freebsd-ports/security/fwknop/Makefile

# Created by: Sean Greven <sean.greven@gmail.com>
# $FreeBSD$

PORTNAME=	fwknop
PORTVERSION=	2.6.9
PORTREVISION=	2
CATEGORIES=	security
MASTER_SITES=	http://www.cipherdyne.org/fwknop/download/

MAINTAINER=	sean.greven@gmail.com
COMMENT=	SPA implementation for Linux and FreeBSD

LICENSE=	GPLv2

BUILD_DEPENDS= wget:ftp/wget
RUN_DEPENDS=   wget:ftp/wget
LIB_DEPENDS+=  libassuan.so:security/libassuan
CONFLICTS_BUILD=	fwknop-2.6.8_*
CPE_VENDOR=	cipherdyne

OPTIONS_DEFINE=	GPGME

OPTIONS_SINGLE=	FW
OPTIONS_SINGLE_FW=	IPFW PF

OPTIONS_DEFAULT=	GPGME IPFW

FW_DESC=	Firewall Backend
IPFW_DESC=	Use the IPFW firewall
PF_DESC=	Use the PF firewall.
GPGME_DESC=	Build support for gpgme

USES=		cpe libtool
USE_LDCONFIG=	yes
USE_RC_SUBR=	fwknopd

GNU_CONFIGURE=	yes

INSTALL_TARGET=	install-strip
INFO=		libfko

IPFW_CONFIGURE_WITH=	ipfw=/sbin/ipfw

PF_CONFIGURE_WITH=	pf=/sbin/pfctl

GPGME_LIB_DEPENDS=	libgpgme.so:security/gpgme
GPGME_LIB_DEPENDS+=	libgpg-error.so:security/libgpg-error
GPGME_CONFIGURE_WITH=	gpgme

post-install:
	(cd ${STAGEDIR}${PREFIX}/etc/fwknop && ${MV} access.conf access.conf.sample)
	(cd ${STAGEDIR}${PREFIX}/etc/fwknop && ${MV} fwknopd.conf fwknopd.conf.sample)

.include <bsd.port.mk>
Update to 2.0.3. This new version includes a migration from Perl to C and support for ipfw and pf. While here, trim the Makefile headers. PR: ports/171951 Submitted by: Sean Greven <sean.greven@gmail.com> (maintainer) Feature safe: yes 2012-11-27 22:41:29 +01:00			`# Created by: Sean Greven <sean.greven@gmail.com>`
New port: security/fwknop fwknop,"FireWall KNock OPerator", implements Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com> 2008-06-13 05:43:51 +02:00			`# $FreeBSD$`

			`PORTNAME= fwknop`
security/fwknop: update to 2.6.9 Update to 2.6.9 [0] While here, add missing deps [1] PR: 222287 Submitted by: sean.greven@gmail.com (maintainer) [0][1] Reported by: Jens Grassel <jan0sch@mykolab.com> [1] 2017-09-15 22:49:54 +02:00			`PORTVERSION= 2.6.9`
Resolve conflict PR: 222382 Submitted by: Jens Grassel <jan0sch@mykolab.com> Approved by: maintainer 2017-10-05 21:27:45 +02:00			`PORTREVISION= 2`
New port: security/fwknop fwknop,"FireWall KNock OPerator", implements Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com> 2008-06-13 05:43:51 +02:00			`CATEGORIES= security`
			`MASTER_SITES= http://www.cipherdyne.org/fwknop/download/`

			`MAINTAINER= sean.greven@gmail.com`
Fix typos in COMMENT 2012-07-25 13:24:09 +02:00			`COMMENT= SPA implementation for Linux and FreeBSD`
New port: security/fwknop fwknop,"FireWall KNock OPerator", implements Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com> 2008-06-13 05:43:51 +02:00
security/fwknop: update to 2.5.1 - Update to 2.5.1 [1] - Add LICENSE (GPLv2) [1] - Convert lib depends to new format PR: ports/181642 Submitted by: Kozlov Sergey <kozlov.sergey.404 gmail.com> Approved by: maintainer (timeout) 2013-09-13 14:12:49 +02:00			`LICENSE= GPLv2`

security/fwknop: update to 2.6.9 Update to 2.6.9 [0] While here, add missing deps [1] PR: 222287 Submitted by: sean.greven@gmail.com (maintainer) [0][1] Reported by: Jens Grassel <jan0sch@mykolab.com> [1] 2017-09-15 22:49:54 +02:00			`BUILD_DEPENDS= wget:ftp/wget`
			`RUN_DEPENDS= wget:ftp/wget`
			`LIB_DEPENDS+= libassuan.so:security/libassuan`
Resolve conflict PR: 222382 Submitted by: Jens Grassel <jan0sch@mykolab.com> Approved by: maintainer 2017-10-05 21:27:45 +02:00			`CONFLICTS_BUILD= fwknop-2.6.8_*`
security/fwknop: Update to 2.6.7 * Update to 2.6.7 * Update and sort pkg-plist * Group/sort sections * Convert to OPTIONS helpers * Use install-strip target so binaries/libraries are stripped PR: 203168 Submitted by: Sean Greven <sean.greven gmail com> (maintainer) 2015-10-16 14:25:21 +02:00			`CPE_VENDOR= cipherdyne`

Allow to select pf instead of default ipfw for firewall backend PR: 204334 Submitted by: jan0sch@mykolab.com Reviewed by: sean.greven@gmail.com (maintainer) 2015-11-23 07:20:46 +01:00			`OPTIONS_DEFINE= GPGME`
security/fwknop: Update to 2.6.7 * Update to 2.6.7 * Update and sort pkg-plist * Group/sort sections * Convert to OPTIONS helpers * Use install-strip target so binaries/libraries are stripped PR: 203168 Submitted by: Sean Greven <sean.greven gmail com> (maintainer) 2015-10-16 14:25:21 +02:00
Allow to select pf instead of default ipfw for firewall backend PR: 204334 Submitted by: jan0sch@mykolab.com Reviewed by: sean.greven@gmail.com (maintainer) 2015-11-23 07:20:46 +01:00			`OPTIONS_SINGLE= FW`
			`OPTIONS_SINGLE_FW= IPFW PF`

