[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf port knocking

> For those unfamiliar with the technique, it is like
> knocking a certain pattern/code on a door to open it.
  anyone unfamiliar with the technique hasn't read the archives
  whatsoever and thus is not going to garner favour from anyone
  here at all.
> Has anyone heard of anyone working on a portknocking daemon for
> OBSD/pf? There are a couple of basic setups over at
> www.portknocking.org but thought I would check here before attempting a
> port. 
  i would venture to guess, probably not.  portknocking topic shows
  up in [email protected] or [email protected] once every three months it seems, and someone comes
  in all full of stars and hope, but the blinding majority of 
  code-contributing members, as well as at least the regular majority
  of list members don't really seem to want anything to do with it...
  some people seem to think it's "cool" and "hip" and "stealthy" while
  others think it is "cumbersome", "increases liability", and is
  essentially energy better spent elsewhere.
> they have at portknocking.org and see what I can do for pf. I would
> imagine I will have to setup anchors in pf which I haven't done yet but
> am sure I will get my head around it. Any pointers would be
> appreciated! :)
  anchors are cake.  spend some time with authpf(8) and you can get
  to know anchors very quickly.
  instead of motioning to start a discussion about something that will
  probably want to make people jump down your throat, perhaps just
  use LogLevel QUIET or FATAL for sshd?  if you think that sshd is a
  "loose end" that needs to be tied up, why not just do something 
  far simpler and clearer like setup isakmpd or whatever vpn setup
  you need and only let sshd listen on the internal iface or otherwise
  filter the rest out?  far less crappy voodoo to break or setup wrong.
> I will also need to write a windows util to do the knocking for the
> contractors - can Perl run on a Windows machine or will I have to dust
> off my C compiler? :)
  i think there are perl interpreters for windows.
[ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]