Johan Söderberg <> writes:

> For a client to connect to a service, it need to unlock the port with a code.
> The code is made of predefined blocked ports, that makes pf trigger.

You have just described 'port knocking'.  It's been discussed in PF
contexts before (I forget which lists, could have been openbsd-misc or
here), and the conclusion was roughly that it doesn't add much in
terms of security, certainly not worth the potential added complexity.
The enthusiasts tend to live on Linux, IIRC.

> There are 65536 ports, that gives you 65536^n possible combinations
> where n is the number of ports in your code.
> So you probably won't need more than 2-3 ports in your code.

That's almost like saying, "my password's written with unicode, so 2-3
characters is fine".  To my mind, that's all the added security you
get, roughly equivalent to a password.  It's a well known fact that
industrial-scale password guessing is going on right now, so once the
bad guys figure out the obvious, the machinery to crack your box is
ready to go. Add to that the typical implementation scenario with a
daemon that reads your firewall logs for your secret sequence and all
its possible failure modes (a full disk will brick your box, as will
any exploitable bug with the potential to kill your daemon, and so

Oh well, that's just a small sample of what the sceptics here will
say.  I've been meaning to get around to a proper treatment of port
knocking in a blog post or article, and that may still happen given
enough round tuits.  In the meantime, the main points have already
been presented.

- Peter
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: disconnected after 42673 seconds.
