Hi,

On Tuesday 24 October 2006 at 20:21 -0300, Luis Floreani wrote:
> On 10/23/06, Eric Leblond wrote:
> >
> > Let's say port knocking is 4138 2345 4577 to open port 22
> >
> > Then just do
> > iptables -A INPUT -p tcp -m multiport --dports 4138,2345,4577,22 -j QUEUE
> >
> > Your userspace application waits for packets coming from the queue, drops them
> > when they come from knocking ports (but stores the knock) and accepts
> > packets to port 22 if we just had a correct knocking sequence before.
> >
> > This is simple, does not use complex algorithms and should fit on all
> > small routers.
> >
>
> The idea of having a userspace application receiving the queued
> packets from netfilter is much better than scanning firewall logs.
>
> Actually, I see these issues in the userspace solution:
>
> 1. (+) Could be safer to run the portknocking logic in userspace,
> rather than kernel.
> 2. It is not clear from an admin point of view that a portknocking
> system is running.
> 3. The port 22 traffic is suffering a small penalty because of
> travelling kernel->userspace->kernel before arriving to the service.

By just queuing the SYN packets you will introduce a ridiculous delay on
this first packet. The rest of the connection is handled by conntrack and
there is thus no difference.

> 4. There is not a single point of configuration, if you want to change
> the knock sequence for instance, you have to change the app and then
> the iptables rule.

All can be bundled in a single script. A cleaner way could be to use ipset
to specify the ports list and not to change the ruleset.

> 5. question: Is there a way to set two or more different queues? to
> avoid receiving in the userspace, packets from other rules with the
> "-j QUEUE"

No, you have to use NFQUEUE to do so (which comes with 2.6.14+). QUEUE is
limited to one queue.

BR,
--
Eric Leblond
INL
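The verdict logic the message sketches (drop knocks but remember them per source, accept port 22 only after the full sequence, queue only the SYN so conntrack carries the rest of the connection), as an added illustration that is not code from the thread or from any netfilter project. It models the queue as a stream of (source, destination port, time) tuples so it runs offline; in a real deployment the same `verdict()` would be called from whatever NFQUEUE binding delivers the packets. The knock ports and port 22 come from the thread; the per-source knock window, the time a source stays open, and the queue number are assumptions made for the example.

```python
"""Port-knocking verdict logic for a netfilter queue handler (constructed example).

Matching firewall rules (assumed layout, queue number 0 is an arbitrary choice):
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --syn -m multiport --dports 4138,2345,4577,22 \
           -j NFQUEUE --queue-num 0
Only the SYN of a new connection reaches userspace; later packets of an
accepted SSH session match the conntrack rule first and never pay the
kernel->userspace->kernel round trip.
"""
import time

KNOCK_SEQUENCE = (4138, 2345, 4577)  # knocks, in order, from the thread
PROTECTED_PORT = 22                  # service opened by a correct sequence
KNOCK_WINDOW = 10.0                  # assumption: seconds allowed between knocks
OPEN_DURATION = 30.0                 # assumption: seconds port 22 stays open per source

DROP, ACCEPT = "DROP", "ACCEPT"      # verdicts handed back to the kernel


class KnockTracker:
    """Per-source knock state; every knock packet is dropped, only the
    protected port is ever accepted, and only for a source that finished
    the sequence recently."""

    def __init__(self, sequence=KNOCK_SEQUENCE, protected_port=PROTECTED_PORT,
                 window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.knock_ports = set(sequence)
        self.protected_port = protected_port
        self.window = window
        self.open_for = open_for
        self.progress = {}  # src -> (index of next expected knock, time of last knock)
        self.opened = {}    # src -> time at which the open expires

    def verdict(self, src, dport, now=None):
        """Return DROP or ACCEPT for a queued SYN from `src` to `dport`."""
        if now is None:
            now = time.monotonic()

        if dport == self.protected_port:
            expiry = self.opened.get(src)
            if expiry is not None and now < expiry:
                return ACCEPT
            self.opened.pop(src, None)  # expired or never opened
            return DROP

        if dport not in self.knock_ports:
            # Not a port this handler owns; let the rest of the chain decide.
            return ACCEPT

        idx, last = self.progress.get(src, (0, now))
        if now - last > self.window:
            idx = 0  # too slow: the sequence starts over
        if dport == self.sequence[idx]:
            idx += 1                      # expected knock, advance
        elif dport == self.sequence[0]:
            idx = 1                       # wrong knock that is also a valid restart
        else:
            idx = 0                       # wrong knock, reset

        if idx == len(self.sequence):
            self.opened[src] = now + self.open_for
            self.progress.pop(src, None)
        else:
            self.progress[src] = (idx, now)
        return DROP  # knock packets are always dropped, whatever their effect


def run_trace(tracker, packets):
    """Feed a list of (src, dport, t) tuples through the tracker; return verdicts."""
    return [tracker.verdict(src, dport, t) for src, dport, t in packets]


if __name__ == "__main__":
    # Constructed trace: one source knocks correctly, another tries port 22 cold.
    trace = [("10.0.0.5", 4138, 1.0), ("10.0.0.5", 2345, 2.0),
             ("10.0.0.5", 4577, 3.0), ("10.0.0.5", 22, 4.0),
             ("10.0.0.6", 22, 4.0)]
    for pkt, v in zip(trace, run_trace(KnockTracker(), trace)):
        print(pkt, "->", v)
```

Because state is keyed by source address, a correct sequence from one host never opens the port for another, and a wrong or late knock silently resets progress while still returning DROP, so a scanner sees no difference between knock ports and closed ports.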