On Apr 01 14:09:36, Marcus M|lb|sch wrote:
> Hello all,
>
> it occurred to me that with a combination of some pass rules and
> adding the address via overload to a sort of "whitelist" tables you can
> implement a simple portknocking; using nothing but pf.

With a combination of opening doors, you can gain access to my home safe;
using nothing but doors.

> The rules would look like this:
>
> pass in on $ext_if inet proto tcp from any to any port $knock1 synproxy
> state (max-src-conn 1 overload <knock1>)

I will let anyone into my kitchen.

> pass in on $ext_if inet proto tcp from <knock1> to any port $knock2
> synproxy state (max-src-conn 1 overload <knock2>)

Those in the kitchen can enter my living room.

> pass in on $ext_if inet proto tcp from <knock2> to any port $knock3
> synproxy state (max-src-conn 1 overload <knock3>)

Those in the living room can enter my bedroom.

> pass in on $ext_if inet proto tcp from <knock2> to any port $knock3
> synproxy state (max-src-conn 1 overload <knock3>)

(Yes, really.)

> pass in on $ext_if inet proto tcp from <knock3> to any port ssh

And those in my bedroom are allowed to open my safe.

> No port knocking daemon is needed, and with an appropriate blocking
> rule the ssh port is closed to all.

You mean, all except those who just knock on those ports, right?

> This works; all you have to do is to try to connect to each port
> $knock<n> in order twice (since the max-src-conn is set to 1).

Exactly.

> I have two questions:
>
> 1) Is there any problem with that setup?

Yes.

> I don't see any, but then
> again, it seems so simple and I didn't find any howtos on the web.
> Either nobody else did think of it before, or there is something wrong
> with my reasoning. If so, I'm happy if you tell me :-)

Be happy then. Don't worry.

> 2) I would like to knock on each port only once.

pass in on $ext_if inet proto tcp from any to any port ssh
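The following is a small Python model of the quoted ruleset, added here as an illustration and not part of the thread or of pf itself. It keeps only the pieces of pf the discussion turns on: a pass rule matches when the destination port matches and the source is in the rule's source table (or the rule says "from any"), and "max-src-conn 1 overload <t>" puts the source into table <t> as soon as it opens a second connection on that rule. Running the sequence the original poster describes shows the replier's point: the chain checks nothing about the source except that it connected to the right ports in order, which every source can do, so the final rule behaves like "pass ... from any to any port ssh". Port numbers and addresses are constructed placeholders; synproxy, last-match ordering and state expiry are left out of the model.

```python
"""Toy model of the pf 'overload <table>' chain quoted in the thread.

Added example, not from the mailing-list post. Constructed placeholder
values stand in for the $knock<n> macros; pf's real rule evaluation is
simplified to what the thread discusses.
"""

from collections import defaultdict

# Constructed placeholder values for $knock1..$knock3 and the ssh port.
KNOCK1, KNOCK2, KNOCK3, SSH = 1234, 2345, 3456, 22

# Each rule: (source table or None for 'from any', destination port,
# overload table or None). Same order as the quoted ruleset; the
# duplicated <knock2> -> $knock3 rule is omitted since it matches
# exactly the same packets as the one before it.
RULES = [
    (None, KNOCK1, "knock1"),
    ("knock1", KNOCK2, "knock2"),
    ("knock2", KNOCK3, "knock3"),
    ("knock3", SSH, None),
]
MAX_SRC_CONN = 1  # the '(max-src-conn 1 ...)' option on each knock rule


class PfModel:
    """Tables and per-rule connection counters for one simulated firewall."""

    def __init__(self):
        self.tables = defaultdict(set)   # table name -> set of source addresses
        self.conns = defaultdict(int)    # (src, rule index) -> connections seen

    def connect(self, src, dport):
        """Return True if a TCP connection from src to dport would be passed."""
        for idx, (src_table, port, overload) in enumerate(RULES):
            if port != dport:
                continue
            if src_table is not None and src not in self.tables[src_table]:
                continue
            # The rule matches: count the connection against max-src-conn.
            self.conns[(src, idx)] += 1
            if overload and self.conns[(src, idx)] > MAX_SRC_CONN:
                # Second connection on this rule: source is added to the table.
                self.tables[overload].add(src)
            return True
        # No pass rule matched: the 'appropriate blocking rule' drops it.
        return False

    def try_sequence(self, src, ports, attempts_per_port):
        """Knock on each port attempts_per_port times, then try ssh."""
        for port in ports:
            for _ in range(attempts_per_port):
                self.connect(src, port)
        return self.connect(src, SSH)


def ssh_reachable(src, ports, attempts_per_port=2):
    """On a fresh firewall, does src reach ssh after knocking ports in order?"""
    return PfModel().try_sequence(src, ports, attempts_per_port)


if __name__ == "__main__":
    order = [KNOCK1, KNOCK2, KNOCK3]
    # Any source that follows the public sequence gets through.
    for addr in ("203.0.113.5", "198.51.100.77"):
        print(addr, "ssh reachable:", ssh_reachable(addr, order))
    # Knocking once per port never trips max-src-conn, so nothing opens.
    print("once per port:", ssh_reachable("203.0.113.5", order, 1))
    # Wrong order fails, and so does no knocking at all.
    print("reversed order:", ssh_reachable("203.0.113.5", order[::-1]))
    print("no knock:", ssh_reachable("203.0.113.5", []))
```

The model also shows a property the thread does not spell out but which follows from the rules as written: once a source is in <knock3> it stays there until the table is flushed, so repeated ssh connections from that source keep passing without any further knocking.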

