cipherdyne.org

Michael Rash, Security Researcher

Running the fwknop Test Suite

fwknop is distributed with a test suite that is designed to automate the verification of proper SPA communications on the system where it is installed. The test suite is the fwknop_test.pl program in the test/ directory within the fwknop sources, and tests everything from basic program compilation to the generation of properly formatted SPA packets, the transmission and receipt of SPA packets, and the addition and deletion of firewall rules. The test suite performs all tests over the loopback interface and does not interfere with the local firewall policy.

IMPORTANT NOTE: On FreeBSD, if your local firewall restricts UDP/62201 traffic over the loopback interface, then you will need to add a rule to accept such traffic in order for this test suite to work.

All output from each test is stored within the test/output directory, and the console output from the test suite is stored within the file test/test.log. If the test suite turns up a problem on the system where fwknop is installed, then one of the most important usages is the --Prepare-results argument:

# ./fwknop_test.pl --Prepare-results
[+] Anonymized test results file: fwknop_test.tar.gz

This usage anonymizes the test data within the output directory (all IP addresses are set to "N.N.N.N" and hostnames that are reported by the collection of uname information are removed) so that it may be sent to a third-party developer or posted to the fwknop mailing list for analysis.
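To make the anonymization step concrete, here is an added Python example (not the Perl code in fwknop_test.pl, and not a copy of what --Prepare-results actually does) of the same idea: every IPv4 address in a results file is replaced with N.N.N.N and the hostname is stripped out, with the hostname taken from the nodename field of a uname -a line. The sample input, the hostname spahost01 and the address 192.168.1.50 are constructed for the example, and the assumption that the uname output is the first line of the file is the example's own. The leaks() helper is the check worth running before a tarball leaves your network: it reports anything that still looks like an address or the hostname.

```python
import re

# Constructed sample of the kind of data that ends up under test/output:
# the first line is uname -a output, followed by a syslog line and an
# iptables -L line.  Hostname, PID and addresses are all made up.
SAMPLE_OUTPUT = """\
Linux spahost01 2.6.32-5-amd64 #1 SMP Mon Jan 16 16:22:28 UTC 2012 x86_64 GNU/Linux
Jun 13 10:21:05 spahost01 fwknopd[4242]: received valid SPA packet from 192.168.1.50
ACCEPT     tcp  --  192.168.1.50         0.0.0.0/0            tcp dpt:22
"""

# Dotted-quad matcher; "0.0.0.0/0" is replaced as well, which is the
# behaviour the page describes ("all IP addresses are set to N.N.N.N").
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
IP_PLACEHOLDER = 'N.N.N.N'


def hostname_from_uname(uname_line):
    """Return the nodename (second field) of a 'uname -a' line, or None."""
    fields = uname_line.split()
    return fields[1] if len(fields) > 1 else None


def anonymize(text, hostname=None):
    """Replace every IPv4 address with N.N.N.N and remove the hostname.

    When no hostname is passed, the first line is assumed to be uname -a
    output (an assumption of this example, not of the fwknop test suite).
    """
    lines = text.splitlines()
    if hostname is None and lines:
        hostname = hostname_from_uname(lines[0])
    host_re = re.compile(r'\b' + re.escape(hostname) + r'\b ?') if hostname else None
    out = []
    for line in lines:
        line = IPV4_RE.sub(IP_PLACEHOLDER, line)
        if host_re:
            # Drop the hostname and the single space that followed it so the
            # rest of the line (iptables columns included) keeps its layout.
            line = host_re.sub('', line)
        out.append(line)
    return '\n'.join(out) + '\n'


def leaks(text, hostname):
    """List anything still looking like an IPv4 address or the hostname.

    An empty list means the text is clean; run this on the anonymized
    output before sharing it.
    """
    found = IPV4_RE.findall(text)
    if hostname and re.search(r'\b' + re.escape(hostname) + r'\b', text):
        found.append(hostname)
    return found


if __name__ == '__main__':
    cleaned = anonymize(SAMPLE_OUTPUT)
    print(cleaned, end='')
    print('remaining identifiers:', leaks(cleaned, 'spahost01'))
```

In practice you would apply anonymize() to every file under test/output and keep the hostname list in one place, since the hostname also appears in syslog lines the uname collection did not produce.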

The test suite runs slightly different tests on Linux systems (where iptables is available) vs. FreeBSD or Mac OS X systems (where ipfw runs). On Linux systems, the output is as follows:

# ./fwknop_test.pl

[+] ==> Running fwknop test suite; firewall: iptables <==

(Setup) perl program compilation....................................pass (0)
(Setup) C program compilation.......................................pass (1)
(Setup) Command line argument processing............................pass (2)
(Setup) Last command line execution.................................pass (3)
(Setup) Expected code version.......................................pass (4)
(Setup) List iptables rules.........................................pass (5)
(Setup) System information and fwknop installation specifics........pass (6)
(Setup) Stopping any running fwknopd processes......................pass (7)
(Setup) Flushing all fwknopd iptables rules.........................pass (8)
(Setup) Deleting all fwknopd iptables chains........................pass (9)
(Basic communications) Generating SPA access packet.................pass (10)
(Basic communications) Sniffing SPA access packet...................pass (11)
(Basic communications) Verifying SPA access packet format...........pass (12)
(Basic communications) Firewall access rules exist..................pass (13)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Basic communications) Firewall access rules removed................pass (14)
(Basic communications) Stopping all running fwknopd processes.......pass (15)
(Replay attacks, broken data) Rijndael key validity.................pass (16)
(Replay attacks, broken data) Replay detection - all digests........pass (17)
(Replay attacks, broken data) Replay detection - SHA256.............pass (18)
(Replay attacks, broken data) Replay detection - SHA1...............pass (19)
(Replay attacks, broken data) Replay detection - MD5................pass (20)
(Replay attacks, broken data) 100 random packets....................pass (21)
(Replay attacks, broken data) Truncated SPA packet..................pass (22)
(Replay attacks, broken data) Sniffing truncated SPA packet.........pass (23)
(Replay attacks, broken data) Firewall rules do not exist...........pass (24)
(Replay attacks, broken data) SPA packet with bogus key.............pass (25)
(Replay attacks, broken data) Sniffing broken SPA packet............pass (26)
(Replay attacks, broken data) Firewall rules do not exist...........pass (27)
(Replay attacks, broken data) non-base64 SPA packet.................pass (28)
(Replay attacks, broken data) Sniffing non-base64 SPA packet........pass (29)
(Replay attacks, broken data) Firewall rules do not exist...........pass (30)
(Internal digest alg mis-match) Generating SPA packet...............pass (31)
(Internal digest alg mis-match) Sniffing SPA packet.................pass (32)
(Internal digest alg mis-match) Verifying SPA packet format.........pass (33)
(Internal digest alg mis-match) Firewall access rules exist.........pass (34)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Internal digest alg mis-match) Firewall access rules removed.......pass (35)
(Internal digest alg mis-match) Stopping all fwknopd processes......pass (36)
(pcap filter) SPA packet with --Server-port 62203...................pass (37)
(pcap filter) Sniffing SPA access packet............................pass (38)
(pcap filter) Verifying SPA access packet format....................pass (39)
(pcap filter) Firewall access rules exist...........................pass (40)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(pcap filter) Firewall access rules removed.........................pass (41)
(Client timeout) Generating SPA access packet.......................pass (42)
(Client timeout) Sniffing SPA access packet.........................pass (43)
(Client timeout) Verifying SPA access packet format.................pass (44)
(Client timeout) Firewall access rules exist........................pass (45)
(Sleeping for 10 seconds for firewall rule timeout)
10 9 8 7 6 5 4 3 2 1 0
(Client timeout) Firewall access rules removed......................pass (46)
(Client timeout) Stopping all running fwknopd processes.............pass (47)
(Append data) Data appended to SPA packet...........................pass (48)
(Append data) Sniffing appended SPA packet..........................pass (49)
(Append data) Firewall rules exist..................................pass (50)
(Rijndael Salted__ compatibility) Generating SPA packet.............pass (51)
(Rijndael Salted__ compatibility) Sniffing SPA packet...............pass (52)
(Rijndael Salted__ compatibility) Verifying SPA format..............pass (53)
(Rijndael Salted__ compatibility) Rules exist.......................pass (54)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Rijndael Salted__ compatibility) Rules removed.....................pass (55)
(Rijndael Salted__ compatibility) Stopping fwknopd..................pass (56)
(Destination port randomness) Generating SPA packet.................pass (57)
(Destination port randomness) Sniffing SPA packet...................pass (58)
(Destination port randomness) Verifying SPA format..................pass (59)
(Destination port randomness) Rules exist...........................pass (60)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Destination port randomness) Rules removed.........................pass (61)
(Destination port randomness) Stopping fwknopd......................pass (62)
(Non-promisc capture) Generating SPA access packet..................pass (63)
(Non-promisc capture) Sniffing SPA access packet....................pass (64)
(Non-promisc capture) Verifying sniffed SPA access packet...........pass (65)
(Non-promisc capture) Firewall access rules exist...................pass (66)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Non-promisc capture) Firewall access rules removed.................pass (67)
(Non-promisc capture) Stopping all fwknopd processes................pass (68)
(SPA aging) Generating SPA access packet............................pass (69)
(SPA aging) Expired SPA packet detection............................pass (70)
(SPA aging) Making sure firewall rules do not exist.................pass (71)
(SPA aging) SPA packet --time-offset-plus 60min.....................pass (72)
(SPA aging) Expired SPA packet detection............................pass (73)
(SPA aging) Making sure firewall rules do not exist.................pass (74)
(SPA aging) SPA packet --time-offset-minus 60min....................pass (75)
(SPA aging) Expired SPA packet detection............................pass (76)
(SPA aging) Making sure firewall rules do not exist.................pass (77)
(Require SRC) Generating SPA packet with 0.0.0.0 src addr...........pass (78)
(Require SRC) Sniffing packet with 0.0.0.0 src addr.................pass (79)
(Require SRC) Making sure firewall rules do not exist...............pass (80)
(Require user) Generating SPA packet with unauthorized user.........pass (81)
(Require user) Unauthorized user detection..........................pass (82)
(Require user) Making sure firewall rules do not exist..............pass (83)
(Permit ports) Generating unauthorized port access request..........pass (84)
(Permit ports) Unauthorized port access detection...................pass (85)
(Permit ports) Making sure firewall rules do not exist..............pass (86)
(Bogus src) Generating SPA packet from non-matching src.............pass (87)
(Bogus src) Non-matching SOURCE block...............................pass (88)
(Bogus src) Making sure firewall rules do not exist.................pass (89)
(Excluded src) Generating SPA packet from non-matching src..........pass (90)
(Excluded src) Non-matching SOURCE block............................pass (91)
(Excluded src) Making sure firewall rules do not exist..............pass (92)
(Blacklist src) Generating blacklisted SPA packet...................pass (93)
(Blacklist src) Sniffing SPA packet.................................pass (94)
(Blacklist src) Making sure firewall rules do not exist.............pass (95)
(Multi-SOURCE) Generating SPA access packet.........................pass (96)
(Multi-SOURCE) Sniffing SPA access packet...........................pass (97)
(Multi-SOURCE) Verifying SPA access packet format...................pass (98)
(Multi-SOURCE) Firewall access rules exist..........................pass (99)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Multi-SOURCE) Firewall access rules removed........................pass (100)
(Multi-SOURCE) Stopping running fwknopd processes...................pass (101)
(GnuPG) Generating SPA access packet................................pass (102)
(GnuPG) Sniffing SPA access packet to acquire access................pass (103)
(GnuPG) Verifying sniffed SPA access packet format..................pass (104)
(GnuPG) Firewall access rules exist.................................pass (105)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(GnuPG) Firewall access rules removed...............................pass (106)
(GnuPG) Stopping all running fwknopd processes......................pass (107)
(Command execution) Generating SPA command packet...................pass (108)
(Command execution) Sniffing SPA command packet and executing.......pass (109)
(Command execution) Verifying SPA command packet format.............pass (110)
(Command execution) Making sure firewall rules do not exist.........pass (111)
(Command execution) Non-matching regex command packet...............pass (112)
(Command execution) SPA command packet filtered.....................pass (113)
(Command execution) Making sure firewall rules do not exist.........pass (114)
(Legacy Port Knocking Mode) Single port shared sequence.............pass (115)
(Legacy Port Knocking Mode) Firewall rules exist....................pass (116)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Legacy Port Knocking Mode) Firewall rules removed..................pass (117)
(Legacy Port Knocking Mode) Multi-port shared sequence..............pass (118)
(Legacy Port Knocking Mode) Firewall rules exist....................pass (119)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Legacy Port Knocking Mode) Firewall rules removed..................pass (120)
(Legacy Port Knocking Mode) Multi-protocol sequence.................pass (121)
(Legacy Port Knocking Mode) Firewall rules exist....................pass (122)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Legacy Port Knocking Mode) Firewall rules removed..................pass (123)
(Legacy Port Knocking Mode) Building encrypted sequence.............pass (124)
(Legacy Port Knocking Mode) Sending encrypted sequence..............pass (125)
(Legacy Port Knocking Mode) Firewall rules exist....................pass (126)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Legacy Port Knocking Mode) Firewall rules removed..................pass (127)
(FORWARD chain) Stopping all running fwknopd processes..............pass (128)
(FORWARD chain) Generating FORWARD chain access packet..............pass (129)
(FORWARD chain) FORWARD request detection...........................pass (130)
(FORWARD chain) FORWARD and DNAT access rules.......................pass (131)
(FORWARD chain) Verifying SPA FORWARD access packet format..........pass (132)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(FORWARD chain) Making sure firewall rules are removed..............pass (133)
(FORWARD chain) Generating FORWARD access SPA packet................pass (134)
(FORWARD chain) FORWARD access to restricted IP.....................pass (135)
(FORWARD chain) Firewall rules do not exist.........................pass (136)
(Local NAT) Stopping all running fwknopd processes..................pass (137)
(Local NAT) Generating local NAT access packet......................pass (138)
(Local NAT) Local access rules exist................................pass (139)
(Local NAT) Verifying local NAT access packet format................pass (140)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Local NAT) Making sure firewall rules are removed..................pass (141)
(Disabled local NAT) Generating local NAT access packet.............pass (142)
(Disabled local NAT) Restricted local NAT access....................pass (143)
(Disabled local NAT) Making sure rules do not exist.................pass (144)
(Local NAT rand port) Generating local NAT access packet............pass (145)
(Local NAT rand port) Local access rules exist......................pass (146)
(Local NAT rand port) Verifying local NAT packet format.............pass (147)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Local NAT rand port) Making sure firewall rules are removed........pass (148)
(Local NAT rand NAT/dst port) Generating local NAT packet...........pass (149)
(Local NAT rand NAT/dst port) Local access rules exist..............pass (150)
(Local NAT rand NAT/dst port) Verifying packet format...............pass (151)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Local NAT rand NAT/dst port) Firewall rules removed................pass (152)
(OUTPUT chain) Stopping all running fwknopd processes...............pass (153)
(OUTPUT chain) Generating OUTPUT chain access packet................pass (154)
(OUTPUT chain) OUTPUT access rules..................................pass (155)
(OUTPUT chain) Verifying OUTPUT access packet format................pass (156)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(OUTPUT chain) Making sure firewall rules are removed...............pass (157)
(Filesystem tcpdump capture) Sniffing over lo.......................pass (158)
(Filesystem tcpdump capture) Stopping fwknopd processes.............pass (159)
(Filesystem tcpdump capture) Generating SPA packet..................pass (160)
(Filesystem tcpdump capture) SPA communications via file............pass (161)
(Filesystem tcpdump capture) Firewall access rules exist............pass (162)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Filesystem tcpdump capture) Rules removed..........................pass (163)
Stopping all running fwknopd processes..............................pass (164)
Deleting all fwknopd iptables chains................................pass (165)
Verifying SPA digest file format....................................pass (166)
Collecting fwknop syslog messages...................................pass (167)

[+] ==> Passed 168/168 tests against fwknop. <==
[+] This console output has been stored in: test.log
On FreeBSD with the ipfw firewall, the output of the test suite looks like this:

[+] ==> Running fwknop test suite; firewall: ipfw <==

perl program compilation............................................pass (0)
C program compilation...............................................pass (1)
List ipfw rules.....................................................pass (2)
System information and fwknop installation specifics................pass (3)
Stopping any running fwknopd processes..............................pass (4)
Rijndael key validity...............................................pass (5)
Generating SPA access packet with fwknop client.....................pass (6)
Sniffing SPA access packet to acquire access........................pass (7)
Verifying sniffed SPA access packet format..........................pass (8)
Firewall access rules exist.........................................pass (9)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
Firewall access rules removed.......................................pass (10)
Stopping all running fwknopd processes..............................pass (11)
Replay attack detection.............................................pass (12)
SPA packet randomness across 100 packets............................pass (13)
Generating SPA packet with 0.0.0.0 src addr.........................pass (14)
Sniffing packet source address with 0.0.0.0 src addr................pass (15)
Generating SPA packet with unauthorized user........................pass (16)
Unauthorized user detection.........................................pass (17)
Generating SPA packet with unauthorized port access request.........pass (18)
Unauthorized port access detection..................................pass (19)
Making sure firewall rules do not exist.............................pass (20)
Generating SPA command packet.......................................pass (21)
Sniffing SPA command packet and executing...........................pass (22)
Verifying SPA command packet format.................................pass (23)
Making sure firewall rules do not exist.............................pass (24)
Generating SPA command packet with non-matching regex...............pass (25)
SPA command packet filtered.........................................pass (26)
Making sure firewall rules do not exist.............................pass (27)
tcpdump sniffing over loopback interface lo0........................pass (28)
Stopping all running fwknopd processes..............................pass (29)

[+] ==> Passed 30/30 tests against fwknop. <==
[+] This console output has been stored in: test.log
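When a run does not come back all green, the first question is which category failed and whether the "Passed N/M" summary line agrees with the per-test lines above it. The following added Python example (not part of fwknop) parses test.log in both of the formats shown above: the Linux form with a "(Category)" prefix and the FreeBSD form without one. The sample log is constructed, including one deliberately failing line; the page only shows passing tests, so the assumption that a failing test prints "fail" in place of "pass" is the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of a test.log, mixing lines from the Linux run shown on
# the page with one made-up failure.  Not output from a real fwknop run.
SAMPLE_LOG = """\
[+] ==> Running fwknop test suite; firewall: iptables <==

(Setup) perl program compilation....................................pass (0)
(Setup) C program compilation.......................................pass (1)
(Basic communications) Generating SPA access packet.................pass (2)
(Basic communications) Sniffing SPA access packet...................pass (3)
(Basic communications) Firewall access rules exist..................fail (4)
(Sleeping for 5 (+3) seconds for firewall rule timeout)
8 7 6 5 4 3 2 1 0
(Basic communications) Firewall access rules removed................pass (5)
(Require SRC) Generating SPA packet with 0.0.0.0 src addr...........pass (6)

[+] ==> Passed 6/7 tests against fwknop. <==
[+] This console output has been stored in: test.log
"""

# One result line per test: optional "(Category) " prefix, the test name,
# a run of dots, then "pass (N)".  "fail" as the failure marker is assumed.
RESULT_RE = re.compile(
    r'^(?:\((?P<cat>[^)]*)\)\s+)?'          # optional category in parentheses
    r'(?P<name>.+?)\.{2,}'                  # test name, then the dot leader
    r'(?P<result>pass|fail)\s+\((?P<idx>\d+)\)\s*$')
SUMMARY_RE = re.compile(r'^\[\+\] ==> Passed (?P<passed>\d+)/(?P<total>\d+) tests')


def parse_line(line):
    """Return a record for a test result line, or None for any other line."""
    m = RESULT_RE.match(line)
    if not m:
        return None
    return {'category': m.group('cat') or '(uncategorized)',
            'name': m.group('name').strip(),
            'result': m.group('result'),
            'index': int(m.group('idx'))}


def parse_log(text):
    """Return (list of result records, (passed, total) from the summary line)."""
    records, summary = [], None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            records.append(rec)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m.group('passed')), int(m.group('total')))
    return records, summary


def per_category(records):
    """Count passes and failures for each category."""
    counts = defaultdict(lambda: {'pass': 0, 'fail': 0})
    for r in records:
        counts[r['category']][r['result']] += 1
    return dict(counts)


def failures(records):
    """(category, name, index) for every failing test, in log order."""
    return [(r['category'], r['name'], r['index'])
            for r in records if r['result'] == 'fail']


def summary_is_consistent(records, summary):
    """True when the summary line matches what the per-test lines say."""
    if summary is None:
        return False
    passed = sum(1 for r in records if r['result'] == 'pass')
    return (passed, len(records)) == summary


if __name__ == '__main__':
    recs, summ = parse_log(SAMPLE_LOG)
    print('summary consistent:', summary_is_consistent(recs, summ))
    for cat, c in per_category(recs).items():
        print(f"{cat}: {c['pass']} pass, {c['fail']} fail")
    print('failures:', failures(recs))
```

Run it against test/test.log from a real run (open the file and pass its contents to parse_log) to get the failing categories in one glance; a summary line that disagrees with the parsed counts usually means the log was truncated or a test line was not in the expected format.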