Hello,
On 10/25/06, Eric Leblond <eric@???> wrote:
> Hi,
>
> On Tuesday 24 October 2006 at 20:21 -0300, Luis Floreani wrote:
> > On 10/23/06, Eric Leblond <eric@???> wrote:
> > >
> > > Let's say port knocking is 4138 2345 4577 to open port 22
> > >
> > > Then just do
> > > iptables -A INPUT -p tcp -m multiport --dports 4138,2345,4577,22 -j QUEUE
> > >
> > > Your userspace application waits for packets coming from the queue, drops
> > > them when they come from knocking ports (but stores the knock) and accepts
> > > packets to port 22 if we just had a correct knocking sequence before.
> > >
> > > This is simple, does not use complex algorithms and should fit on all
> > > small routers.
> >
> > The idea of having a userspace application receiving the queued
> > packets from netfilter is much better than scanning firewall logs.
> >
> > Actually, I see these issues in the userspace solution:
> >
> > 1. (+) Could be safer to run the portknocking logic in userspace,
> > rather than kernel.
> > 2. It is not clear from an admin point of view that a portknocking
> > system is running.
> > 3. The port 22 traffic is suffering a small penalty because of
> > travelling kernel->userspace->kernel before arriving at the service.
>
> By just queuing the SYN packets you will introduce a ridiculous delay on
> this first packet. The rest of the connection is handled by conntrack and
> there is thus no difference.
That design is very good. We think that it is the best among all the
"hybrid" port knocking applications that we know.
> > 4. There is not a single point of configuration, if you want to change
> > the knock sequence for instance, you have to change the app and then
> > the iptables rule.
>
> All can be bundled in a single script. A cleaner way could be to use
> ipset to specify the ports list and not to change the rule set.
This is debatable. A cleaner way for who? Someone might want to
configure the firewall only through iptables, without depending on
other applications or daemons.
> > 5. question: Is there a way to set two or more different queues? to
> > avoid receiving in the userspace, packets from other rules with the
> > "-j QUEUE"
>
> No, you have to use NFQUEUE to do so (which comes with 2.6.14+). QUEUE is
> limited to one queue.
We didn't know the NFQUEUE target extension. We thought it was very good.
Finally, we don't want to say that other port knocking applications
aren't useful. We just offer an alternative, which in our opinion has
more advantages than other solutions.
We would like to know any suggestions about our pknock extension match.
If you have some, they will be welcome.
Regards,
--
Federico