trigger to open port in firewall

Hi folks,

I am looking for a method in pf or ipfw to allow a certain IP access to a port, let's say ssh in this case. Basically this should work like knockd, for instance; just wondering if I can build something like this with pf or ipfw as well.
I do not need a sequence of different ports and protocols as a trigger; some TCP SYN or whatsoever would be enough.

Any clue?

Cheers,
 
How about just restricting access to that specific IP address?

For PF something like this:
Code:
block in on $ext_if proto tcp from any to any port 22
pass in on $ext_if proto tcp from 1.2.3.4 to any port 22 keep state
 
SirDice said:
How about just restricting access to that specific IP address?

Well, I have to take into account that the originating IP address may change, as in some cases we are talking about a dial-up connection. Filtering on the basis of DNS would not be a solution either.
 
Right. Mine is just open to the world. I keep bruteforce attacks somewhat in check by using security/sshguard-pf. Of course I also make sure I don't have easily guessed usernames and passwords.
 
SirDice said:
Right. Mine is just open to the world. I keep bruteforce attacks somewhat in check by using security/sshguard-pf. Of course I also make sure I don't have easily guessed usernames and passwords.

Yeah. SSH would be one of the major interests for a remote device, but I can imagine doing this with other services as well. In the end it is the basic assumption: what nobody can see is not there ;)
It would be possible to hack a special kld for this; on the other hand, using something already tested would spare some days of crashing :D

IIRC you can do some tricks like this with iptables already; maybe I just have to dig through the pf papers.

Cheers,
 
authpf(8) is quite nice. Just run a second sshd on a random high port, connect to it, authenticate, and your IP address is added to a table. Disconnect from sshd, and your IP address is dropped again.
 
Sounds like you want port knocking, where you send a series of TCP packets to specific ports on a server, in a specific order, after which a TCP port is opened and connections are allowed. Usually used to enable SSH on a system without actually having SSH running/listening on a specific port.

A super-quick ports search found security/knock. No idea how well it works, as I've never used port knocking.

Google may be able to find more info on the technique.
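To make the mechanism concrete, here is an added simulation of the knock trigger the thread is after (it is not knockd's code, nor pf's, nor anything from the ports tree). It replays constructed SYN summary lines through a per-source state machine: a source that hits the knock ports in order within a time window is "opened" for a fixed period, and the script emits the pfctl(8) table command that a real deployment would run so a rule such as `pass in on $ext_if proto tcp from <knocked> to any port 22` lets it through. The log line format, the knock sequence 7000/8000/9000, the table name `knocked`, the timeouts and the sample addresses are all assumptions constructed for the example; only the `pfctl -t TABLE -T add|delete ADDR` syntax is real.

```python
"""Port-knock trigger, simulated over constructed log lines.

Added illustration for this thread, not knockd's or pf's own code.  The
line format, knock sequence, table name, timeouts and addresses are all
constructed assumptions; only the emitted pfctl(8) table syntax
("-t TABLE -T add ADDR" / "-T delete ADDR") is real.
"""
import re
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed knock sequence (assumption)
KNOCK_WINDOW = 10.0                  # seconds allowed to complete the sequence
OPEN_FOR = 30.0                      # seconds a knocked source stays allowed
PROTECTED_PORT = 22                  # port gated by the knock (ssh, as in the thread)
TABLE = "knocked"                    # hypothetical pf table name (assumption)

# Constructed line format: "<epoch> <src_ip> -> <dst_port> SYN"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+) -> (?P<port>\d+) SYN$")


@dataclass
class KnockState:
    first_ts: float      # time of the first knock of the current attempt
    index: int = 0       # knocks matched so far


@dataclass
class KnockDetector:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_FOR
    progress: dict = field(default_factory=dict)  # src -> KnockState
    opened: dict = field(default_factory=dict)    # src -> expiry epoch

    def expire(self, now):
        """Drop sources whose allowance has lapsed; return pfctl delete commands."""
        cmds = []
        for src, until in list(self.opened.items()):
            if now >= until:
                del self.opened[src]
                cmds.append(f"pfctl -t {TABLE} -T delete {src}")
        return cmds

    def feed(self, ts, src, port):
        """Account one SYN; return the pfctl add command when the sequence completes."""
        st = self.progress.get(src)
        if st is not None and ts - st.first_ts > self.window:
            del self.progress[src]     # too slow: the partial sequence is forgotten
            st = None
        idx = st.index if st is not None else 0
        if port == self.sequence[idx]:
            if st is None:
                st = self.progress[src] = KnockState(first_ts=ts)
            st.index += 1
            if st.index == len(self.sequence):
                del self.progress[src]
                self.opened[src] = ts + self.open_for
                return f"pfctl -t {TABLE} -T add {src}"
            return None
        # Any other SYN resets this source (this example's policy); if it was
        # the first knock of the sequence, a fresh attempt starts from it.
        self.progress.pop(src, None)
        if port == self.sequence[0]:
            self.progress[src] = KnockState(first_ts=ts, index=1)
        return None

    def is_open(self, src):
        return src in self.opened


def replay(log_text):
    """Replay log lines; return (pfctl commands issued, verdicts for PROTECTED_PORT)."""
    det = KnockDetector()
    cmds, verdicts = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a SYN summary line
        ts, src, port = float(m["ts"]), m["src"], int(m["port"])
        cmds += det.expire(ts)
        if port == PROTECTED_PORT:
            verdicts.append((ts, src, "pass" if det.is_open(src) else "block"))
        cmd = det.feed(ts, src, port)
        if cmd:
            cmds.append(cmd)
    return cmds, verdicts


# Constructed sample: one source knocks correctly, one probes port 22 without
# knocking, then knocks too slowly and never gets in.
SAMPLE_LOG = """\
1000.0 198.51.100.7 -> 7000 SYN
1001.0 198.51.100.7 -> 8000 SYN
1002.0 198.51.100.7 -> 9000 SYN
1003.0 203.0.113.9 -> 7000 SYN
1004.0 203.0.113.9 -> 22 SYN
1010.0 198.51.100.7 -> 22 SYN
1020.0 203.0.113.9 -> 7000 SYN
1021.0 203.0.113.9 -> 8000 SYN
1035.0 203.0.113.9 -> 9000 SYN
1040.0 198.51.100.7 -> 22 SYN
"""

if __name__ == "__main__":
    commands, results = replay(SAMPLE_LOG)
    for c in commands:
        print(c)
    for ts, src, verdict in results:
        print(f"{ts:.0f} {src} port {PROTECTED_PORT}: {verdict}")
```

In the replay, 198.51.100.7 is added to the table at t=1002, its SSH attempt at t=1010 passes, and it is removed at t=1035 once the 30 s allowance lapses, so the later attempt at t=1040 is blocked again; 203.0.113.9 is blocked at t=1004 and its second attempt exceeds the 10 s window, so no command is ever issued for it. A real deployment would run the printed commands against pf (and reference the table from a `pass` rule) rather than print them.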
 