fwknop implements an authorization scheme that requires only a single encrypted packet to communicate various pieces of information, including desired access through a Netfilter policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap.
License: GNU General Public License (GPL)
Changes:
The "Salted__" prefix was removed from Crypt::CBC encrypted SPA messages. More granular source IP and allowed IP tests were added so that access to particular internal IP addresses can be excluded in --Forward-access mode. A new keyword, INTERNAL_NET_ACCESS, is now parsed from the access.conf file in order to implement these restrictions. BLACKLIST functionality was added to allow source IP addresses to be excluded from the authentication process easily. Firewall rule access timeouts that are defined by the fwknop client were added. SHA-256 and SHA-1 digest algorithms were added for replay attack detection.
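The three server-side checks named in the changes above (digest-based replay detection, a source IP blacklist, and client-defined access timeouts) can be sketched as follows. This is an added illustration, not fwknop's own code; the class, method names, the blacklist network and the SPA payload bytes are constructed assumptions.

```python
import hashlib
from ipaddress import ip_address, ip_network

# Illustrative model of an SPA authorization server's bookkeeping.
# Not fwknop's implementation; names and sample values are assumptions.
class SpaServer:
    def __init__(self, blacklist, digest="sha256"):
        # BLACKLIST-style exclusion: sources in these networks never authenticate.
        self.blacklist = [ip_network(n) for n in blacklist]
        self.digest = digest          # "sha256" or "sha1", as the page lists
        self.seen = set()             # digests of every SPA packet already accepted
        self.rules = {}               # (src_ip, port) -> expiry time of the access rule

    def _digest(self, packet: bytes) -> str:
        # Digest the encrypted SPA payload as received; a byte-identical
        # re-send later produces the same digest and is rejected as a replay.
        return hashlib.new(self.digest, packet).hexdigest()

    def handle(self, src_ip, packet, port, timeout, now):
        """Return (accepted, reason). A fresh packet from an allowed source
        opens a rule that lasts `timeout` seconds (client-requested)."""
        if any(ip_address(src_ip) in n for n in self.blacklist):
            return False, "blacklisted source"
        d = self._digest(packet)
        if d in self.seen:
            return False, "replayed SPA packet"
        self.seen.add(d)
        self.rules[(src_ip, port)] = now + timeout
        return True, "access granted"

    def expire(self, now):
        # Remove rules whose client-defined timeout has elapsed.
        expired = [k for k, t in self.rules.items() if t <= now]
        for k in expired:
            del self.rules[k]
        return expired

    def is_open(self, src_ip, port, now):
        return self.rules.get((src_ip, port), 0) > now
```

A replay cache like `seen` must persist across server restarts, otherwise every packet captured before the restart becomes valid again.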