# trigger to open port in firewall



## eyebone (Jun 21, 2010)

Hej folks,

I am looking for a method in pf or ipfw to allow a certain IP access to a port, let's say SSH in this case. Basically this should work like knockd, for instance; just wondering if I can build something like this with pf or ipfw as well.
I do not need a sequence of different ports and protocols as a trigger; some TCP SYN or whatsoever would be enough.

Any clue?

Cheers,


----------



## SirDice (Jun 21, 2010)

How about just restricting access to that specific IP address? 

For PF something like this:

```
block in on $ext_if proto tcp from any to any port 22
pass in on $ext_if proto tcp from 1.2.3.4 to any port 22 keep state
```


----------



## eyebone (Jun 21, 2010)

SirDice said:

> How about just restricting access to that specific IP address?



Well, I have to take into account that the originating IP address may change, as in some cases we are talking about a dialup connection. Filtering on the basis of DNS would not be a solution either.


----------



## SirDice (Jun 21, 2010)

Right. Mine is just open to the world. I keep bruteforce attacks somewhat in check by using security/sshguard-pf. Of course I also make sure I don't have easily guessed usernames and passwords.


----------



## eyebone (Jun 21, 2010)

SirDice said:

> Right. Mine is just open to the world. I keep bruteforce attacks somewhat in check by using security/sshguard-pf. Of course I also make sure I don't have easily guessed usernames and passwords.



Yeah. SSH would be one of the major interests for a remote device, but I can imagine doing this with other services as well. In the end it is the basic assumption: what nobody can see is not there.
It would be possible to hack a special kld for this; on the other hand, using something already tested would spare some days of crashing.

IIRC you can do some tricks like this with iptables already; maybe I just have to dig through the pf papers.

Cheers,


----------



## DutchDaemon (Jun 21, 2010)

authpf(8) is quite nice. Just run a second sshd on a random high port, connect to it, authenticate, and your IP address is added to a table. Disconnect from sshd, and your IP address is dropped again.
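The setup DutchDaemon describes, as an added example written for this thread (not code from the post or from the authpf project): a second sshd port used only to authenticate, a dedicated user whose login shell is authpf(8), and pf rules that pass ssh from the persistent table `<authpf_users>`, which authpf fills with the client address for the life of the session and empties again on disconnect. The user name `gate`, port 2222 and interface `em0` are assumptions; the `authpf/*` anchors, the `authpf_users` table, `/etc/authpf/authpf.conf` and the `$user_ip` macro are what authpf(8) documents.

```sh
#!/bin/sh
# authpf(8) setup on FreeBSD: a second sshd port that only authenticates, a
# user whose login shell is authpf, and pf rules that pass ssh from the
# persistent table <authpf_users>. authpf adds the client address to that
# table at login and removes it when the ssh session ends.
# Example written for this thread, not code from the original post; user
# "gate", port 2222 and interface em0 are assumptions.

EXT_IF=${EXT_IF:-em0}
AUTH_PORT=${AUTH_PORT:-2222}
AUTH_USER=${AUTH_USER:-gate}

# Rules for /etc/pf.conf. Last matching rule wins, so the pass from
# <authpf_users> overrides the block for authenticated clients. The authpf/*
# anchors receive the per-user rules authpf loads from authpf.rules.
authpf_pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
table <authpf_users> persist
pass in on \$ext_if proto tcp to (\$ext_if) port $AUTH_PORT flags S/SA keep state
block in on \$ext_if proto tcp to (\$ext_if) port 22
pass in on \$ext_if proto tcp from <authpf_users> to (\$ext_if) port 22 flags S/SA keep state
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"
EOF
}

# /etc/authpf/authpf.rules: loaded into the user's anchor at login with
# $user_ip set to the client address. With the table rule above this pass is
# redundant; it is here to show where per-user policy goes.
authpf_user_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
pass in on \$ext_if proto tcp from \$user_ip to (\$ext_if) port 22 flags S/SA keep state
EOF
}

# sshd_config additions: listen on both ports, and notice dead clients so a
# dropped dial-up link ends the session, and with it the table entry, promptly.
authpf_sshd_config() {
    cat <<EOF
Port 22
Port $AUTH_PORT
ClientAliveInterval 15
ClientAliveCountMax 3
EOF
}

# One-time install; run as root on the FreeBSD box. authpf.conf must exist even
# if empty, the shell must be listed in /etc/shells, and on FreeBSD the authpf
# binary is executable only by group authpf. Put the client's public key in
# ~gate/.ssh/authorized_keys afterwards (the account has no password).
install_authpf() {
    mkdir -p /etc/authpf
    touch /etc/authpf/authpf.conf
    authpf_user_rules > /etc/authpf/authpf.rules
    grep -qx /usr/sbin/authpf /etc/shells || echo /usr/sbin/authpf >> /etc/shells
    pw usershow "$AUTH_USER" >/dev/null 2>&1 ||
        pw useradd "$AUTH_USER" -m -s /usr/sbin/authpf -G authpf -c "authpf gate user"
    authpf_pf_rules >> /etc/pf.conf
    authpf_sshd_config >> /etc/ssh/sshd_config
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
    service sshd reload
}

case "${1:-}" in
    install) install_authpf ;;
    show)    authpf_pf_rules; authpf_user_rules; authpf_sshd_config ;;
esac
```

Usage from the road: `ssh -p 2222 gate@host` and leave that session open; port 22 then accepts the real login from the same address, and `pfctl -t authpf_users -T show` lists who is currently let in. Closing the authpf session (or the ClientAlive timeout firing after the dial-up drops) removes the address again, while an already established ssh state on port 22 survives until it closes.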


----------



## eyebone (Jun 22, 2010)

Interesting. It is not what I am looking for, but still quite interesting. Thanks.


----------



## kdemidofff (Jun 24, 2010)

What about an ipfw solution, anyone?


----------



## phoenix (Jun 24, 2010)

Sounds like you want port knocking, where you send a series of TCP packets to specific ports on a server, in a specific order, after which a TCP port is opened and connections are allowed. Usually used to enable SSH on a system without actually having SSH running/listening on a specific port.

A super-quick ports search found security/knock.  No idea how well it works, as I've never used port knocking.

Google may be able to find more info on the technique.
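The single-SYN trigger eyebone asked for, built on the knocking idea phoenix describes, as an added example written for this thread (not code from any post, from knockd or from security/knock): tcpdump watches the external interface for a pure SYN to the knock port, the source address goes into a firewall table, and a rule passes ssh only from that table; a cron job expires entries after a few minutes. It also carries an ipfw variant for kdemidofff's question. Interface `em0`, port 7777, table name `knock`, the 300 s window, the daemon name `knockd` in syslog and ipfw's named-table syntax (FreeBSD 11 or later) are assumptions.

```sh
#!/bin/sh
# Single-SYN "knock" for FreeBSD pf (or ipfw): one TCP SYN to KNOCK_PORT from
# any source adds that source to a firewall table for EXPIRE seconds, and a
# rule passes ssh only from addresses in the table. Example written for this
# thread, not code from the original posts; interface em0, port 7777, table
# "knock" and the 300 s window are assumptions.

EXT_IF=${EXT_IF:-em0}
KNOCK_PORT=${KNOCK_PORT:-7777}
TABLE=${TABLE:-knock}
EXPIRE=${EXPIRE:-300}
FW=${FW:-pf}          # pf or ipfw

# Rules for /etc/pf.conf. The knock port itself stays closed: pf drops the
# SYN, but tcpdump taps the interface through bpf before pf sees the packet,
# so the watcher below still observes it. Last matching rule wins, so the
# pass from <knock> overrides the block for listed addresses.
pf_rules() {
    cat <<EOF
table <$TABLE> persist
block in on $EXT_IF proto tcp to ($EXT_IF) port 22
pass in on $EXT_IF proto tcp from <$TABLE> to ($EXT_IF) port 22 flags S/SA keep state
EOF
}

# ipfw equivalent (named tables, FreeBSD 11 or later assumed). ipfw tables
# have no per-entry expiry, so expire_knocks flushes the whole table instead.
ipfw_rules() {
    cat <<EOF
ipfw table $TABLE create type addr
ipfw add 1000 allow tcp from 'table($TABLE)' to me 22 setup keep-state
ipfw add 1010 deny tcp from any to me 22
EOF
}

# Constructed sample of one line of 'tcpdump -n' output, used in the tests.
SAMPLE_LINE='12:00:00.000001 IP 203.0.113.5.40123 > 192.0.2.1.7777: Flags [S], seq 1, win 65535, length 0'

# Extract the source address from a tcpdump line: field 3 is "addr.port",
# so strip the trailing ".port". Prints nothing for non-IP lines (ARP etc.).
knock_src_ip() {
    printf '%s\n' "$1" |
    awk '$2 == "IP" || $2 == "IP6" { sub(/\.[^.]*$/, "", $3); print $3; exit }'
}

# Add one address to the table with the configured backend.
table_add() {
    case $FW in
    pf)   pfctl -q -t "$TABLE" -T add "$1" ;;
    ipfw) ipfw -q table "$TABLE" add "$1" ;;
    esac
}

# Drop stale entries: pf expires entries added more than EXPIRE seconds ago.
# Established ssh sessions keep their pf state; only new connections are
# affected, which is the intended "window" behaviour.
expire_knocks() {
    case $FW in
    pf)   pfctl -q -t "$TABLE" -T expire "$EXPIRE" ;;
    ipfw) ipfw -q table "$TABLE" flush ;;
    esac
}

# Watch for pure SYNs (SYN set, ACK clear) to the knock port and add each
# source. Runs until killed; pair it with "expire" from cron every minute.
watch_knocks() {
    tcpdump -lnni "$EXT_IF" \
        "tcp dst port $KNOCK_PORT and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" 2>/dev/null |
    while IFS= read -r line; do
        ip=$(knock_src_ip "$line")
        [ -n "$ip" ] || continue
        table_add "$ip" && logger -t knockd "knock from $ip, added to table $TABLE"
    done
}

case "${1:-}" in
    rules)  case $FW in pf) pf_rules ;; ipfw) ipfw_rules ;; esac ;;
    watch)  watch_knocks ;;
    expire) expire_knocks ;;
esac
```

To open the door from a dial-up address, a single `nc -z host 7777` (or any connect attempt to the knock port) is enough; the SYN is dropped by pf, but the watcher has already put the source into `<knock>`, and `ssh host` works for the next five minutes from that address. Because the trigger is one unauthenticated packet, anyone who can see or guess the port can open the window too, which is why it only narrows the exposure of sshd rather than replacing its authentication; sshguard or keys-only login still belong behind it.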


----------



## anomie (Jun 24, 2010)

@eyebone: If knocking is what you're interested in, you might check this out too: http://forums.freebsd.org/showthread.php?t=7267

It uses a different approach than most port knocking applications. It's certainly not as well vetted as the others. (TBH, I am not sure whether anyone has used it other than me.) 

But, there it is.


----------

