREFIX%%/lib/fwknop directory because
+ ### it is not already installed.
+ $install_module = 1;
+ }
diff --git a/security/fwknop/files/patch-knopmd.8 b/security/fwknop/files/patch-knopmd.8
new file mode 100644
index 000000000000..5ed896df4407
--- /dev/null
+++ b/security/fwknop/files/patch-knopmd.8
@@ -0,0 +1,11 @@
+--- knopmd.8.orig 2007-11-21 20:59:13.000000000 +0200
++++ knopmd.8 2007-11-21 21:03:11.000000000 +0200
+@@ -13,7 +13,7 @@
+ cannot detect port knocking sequences without knopmd running on the machine.
+ .B knopmd
+ uses the knopmd.conf configuration file which by default is
+-located at /etc/fwknop/knopmd.conf, but a different path can be specified
++located at %%PREFIX%%/etc/fwknop/knopmd.conf, but a different path can be specified
+ on the command line.
+
+ .SH SEE ALSO
diff --git a/security/fwknop/files/patch-knopmd.c b/security/fwknop/files/patch-knopmd.c
new file mode 100644
index 000000000000..52ed151adb17
--- /dev/null
+++ b/security/fwknop/files/patch-knopmd.c
@@ -0,0 +1,11 @@
+--- knopmd.c.orig 2007-11-21 20:59:13.000000000 +0200
++++ knopmd.c 2007-11-21 21:03:20.000000000 +0200
+@@ -39,7 +39,7 @@
+ #include <getopt.h>
+
+ /* defines */
+-#define FWKNOP_CONF "/etc/fwknop/fwknop.conf"
++#define FWKNOP_CONF "%%PREFIX%%/etc/fwknop/fwknop.conf"
+
+ /* globals */
+ static volatile sig_atomic_t received_sighup = 0;
diff --git a/security/fwknop/files/patch-knopmd.conf b/security/fwknop/files/patch-knopmd.conf
new file mode 100644
index 000000000000..3c8b5b2ce0a2
--- /dev/null
+++ b/security/fwknop/files/patch-knopmd.conf
@@ -0,0 +1,11 @@
+--- knopmd.conf.orig 2007-11-21 20:59:13.000000000 +0200
++++ knopmd.conf 2007-11-21 21:03:26.000000000 +0200
+@@ -3,7 +3,7 @@
+ #
+ # This is the configuration file for fwknop knopmd daemon (for more
+ # information, read the knopmd man page). Normally this file gets
+-# installed at /etc/fwknop/knopmd.conf, but can be put anywhere in the
++# installed at %%PREFIX%%/etc/fwknop/knopmd.conf, but can be put anywhere in the
+ # filesystem and then the path can be specified on the command line
+ # argument "-c <file>" to knopmd. The syntax of this file is as follows:
+ #
diff --git a/security/fwknop/files/patch-knopspoof b/security/fwknop/files/patch-knopspoof
new file mode 100644
index 000000000000..d3a3d9b5cfc4
--- /dev/null
+++ b/security/fwknop/files/patch-knopspoof
@@ -0,0 +1,11 @@
+--- knopspoof.orig 2007-11-21 20:59:13.000000000 +0200
++++ knopspoof 2007-11-21 21:03:35.000000000 +0200
+@@ -36,7 +36,7 @@
+ # $Id: knopspoof 346 2005-09-13 02:23:08Z mbr $
+ #
+
+-use lib '/usr/lib/fwknop';
++use lib '%%PREFIX%%/lib/fwknop';
+ use Net::RawIP;
+ use strict;
+
diff --git a/security/fwknop/files/patch-knoptm b/security/fwknop/files/patch-knoptm
new file mode 100644
index 000000000000..a4f9ecbbd441
--- /dev/null
+++ b/security/fwknop/files/patch-knoptm
@@ -0,0 +1,20 @@
+--- knoptm.orig 2007-11-21 20:59:13.000000000 +0200
++++ knoptm 2007-11-21 21:03:43.000000000 +0200
+@@ -35,7 +35,7 @@
+ # $Id: knoptm 771 2007-09-15 13:52:22Z mbr $
+ #
+
+-use lib '/usr/lib/fwknop';
++use lib '%%PREFIX%%/lib/fwknop';
+ use Unix::Syslog qw(:subs :macros);
+ use Net::IPv4Addr qw(ipv4_in_network);
+ use IO::Socket;
+@@ -46,7 +46,7 @@
+ use Getopt::Long;
+ use strict;
+
+-my $config_file = '/etc/fwknop/fwknop.conf';
++my $config_file = '%%PREFIX%%/etc/fwknop/fwknop.conf';
+ my $user_rc_file = '';
+
+ my $version = '1.8.2';
diff --git a/security/fwknop/files/patch-knopwatchd.8 b/security/fwknop/files/patch-knopwatchd.8
new file mode 100644
index 000000000000..76d7b31a1703
--- /dev/null
+++ b/security/fwknop/files/patch-knopwatchd.8
@@ -0,0 +1,15 @@
+--- knopwatchd.8.orig 2007-11-21 20:59:13.000000000 +0200
++++ knopwatchd.8 2007-11-21 21:03:49.000000000 +0200
+@@ -11,10 +11,10 @@
+ and fwknop are running on the box. If any of the three daemons
+ have died, knopwatchd will restart the daemon and notify each
+ email address listed in the EMAIL_ADDRESSES variable (see
+-/etc/fwknop/knopwatchd.conf) that the daemon has been restarted.
++%%PREFIX%%/fwknop/knopwatchd.conf) that the daemon has been restarted.
+ .B knopwatchd
+ uses the knopwatchd.conf configuration file which by default is
+-located at /etc/fwknop/knopwatchd.conf, but a different path can be specified
++located at %%PREFIX%%/etc/fwknop/knopwatchd.conf, but a different path can be specified
+ on the command line.
+
+ .SH SEE ALSO
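Review bot: The first replacement in this hunk drops the `etc` component: `+%%PREFIX%%/fwknop/knopwatchd.conf)` should read `+%%PREFIX%%/etc/fwknop/knopwatchd.conf)`, matching the second replacement three lines below and the path used in every other patch in this commit. As written, the man page sends administrators to a configuration file that is never installed.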
diff --git a/security/fwknop/files/patch-knopwatchd.c b/security/fwknop/files/patch-knopwatchd.c
new file mode 100644
index 000000000000..2182d4a3d2ad
--- /dev/null
+++ b/security/fwknop/files/patch-knopwatchd.c
@@ -0,0 +1,11 @@
+--- knopwatchd.c.orig 2007-11-21 20:59:13.000000000 +0200
++++ knopwatchd.c 2007-11-21 21:03:55.000000000 +0200
+@@ -38,7 +38,7 @@
+ #include "fwknop.h"
+
+ /* defines */
+-#define FWKNOP_CONF "/etc/fwknop/fwknop.conf"
++#define FWKNOP_CONF "%%PREFIX%%/etc/fwknop/fwknop.conf"
+
+ /* globals */
+ unsigned short int fwknopd_syscalls_ctr = 0;
diff --git a/security/fwknop/pkg-descr b/security/fwknop/pkg-descr
new file mode 100644
index 000000000000..43e56f687c3b
--- /dev/null
+++ b/security/fwknop/pkg-descr
@@ -0,0 +1,2 @@
+fwknop,"FireWall KNock OPerator", implements Single Packet Authorization (SPA).
+WWW: http://www.cipherdyne.org/fwknop/
diff --git a/security/fwknop/pkg-plist b/security/fwknop/pkg-plist
new file mode 100644
index 000000000000..349f40427291
--- /dev/null
+++ b/security/fwknop/pkg-plist
@@ -0,0 +1,44 @@
+bin/fwknop
+sbin/fwknop_serv
+sbin/fwknopd
+sbin/knopmd
+sbin/knoptm
+sbin/knopwatchd
+
+etc/fwknop/access.conf
+etc/fwknop/fwknop.conf
+etc/fwknop/pf.os
+etc/rc.d/fwknop
+
+lib/fwknop/NetPacket.pm
+lib/fwknop/NetPacket/ARP.pm
+lib/fwknop/NetPacket/Ethernet.pm
+lib/fwknop/NetPacket/ICMP.pm
+lib/fwknop/NetPacket/IGMP.pm
+lib/fwknop/NetPacket/IP.pm
+lib/fwknop/NetPacket/TCP.pm
+lib/fwknop/NetPacket/UDP.pm
+lib/fwknop/i386-freebsd-64int/auto/NetPacket/.packlist
+lib/fwknop/i386-freebsd-64int/perllocal.pod
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::ARP.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::Ethernet.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::ICMP.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::IGMP.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::IP.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::TCP.3
+lib/fwknop/lib/perl5/5.8.8/man/man3/NetPacket::UDP.3
+
+@dirrm lib/fwknop/lib/perl5/5.8.8/man/man3
+@dirrm lib/fwknop/lib/perl5/5.8.8/man
+@dirrm lib/fwknop/lib/perl5/5.8.8
+@dirrm lib/fwknop/lib/perl5
+@dirrm lib/fwknop/lib
+@dirrm lib/fwknop/i386-freebsd-64int/auto/NetPacket
+@dirrm lib/fwknop/i386-freebsd-64int/auto
+@dirrm lib/fwknop/i386-freebsd-64int
+@dirrm lib/fwknop/NetPacket
+@dirrm lib/fwknop
+@dirrm etc/fwknop/archive
+@dirrm etc/fwknop
+
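Review bot: `etc/fwknop/access.conf` and `etc/fwknop/fwknop.conf` are listed as plain files, so a reinstall overwrites them and a deinstall deletes them, and access.conf is where the SPA keys and the GnuPG passphrase live (per patch-fwknopd.8); install them as `.sample` files, copy them into place only when no config exists, guard removal with the usual `@unexec if cmp -s %D/etc/fwknop/access.conf %D/etc/fwknop/access.conf.sample; then rm -f %D/etc/fwknop/access.conf; fi`, and install access.conf mode 0600. The `lib/fwknop/i386-freebsd-64int/…` and `lib/fwknop/lib/perl5/5.8.8/…` entries hard-code the architecture and perl version, so the plist breaks on amd64 or after a perl update; `%%PERL_ARCH%%` and `%%PERL_VER%%` from PLIST_SUB are the usual substitutions, if the bundled copy is kept at all. That private NetPacket copy looks inconsistent with the Makefile: p5-NetPacket is already a dependency and patch-install.pl shows install.pl skipping modules already present in the system perl tree, so these entries will be absent whenever the dependency is satisfied. `@dirrm etc/fwknop/archive` removes a directory the plist never creates — presumably fwknopd makes it at run time; confirm.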