On 20.09.2014 17:15, PGNd wrote:
> Gerhard,
>
> On 24.06.2014 19:28, Gerhard Wiesinger wrote:
>> Please find attached a "real" stateful Port Knocking Module for shorewall.
>> Was quite a challenge to write a stateful iptables "program".
> Interesting.
>
> Can you comment on your functional goals for deploying knock as a SW module?

I was running knockd for some time and after moving to shorewall I found some knocking implementations with iptables. But they were not correctly implemented in the sense of a correct state machine (e.g. some fake port would not reset the state machine to the initial state). Therefore I enhanced the existing versions to implement a correct state machine.

The challenges were that the iptables rule set is per definition stateless (I'm not talking about the internals, e.g. the conntrack table). So each normal iptables rule is independent of the previous one. Therefore the current state has to be remembered and queried again. All "wrong" ports in the sequence must reset the state machine to the initial state.

Another motivation was enhanced security without any running additional processes, and to write also a shorewall module :-)

> It's certainly convenient. I'm interested in any functional compare/contrast
> to other, long-available, standalone solutions such as 'knockd'
> (http://linux.die.net/man/1/knockd). 'knockd', here, under systemd control,
> works well ...
>

Yes, knockd works well. As I wrote above, no additional process is necessary and therefore additional security is ensured (e.g. no libpcap necessary). Maybe there is also a performance advantage over a libpcap library implementation where all packets must be inspected. With iptables only matching packets are inspected.

Maybe someone can tell us other pros and cons of both concepts.

BTW: What's pgnd.us?

Ciao,
Gerhard

--
http://www.wiesinger.com/

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
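The state-machine property described in the message (each rule is independent, so the state must be remembered in a `recent` list and re-queried, and any wrong port must drop the host back to the initial state) is illustrated below. This is an added example, not Gerhard's shorewall module or anything from the thread: a POSIX shell function that only prints an iptables rule set using the stock `recent` match, so it can be reviewed before anyone applies it. The knock ports 1111, 2222, 3333, the protected port 22 and the timeouts are constructed values. The reset comes from the unconditional `--remove` at the top of GATE2, GATE3 and PASSED, followed by a fall-through to GATE1: a packet to the wrong port erases the partial state and is then judged exactly as a fresh first knock would be.

```shell
#!/bin/sh
# Prints (does not apply) an iptables rule set for a stateful three-knock
# sequence built on the `recent` match. State lives in the lists AUTH1..AUTH3;
# every chain first forgets the state it was entered with, advances only on the
# expected next port, and otherwise re-evaluates the packet in GATE1 (reset).
# All port numbers and timeouts are constructed example values.
set -eu

knock_rules() {
    # $1 $2 $3: knock ports in order; $4: protected service port
    # $5: seconds allowed between knocks; $6: seconds the service stays open
    k1=$1; k2=$2; k3=$3; svc=$4; step=$5; open=$6
    cat <<EOF
iptables -N KNOCKING
iptables -N GATE1
iptables -N GATE2
iptables -N GATE3
iptables -N PASSED
# already-accepted connections bypass the knock logic; only new flows enter it
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j KNOCKING
# dispatch on the remembered state, most advanced state first
iptables -A KNOCKING -m recent --rcheck --seconds $open --name AUTH3 -j PASSED
iptables -A KNOCKING -m recent --rcheck --seconds $step --name AUTH2 -j GATE3
iptables -A KNOCKING -m recent --rcheck --seconds $step --name AUTH1 -j GATE2
iptables -A KNOCKING -j GATE1
# initial state: only the first knock port records state; everything else drops
iptables -A GATE1 -p tcp --dport $k1 -m recent --name AUTH1 --set -j DROP
iptables -A GATE1 -j DROP
# state 1: forget it unconditionally, advance on the second knock, else reset
iptables -A GATE2 -m recent --name AUTH1 --remove
iptables -A GATE2 -p tcp --dport $k2 -m recent --name AUTH2 --set -j DROP
iptables -A GATE2 -j GATE1
# state 2: same pattern for the third knock
iptables -A GATE3 -m recent --name AUTH2 --remove
iptables -A GATE3 -p tcp --dport $k3 -m recent --name AUTH3 --set -j DROP
iptables -A GATE3 -j GATE1
# final state: a single new connection to the service is accepted, then reset
iptables -A PASSED -m recent --name AUTH3 --remove
iptables -A PASSED -p tcp --dport $svc -j ACCEPT
iptables -A PASSED -j GATE1
EOF
}

# `sh knock.sh print` shows the rules; pipe them to a root shell to apply.
if [ "${1:-}" = "print" ]; then
    knock_rules 1111 2222 3333 22 10 30
fi
```

Because the wrong-port packet is re-evaluated in GATE1 rather than simply dropped, a sequential port sweep cannot walk through the gates: the sweep erases each partial state on the very next port, and the only way to keep state is to send the expected ports in order within the time window.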