Portknocking-Daemon-GUI or Package –> {CANCELED}
-
Heiko,
Are you going to replace Nokia Checkpoint firewall with Pfsense ?Nokia Checkpoint firewall is one the most advance firewall that corporate use these days.
Scott, you must be very proud now, aren't you ? :-)
-
Yes i do, on our own hardware, not nokia, we change checkpoint to pfsense…..checkpoint ist really good, but you need for each loacation a truck of money for support, upgrade etc. ......
i can map all my feature requests with pfsense, and i don´t know about portknocking on Checkpoint ;D
Greetings from germany
heiko--> i would rather speak about this bounty and portknocking.
--> Anybody interest?? really?? Not minor points! Excuse me........
-
Hello,
the bounty is now set to 500 €. We can arrange anything of this bounty up to the due state " 01.05.2007". Thereafter i will kill this bounty.
Greetings
heiko -
Outside the US most people do day/month/year if that makes more sense to people reading this post, not that it is my place, but I thought it needed to be clarified. So if I'm reading it right, it won't be over for a month and a half
-
Excuse me, the german date translation is for other people abnormal, i think..
The offer will be dropped at Year = 2007 ; Month = Mai, Day = 01
I hope, this is undestandable.
Greetings
heiko -
I will be taking this one on as soon as you declare time based rules a success.
-
OK, i am await for finished time based ruled system.Then we could arrange "portknocking"
greetings
heiko -
Hello Scott,
one Extension: I want to blocking countries and i know from another thread, that this is implemented in HEAD. Can you backported this to a productive PFSENSE-RELENG-SNAPSHOT Version?Portknocking = 500 €
Blocking-Countries= 250 €Do you disposed to this extension. It would be very nice?
I know, i am a nag…. :)
Greetings from Germany
heiko -
No, I am affraid not. We are about to enter beta status as soon as the final Time Based Rules bugs are fixed.
Sorry! Maybe on next version.
-
OK, thanks, then we can arrange the port knocking when the timebased rules are finished
-
Don't want to disturb the thread but I'm curious for what you (or people generally) want to use portknocking for and (if that's generally possible doing with pfsense/freebsd/pf) if authpf wouldn't be a better/other approach to the desired result. Coming from the OpenBSD side I used authpf for quite a few thingies, people want portknocking for, so I thought I should maybe throw this in here.
Greets Grey
-
Yes it is possible: http://doorman.sourceforge.net/
-
Looks like doorman will not be a suitable package as it requires a client to do the knocking…. Need to find a package that works with PF and does not require a client.
-
i agree with that. The project is on sourceforge not really active, i think?
-
Every port knocking daemon is going to require a client. It could be something as simple as a batch file/shell script that telnets to several ports, but they all need a client of some sort. It's no different from OpenVPN, in that it requires a client that we don't provide.
I say start with doorman, if it doesn't work for some technical or compatibility reason, move on to something else.
-
Doorman requires a specific client in that it transmits the knock in one UDP packet on one port and doesn't knock on several ports in certain order (the way most "normal" portknocking setups work).
My point being that Joe Blow just can't grab any old portknocking client…it would need to do the following:
This particular implementation deviates a bit from his original proposal, in that the doorman watches for only a single UDP packet. To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number.
I guess if you enable this package in your pfSense box, you better be prepared to use a specific client.
-
Hmm, would it be better if i cancel this bounty and we say "no solution is safe and required a specific client"??
If Portknocking under BSD/pf is not possible or the solution is not safety so i´m doubtful to create a solution for pfsense?!A portknocking package is nice but not by hook or by crook!!
What do you think Scott? I don´t know? :'(
Greetings
heiko -
Don't cancel it on account of what I said. :(
-
I think you should not listen to the back seat drivers. Let me keep digging around for a solution. I have been trying to get knockd ported from Linux and am about 60% done.
If you have a 3-4 knock key, ie:
telnet ip 945
telnet ip 5678
telnet ip 1234
telnet ip 4756Then I don't see how much this will hurt. Besides, what exactly are you planning on exposing once you knock? The webConfigurator or possibly SSH?
-
I set the Bounty for the portknocking feature to
1000 €
Greetings
Heiko
