From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "J. Federico Hernandez" <fede.hernandez@gmail.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: new match extension to implement port knocking in one
Date: Tue, 17 Oct 2006 03:23:43 +0200
Message-ID: <4534309F.8000200@netfilter.org>
In-Reply-To: <c0db55360610160810s164cbf26lf58390b818cdf443@mail.gmail.com>
J. Federico Hernandez wrote:
>> On Oct 14, 2006, Michael Rash wrote:
>>
>> Well, I agree that having an implementation that builds some port
>> knocking capabilities directly into iptables is a good thing for the
>> reasons you mention. However, I would say that there are some design
>> considerations that warrant userspace implementations as well. Users
>> should be able to select the system that offers the best security
>> properties, and putting both the authentication and authorization
>> verification code in the kernel is not always going to meet everyone's
>> needs.
>
> We think that recognizing a port knocking sequence is an issue of the
> firewall (netfilter in this case), and if you want to open a port
> after a correct seq, the firewall is also the place. But sometimes you
> want to trigger a more complex action from this correct knock seq
> (e.g. start a webserver), so we allow sending a netlink msg from
> kernel to a listening userspace application that could decide what
> action to take. This userspace app is not scanning logs nor sniffing
> your iface, it's just waiting to receive an important message from
> kernel.
Perhaps I'm just influenced by my first impression but I think that this
thing should be in userspace. We are providing the appropriate netfilter
netlink subsystems (nfqueue, nflog...) to implement this as a userland
daemon.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
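The knock-sequence recognition both messages talk about, written here as an added userspace example (not code from this thread, from the proposed match extension, or from netfilter): a per-source state machine with a timeout that consumes packet events of the kind a userland daemon would receive via nfqueue/nflog, and reports the point at which a "correct knock" decision would be handed to the action logic. The sequence, window and sample events are constructed assumptions.

```python
# Constructed knock sequence and timing window (assumptions for this example).
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW_SECONDS = 10.0


class KnockRecognizer:
    """Track each source's progress through KNOCK_SEQUENCE.

    observe() takes one packet event (src, dport, ts), as a userland
    daemon would get it from nfqueue/nflog, and returns True only when
    the source has hit every port in order within the window."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.state = {}  # src -> (index of next expected port, ts of first knock)

    def observe(self, src, dport, ts):
        idx, start = self.state.get(src, (0, ts))
        if idx and ts - start > self.window:
            idx, start = 0, ts  # window expired: forget partial progress
        if dport != self.sequence[idx]:
            # Wrong port discards progress, so a sweep across all ports
            # cannot stumble into a completed knock. A hit on the first
            # knock port still counts as a fresh start.
            idx, start = (1, ts) if dport == self.sequence[0] else (0, ts)
        else:
            if idx == 0:
                start = ts
            idx += 1
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return True
        if idx:
            self.state[src] = (idx, start)
        else:
            self.state.pop(src, None)
        return False


def process_events(events, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Feed (src, dport, ts) events through the recogniser and return the
    (src, ts) pairs at which a full knock completed; this is where a daemon
    would decide what action to take (open a port, start a service, ...)."""
    rec = KnockRecognizer(sequence, window)
    return [(src, ts) for src, dport, ts in events if rec.observe(src, dport, ts)]


# Constructed sample: two hosts interleaved; only 10.0.0.5 knocks in order.
SAMPLE_EVENTS = [
    ("10.0.0.5", 7000, 0.0), ("10.0.0.9", 7000, 0.5),
    ("10.0.0.5", 8000, 1.0), ("10.0.0.9", 9000, 1.5),   # 10.0.0.9 skipped 8000
    ("10.0.0.5", 9000, 2.0),                            # 10.0.0.5 completes
    ("10.0.0.9", 7000, 3.0), ("10.0.0.9", 8000, 20.0),  # too slow: window expired
    ("10.0.0.9", 9000, 21.0),
]
```

Running `process_events(SAMPLE_EVENTS)` yields only the completion for 10.0.0.5 at t=2.0.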