
The purpose of this directory is to provide an automated testing
infrastructure for fwknop. This includes the ability to test the SPA mode of
fwknop operation as well as more basic things such as program compilation.

The fwknop_test.pl program should be run as root so that the local firewall
policy can be altered to temporarily test SPA access (this is done over the
loopback interface and does not alter the existing firewall policy).

Because fwknop requires various perl modules to be installed in
/usr/lib/fwknop/, this test suite can only function correctly once fwknop
has been installed. If there appears to be a problem with fwknop, this test
suite may find it.

***************************                        ***************************
IMPORTANT NOTE: If your local firewall restricts communications to UDP/62201
over the loopback interface, you will need to add a rule that accepts such
communications; otherwise this test suite cannot work.
***************************                        ***************************
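As an added example (not part of the fwknop test suite), the following POSIX sh
functions let you check the condition in the note above before running the
suite: given the INPUT chain as printed by `iptables -S INPUT`, they predict the
target a UDP/62201 packet arriving on lo would hit. The rule parsing is a
deliberate simplification (it understands -i, -p, --dport, -s/-d, --state/--ctstate
and `!` negation, assumes the test sends to 127.0.0.1, and treats selectors it
does not know as matching).

```shell
#!/bin/sh
# Added example, not part of fwknop: predict whether the SPA packet the test
# suite sends to UDP/62201 over lo will reach fwknopd, given the INPUT chain
# as printed by `iptables -S INPUT` (first matching rule wins; otherwise the
# chain policy applies).  Usage: iptables -S INPUT | lo_spa_verdict

SPA_PORT=62201

# rule_matches_spa "<one -A INPUT line>": exit 0 if every selector we know
# matches a NEW UDP packet to $SPA_PORT arriving on lo.  Selectors we do not
# parse are assumed to match, so a jump to a user chain (-j ufw-before-input)
# is reported as that chain name rather than silently skipped.
rule_matches_spa() {
    set -- $1
    neg=0
    while [ $# -gt 0 ]; do
        ok=0
        case "$1" in
            '!')       neg=1; shift; continue ;;
            -i)        [ "$2" = lo ] && ok=1 ;;
            -p)        [ "$2" = udp ] && ok=1 ;;
            --dport)   [ "$2" = "$SPA_PORT" ] && ok=1 ;;
            -s|-d)     case "$2" in 127.*|0.0.0.0/0) ok=1 ;; esac ;;
            --state|--ctstate) case "$2" in *NEW*) ok=1 ;; esac ;;
            *)         shift; continue ;;   # -A INPUT, -m udp, -j TARGET, ...
        esac
        [ "$ok" -ne "$neg" ] || return 1   # selector (or its negation) failed
        neg=0
        shift 2
    done
    return 0
}

# lo_spa_verdict: reads `iptables -S INPUT` on stdin and prints the target
# the SPA packet hits (ACCEPT, DROP, REJECT, a user chain) or, if no rule
# matches, the chain policy.
lo_spa_verdict() {
    policy=ACCEPT
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy=${line#-P INPUT } ;;
            "-A INPUT "*)
                case "$line" in *" -j "*) ;; *) continue ;; esac  # no target
                if rule_matches_spa "$line"; then
                    target=${line##* -j }
                    echo "${target%% *}"
                    return 0
                fi ;;
        esac
    done
    echo "$policy"
}
```

Anything other than ACCEPT (or a user chain you then inspect the same way) means the loopback SPA packet will not reach fwknopd and the note above applies.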

Under normal circumstances, the output of this program should look like the
following (under Linux; some tests are not yet enabled on systems running
ipfw):

# ./fwknop_test.pl

[+] ==> Running fwknop test suite; firewall: iptables <==

perl program compilation............................................pass (0)
C program compilation...............................................pass (1)
List iptables rules.................................................pass (2)
System information and fwknop installation specifics................pass (3)
Stopping any running fwknopd processes..............................pass (4)
Flushing all fwknop iptables rules..................................pass (5)
Rijndael key validity...............................................pass (6)
Generating SPA access packet with fwknop client.....................pass (7)
Sniffing SPA access packet to acquire access........................pass (8)
Verifying sniffed SPA access packet format..........................pass (9)
Firewall access rules exist.........................................pass (10)
    (Sleeping for 5 (+3) seconds for firewall rule timeout)
    8 7 6 5 4 3 2 1 0
Firewall access rules removed.......................................pass (11)
Stopping all running fwknopd processes..............................pass (12)
Replay attack detection.............................................pass (13)
SPA packet randomness across 100 packets............................pass (14)
Generating SPA packet with 0.0.0.0 src addr.........................pass (15)
Sniffing packet source address with 0.0.0.0 src addr................pass (16)
Generating SPA packet with unauthorized user........................pass (17)
Unauthorized user detection.........................................pass (18)
Generating SPA packet with unauthorized port access request.........pass (19)
Unauthorized port access detection..................................pass (20)
Making sure firewall rules do not exist.............................pass (21)
Generating SPA command packet.......................................pass (22)
Sniffing SPA command packet and executing...........................pass (23)
Verifying SPA command packet format.................................pass (24)
Making sure firewall rules do not exist.............................pass (25)
Generating SPA command packet with non-matching regex...............pass (26)
SPA command packet filtered.........................................pass (27)
Making sure firewall rules do not exist.............................pass (28)
Stopping all running fwknopd processes..............................pass (29)
Generating FORWARD chain access packet..............................pass (30)
FORWARD request detection...........................................pass (31)
FORWARD and DNAT access rules.......................................pass (32)
Verifying sniffed SPA FORWARD access packet format..................pass (33)
    (Sleeping for 5 (+3) seconds for firewall rule timeout)
    8 7 6 5 4 3 2 1 0
Making sure firewall rules have been removed........................pass (34)
Stopping all running fwknopd processes..............................pass (35)
Generating OUTPUT chain access packet...............................pass (36)
OUTPUT access rules.................................................pass (37)
Verifying sniffed SPA OUTPUT access packet format...................pass (38)
    (Sleeping for 5 (+3) seconds for firewall rule timeout)
    8 7 6 5 4 3 2 1 0
Making sure firewall rules have been removed........................pass (39)
tcpdump sniffing over loopback interface lo.........................pass (40)
Stopping all running fwknopd processes..............................pass (41)
Generating SPA access packet with fwknop client.....................pass (42)
SPA communications via tcpdump capture file.........................pass (43)
Firewall access rules exist.........................................pass (44)
    (Sleeping for 5 (+3) seconds for firewall rule timeout)
    8 7 6 5 4 3 2 1 0
Firewall access rules removed.......................................pass (45)
Stopping all running fwknopd processes..............................pass (46)
Deleting all fwknopd iptables chains................................pass (47)

[+] ==> Passed 48/48 tests against fwknop. <==
[+] This console output has been stored in: test.log
