Summary: A Single Packet Authorization (SPA) implementation
Name: fwknop
Version: 1.9.6
Release: 2%{?dist}
License: GPL+
Group: System Environment/Daemons
Url: http://www.cipherdyne.org/fwknop/
Source0: http://www.cipherdyne.org/fwknop/download/fwknop-%{version}.tar.bz2
Source1: fwknop.logrotate
Patch0: fwknop-1.9.6-initscript.patch
Patch1: fwknop-1.9.6-optflags.patch
Patch2: fwknop-1.9.6-no-NetPacket.patch
Patch3: fwknop-1.9.6-serv-config.patch
Patch4: fwknop-1.9.6-pcap-api.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# The automatic dependency generator doesn't find this
Requires: perl(Digest::SHA)
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
Requires(postun): initscripts

%description
fwknop implements an authorization scheme known as Single Packet
Authorization (SPA) that requires only a single encrypted packet to
communicate various pieces of information including desired access through an
iptables policy and/or specific commands to execute on the target system.
The main application of this program is to protect services such as SSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult.  The
authorization server passively monitors authorization packets via libpcap and
hence there is no "server" to which to connect in the traditional sense.  Any
service protected by fwknop is inaccessible (by using iptables to
intercept packets within the kernel) before authenticating; anyone scanning for
the service will not be able to detect that it is even listening.  This
authorization scheme offers many advantages over port knocking, include being
non-replayable, much more data can be communicated, and the scheme cannot be
broken by simply connecting to extraneous ports on the server in an effort to
break knock sequences.  The authorization packets can easily be spoofed as
well, and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system but in reality the
actual connection will come from a seemingly unrelated IP. Although the
default data collection method is to use libpcap to sniff packets off the
wire, fwknop can also read packets out of a file that is written by the
iptables ulogd pcap writer or by a separate sniffer process.

%prep
%setup -q
%patch0 -p1 -b .initscript
%patch1 -p1 -b .optflags
%patch2 -p1 -b .no-NetPacket
%patch3 -p1 -b .serv-config
%patch4 -p1 -b .pcap-api
sed -i 's,_?CHANGE.?ME_?,localhost,' fwknop.conf

%build
make %{?_smp_mflags} OPTS="$RPM_OPT_FLAGS"

%install
rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/fwknop \
      $RPM_BUILD_ROOT%{_initrddir} \
      $RPM_BUILD_ROOT%{_bindir} \
      $RPM_BUILD_ROOT%{_mandir}/man8 \
      $RPM_BUILD_ROOT%{_sbindir} \
      $RPM_BUILD_ROOT%{_localstatedir}/lib/fwknop \
      $RPM_BUILD_ROOT%{_localstatedir}/log/fwknop \
      $RPM_BUILD_ROOT%{_localstatedir}/run/fwknop

install -p -m 644 access.conf fwknop.conf pf.os $RPM_BUILD_ROOT%_sysconfdir/fwknop
install -p -m 755 init-scripts/fwknop-init.redhat \
        $RPM_BUILD_ROOT%{_initrddir}/fwknop
install -p -m 755 fwknop $RPM_BUILD_ROOT%{_bindir}
install -p -m 644 *.8 $RPM_BUILD_ROOT%{_mandir}/man8/
install -p -m 755 fwknopd fwknop_serv knopmd knoptm knopwatchd \
        $RPM_BUILD_ROOT%{_sbindir}
#install logrotate stuff
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d
install -p -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/fwknop

%clean
rm -rf $RPM_BUILD_ROOT

%post
/sbin/chkconfig --add fwknop

%preun
if [ $1 = 0 ]; then
   /sbin/service fwknop stop >/dev/null 2>&1
   /sbin/chkconfig --del fwknop
fi

%postun
if [ $1 -ge 1 ]; then
   /sbin/service fwknop condrestart >/dev/null 2>&1 || :
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog ChangeLog.svn LICENSE README README.ACCESS README.GPG
%doc README.PK TODO
%dir %{_sysconfdir}/fwknop
%config(noreplace) %{_sysconfdir}/fwknop/*.conf
%config(noreplace) %{_sysconfdir}/fwknop/pf.os
%config(noreplace) %{_sysconfdir}/logrotate.d/fwknop
%{_initrddir}/fwknop
%{_bindir}/fwknop
%{_sbindir}/*kno*
%{_mandir}/man8/*
%dir %{_localstatedir}/lib/fwknop
%dir %{_localstatedir}/log/fwknop
%dir %{_localstatedir}/run/fwknop

%changelog
* Mon Aug 12 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-2
- add logrotate file
- do not set hostname during install

* Wed Jul 30 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-1
- Initial Fedora package, based on Michael Rash's spec file (heavily modified
  since).

* Fri Jul 18 2008 Michael Rash <mbr@cipherdyne.org>
- Release of fwknop-1.9.6