I've started writing "Butler", an agent which reads /dev/ipl to answer "secret knocks". When it receives one of the secret knocks, it creates an ipf rule which allows the knocking IP address access to specified port(s), and re-runs /sbin/ipf to activate the rule.
The secret knock is just a series of TCP SYN packets on specified ports, which must all be received (in any order) within a certain time period for the knock to be recognised. The packets themselves are dropped with a "connection reset", and logged so Butler can see them. I plan to also implement a timeout feature, which will remove the "pass" rule after some time. Possibly I can allow the pass to be kept alive by putting the "pass" rule temporarily into a "block but log" state, so that if the hole is still being used, Butler can notice and re-open the hole transparently.

The background is that I'm using ipf with OpenBSD on a home firewall machine, with an ISP service that officially doesn't allow servers. Obviously some servers are implicit in home ISP services, like Kazaa, etc, so they don't just block inbound SYN packets. I've run an SSH server on it for years with no problems also, but now I want to run a personal web server (Apache). I assume that the ISP scans port 80, and will notice the web server. Using Butler however, the web server port is black-holed (invisible) until the secret knock is given. All I have to do is post a single start page on a free webserver, which contains several <IMG> requests from my secret ports, and a two-second auto-forward to the newly-opened hole. I could even automatically update the secret knock by uploading a new page to the free server.

In order to activate the new rules, I plan on processing "/etc/ipf.rules.in" to insert the appropriate rules. In fact I already do this when I get a new DHCP-assigned external IP address, which I register with dyndns.org. It seems remarkable to me that there's no standard facility for including extra rules files, and substituting variables (like OUTSIDE and INSIDE for the interface names, OUTSIDE_IP for the current IP address assigned by DHCP to OUTSIDE, etc).

Ok, to the questions:

Have I missed something, and there is already a standard way to do this? Am I re-inventing the wheel?

Can more than one process (ipmon and butler) read the same data from /dev/ipl at the same time?

Does anyone else want this program?

I may be slow to answer email over the next two weeks.

Clifford Heath.
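The knock-recognition logic described in the post (a set of SYNs to secret ports, all arriving from one source within a time window, in any order, followed by a timed "pass" rule) is small enough to sketch. The following is an added example written for this page, not Butler's code and not anything from the ipf project. It assumes a constructed, line-oriented log format rather than real ipmon output, assumes log lines arrive in chronological order, and uses an assumed interface name ("ne3") in an ipf rule template; the knock ports, window and lifetime are made-up parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (NOT real ipmon output; the format is an
# assumption for this example): timestamp, source, destination, dport, flags.
# 192.0.2.10 completes the knock in 3 seconds; 198.51.100.7 spreads it over
# 20 seconds, which is outside the window and must not open the port.
SAMPLE_LOG = """\
2003-05-01 10:00:00 192.0.2.10 -> 203.0.113.5 dport=7000 flags=S
2003-05-01 10:00:01 192.0.2.10 -> 203.0.113.5 dport=8000 flags=S
2003-05-01 10:00:02 192.0.2.10 -> 203.0.113.5 dport=9000 flags=S
2003-05-01 10:00:03 192.0.2.10 -> 203.0.113.5 dport=80 flags=S
2003-05-01 10:05:00 198.51.100.7 -> 203.0.113.5 dport=7000 flags=S
2003-05-01 10:05:01 198.51.100.7 -> 203.0.113.5 dport=8000 flags=S
2003-05-01 10:05:20 198.51.100.7 -> 203.0.113.5 dport=9000 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) -> \S+ "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


def parse_ts(text):
    """Parse the constructed timestamp format used in SAMPLE_LOG."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class KnockDetector:
    def __init__(self, knock_ports, window_seconds, open_port, iface, lifetime_seconds):
        self.knock_ports = frozenset(knock_ports)
        self.window = timedelta(seconds=window_seconds)
        self.open_port = open_port
        self.iface = iface                  # assumed interface name
        self.lifetime = timedelta(seconds=lifetime_seconds)
        self.seen = defaultdict(dict)       # src ip -> {knock port: last SYN time}
        self.opened = {}                    # src ip -> time the pass rule expires

    def feed(self, line):
        """Consume one log line; return an ipf pass rule when a complete knock is recognised, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, src, dport = parse_ts(m["ts"]), m["src"], int(m["dport"])
        if "S" not in m["flags"] or dport not in self.knock_ports:
            return None                     # not a SYN to a secret port: ignore
        hits = self.seen[src]
        hits[dport] = ts
        # Forget knock ports that were hit too long ago; whatever remains is
        # within the window of this (latest) packet, so order does not matter.
        for stale in [p for p, t in hits.items() if ts - t > self.window]:
            del hits[stale]
        if set(hits) != self.knock_ports:
            return None
        del self.seen[src]                  # knock complete: start over for this source
        self.opened[src] = ts + self.lifetime
        return self.pass_rule(src)

    def pass_rule(self, src):
        # ipf rule text to be inserted into the generated rules file; the exact
        # form (and the interface name) is an assumption for this example.
        return (f"pass in quick on {self.iface} proto tcp from {src} "
                f"to any port = {self.open_port} flags S keep state")

    def expire(self, now):
        """Return sources whose pass rule has outlived its lifetime and forget them."""
        gone = [src for src, until in self.opened.items() if until <= now]
        for src in gone:
            del self.opened[src]
        return gone


def detect(log_text, knock_ports=(7000, 8000, 9000), window_seconds=10,
           open_port=80, iface="ne3", lifetime_seconds=600):
    """Run the detector over a whole log; return (detector, rules emitted)."""
    det = KnockDetector(knock_ports, window_seconds, open_port, iface, lifetime_seconds)
    rules = [r for r in (det.feed(line) for line in log_text.splitlines()) if r]
    return det, rules


if __name__ == "__main__":
    det, rules = detect(SAMPLE_LOG)
    for rule in rules:
        print(rule)
    print("expired:", det.expire(parse_ts("2003-05-01 10:11:00")))
```

Pruning per-source state on every packet keeps the "any order" requirement honest: a source that trickles the ports in over minutes never has all of them inside one window, so it never opens the hole. The `expire` method is the timeout the post mentions; the "block but log" keep-alive idea would be a further state on top of `opened`.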
