Hello all,

it occurred to me that with a combination of some pass rules and adding the address via overload to a sort of "whitelist" table you can implement simple portknocking, using nothing but pf.

The rules would look like this:

pass in on $ext_if inet proto tcp from any to any port $knock1 synproxy state (max-src-conn 1 overload <knock1>)

pass in on $ext_if inet proto tcp from <knock1> to any port $knock2 synproxy state (max-src-conn 1 overload <knock2>)

pass in on $ext_if inet proto tcp from <knock2> to any port $knock3 synproxy state (max-src-conn 1 overload <knock3>)

pass in on $ext_if inet proto tcp from <knock3> to any port ssh

No port knocking daemon is needed, and with an appropriate blocking rule the ssh port is closed to all.

This works; all you have to do is to try to connect to each port $knock<n> in order twice (since the max-src-conn is set to 1).

I have two questions:

1) Is there any problem with that setup? I don't see any, but then again, it seems so simple and I didn't find any howtos on the web. Either nobody else thought of it before, or there is something wrong with my reasoning. If so, I'm happy if you tell me :-)

2) I would like to knock on each port only once. However, setting "max-src-conn 0" does not change anything. I would expect that the first connect will fill the appropriate table, but it doesn't. Is there something I do not understand, or must the <number> that is allowed be equal to or greater than one?

Thanks for any pointers,

Marcus
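To make the max-src-conn/overload behaviour of the ruleset above concrete, here is an added Python model of it (editor's example, not pf code and not from the post): pf keeps a connection count per rule and per source, and overload puts the source into <knockN> only when that count exceeds the limit. The model assumes that a limit of 0 disables the check entirely, which is consistent with the "max-src-conn 0" observation in question 2; port numbers and addresses are constructed, and knock states are never expired.

```python
# Added model (not pf itself) of the knock ruleset: pf source tracking keyed
# per rule and per source address, with "overload" firing only when the
# connection count EXCEEDS max-src-conn. Assumption: a limit of 0 disables
# the check, as the "max-src-conn 0" observation in the post suggests.
# Knock states are kept open (never expired) for the duration of the model.
KNOCK_PORTS = [1001, 1002, 1003]   # constructed stand-ins for $knock1..$knock3
SSH_PORT = 22


class KnockFirewall:
    def __init__(self, max_src_conn=1):
        self.max_src_conn = max_src_conn
        # <knock1>..<knock3>: tables filled by overload
        self.tables = {i: set() for i in range(1, len(KNOCK_PORTS) + 1)}
        self.conns = {}   # (rule index, src) -> tracked connection count

    def connect(self, src, dport):
        """Evaluate one inbound TCP connection; True if a pass rule matches."""
        for i, port in enumerate(KNOCK_PORTS, start=1):
            if dport != port:
                continue
            # rule i only matches sources already in <knock(i-1)>; rule 1 is "from any"
            if i > 1 and src not in self.tables[i - 1]:
                return False
            key = (i, src)
            self.conns[key] = self.conns.get(key, 0) + 1
            if self.max_src_conn and self.conns[key] > self.max_src_conn:
                self.tables[i].add(src)          # overload <knockN>
            return True
        if dport == SSH_PORT:
            return src in self.tables[len(KNOCK_PORTS)]   # pass ... from <knock3>
        return False   # everything else hits the default block rule


def knock_then_ssh(fw, src, times_per_port, ports=KNOCK_PORTS):
    """Knock on each port times_per_port times, then test whether ssh passes."""
    for port in ports:
        for _ in range(times_per_port):
            fw.connect(src, port)
    return fw.connect(src, SSH_PORT)


if __name__ == "__main__":
    print(knock_then_ssh(KnockFirewall(1), "192.0.2.10", 2))  # True: two knocks per port
    print(knock_then_ssh(KnockFirewall(1), "192.0.2.11", 1))  # False: one knock never exceeds 1
    print(knock_then_ssh(KnockFirewall(0), "192.0.2.12", 3))  # False: limit 0 = check disabled
```

One caveat the model makes visible: once a source has been added to <knock3> by overload it stays there, in real pf until you remove it (for example with pfctl -t knock3 -T expire <seconds>), so a knocked-open address stays open indefinitely unless the tables are expired.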