fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports iptables and firewalld on Linux, ipfw on FreeBSD and Mac OS X, and PF on OpenBSD) and libpcap. SPA is essentially next-generation port knocking (more on this below). The design decisions that guide the development of fwknop can be found in the blog post "Single Packet Authorization: The fwknop Approach".
Features
- Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD
- The fwknop client runs on Linux, Mac OS X, *BSD, and Windows (under Cygwin). There is also a separate Windows UI with source code available here. In addition, there is a port of the client to both the iPhone and Android phones
- Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets
- Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems
- Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. SHA-1 and MD5 are also supported, but SHA-256 is the default
- SPA packets are passively sniffed from the wire via libpcap. The fwknop server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with "tcpdump -w <file>"), or from the iptables ULOG pcap writer
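The two server-side checks named in the feature list, HMAC verification before any decryption (encrypt-then-authenticate) and replay detection by SHA-256 digest of accepted packets, as an added Go example that is not fwknop's own code. AES-256 in CTR mode stands in for fwknop's Rijndael mode, the keys and the request string are constructed for the example, and the packet layout (IV || ciphertext || HMAC-SHA256 tag) is an assumption of this example, not fwknop's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed keys for the example. The HMAC key is deliberately independent
// of the encryption key; a real deployment would use its configured keys.
var (
	encKey  = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	hmacKey = []byte("an-independent-hmac-key-for-spa-demo")
)

var (
	ErrShort  = errors.New("packet too short")
	ErrBadMAC = errors.New("HMAC verification failed")
	ErrReplay = errors.New("replayed SPA packet")
)

// buildSPA is the client side: encrypt the request with AES-CTR under a fresh
// random IV, then append an HMAC-SHA256 tag over IV||ciphertext.
// Encrypt-then-authenticate means the tag covers exactly what is sent.
func buildSPA(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(body)
	return append(body, mac.Sum(nil)...), nil
}

// Server keeps the SHA-256 digest of every packet it has accepted so that a
// sniffed copy of a valid packet cannot be replayed later.
type Server struct {
	seen map[string]struct{}
}

func NewServer() *Server { return &Server{seen: make(map[string]struct{})} }

// Verify checks the tag first (constant-time compare), then the replay cache,
// and only then decrypts. Nothing under the ciphertext is touched until the
// HMAC has proven the packet came from a holder of the HMAC key.
func (s *Server) Verify(pkt []byte) ([]byte, error) {
	if len(pkt) < aes.BlockSize+sha256.Size {
		return nil, ErrShort
	}
	body, tag := pkt[:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrBadMAC
	}
	// Replay check on the digest of the whole valid packet.
	d := sha256.Sum256(pkt)
	key := hex.EncodeToString(d[:])
	if _, dup := s.seen[key]; dup {
		return nil, ErrReplay
	}
	s.seen[key] = struct{}{}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(plain, ct)
	return plain, nil
}

func main() {
	srv := NewServer()
	pkt, err := buildSPA([]byte("open tcp/22 for 203.0.113.7")) // constructed request
	if err != nil {
		panic(err)
	}
	// Deliver the same captured packet twice: the second copy is a replay.
	for i, p := range [][]byte{pkt, pkt} {
		plain, err := srv.Verify(p)
		fmt.Printf("attempt %d: plain=%q err=%v\n", i+1, plain, err)
	}
}
```

The digest cache here grows without bound; a long-running server would age entries out, which is why the example keys the cache on a hex digest rather than storing packets. Flipping any byte of the IV, ciphertext or tag fails the HMAC check before decryption is attempted, so a forged or corrupted packet never reaches the firewall-rule logic.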
Categories: Security
License: GNU General Public License version 3.0 (GPLv3)