From: Eric Leblond <eric@inl.fr>
To: "J. Federico Hernandez" <fede.hernandez@gmail.com>
Cc: netfilter-devel@lists.netfilter.org,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: new match extension to implement port knocking in one
Date: Mon, 23 Oct 2006 21:46:52 +0200
Message-ID: <1161632812.5359.8.camel@localhost>
In-Reply-To: <c0db55360610230631u4acce3bft3f020916341caf0f@mail.gmail.com>
On Monday 23 October 2006 at 10:31 -0300, J. Federico Hernandez wrote:
> On 10/18/06, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > J. Federico Hernandez wrote:
> > > On 10/17/06, Eric Leblond <eric@inl.fr> wrote:
> > >> >
> > >> > When all you want is to open a port after a correct sequence of
> > >> > knocks, instead of sending from the kernel all the knocks to the
> > >> > userspace, and then setting a new iptables rule so the kernel firewall
> > >> > takes an action, it would be better to leave the whole work to the
> > >> > kernel and avoid the transition kernel->userspace->kernel.
> > >>
> > >> kernel->userspace->kernel is really not a problem for nowadays computers.
> > >> Simply think about snort-inline which is able to handle a great amount
> > >> of traffic.
> > >
> > > the fact that nowadays computers have much more power, doesn't mean
> > > that you can forget about a simple, less complex and correct design.
> >
> > I'm unsure that putting things in kernel implies less complexity and
> > correct design, it depends on the case.
> >
>
> Putting things in kernel doesn't mean less complexity, but in the port
> knocking case it means a correct design and better performance.
>
> With traditional port knocking applications you have to switch
> kernelspace->userspace->kernelspace several times. Furthermore, you
> have to load the regex engine for parsing the firewall logs and you
> have to access the hard disk each minute for parsing log files. In
> our opinion, this is not a correct design.
We do not understand each other about the way I (and Pablo, I think)
propose you do it, because the solution I thought of does not use log
analysis...
Let's say the knock sequence is 4138 2345 4577 to open port 22.
Then just do
iptables -A INPUT -p tcp -m multiport --dports 4138,2345,4577,22 -j QUEUE
Your userspace application waits for packets coming from the queue, drops
them when they come from knocking ports (but stores the knock) and accepts
packets to port 22 if we just had a correct knocking sequence before.
This is simple, does not use complex algorithms and should fit on all
small routers.
BR,
--
Eric Leblond <eric@inl.fr>
INL
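The userspace side of the design Eric describes above, as an added example that is not code from the thread or from the netfilter project: a per-source state machine that drops every knock, records its position in the sequence, and accepts port 22 only while a window opened by a complete sequence is still valid. The knock ports (4138, 2345, 4577) and the protected port 22 come from the message; the timing policy (KNOCK_TIMEOUT, OPEN_WINDOW), the out-of-order reset and the prune() housekeeping are assumptions of this example. Reading packets from the kernel queue itself (libipq for the QUEUE target of that era, libnetfilter_queue for NFQUEUE on current kernels) is left out, so the engine takes (source address, destination port, timestamp) and runs offline on constructed input.

```python
# Added example, not code from the thread: verdict logic for a process reading
# from the iptables QUEUE rule "-m multiport --dports 4138,2345,4577,22 -j QUEUE".
from collections import defaultdict
from dataclasses import dataclass

# Values from the message: knock on 4138, 2345, 4577 to open port 22.
KNOCK_SEQUENCE = (4138, 2345, 4577)
PROTECTED_PORT = 22
# Assumed timing policy (the message gives none).
KNOCK_TIMEOUT = 10.0   # max seconds between two consecutive knocks
OPEN_WINDOW = 30.0     # seconds port 22 stays reachable after a full sequence

ACCEPT = "ACCEPT"
DROP = "DROP"


@dataclass
class SourceState:
    progress: int = 0        # knocks of the sequence matched so far
    last_knock: float = 0.0  # time of the last knock seen from this source
    open_until: float = 0.0  # port 22 is accepted while now < open_until


class KnockEngine:
    """Per-source knock state machine; sequence ports are assumed distinct."""

    def __init__(self, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT,
                 knock_timeout=KNOCK_TIMEOUT, open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.knock_ports = set(self.sequence)
        self.protected = protected
        self.knock_timeout = knock_timeout
        self.open_window = open_window
        self.state = defaultdict(SourceState)

    def verdict(self, src, dport, now):
        st = self.state[src]
        if dport == self.protected:
            # Only the protected port is ever accepted, and only inside the window.
            return ACCEPT if now < st.open_until else DROP
        if dport in self.knock_ports:
            # Knocks are always dropped; only their order and timing are recorded.
            if st.progress and now - st.last_knock > self.knock_timeout:
                st.progress = 0                      # sequence took too long: restart
            if dport == self.sequence[st.progress]:
                st.progress += 1
                if st.progress == len(self.sequence):
                    st.open_until = now + self.open_window
                    st.progress = 0
            else:
                # Out-of-order knock: start over (counting it if it is the first port).
                st.progress = 1 if dport == self.sequence[0] else 0
            st.last_knock = now
            return DROP
        # The iptables rule only queues the knock ports and port 22; anything
        # else reaching here is unexpected, so fail closed.
        return DROP

    def prune(self, now):
        """Forget sources with no live knock sequence and no open window, so
        memory stays bounded on a small router; returns how many were dropped."""
        stale = [src for src, st in self.state.items()
                 if st.open_until <= now
                 and (st.progress == 0 or now - st.last_knock > self.knock_timeout)]
        for src in stale:
            del self.state[src]
        return len(stale)


def run(packets, engine=None):
    """Apply the engine to an iterable of (src, dport, time); return the verdicts."""
    engine = engine or KnockEngine()
    return [engine.verdict(src, dport, t) for src, dport, t in packets]


if __name__ == "__main__":
    # Constructed sample traffic: a correct sequence from 10.0.0.1, then
    # 10.0.0.2 trying port 22 without knocking.
    sample = [("10.0.0.1", 22, 0.0), ("10.0.0.1", 4138, 1.0),
              ("10.0.0.1", 2345, 2.0), ("10.0.0.1", 4577, 3.0),
              ("10.0.0.1", 22, 4.0), ("10.0.0.2", 22, 4.5)]
    for pkt, v in zip(sample, run(sample)):
        print(pkt, "->", v)
```

In a real deployment the verdict returned here is what the queue library hands back to the kernel for each packet; the state is keyed by source address, so one host's knocks never open the port for another, and prune() should be called periodically because every scanned knock port creates an entry.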