Download
fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports iptables and firewalld on Linux, ipfw on FreeBSD and Mac OS X, and PF on OpenBSD) and libpcap. SPA is essentially next-generation port knocking (more on this below). The design decisions that guide the development of fwknop can be found in the blog post "Single Packet Authorization: The fwknop Approach".
Features
- Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD
- The fwknop client runs on Linux, Mac OS X, *BSD, and Windows (under Cygwin). There is also a separate Windows UI with source code available here. In addition, there is a port of the client to both the iPhone and Android phones
- Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets
- Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems
- Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. SHA-1 and MD5 are also supported, but SHA-256 is the default
- SPA packets are passively sniffed from the wire via libpcap. The fwknop server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with "tcpdump -w <file>"), or from the iptables ULOG pcap writer
Project Samples
Categories
SecurityLicense
GNU General Public License version 3.0 (GPLv3)Follow fwknop
Other Useful Business Software
Auth0 for AI Agents now in GA
Connect your AI agents to apps and data more securely, give users control over the actions AI agents can perform and the data they can access, and enable human confirmation for critical agent actions.
Rate This Project
Login To Rate This Project
User Reviews
Be the first to post a review of fwknop!
