[Bug 105763] [needs-packaging] fwknop

Launchpad Bug Tracker 105763 at bugs.launchpad.net
Fri Aug 31 06:15:57 UTC 2007

You have been subscribed to a public bug:


fwknop stands for the "FireWall KNock OPerator", and implements an
authorization scheme called Single Packet Authorization (SPA) that is
based around iptables and libpcap. SPA requires only a single encrypted
packet in order to communicate various pieces of information including
desired access through an iptables policy and/or complete commands to
execute on the target system. By using iptables to maintain a "default
drop" stance, the main application of this program is to protect
services such as OpenSSH with an additional layer of security in order
to make the exploitation of vulnerabilities (both 0-day and unpatched
code) much more difficult. With fwknop deployed, anyone using nmap to
look for sshd can't even tell that it is listening; it makes no
difference if they have a 0-day exploit or not. The authorization server
passively monitors authorization packets via libcap and hence there is
no "server" to which to connect in the traditional sense. Access to a
protected service is only granted after a valid encrypted and non-
replayed packet is monitored from an fwknop client.

** Affects: ubuntu
     Importance: Wishlist
     Assignee: MOTU
         Status: Confirmed

** Tags: needs-packaging
[needs-packaging] fwknop
You received this bug notification because you are a member of MOTU, which is a bug assignee.

More information about the universe-bugs mailing list