2010.09.06
Portknocking with pf

This was tested on FreeBSD 7.2-STABLE. In /etc/pf.conf:
...
# Table for allowed IPs
# [gets auto populated via portknocking]
table <portknock_ssh> persist
...
block #default block policy
# Allow everyone to hit 'any' on port '1234' - pf proxies tcp connection
# [if not using 'synproxy', the connection is never established to
# 'overload' the rule]
# 5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
(max-src-conn-rate 5/15, overload <portknock_ssh>)
#Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
...
Then add a crontab entry, as needed, to expire all IPs in that table that have not been referenced in 60 seconds:

* * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive; all new sessions will need to portknock again after the IP is cleared from the table.
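To see how the two timers in this setup interact (the 5-per-15-seconds rate that lands a source in the table, and the 60-second cron expiry), here is an added Python model of that behaviour; it is not code from the original post or from pf. It assumes, as an approximation of pf's internals, that the rate counter decays linearly over its interval and overloads the source once it exceeds the limit, and that 'expire 60' drops entries older than 60 seconds; all addresses and timestamps are constructed.

```python
# Added model of the pf port-knock behaviour above; not pf's or the post's code.
# Assumed approximation of pf internals: the max-src-conn-rate counter decays
# linearly over its interval and overloads the source once it exceeds the limit;
# 'pfctl -T expire 60' drops entries older than 60 s. Times are constructed.
from dataclasses import dataclass, field

MULT = 1000  # pf scales the counter by 1000 so it can decay in integers

@dataclass
class Threshold:  # per-source new-connection rate, e.g. max-src-conn-rate 5/15
    limit: int
    seconds: int
    count: int = 0
    last: int = 0

    def add(self, now: int) -> bool:
        """Register one new connection; True means 'overload' fires."""
        diff = now - self.last
        if diff >= self.seconds:      # interval elapsed: start fresh
            self.count = 0
        else:                         # otherwise decay proportionally
            self.count -= self.count * diff // self.seconds
        self.count += MULT
        self.last = now
        return self.count > self.limit * MULT

@dataclass
class KnockFirewall:
    table: dict = field(default_factory=dict)  # <portknock_ssh>: ip -> added at
    rates: dict = field(default_factory=dict)  # ip -> Threshold
    states: set = field(default_factory=set)   # established ssh (ip, sport)

    def knock(self, ip: str, now: int) -> bool:  # TCP connect to port 1234
        if self.rates.setdefault(ip, Threshold(5, 15)).add(now):
            self.table.setdefault(ip, now)     # 'overload <portknock_ssh>'
        return ip in self.table

    def ssh_syn(self, ip: str, sport: int) -> bool:
        """New SSH connection: allowed only if ip is in the table right now."""
        if ip in self.table:
            self.states.add((ip, sport))
        return (ip, sport) in self.states

    def ssh_packet(self, ip: str, sport: int) -> bool:
        return (ip, sport) in self.states  # existing state; table not consulted

    def cron_expire(self, now: int, age: int = 60) -> list:  # pfctl -T expire 60
        old = [ip for ip, t in self.table.items() if now - t > age]
        for ip in old:
            del self.table[ip]
        return old
```

Knocks spaced wider than the interval never accumulate, and a session established while the address was in the table keeps its state after the cron job removes the entry.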