Failed to send CentOS packets from the Mac. Procedure
Ran-Xing opened this issue · comments
Client : Darwin xrsec.local 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64
Server : Linux VM-4-6-centos 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
macOS error

```shell
# macos
IP=""
KEY1="0sZirx/3/68oIAmyT4OubNm2r="
KEY2="Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoMg=="
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# centos
tcpdump udp port 25005
```
Ubuntu success

```shell
# ubuntu
IP=""
KEY1="0sZirx/3/68oIAmyT4OubNm2r="
KEY2="Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoMg=="
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# centos
tcpdump udp port 25005
```
```
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip --verbose
[-] WARNING: Should use -a or -R to harden SPA against potential MITM attacks
SPA Field Values:
=================
Random Value: 1116472761702543
Username: xr
Timestamp: 1641613567
FKO Version: 3.0.0
Message Type: 1 (Access msg)
Message String: 0.0.0.0,tcp/25002,udp/25002
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
Encoded Data: xxxxxxxx
SPA Data Digest: xxxxxxxx
HMAC: xxxxxxxx
Final SPA Data: xxxxxxxx
Generating SPA packet:
protocol: udp
source port: <OS assigned>
destination port: 25005
IP/host: $IP
send_spa_packet: bytes sent: 225
```
+1
macOS 12.3.1 does not send UDP packets out for me.
If I choose `-P tcpraw` or `-P icmp` (with sudo), packets get sent out.
No error message from fwknop; tcpdump shows no packet.
fwknop client 2.6.10, FKO protocol version 3.0.0
@basbebe If yes, check if firewall software is installed. You can use tcpdump to check the packet sending status.
I uninstalled Little Snitch and it works fine, including the newer M1
@XRSec `sudo nmap -sU -p 62201 [IP]` shows up on the server.
Even after disabling Little Snitch and the macOS firewall, no UDP packet gets sent by fwknop.
…
Using tcpdump on the client and the server.
@basbebe If you install this software, there will be this problem, but it is useless to disable it. You need to uninstall it completely. Please download the installation package and choose to uninstall the kernel module during the installation process.
@XRSec Thanks for pointing this out, I will give it a try.
Though I don't want to do without Little Snitch, so I might have to forgo fwknop for now if there is no way to have them coexist…
hi, is there any new tool to replace this tool?
Honestly, WireGuard in UDP mode with a preshared key essentially provides the same protections.
@jp-bennett tks
Everyone, this message is the latest:
Hello,
I have talked again to our developers about this and we did some testing.
We assume that you're trying to use a port range of around 25000 here. We only prevent DPI for ports above 49152; the default is above 60000. When we do DPI we change the timing and thus prevent fwknop from working. Rules don't help because we don't have a name. On Ventura, once Apple reliably comes up with a name, that shouldn't be a problem.
Kind regards from Vienna,
Benjamin Gangl
--
Objective Development Software GmbH
[https://obdev.at](https://www.obdev.at/)
https://twitter.com/littlesnitch
https://twitter.com/launchbar
https://twitter.com/micro_snitch
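A small two-ended check for the situation described in this thread (fwknop reports "bytes sent" but nothing reaches the server), written as an added example that is not part of fwknop or any post above. It sends constructed 225-byte UDP probes, the same size as the SPA packet in the verbose output, from a sender to a receiver and reports which sequence numbers arrived; the 49152 threshold is taken from the Little Snitch reply, and the loopback self-test, function names and probe format are this example's own assumptions.

```python
import socket
import threading
import time

# Little Snitch's reply in this thread: DPI is skipped only for ports above
# 49152 (default: above 60000). This helper is the example's own, not fwknop's.
DPI_EXEMPT_ABOVE = 49152
PROBE_LEN = 225  # same size as the SPA packet in the verbose output above

def port_is_dpi_exempt(port: int) -> bool:
    return port > DPI_EXEMPT_ABOVE

def make_probe(seq: int) -> bytes:
    # Constructed 225-byte datagram: "probe NNNN " header plus padding.
    header = f"probe {seq:04d} ".encode()
    return header + b"x" * (PROBE_LEN - len(header))

def run_receiver(bind_ip, port, expected, timeout, ready, received):
    # Server side (run on the CentOS box): collect probe sequence numbers.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(0.2)
        ready.set()
        deadline = time.monotonic() + timeout
        while len(received) < expected and time.monotonic() < deadline:
            try:
                data, _ = sock.recvfrom(2048)
            except socket.timeout:
                continue
            if data.startswith(b"probe ") and len(data) == PROBE_LEN:
                received.add(int(data[6:10]))

def send_probes(host, port, count):
    # Client side (run on the Mac): returns bytes handed to the kernel, which is
    # all fwknop can report too; only the receiver shows what actually arrived.
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for seq in range(count):
            sent += sock.sendto(make_probe(seq), (host, port))
    return sent

def loopback_selftest(port, count=5):
    # Both sides on 127.0.0.1; a missing sequence number means a dropped probe.
    ready, received = threading.Event(), set()
    t = threading.Thread(target=run_receiver,
                         args=("127.0.0.1", port, count, 2.0, ready, received))
    t.start()
    ready.wait(2.0)
    send_probes("127.0.0.1", port, count)
    t.join()
    return received
```

To reproduce the thread's test across two hosts, run `run_receiver("0.0.0.0", 25005, 5, 30.0, threading.Event(), set())` on the server and `send_probes(server_ip, 25005, 5)` on the Mac, then repeat with a port above 60000; probes that arrive only on the high port point at the host firewall rather than at fwknop.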