Johan Söderberg <johan.s.u...@gmail.com> writes:

> For a client to connect to a service, it needs to unlock the port with a code.
> The code is made of predefined blocked ports, that makes pf trigger.

You have just described 'port knocking'. It's been discussed in PF contexts before (I forget which lists, could have been openbsd-misc or here), and the conclusion was roughly that it doesn't add much in terms of security, certainly not worth the potential added complexity. The enthusiasts tend to live on Linux, IIRC.

> There are 65536 ports, that gives you 65536^n possible combinations
> where n is the number of ports in your code.
> So you probably won't need more than 2-3 ports in your code.

That's almost like saying, "my password's written with unicode, so 2-3 characters is fine". To my mind, that's all the added security you get, roughly equivalent to a password. It's a well known fact that industrial-scale password guessing is going on right now, so once the bad guys figure out the obvious, the machinery to crack your box is ready to go.

Add to that the typical implementation scenario with a daemon that reads your firewall logs for your secret sequence and all its possible failure modes (a full disk will brick your box, as will any exploitable bug with the potential to kill your daemon, and so forth).

Oh well, that's just a small sample of what the sceptics here will say. I've been meaning to get around to a proper treatment of port knocking in a blog post or article, and that may still happen given enough round tuits. In the meantime, the main points have already been presented.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd: 22.214.171.124: disconnected after 42673 seconds.
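To make the two points above concrete (a knock sequence is just a password of 16 bits per port, and the usual implementation is a daemon scraping blocked-packet log lines for that sequence), here is an added example, not code from the thread or from any PF tool. It assumes a secret sequence of three ports, a ten-second window in which the sequence must complete, and log lines in a shape approximating what tcpdump prints when reading the pflog interface; both the sequence and the log lines are constructed for the example.

```python
import math
import re

# Constructed lines approximating tcpdump output on a pflog interface (not real captures).
LOG_LINES = [
    "12:00:01.000000 rule 2/(match) block in on em0: 192.0.2.10.40001 > 198.51.100.5.1234: Flags [S]",
    "12:00:02.000000 rule 2/(match) block in on em0: 192.0.2.10.40002 > 198.51.100.5.5678: Flags [S]",
    "12:00:03.000000 rule 2/(match) block in on em0: 192.0.2.10.40003 > 198.51.100.5.9012: Flags [S]",
    # wrong order: second and third knocks swapped
    "12:00:05.000000 rule 2/(match) block in on em0: 203.0.113.7.40001 > 198.51.100.5.1234: Flags [S]",
    "12:00:06.000000 rule 2/(match) block in on em0: 203.0.113.7.40002 > 198.51.100.5.9012: Flags [S]",
    "12:00:07.000000 rule 2/(match) block in on em0: 203.0.113.7.40003 > 198.51.100.5.5678: Flags [S]",
    # right order, but the last knock arrives after the window has expired
    "12:00:10.000000 rule 2/(match) block in on em0: 203.0.113.8.40001 > 198.51.100.5.1234: Flags [S]",
    "12:00:11.000000 rule 2/(match) block in on em0: 203.0.113.8.40002 > 198.51.100.5.5678: Flags [S]",
    "12:00:40.000000 rule 2/(match) block in on em0: 203.0.113.8.40003 > 198.51.100.5.9012: Flags [S]",
    # unrelated blocked traffic and a line the parser cannot read
    "12:00:41.000000 rule 2/(match) block in on em0: 198.51.100.99.50000 > 198.51.100.5.22: Flags [S]",
    "this line is not a pflog record",
]

KNOCK_SEQUENCE = [1234, 5678, 9012]  # hypothetical secret, chosen for the example
WINDOW_SECONDS = 10.0                # hypothetical: whole sequence must land within this span

LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) rule \d+/\(match\) block in on \w+: "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+):"
)


def parse_line(line):
    """Return (seconds_since_midnight, source_ip, destination_port) or None for unreadable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, frac, src, dport = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
    return ts, src, int(dport)


def find_unlocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Replay blocked-packet log lines and report sources that completed the knock sequence.

    This is the core of a log-reading knock daemon: its only input is the log, so anything
    that stops log lines from being written (a full disk, a dead daemon) silently stops
    unlocks as well, which is the failure mode the message above describes.
    """
    state = {}      # source ip -> (knocks matched so far, timestamp of first knock)
    unlocked = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        progress, start = state.get(src, (0, None))
        if progress > 0 and ts - start > window:
            progress, start = 0, None          # window expired: start over
        if dport == sequence[progress]:
            if progress == 0:
                start = ts
            progress += 1
            if progress == len(sequence):
                unlocked.append(src)
                progress, start = 0, None
        elif dport == sequence[0]:
            progress, start = 1, ts            # wrong port, but it restarts a sequence
        else:
            progress, start = 0, None          # any other port resets the sequence
        state[src] = (progress, start)
    return unlocked


def knock_bits(n_ports):
    """Entropy of an n-port sequence if every port were equally likely: log2(65536^n) = 16n."""
    return n_ports * math.log2(65536)


def equivalent_password_length(n_ports, alphabet_size=94):
    """Shortest random password over a printable-ASCII alphabet with at least as much entropy."""
    return math.ceil(knock_bits(n_ports) / math.log2(alphabet_size))


if __name__ == "__main__":
    print("unlocked:", find_unlocks(LOG_LINES))
    for n in (2, 3):
        print(f"{n} ports = {knock_bits(n):.0f} bits, "
              f"about a {equivalent_password_length(n)}-character random password")
```

Only 192.0.2.10 completes the sequence; the out-of-order and late knockers do not. The entropy figures make the "equivalent to a password" comparison explicit: two ports are 32 bits (a five-character random printable password), three ports are 48 bits (eight characters), and a real deployment is weaker than that because the sequence is sent in the clear and the ports that trigger a block are far from uniformly chosen.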