    Port knocking Feature Suggestion

    Forum Feedback
    5 Posts 5 Posters 15.8k Views
    kaneda

      Hi guys!

      I'm running a 1.2.3 pfSense like a charm.
      And I thought that with packet filter possibilities and your experience on this, a feature like Port Knocking probably could not be very difficult and could be a unique feature that similar software does not have.

      A client software to make the knock for Linux or Windows is easy to do, but the firewall side needs integration experience from people like you.

      This could be a great solution to protect typical connections that are ciphered but may be attacked. For example, for Terminal Services, pfSense could keep TCP port 3389 closed until someone knocks the correct port combination, and then pfSense opens TCP port 3389 to that IP address (and behind that redirects it to the server or desktop).

      By using this a lot of services could be protected without eating resources using a lot of VPN connections, or terminals with poor resources or bandwidth for VPN (PocketPCs, WindowsCE, Windows Mobile, perhaps an android integration?) could access more secured services, even if they are legacy services or devices.

      This is just an idea.

      And of course thanks for this wonderful software, it's my Swiss army knife to rule my network.

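The firewall-side logic kaneda sketches (the port stays closed until a source completes the knock sequence, then opens only for that source, for a limited time), as an added example that is not from this thread nor from the doorman or knockd packages; the knock ports, timings and addresses are constructed, and on pfSense the open/close actions would map to adding and removing the address from a pf table referenced by a pass rule (an assumption about deployment, not implemented here).

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed knock ports (assumption)
PROTECTED_PORT = 3389                # Terminal Services, as in the post
KNOCK_WINDOW = 10.0                  # seconds allowed between two knocks
OPEN_SECONDS = 30.0                  # how long the port stays open per source IP

class Knocker:
    def __init__(self):
        self.progress = {}  # ip -> (next index into KNOCK_SEQUENCE, last knock time)
        self.opened = {}    # ip -> expiry time of its temporary opening

    def _expire(self, now):
        self.opened = {ip: t for ip, t in self.opened.items() if t > now}

    def observe(self, ts, ip, port):
        """Feed one inbound TCP SYN seen by the firewall (ports outside the
        sequence are ignored). Returns True if this SYN completed the knock."""
        self._expire(ts)
        if port not in KNOCK_SEQUENCE:
            return False
        idx, last = self.progress.get(ip, (0, ts))
        if ts - last > KNOCK_WINDOW:  # too slow between knocks: start over
            idx = 0
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:  # out of order: reset (a scan that hits the ports in the right
            idx = 1 if port == KNOCK_SEQUENCE[0] else 0  # order still gets through)
        if idx == len(KNOCK_SEQUENCE):
            self.opened[ip] = ts + OPEN_SECONDS  # on pfSense: add ip to a pf table
            self.progress.pop(ip, None)
            return True
        self.progress[ip] = (idx, ts)
        return False

    def allows(self, ts, ip, port):
        """Would the gated port accept this SYN right now?"""
        self._expire(ts)
        return port == PROTECTED_PORT and ip in self.opened

def run_sample():
    """Constructed events: one client knocks correctly, another in the wrong order."""
    k = Knocker()
    events = [(0.0, "198.51.100.7", 7000), (1.0, "198.51.100.7", 8000),
              (2.0, "198.51.100.7", 9000),
              (3.0, "203.0.113.9", 9000), (4.0, "203.0.113.9", 8000),
              (5.0, "203.0.113.9", 7000)]
    completions = [k.observe(*e) for e in events]
    return {"completions": completions,
            "client_open": k.allows(2.5, "198.51.100.7", 3389),
            "stranger_open": k.allows(5.5, "203.0.113.9", 3389),
            "client_after_expiry": k.allows(40.0, "198.51.100.7", 3389)}
```

The sequential-scan caveat in the comments is the reason jahonix later calls the scheme obscurity rather than protection; a knock only gates reachability of the service, it does not replace its authentication.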
        jimp (Rebel Alliance Developer, Netgate)

        There used to be a port knocking package (doorman), but from what I have heard, at some point it became broken and nobody stepped up to fix it and so it was removed.

        The code is still in the package repo, just disabled.

          mhab12

          I didn't bother to read through all of this, but as I recall there was a lot of discussion as to the technical limitations that were keeping this from being completed.
          http://forum.pfsense.org/index.php/topic,4168.0.html

            bretticus

            Wondering if Scott ever continued to port knockd. I recently acquired an android phone that cannot be rooted. Otherwise I'd just get openvpn working. There is a port knocking app for android though (several.) I'd feel better about port knocking if I can't have vpn (and then ssh.) Unfortunately, I do not have the skills to help out on this. I appreciate all you guys have done. Just curious on the status (if that will be a feature someday.)

            Thanks!

              jahonix

              Port knocking is considered 'security by obscurity' - which is no real protection. Just looks like it. The discussions about this have been lengthy here on the forum.
              As for SSH, better disallow logon by name/password and hit the 'by certificate only' checkbox.
              Personally I use RDC only through an OpenVPN tunnel. This way I avoid exposing my Windows server ports to the internet. This can be considered secure.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.