Alvaro Mantilla Gimenez <[email protected]> writes:

> It would be awesome if pf could implement some port knocking features in
> the next releases...maybe an associated daemon (like spamd with email
> delivery attempts...or something like that). Do you think it is
> possible?

The first hurdle in getting port knocking functionality into the base
system or a port would be to demonstrate that the added complexity is
worth it in a very practical sense.

Basically it's just one more feature that would need to be implemented
in a sane way and be demonstrated to be useful enough to warrant
inclusion.  I wouldn't want to rate the chance of success, but if you
think you can do it, what's stopping you?

For the original poster's scenario, the suggestion "write a script
that resolves the hostnames and maintains a table" specifically
addresses their problem, using existing tools in a very simple way.

One could of course argue that a little sshd config would go a long
way too, say enabling key-based logins only (turning off password
authentication), disallowing root logins and so on, but we don't know
whether they've done that already.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
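The "resolve the hostnames and maintain a table" approach from the reply above, written out as an added example (this is not code from the thread, from Peter, or from the pf project). Everything specific is an assumption: the table is called <sshallowed>, declared in pf.conf with `table <sshallowed> persist` and used by a rule such as `pass in on egress proto tcp from <sshallowed> to port ssh`, and the hostnames live one per line in /etc/ssh_allowed_hosts. The one design point worth carrying over is the refusal to load an empty address set: a DNS outage should leave the old table in place rather than lock every allowed host out at once.

```shell
#!/bin/sh
# Added example: keep a pf table in sync with a list of hostnames.
# Assumptions (not from the thread): table <sshallowed> exists in pf.conf
# (`table <sshallowed> persist`), hostnames are in /etc/ssh_allowed_hosts,
# one per line, '#' comments and blank lines allowed. Run from cron.

HOSTS_FILE=${HOSTS_FILE:-/etc/ssh_allowed_hosts}
TABLE=${TABLE:-sshallowed}
PFCTL=${PFCTL:-pfctl}

# resolve_host NAME: print NAME's A and AAAA records, one address per line.
# Uses host(1); prints nothing for a name that does not resolve.
resolve_host() {
    host "$1" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }'
}

# build_addr_list: read hostnames from stdin, skip blanks and comments,
# resolve each one and print the de-duplicated, sorted address set.
# Returns 1 when nothing resolved at all, so the caller never replaces
# the table with an empty set.
build_addr_list() {
    addrs=$(
        while read -r name rest; do
            case "$name" in ''|\#*) continue ;; esac
            resolve_host "$name"
        done | sort -u
    )
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs"
}

# update_table: swap the table contents for the current address set.
# `pfctl -T replace` loads the whole set in one call, so there is no
# window in which the table is half-updated.
update_table() {
    tmp=$(mktemp) || return 1
    if build_addr_list < "$HOSTS_FILE" > "$tmp"; then
        "$PFCTL" -t "$TABLE" -T replace -f "$tmp"
        rc=$?
    else
        echo "$0: no addresses resolved, leaving table <$TABLE> unchanged" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Only touch pf when the hosts file is present; this keeps the functions
# above usable (sourced or tested) on a machine without pf.
if [ -r "$HOSTS_FILE" ]; then
    update_table
fi
```

Schedule it from root's crontab at an interval that matches the DNS TTLs of the hosts involved. The sshd side Peter mentions is two directives in sshd_config, `PasswordAuthentication no` and `PermitRootLogin no`, followed by a restart of sshd; the table only limits who can reach the port, it does nothing about what they can do once connected.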
