On 12/19/2009 06:06:30 AM, Peter N. M. Hansteen wrote:
> Alvaro Mantilla Gimenez <alv...@dydnetworks.com> writes:
>
> > It would be awesome if pf could implement some port knocking features in
> > next releases...maybe an associated daemon (like spamd with email
> > attempts delivers...or something like that). Do you think it is
> > possible?
>
> The first hurdle in getting port knocking functionality into the base
> system or a port would be to demonstrate that the added complexity is
> worth it in a very practical sense.
>
> Basically it's just one more feature that would need to be implemented
> in a sane way and be demonstrated to be useful enough to warrant
> inclusion. I wouldn't want to rate the chance of success, but if you
> think you can do it, what's stopping you?
There is, for that matter, no particular reason to incorporate the functionality into pf. You could as easily write a script/daemon that listens for port knocking and uses pfctl to add allowed IPs to a table.

But the problem you face with port knocking is that it is just another way of delivering authentication information. Anyone who's sniffing the wire can sniff your port knocking as well. You may as well be using telnet and sending passwords in the clear. Of course you could knock in a pattern known by both sides that does not repeat, in which case you may as well be using skey. Or you could cryptographically secure the knocking pattern, in which case you may as well be using public (or shared, depending) keys.

Given this analysis it seems a difficult task to come up with an advantage port knocking has over existing authentication methods. Even if you're looking for security through obscurity there are much more obscure methods, and ones that defeat casual sniffing: e.g. uploading a picture to Flickr containing steganography revealing from where, when and on what port you plan to ssh in, with a daemon on the server that randomly browses Flickr while occasionally polling for pictures containing hidden information.

Karl <k...@meme.com>

Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
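The two points in Karl's reply above, that a knock daemon outside pf only needs pfctl to add a source to a table, and that a fixed knock sequence is replayable by anyone sniffing the wire while a non-repeating (here HMAC-derived) one is not, as an added example that is not part of the thread. It assumes a pf table named `knocked` already exists in the ruleset, that connection attempts arrive as constructed `(timestamp, source, destination port)` records (a real daemon would read them from pflog or a packet capture, which is not implemented here), and it only builds the `pfctl -t knocked -T add <addr>` command unless `execute=True` is passed. The secret and addresses are constructed demo values.

```python
"""Port-knock matcher feeding a pf table: fixed vs. HMAC-derived sequences (added example)."""
import hashlib
import hmac
import struct
import subprocess

KNOCK_WINDOW = 10                       # seconds a source has to complete the whole sequence
STATIC_SEQUENCE = (7000, 8000, 9000)    # a fixed sequence: anything that sniffs it can replay it
SECRET = b"constructed-demo-secret"     # constructed value; a real deployment keeps this private
HMAC_SLOT = 30                          # seconds per derived-sequence time slot


def hmac_sequence(secret, ts, count=3, low=10000, high=60000):
    """Derive the knock sequence for the time slot containing ts (changes every HMAC_SLOT seconds)."""
    slot = int(ts) // HMAC_SLOT
    digest = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    return tuple(low + int.from_bytes(digest[2 * i:2 * i + 2], "big") % (high - low)
                 for i in range(count))


def static_sequence(_ts):
    """The fixed sequence, ignoring time."""
    return STATIC_SEQUENCE


class KnockTracker:
    """Tracks each source's progress through the sequence expected at the time of its knock."""

    def __init__(self, sequence_for, window=KNOCK_WINDOW):
        self.sequence_for = sequence_for        # callable(ts) -> tuple of expected ports
        self.window = window
        self.progress = {}                      # src_ip -> (next_index, first_knock_ts)

    def observe(self, ts, src_ip, dst_port):
        """Record one connection attempt; return src_ip when it completes the sequence."""
        expected = self.sequence_for(ts)
        idx, start = self.progress.get(src_ip, (0, ts))
        if ts - start > self.window:            # stale partial sequence: start over
            idx, start = 0, ts
        if dst_port == expected[idx]:
            idx += 1
        elif dst_port == expected[0]:           # wrong port, but it may be a fresh first knock
            idx, start = 1, ts
        else:                                   # wrong port resets the source entirely
            idx, start = 0, ts
        if idx == len(expected):
            self.progress.pop(src_ip, None)
            return src_ip
        self.progress[src_ip] = (idx, start)
        return None


def pfctl_add_command(table, src_ip):
    """The pfctl invocation that admits a source by adding it to a pf table."""
    return ["pfctl", "-t", table, "-T", "add", src_ip]


def run_knocks(events, sequence_for, table="knocked", execute=False):
    """Feed (ts, src_ip, dst_port) events to a tracker; return the sources admitted to the table."""
    tracker = KnockTracker(sequence_for)
    admitted = []
    for ts, src_ip, dst_port in events:
        hit = tracker.observe(ts, src_ip, dst_port)
        if hit:
            if execute:                         # only run pfctl when explicitly asked
                subprocess.run(pfctl_add_command(table, hit), check=True)
            admitted.append(hit)
    return admitted


def knock_events(src_ip, start_ts, ports):
    """Constructed connection-attempt records, one second apart, as a daemon might read from pflog."""
    return [(start_ts + i, src_ip, p) for i, p in enumerate(ports)]


def static_replay_demo():
    """A second host replaying the sniffed fixed sequence 100 s later is admitted too."""
    events = (knock_events("192.0.2.10", 1_000_000, STATIC_SEQUENCE)
              + knock_events("198.51.100.7", 1_000_100, STATIC_SEQUENCE))
    return run_knocks(events, static_sequence)


def hmac_replay_demo():
    """The same replay against a time-slot HMAC sequence fails once the slot has rolled over."""
    legit = hmac_sequence(SECRET, 1_000_000)   # what the real client sends in its slot
    events = (knock_events("192.0.2.10", 1_000_000, legit)
              + knock_events("198.51.100.7", 1_000_100, legit))
    return run_knocks(events, lambda ts: hmac_sequence(SECRET, ts))


if __name__ == "__main__":
    print("fixed sequence admitted:", static_replay_demo())   # both sources
    print("HMAC sequence admitted: ", hmac_replay_demo())     # only the original client
```

The HMAC variant is just a shared-key one-time scheme squeezed into port numbers, which is Karl's point: by the time the knock resists replay, it is doing the same work as skey or an SSH key, with the clock skew and lost-packet problems of a side channel added on top.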