Portknocking with pf
This was tested on FreeBSD 7.2-STABLE:
/etc/pf.conf:
. .. ...

# Table of allowed source IPs
# [gets populated automatically by the port knock below]
table <portknock_ssh> persist

. .. ...

block   # default block policy

# Allow anyone to connect to port 1234; pf proxies the TCP connection.
# [Without 'synproxy' the handshake never completes, because nothing
# listens on 1234, so the connection is never counted and the rule never
# 'overload's. With 'synproxy', pf completes the handshake itself.]
# Overload once a source exceeds 5 new connections in 15 seconds.
pass in log quick proto tcp from any to any port {1234} synproxy state \
    (max-src-conn-rate 5/15, overload <portknock_ssh>)

# Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}

. .. ...
The table is aged out by a cron job (root's crontab; pfctl needs root to modify the table):

* * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

'-T expire 60' deletes entries that were added to the table more than 60 seconds ago ('-v' prints each address it removes). With the job running once a minute, a knocking address therefore stays in the table for between 60 and 120 seconds. All established sessions are kept alive: their pf states already exist, and the table is only consulted when a new connection is evaluated against the rules. Any new session will need to portknock again after the IP has been cleared from the table. 'pfctl -t portknock_ssh -T show' lists the addresses currently in the table if you want to watch it work.

Note that this is a single-port knock with no secret in it: any source that opens enough connections to port 1234 inside the window ends up in the table. It hides sshd from casual scans and keeps the auth log quiet, but it is not authentication and is no substitute for sshd's own.
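A knock client to go with that ruleset, as an added example (this is not code from the original post): it opens a burst of TCP connections to the knock port so the source address exceeds max-src-conn-rate and is overloaded into <portknock_ssh>, then tests whether the ssh port answers. The knock port 1234 and the 5/15 window come from the ruleset above; the knock count of 6, the 0.2 s spacing between knocks, the 2 s socket timeout and ssh on port 22 are assumptions. Run it as 'python3 knock.py HOST' from the machine you want whitelisted.

```python
#!/usr/bin/env python3
"""Knock client for the pf 'overload' ruleset above (added example, not
part of the original post).

A knock is just a TCP connection to the knock port.  Because that port is
handled with 'synproxy state', pf completes the handshake itself, so
connect() succeeds even though nothing listens there; once the source
exceeds max-src-conn-rate (5 new connections per 15 s in the ruleset) the
address is overloaded into <portknock_ssh> and ssh becomes reachable.

Assumptions (not in the original): knock count 6, 0.2 s between knocks,
2 s socket timeout, ssh on port 22.
"""
import socket
import sys
import time

KNOCK_PORT = 1234   # from the pf rule
SSH_PORT = 22       # assumption
KNOCKS = 6          # assumption: one more than the 5/15 limit, because
                    # overload fires once the rate is exceeded
DELAY = 0.2         # assumption: keeps all knocks well inside the 15 s window
TIMEOUT = 2.0       # assumption


def knock_once(host, port, timeout=TIMEOUT):
    """Open and close one TCP connection to host:port.

    Returns one of:
      "established" - handshake completed (what synproxy gives us; the
                      only outcome pf counts towards max-src-conn-rate)
      "refused"     - RST received: the SYN got through but the host, not
                      pf, answered, i.e. the rule is not using synproxy
      "timeout"     - no answer at all (dropped by the default block,
                      wrong host, or unreachable)
      "error"       - any other socket error (e.g. no route to host)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "established"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        s.close()


def knock(host, port=KNOCK_PORT, knocks=KNOCKS, delay=DELAY, timeout=TIMEOUT):
    """Send `knocks` connections in quick succession and return the list of
    per-knock results.  All knocks must land inside the rule's window for
    pf's moving-average counter to cross the limit."""
    results = []
    for i in range(knocks):
        results.append(knock_once(host, port, timeout))
        if i + 1 < knocks:
            time.sleep(delay)
    return results


def port_open(host, port=SSH_PORT, timeout=TIMEOUT):
    """True if a TCP handshake to host:port completes, i.e. our address is
    now in <portknock_ssh> and the 'pass ... port {ssh}' rule matched."""
    return knock_once(host, port, timeout) == "established"


def knock_and_check(host):
    """Knock, then test ssh.  Returns (knock_results, ssh_open)."""
    results = knock(host)
    time.sleep(0.5)  # give pf a moment to insert the table entry
    return results, port_open(host)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: knock.py HOST")
    results, ssh_open = knock_and_check(sys.argv[1])
    print("knocks:", " ".join(results))
    if "established" not in results:
        print("no knock completed a handshake: is 'synproxy state' on the "
              "knock rule, and is the firewall reachable?")
    print("ssh port %d %s" % (SSH_PORT, "open" if ssh_open else "closed"))
```

From a knocking host the output should be six 'established' results followed by 'ssh port 22 open'. A run of 'refused' means the knock port is answering with RST instead of being proxied by pf, which is exactly the 'not using synproxy' case noted in the ruleset, and 'timeout' means the SYNs are being dropped by the default block (wrong port or wrong host).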