Single Packet Authorization (SPA).
fwknop stands for the "FireWall KNock OPerator", and
implements an authorization scheme called Single Packet
Authorization (SPA). This method of authorization is based
around a default-drop packet filter (fwknop supports both
iptables on Linux systems and ipfw on FreeBSD and Mac OS X
systems) and libpcap.
SPA requires only a single encrypted packet in order to
communicate various pieces of information including desired
access through an iptables policy and/or complete commands
to execute on the target system. By using iptables to
maintain a "default drop" stance, the main application of
this program is to protect services such as OpenSSH with
an additional layer of security in order to make the
exploitation of vulnerabilities (both 0-day and unpatched
code) much more difficult. With fwknop deployed, anyone
using nmap to look for sshd can't even tell that it is
listening; it makes no difference if they have a 0-day
exploit or not. The authorization server passively monitors
authorization packets via libpcap and hence there is no
"server" to which to connect in the traditional sense.
Access to a protected service is only granted after a valid
encrypted and non-replayed packet is monitored from an
fwknop client (see the following network diagram; the SSH
session can only take place after the SPA packet is monitored):
PR: ports/118229
Submitted by: Sean Greven <sean.greven@gmail.com>
- Add distfile mirror.
- Also includes a bugfix for ctrlproxy failing to recognize
'learn-nickserv' option. The bug has been submitted to upstream and
it'll be included in next release.
Submitted by: Ashish Shukla <wahjava at gmail.com> via mail
Approved by: maintainer
A feature-rich graphical Telnet 5250 emulator written in Java.
WWW: http://tn5250j.sourceforge.net/
PR: ports/124537
Submitted by: Marcin Cieslak <saper@system.pl>
JTOpen is the open source version of the IBM Toolbox for Java
licensed program product. The IBM Toolbox for Java is a library
of Java classes supporting the client/server and internet
programming models to a system running OS/400 or i5/OS. The
classes can be used by Java applets, servlets, and applications
to easily access OS/400 and i5/OS data and resources.
The Toolbox does not require additional client support over and
above what is provided by the Java Virtual Machine and TCP/IP.
WWW: http://jt400.sourceforge.net/
PR: ports/124534
Submitted by: Marcin Cieslak <saper@system.pl>
Updates for all maintained versions of PostgreSQL are available today:
8.3.3, 8.2.9, 8.1.13, 8.0.17 and 7.4.21. These releases fix more than
two dozen minor issues reported and patched over the last few months.
All PostgreSQL users should plan to update at their earliest
convenience. People in affected time zones, in particular, should
upgrade as soon as possible.
Release Notes:
http://www.postgresql.org/docs/8.3/static/release.html
Also, fix umask error in periodic script [1].
PR: ports/124457 [1]
Submitted by: Alexandre Perrin
=========
1. Fix -a mode by moving the update of CONFIG_SEEN_LIST to after the port
has been checked for available updates. The old way worked as a side
effect to one of the things I fixed in version 2.4. This is probably
how it should have been done all along, but since the old way worked
I was hesitant to change it.
2. Now that we are using a different format for the INSTALLED_LIST,
fix the bit that always displays the list if we are using -a.
the vpopmail support was removed with 0.60.3 (because none felt responsible
for maintaining it in courier-authlib) - this commit adds - together with
this update - a patch which patches the vpopmail support back into 0.60.4
(because at least I need the interaction with vpopmail!).
In theory this should build on every architecture so remove the
no-sparc64 bit.
Add a MAINTAINER_MODE option to allow debug (very slow) versions to be built
and a regression-test target. [1]
Submitted by: Pedro Giffuni <pfgshield dash freebsd at yahoo dot com> [1]
PR: ports/124068
- let the s5-blank script evolve into the s5 utility, a bit more powerful,
and having a manual page
- only run the DOS2UNIX command on the text files, do no damage to images
- use COPYTREE_SHARE for the installation
- bump PORTREVISION.
built-in h323 module;
o don't link main binary with h323 library and friends. This creates
issues with ooh323 module, from the asterisk-addons package.
Bump PORTREVISION.