Add a port of "knock" - a flexible port-knocking server and client.

PR:		ports/94626
Submitted by:	shaun (me)
Approved by:	ahze (mentor, implicit)

5 files changed, 128 insertions, 0 deletions

diff --git a/security/knock/Makefile b/security/knock/Makefile
new file mode 100644
index 000000000000..58190220cc11
--- /dev/null
+++ b/security/knock/Makefile
@@ -0,0 +1,73 @@
+# New ports collection makefile for:	knock
+# Date Created:				2006-03-17
+# Whom:					Shaun Amott <shaun@inerd.com>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	knock
+PORTVERSION=	0.5.20051124
+CATEGORIES=	security
+MASTER_SITES=	http://mirror.inerd.com/FreeBSD/distfiles/${PORTNAME}/
+
+MAINTAINER=	shaun@FreeBSD.org
+COMMENT=	A flexible port-knocking server and client
+
+GNU_CONFIGURE=	yes
+
+OPTIONS=	SERVER		"Install knockd server"		on \
+		CLIENT		"Install knock client"		on
+
+RUNDIR=		/var/run
+SUB_LIST=	RUNDIR=${RUNDIR}
+
+.include <bsd.port.pre.mk>
+
+.if defined(WITH_SERVER)
+MAN1=		knockd.1
+USE_RC_SUBR=	knockd.sh
+PLIST_FILES+=	bin/knockd
+PLIST_FILES+=	etc/knockd.conf.sample
+.endif
+
+.if defined(WITH_CLIENT)
+MAN1+=		knock.1
+PLIST_FILES+=	bin/knock
+.endif
+
+pre-configure:
+.if defined(WITHOUT_SERVER) && defined(WITHOUT_CLIENT)
+IGNORE=		at least one component must be selected for installation
+.endif
+
+post-patch:
+	@${REINPLACE_CMD} -e "s#%%PREFIX%%#${PREFIX}#g"	\
+			  -e "s#%%RUNDIR%%#${RUNDIR}#g"	\
+			  -e "s#eth0#fxp0#g"		\
+			  ${WRKSRC}/src/knockd.c
+
+	@${REINPLACE_CMD} -e "s/#VERSION#/${PORTVERSION}/g" \
+			  -e "s#eth0#fxp0#g"		    \
+			  ${WRKSRC}/doc/knock.1.in	    \
+			  ${WRKSRC}/doc/knockd.1.in
+
+do-install:
+.if defined(WITH_SERVER)
+	${INSTALL_PROGRAM} ${WRKSRC}/knockd ${PREFIX}/bin
+	${INSTALL_DATA} ${WRKSRC}/knockd.conf ${PREFIX}/etc/knockd.conf.sample
+.endif
+
+.if defined(WITH_CLIENT)
+	${INSTALL_PROGRAM} ${WRKSRC}/knock ${PREFIX}/bin
+.endif
+
+post-install-script:
+.if defined(WITH_SERVER)
+	${INSTALL_MAN} ${WRKSRC}/doc/knockd.1.in ${MAN1PREFIX}/man/man1/knockd.1
+.endif
+
+.if defined(WITH_CLIENT)
+	${INSTALL_MAN} ${WRKSRC}/doc/knock.1.in ${MAN1PREFIX}/man/man1/knock.1
+.endif
+
+.include <bsd.port.post.mk>
diff --git a/security/knock/distinfo b/security/knock/distinfo
new file mode 100644
index 000000000000..314e8471fd1c
--- /dev/null
+++ b/security/knock/distinfo
@@ -0,0 +1,3 @@
+MD5 (knock-0.5.20051124.tar.gz) = 0ab0c51687b1d99ea7141b3a86b8e963
+SHA256 (knock-0.5.20051124.tar.gz) = 15aa6a5d152a7cdb5b52d1e9de9e77d7f52156ce3e5d5c80dd9b76e40f6a84aa
+SIZE (knock-0.5.20051124.tar.gz) = 86607
diff --git a/security/knock/files/knockd.sh.in b/security/knock/files/knockd.sh.in
new file mode 100644
index 000000000000..7bddb6e9decd
--- /dev/null
+++ b/security/knock/files/knockd.sh.in
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# PROVIDE: knockd
+# REQUIRE: DAEMON
+# BEFORE:  LOGIN
+
+. %%RC_SUBR%%
+
+name="knockd"
+rcvar=`set_rcvar`
+load_rc_config $name
+
+knockd_enable=${knockd_enable:-"NO"}
+knockd_flags=${knockd_flags:-"-d"}
+
+command="%%PREFIX%%/bin/knockd"
+pidfile="%%RUNDIR%%/knockd.pid"
+required_files="%%PREFIX%%/etc/knockd.conf"
+
+run_rc_command "$1"
diff --git a/security/knock/files/patch-knockd.conf b/security/knock/files/patch-knockd.conf
new file mode 100644
index 000000000000..d0223778d320
--- /dev/null
+++ b/security/knock/files/patch-knockd.conf
@@ -0,0 +1,21 @@
+--- knockd.conf.orig	Thu May  6 22:56:03 2004
++++ knockd.conf	Fri Mar 17 23:39:01 2006
+@@ -1,15 +1,16 @@
+ [options]
+ 	logfile = /var/log/knockd.log
++	interface = fxp0
+ 
+ [openSSH]
+ 	sequence    = 7000,8000,9000
+ 	seq_timeout = 5
+-	command     = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
++	command     = /sbin/ipfw -q add pass proto tcp src-ip %IP% dst-port 22
+ 	tcpflags    = syn
+ 
+ [closeSSH]
+ 	sequence    = 9000,8000,7000
+ 	seq_timeout = 5
+-	command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
++	command     = /sbin/ipfw -q delete pass proto tcp src-ip %IP% dst-port 22
+ 	tcpflags    = syn
+ 
diff --git a/security/knock/pkg-descr b/security/knock/pkg-descr
new file mode 100644
index 000000000000..b5d0765e7211
--- /dev/null
+++ b/security/knock/pkg-descr
@@ -0,0 +1,11 @@
+knockd is a port-knock server. It listens to all traffic on an ethernet
+(or PPP) interface, looking for special "knock" sequences of port-hits.
+
+A client makes these port-hits by sending a TCP (or UDP) packet to a
+port on the server. This port need not be open -- since knockd listens
+at the link-layer level, it sees all traffic even if it's destined for
+a closed port. When the server detects a specific sequence of port-hits
+port-hits, it runs a command defined in its configuration file. This
+can be used to open up holes in a firewall for quick access. 
+
+WWW: http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki/