From owner-freebsd-questions@FreeBSD.ORG Sat Oct 7 17:27:59 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41DBF16A47C for ; Sat, 7 Oct 2006 17:27:59 +0000 (UTC) (envelope-from admin2@enabled.com) Received: from typhoon.enabled.com (typhoon.enabled.com [216.218.220.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8AF1E43D64 for ; Sat, 7 Oct 2006 17:27:58 +0000 (GMT) (envelope-from admin2@enabled.com) Received: from [172.24.241.10] (natint3.juniper.net [66.129.224.36]) (authenticated bits=0) by typhoon.enabled.com (8.13.8/8.13.8) with ESMTP id k97HRuXl098072 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 7 Oct 2006 10:27:56 -0700 (PDT) (envelope-from admin2@enabled.com) Message-ID: <4527E391.2000205@enabled.com> Date: Sat, 07 Oct 2006 10:27:45 -0700 From: Noah User-Agent: Thunderbird 1.5.0.7 (Macintosh/20060909) MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <450C7555.6050502@enabled.com> <20060917232852.GA2390@catflap.slightlystrange.org> In-Reply-To: <20060917232852.GA2390@catflap.slightlystrange.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: ipfw and temporary port access X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 Oct 2006 17:27:59 -0000 Daniel Bye wrote: > On Sat, Sep 16, 2006 at 03:06:13PM -0700, Noah wrote: > >> Hi there, >> >> I am trying to figure out how to open a port temporarily for a specific >> IP who is able to provide a proper username and password on the website >> of the box. After authentication is verified then the IP address is >> cached and temporarily allowed to access a specific port on the >> server. This temporary firewall changes would be handled by ipfw. >> >> Any clues if a system like this is a already coded and out there somewhere? >> > > Take a look at security/doorman or security/knock, both of which might > fit the bill. > > Hi there, I have really specific needs and wondering if somebody has written a port knocker out there already that fits the criteria of what I am looking for. Portknocker capabilities: 1) User needs to telnet to specific port and/or log into a website. 2) Learns the IP address that the user is coming from in step 1. 3) Opens ssh port to specifically to the IP address grabbed in step 1 but also keeps ssh port open to statically defined IPs in /etc/rc.firewall . 4) As soon as the user disconnects from the ssh port the IP address in step 1 no longer can access the ssh port unless they log back in like the procedure in step 1. I reviewed two programs doorman and knock (found in FreeBSD /usr/ports/security) Doorman Review: I am unable to figure out how to configure the ability to capture the IP address of where the UDP packet was sent. Therefore this program does not completely match what I am looking for, or I do not understanding how to configure it. Knock Review: This is nice but still requires closing the port as a step when done. It would be nice to automatically close the ssh port when the user disconnects from the ssh port. Also I am not clear but I don't think there is a way to grab the source IP address, right? Anybody know of other programs I could check out? Cheers, Noah > Dan > >