Port knocking feature suggestion
-
Hi guys!
I'm running pfSense 1.2.3 like a charm.
And I thought that with the packet filter's possibilities and your experience with it, a feature like port knocking probably would not be very difficult and could be a unique feature that similar software does not have. A client to make the knock for Linux or Windows is easy to do, but the firewall side needs integration experience from people like you.
This could be a great solution to protect typical connections that are encrypted but may still be attacked. For example, for Terminal Services, pfSense could keep TCP port 3389 closed until someone knocks the correct port combination, and then pfSense opens TCP port 3389 to that IP address (and behind that redirects it to the server or desktop).
By using this, a lot of services could be protected without eating resources with a lot of VPN connections, and terminals with poor resources or bandwidth for VPN (PocketPCs, Windows CE, Windows Mobile, perhaps an Android integration?) could access more secured services, even if they are legacy services or devices.
This is just an idea.
And of course thanks for this wonderful software; it's my Swiss army knife to rule my network.
-
There used to be a port knocking package (doorman), but from what I have heard, at some point it became broken and nobody stepped up to fix it and so it was removed.
The code is still in the package repo, just disabled.
-
I didn't bother to read through all of this, but as I recall there was a lot of discussion as to the technical limitations that were keeping this from being completed.
http://forum.pfsense.org/index.php/topic,4168.0.html
-
Wondering if Scott ever continued to port knockd. I recently acquired an Android phone that cannot be rooted. Otherwise I'd just get OpenVPN working. There are port knocking apps for Android, though (several). I'd feel better about port knocking if I can't have VPN (and then SSH). Unfortunately, I do not have the skills to help out on this. I appreciate all you guys have done. Just curious on the status (if that will be a feature someday).
Thanks!
-
Port knocking is considered 'security by obscurity', which is no real protection. It just looks like it. The discussions about this have been lengthy here on the forum.
As for SSH, better to disallow login by name/password and hit the 'by certificate only' checkbox.
Personally, I use RDC only through an OpenVPN tunnel. This way I avoid exposing my Windows server ports to the internet. This can be considered secure.
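To make the two sides of this thread concrete, here is an added example (not pfSense, pf, doorman or knockd code, and not from any poster) of the gate the first post describes: per-source knock tracking, a time window for the whole sequence, a port scan that touches every knock port without ever completing the sequence, and a per-IP hole that expires. The last case in `scenario()` is the point of the final reply: the knocks travel in the clear, so anyone who captured the three SYNs can replay them from their own address and the gate opens for them too. The knock sequence (7000, 8000, 9000), the timers and every address and packet in the trace are made up for the example.

```python
"""Port-knocking gate as a state machine, plus the replay weakness.

Added illustration for this thread; not pfSense, pf, doorman or knockd
code. The knock sequence, timers and the packet events in scenario()
are all constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class KnockGate:
    sequence: tuple = (7000, 8000, 9000)  # assumed secret knock sequence
    protected_port: int = 3389            # the RDP port the post wants gated
    window: float = 5.0                   # seconds allowed for the whole sequence
    open_for: float = 30.0                # seconds the per-IP hole stays open
    # per-source progress: ip -> (index of next expected knock, time of first knock)
    progress: dict = field(default_factory=dict)
    # per-source holes: ip -> expiry time
    allowed: dict = field(default_factory=dict)

    def knock(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Feed one SYN to a closed port, observed at time `now`.
        Returns True when this packet completes the sequence for src_ip."""
        idx, started = self.progress.get(src_ip, (0, now))
        if now - started > self.window:      # too slow: forget old progress
            idx, started = 0, now
        if dst_port == self.sequence[idx]:
            if idx == 0:
                started = now                # the window starts at the first knock
            idx += 1
        elif dst_port == self.sequence[0]:
            idx, started = 1, now            # wrong port, but it is a fresh start
        else:
            idx, started = 0, now            # wrong port: the sequence resets
        if idx == len(self.sequence):
            self.allowed[src_ip] = now + self.open_for
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, started)
        return False

    def permits(self, src_ip: str, now: float) -> bool:
        """Would the firewall pass src_ip to protected_port right now?"""
        expiry = self.allowed.get(src_ip)
        return expiry is not None and now <= expiry


def scenario() -> dict:
    """Run a constructed packet trace through the gate and report outcomes."""
    gate = KnockGate()
    t = 1000.0
    out = {}

    # 1. A legitimate client knocks 7000, 8000, 9000 one second apart.
    client = "203.0.113.10"
    for i, port in enumerate(gate.sequence):
        gate.knock(client, port, t + i)
    out["client_open"] = gate.permits(client, t + 3)

    # 2. A host that never knocked gets nothing.
    out["stranger_blocked"] = not gate.permits("198.51.100.7", t + 3)

    # 3. A sequential port scan hits every knock port but is reset by the
    #    ports in between, so it never completes the sequence.
    scanner = "198.51.100.99"
    for i, port in enumerate(range(6999, 9002)):
        gate.knock(scanner, port, t + i * 0.001)
    out["scanner_blocked"] = not gate.permits(scanner, t + 3)

    # 4. The right ports three seconds apart: the 5 s window runs out.
    slow = "203.0.113.20"
    for i, port in enumerate(gate.sequence):
        gate.knock(slow, port, t + i * 3)
    out["slow_blocked"] = not gate.permits(slow, t + 6)

    # 5. The client's hole closes open_for seconds after the last knock.
    out["client_expired"] = not gate.permits(client, t + 2 + 30 + 1)

    # 6. The replay problem: the knocks are plain SYNs. Whoever captured
    #    them resends the same three from their own address and is let in.
    eavesdropper = "198.51.100.200"
    for i, port in enumerate(gate.sequence):
        gate.knock(eavesdropper, port, t + 40 + i)
    out["replay_open"] = gate.permits(eavesdropper, t + 43)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Every entry in the result is `True`, including `replay_open`: the gate does exactly what the first post asks for, and the static sequence is exactly why the last reply calls it obscurity rather than authentication. The knock is a secret sent unencrypted to the firewall, so it is only as strong as the assumption that nobody on the path is watching.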