			`OPTIONS_DEFAULT= GPGME IPFW`

			`FW_DESC= Firewall Backend`
			`IPFW_DESC= Use the IPFW firewall`
			`PF_DESC= Use the PF firewall.`
Update to 2.0.3. This new version includes a migration from Perl to C and support for ipfw and pf. While here, trim the Makefile headers. PR: ports/171951 Submitted by: Sean Greven <sean.greven@gmail.com> (maintainer) Feature safe: yes 2012-11-27 22:41:29 +01:00			`GPGME_DESC= Build support for gpgme`
security/fwknop: Update to 2.6.7 * Update to 2.6.7 * Update and sort pkg-plist * Group/sort sections * Convert to OPTIONS helpers * Use install-strip target so binaries/libraries are stripped PR: 203168 Submitted by: Sean Greven <sean.greven gmail com> (maintainer) 2015-10-16 14:25:21 +02:00
- Add CPE info Approved by: portmgr blanket 2015-04-24 02:55:50 +02:00			`USES= cpe libtool`
Update to 2.0.3. This new version includes a migration from Perl to C and support for ipfw and pf. While here, trim the Makefile headers. PR: ports/171951 Submitted by: Sean Greven <sean.greven@gmail.com> (maintainer) Feature safe: yes 2012-11-27 22:41:29 +01:00			`USE_LDCONFIG= yes`
security/fwknop: Update to 2.6.7 * Update to 2.6.7 * Update and sort pkg-plist * Group/sort sections * Convert to OPTIONS helpers * Use install-strip target so binaries/libraries are stripped PR: 203168 Submitted by: Sean Greven <sean.greven gmail com> (maintainer) 2015-10-16 14:25:21 +02:00			`USE_RC_SUBR= fwknopd`
Update to 2.0.3. This new version includes a migration from Perl to C and support for ipfw and pf. While here, trim the Makefile headers. PR: ports/171951 Submitted by: Sean Greven <sean.greven@gmail.com> (maintainer) Feature safe: yes 2012-11-27 22:41:29 +01:00
security/fwknop: Update to 2.6.7 * Update to 2.6.7 * Update and sort pkg-plist * Group/sort sections * Convert to OPTIONS helpers * Use install-strip target so binaries/libraries are stripped PR: 203168 Submitted by: Sean Greven <sean.greven gmail com> (maintainer) 2015-10-16 14:25:21 +02:00			`GNU_CONFIGURE= yes`

			`INSTALL_TARGET= install-strip`
			`INFO= libfko`
Update to 2.0.3. This new version includes a migration from Perl to C and support for ipfw and pf. While here, trim the Makefile headers. PR: ports/171951 Submitted by: Sean Greven <sean.greven@gmail.com> (maintainer) Feature safe: yes 2012-11-27 22:41:29 +01:00
Allow to select pf instead of default ipfw for firewall backend PR: 204334 Submitted by: jan0sch@mykolab.com Reviewed by: sean.greven@gmail.com (maintainer) 2015-11-23 07:20:46 +01:00			`IPFW_CONFIGURE_WITH= ipfw=/sbin/ipfw`

			`PF_CONFIGURE_WITH= pf=/sbin/pfctl`

Remove ${PORTSDIR}/ from dependencies, categories r, s, t, and u. With hat: portmgr Sponsored by: Absolight 2016-04-01 16:25:16 +02:00			`GPGME_LIB_DEPENDS= libgpgme.so:security/gpgme`
security/fwknop: update to 2.6.9 Update to 2.6.9 [0] While here, add missing deps [1] PR: 222287 Submitted by: sean.greven@gmail.com (maintainer) [0][1] Reported by: Jens Grassel <jan0sch@mykolab.com> [1] 2017-09-15 22:49:54 +02:00			`GPGME_LIB_DEPENDS+= libgpg-error.so:security/libgpg-error`
security/fwknop: Update to 2.6.7 * Update to 2.6.7 * Update and sort pkg-plist * Group/sort sections * Convert to OPTIONS helpers * Use install-strip target so binaries/libraries are stripped PR: 203168 Submitted by: Sean Greven <sean.greven gmail com> (maintainer) 2015-10-16 14:25:21 +02:00			`GPGME_CONFIGURE_WITH= gpgme`
New port: security/fwknop fwknop,"FireWall KNock OPerator", implements Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com> 2008-06-13 05:43:51 +02:00
Do not use post-stage. Use post-install instead. The only reason to use post-stage is because the port needs to do "things" at a later time, like some plist manipulation. While there, fold post-install in do-install targets when they are defined. PR: 214780 Submitted by: mat Exp-run by: antoine Sponsored by: Absolight 2016-12-02 12:58:21 +01:00			`post-install:`
Update to 2.6.8 PR: 209026 Submitted by: Jens Grassel Approved by: maintainer 2016-05-02 18:02:26 +02:00			`(cd ${STAGEDIR}${PREFIX}/etc/fwknop && ${MV} access.conf access.conf.sample)`
			`(cd ${STAGEDIR}${PREFIX}/etc/fwknop && ${MV} fwknopd.conf fwknopd.conf.sample)`

New port: security/fwknop fwknop,"FireWall KNock OPerator", implements Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com> 2008-06-13 05:43:51 +02:00			`.include <bsd.port.mk>`