
low-cost pf port-knocking idea

Dear [email protected],
$ext   - stands for the server's listening interface,
($ext) - stands for that interface's address.
server side:
pass in quick on $ext inet proto udp \
from any port 333 to ($ext) port 333 keep state \
tag knock333
pass in quick on $ext inet proto udp \
from any port 444 to ($ext) port 444 keep state tagexist knock333 \
tag knock444
pass in quick on $ext inet proto udp \
from any port 555 to ($ext) port 555 keep state tagexist knock444 \
tag knock555
pass in quick on $ext inet proto tcp \
from any to ($ext) port 22 flags S/SA keep state tagexist knock555
client side:
# perl -e 'print split /\./, rand()' | nc -u -p 333 ($ext) 333
# perl -e 'print split /\./, rand()' | nc -u -p 444 ($ext) 444
# perl -e 'print split /\./, rand()' | nc -u -p 555 ($ext) 555
# ssh [email protected]($ext)
Constructive criticism is welcome.
Truly yours
 Alexey E. Suslikov
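To check what the chained rules above actually enforce, here is a small Python model of the ruleset. It is an added illustration for this thread, not pf code and not the poster's: it assumes `tagexist <tag>` means "the source address already holds a state entry that was created by a rule carrying `tag <tag>`" (stock pf has `tagged`, which matches a tag set on the same packet earlier in the ruleset, so this semantics is the proposal being modelled), evaluates rules first-match like `quick`, treats every packet as addressed to ($ext), and expires state entries after a fixed timeout so the effect of slow knocks is visible. The source address, ports and timeout are constructed values.

```python
"""Model of a pf-style port-knock chain built from tagged state entries.

Added example for this discussion; not pf's code and not the poster's.
Assumption: a rule with tagexist=T matches only if the packet's source
address currently holds a state entry created by a rule with tag=T.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    proto: str                 # "udp" or "tcp"
    sport: Optional[int]       # required source port, None = any
    dport: int                 # destination port on ($ext)
    tag: Optional[str] = None  # tag put on the state this rule creates
    tagexist: Optional[str] = None  # tag the source must already hold


@dataclass
class Packet:
    src: str
    proto: str
    sport: int
    dport: int
    time: float = 0.0          # seconds, used for state expiry


class KnockFilter:
    """First-match ('quick') evaluation with per-source tagged states."""

    def __init__(self, rules: List[Rule], state_timeout: float = 60.0):
        self.rules = rules
        self.timeout = state_timeout
        # (source address, tag) -> time the state was created
        self.states: Dict[Tuple[str, str], float] = {}

    def _expire(self, now: float) -> None:
        # Like pf, states do not live forever; an old knock does not count.
        self.states = {k: t for k, t in self.states.items()
                       if now - t <= self.timeout}

    def accept(self, pkt: Packet) -> bool:
        self._expire(pkt.time)
        for r in self.rules:
            if r.proto != pkt.proto or r.dport != pkt.dport:
                continue
            if r.sport is not None and r.sport != pkt.sport:
                continue
            if r.tagexist and (pkt.src, r.tagexist) not in self.states:
                continue          # previous knock missing or expired
            if r.tag:
                self.states[(pkt.src, r.tag)] = pkt.time
            return True           # pass ... quick: first match wins
        return False              # nothing matched: default deny


# The four rules from the post, in order.
RULESET = [
    Rule("udp", 333, 333, tag="knock333"),
    Rule("udp", 444, 444, tag="knock444", tagexist="knock333"),
    Rule("udp", 555, 555, tag="knock555", tagexist="knock444"),
    Rule("tcp", None, 22, tagexist="knock555"),
]


def run_sequence(knocks: List[Tuple[str, int, int, float]],
                 timeout: float = 60.0) -> List[bool]:
    """Feed (proto, sport, dport, time) packets from one constructed
    client address through a fresh filter; return the verdict per packet."""
    f = KnockFilter(RULESET, timeout)
    return [f.accept(Packet("198.51.100.7", p, s, d, t))
            for p, s, d, t in knocks]


if __name__ == "__main__":
    good = [("udp", 333, 333, 0.0), ("udp", 444, 444, 1.0),
            ("udp", 555, 555, 2.0), ("tcp", 40000, 22, 3.0)]
    print("in-order knocks, then ssh:", run_sequence(good))
    print("ssh with no knocks:       ", run_sequence([("tcp", 40000, 22, 0.0)]))
    print("second knock skipped:     ", run_sequence(
        [("udp", 333, 333, 0.0), ("udp", 555, 555, 1.0), ("tcp", 40000, 22, 2.0)]))
    slow = good[:3] + [("tcp", 40000, 22, 100.0)]
    print("ssh after states expired: ", run_sequence(slow))
```

Two things the model makes visible that the rule listing alone does not: the source-port constraint (`from any port 333`) is part of the knock, so a client that lets the kernel pick an ephemeral port never opens the chain, which is why the `nc -p` flags matter; and because each step is a state entry, the whole sequence plus the SSH SYN must fit inside the UDP state timeout, so a slow client fails silently. The knock sequence itself is fixed and sent in the clear, so the chain hides sshd from scanners rather than authenticating anyone; sshd's own authentication still has to carry the security.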