On 12/19/2009 06:06:30 AM, Peter N. M. Hansteen wrote:
> Alvaro Mantilla Gimenez <alv...@dydnetworks.com> writes:
> > It would be awesome if pf could implement some port knocking
> > features in next releases...maybe an associated daemon (like spamd
> > with email attempts delivers...or something like that). Do you
> > think it is possible?
> The first hurdle in getting port knocking functionality into the base
> system or a port would be to demonstrate that the added complexity is
> worth it in a very practical sense.  
> Basically it's just one more feature that would need to be 
> implemented
> in a sane way and be demonstrated to be useful enough to warrant
> inclusion.  I wouldn't want to rate the chance of success, but if you
> think you can do it, what's stopping you?

There is, for that matter, no particular reason to incorporate
the functionality into pf.  You could as easily write a
script/daemon that listens for port knocking and uses
pfctl to add allowed IPs to a table.

But the problem you face with port knocking is that it
is just another way of delivering authentication
information.  Anyone who's
sniffing the wire can sniff your port knocking as well.
You may as well be using telnet and sending passwords
in the clear.  Of course you could knock in a
pattern known by both sides that does not repeat,
in which case you may as well be using skey.  Or
you could cryptographically secure the knocking
pattern, in which case you may as well be using
public (or shared, depending) keys.

Given this analysis it seems a difficult task
to come up with an advantage port knocking has
over existing authentication methods.  Even if
you're looking for security through obscurity
there are much more obscure methods, and ones
that defeat casual sniffing:  E.g.
uploading a picture to Flickr containing
steganography revealing from where, when
and on what port you plan to ssh in, with
a daemon on the server that randomly browses
Flickr while occasionally polling for
pictures containing hidden information.

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
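As an added illustration of the script/daemon approach described in the message above (example code written for this page, not from the thread, from pf or from any existing knock daemon): a minimal port-knock daemon that tracks knock sequences per source address and admits a source by adding it to a pf table with pfctl. Everything named here is assumed for the example: the pf table `knockers`, the UDP knock sequence 7000, 8000, 9000, and a 30-second window for the whole sequence. The tracker keys only on the source IP and a static sequence, so anyone who sniffed the three knocks can replay them from their own host and get admitted too, which is exactly the weakness the post describes.

```python
#!/usr/bin/env python3
"""Port-knock daemon skeleton that feeds a pf table through pfctl.

Added example, not code from the thread.  Assumed names: the pf table
'knockers', the knock sequence 7000/8000/9000 over UDP, and a 30-second
window in which the whole sequence must arrive.
"""
import select
import socket
import subprocess
import time

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed example sequence, in order
WINDOW_SECONDS = 30.0                 # assumed: whole sequence within 30 s
PF_TABLE = "knockers"                 # assumed: 'table <knockers> persist' in pf.conf


class KnockTracker:
    """Per-source state machine: index of the next expected knock plus the
    time of the first knock, so a stale partial sequence is discarded."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = float(window)
        self.progress = {}   # src_ip -> (next_index, time_of_first_knock)

    def observe(self, src_ip, port, now=None):
        """Record one knock.  Return True only when src_ip has just sent the
        full sequence in order within the window; otherwise False."""
        now = time.monotonic() if now is None else now
        idx, started = self.progress.get(src_ip, (0, now))
        if idx and now - started > self.window:
            idx = 0                          # window expired: start over
        if idx == 0:
            started = now
        if port == self.sequence[idx]:
            idx += 1                         # expected knock: advance
        elif port == self.sequence[0]:
            idx, started = 1, now            # wrong knock, but a fresh first knock
        else:
            idx = 0                          # wrong knock: discard progress
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            return True
        if idx == 0:
            self.progress.pop(src_ip, None)  # keep no state for random scans
        else:
            self.progress[src_ip] = (idx, started)
        return False


def pfctl_add(src_ip, table=PF_TABLE, run=subprocess.run):
    """Admit src_ip by adding it to the pf table; a pf.conf rule such as
    'pass in proto tcp from <knockers> to port ssh' then lets it through.
    'run' is injectable so the logic can be exercised without root or pf."""
    cmd = ["pfctl", "-t", table, "-T", "add", src_ip]
    run(cmd, check=True)
    return cmd


def serve(tracker, table=PF_TABLE, bind_addr="0.0.0.0"):
    """Listen on each knock port over UDP and admit sources that complete
    the sequence.  pf must pass these UDP ports to the daemon, or it will
    never see the knocks (which travel in the clear, as the post notes)."""
    socks = {}
    for port in set(tracker.sequence):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((bind_addr, port))
        socks[s] = port
    while True:
        ready, _, _ = select.select(list(socks), [], [])
        for s in ready:
            _, (src_ip, _) = s.recvfrom(1)
            if tracker.observe(src_ip, socks[s]):
                pfctl_add(src_ip, table)


if __name__ == "__main__":
    # Needs root for pfctl and a pf.conf that passes the knock ports.
    serve(KnockTracker())
```

The matching pf.conf fragment for this example would be `table <knockers> persist`, a `pass in proto udp to port { 7000 8000 9000 }` rule so the daemon actually receives the knocks, and `pass in proto tcp from <knockers> to port ssh`. Nothing here ever removes an address again; something like `pfctl -t knockers -T expire 3600` from cron would age entries out. None of that changes the underlying point: the sequence is a static secret sent in the clear, so it buys nothing over the password or key you still present to sshd afterwards.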
