Hi,
On Tuesday 24 October 2006 at 20:21 -0300, Luis Floreani wrote:
> On 10/23/06, Eric Leblond <eric@???> wrote:
> >
> > Let's say port knocking is 4138 2345 4577 to open port 22
> >
> > Then just do
> > iptables -A INPUT -p tcp -m multiport --dports 4138,2345,4577,22 -j QUEUE
> >
> > Your userspace application waits for packets coming from the queue, drops them
> > when they come from knocking ports (but stores the knock) and accepts
> > packets to port 22 if we just had a correct knocking sequence before.
> >
> > This is simple, does not use complex algorithms and should fit on all
> > small routers.
> >
>
> The idea of having a userspace application receiving the queued
> packets from netfilter is much better than scanning firewall logs.
>
> Actually, I see these issues in the userspace solution:
>
> 1. (+) Could be safer to run the portknocking logic in userspace,
> rather than kernel.
> 2. It is not clear from an admin point of view that a portknocking
> system is running.
> 3. The port 22 traffic is suffering a small penalty because of
> travelling kernel->userspace->kernel before arriving at the service.
By just queuing the SYN packets you will introduce a ridiculous delay on
this first packet. The rest of the connection is handled by conntrack and
there is thus no difference.
> 4. There is not a single point of configuration, if you want to change
> the knock sequence for instance, you have to change the app and then
> the iptables rule.
All can be bundled in a single script. A cleaner way could be to use
ipset to specify the port list and not to change the rule set.
> 5. Question: is there a way to set two or more different queues, to
> avoid receiving in userspace packets from other rules with
> "-j QUEUE"?
No, you have to use NFQUEUE to do so (which comes with 2.6.14+). QUEUE is
limited to one queue.
BR,
--
Eric Leblond <eric@???>
INL
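The userspace half of the scheme Eric sketches (drop the knock packets but remember them, accept the SYN to port 22 only right after a complete in-order sequence), as an added example that is not Eric's or Luis's code. Packets are constructed tuples; the binding that reads queued SYNs from the kernel (libipq/NFQUEUE) and hands back the verdict is assumed and not shown, and the two time windows are assumptions.

```python
"""Userspace verdict logic for the queue-based port knocking in the thread.
Added example, not Eric's or Luis's code: knock packets are dropped but
remembered, and a SYN to port 22 is accepted only after a complete, in-order
sequence. The kernel-queue binding (libipq/NFQUEUE) is assumed, not shown."""
from collections import namedtuple
KNOCK_SEQUENCE = (4138, 2345, 4577)   # the sequence used in the thread
PROTECTED_PORT = 22
KNOCK_WINDOW = 10.0   # assumed: max seconds between two knocks of a sequence
OPEN_WINDOW = 30.0    # assumed: seconds a completed sequence stays usable

# Only the SYN of each flow is queued (conntrack carries the rest): src, dport, time
Packet = namedtuple("Packet", "src dport ts")

class KnockState:
    def __init__(self, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT,
                 knock_window=KNOCK_WINDOW, open_window=OPEN_WINDOW):
        self.sequence, self.protected = sequence, protected
        self.knock_window, self.open_window = knock_window, open_window
        self.progress = {}   # src -> (index of next expected knock, ts of last knock)
        self.opened = {}     # src -> ts at which the full sequence completed

    def verdict(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one queued SYN."""
        if pkt.dport in self.sequence:
            self._record_knock(pkt)
            return "DROP"            # knocks get no reply, they are only remembered
        if pkt.dport == self.protected:
            opened_at = self.opened.pop(pkt.src, None)   # one connection per sequence
            if opened_at is not None and pkt.ts - opened_at <= self.open_window:
                return "ACCEPT"
        return "DROP"                # default for anything else the rule queues

    def _record_knock(self, pkt):
        idx, last = self.progress.get(pkt.src, (0, pkt.ts))
        if pkt.ts - last > self.knock_window:
            idx = 0                  # partial sequence went stale: start over
        if pkt.dport == self.sequence[idx]:
            idx += 1
        else:                        # wrong port resets; a correct first knock restarts
            idx = 1 if pkt.dport == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened[pkt.src] = pkt.ts
            idx = 0
        self.progress[pkt.src] = (idx, pkt.ts)

def run(packets, state=None):
    """Apply verdicts to a constructed trace of queued SYNs, in arrival order."""
    state = state or KnockState()
    return [state.verdict(p) for p in packets]
```

Because each completed sequence is consumed by the first accepted SYN, a second connection needs a fresh knock; the matching iptables rule would carry `--syn` so only the first packet of each flow reaches this code.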