simplewall
Port Knocking?
Any way to implement this feature? This would give this firewall a feature that is very rare and sought after.
A sequence of 3 attempted connections in a row on specific closed ports would open another port for a short period of time.
This is useful in scenarios where you aren't able to use a whitelisted IP and need to connect from anywhere. This is not "Security by Obscurity"
The port knocking sequence acts like a password allowing access to a typically closed port ONLY for the IP that did the special knock. The knock can be done with simple telnet connections.
First of all, this is a neat suggestion - however I would not rely on "random" connections to a port, but rather on shared secrets and / or public keys. This could be done in a way that wouldn't complicate things too much, i.e. your old, trusty telnet client would still be enough to get the firewall to open the port for you, but with better resilience against probing and a near zero chance for unauthorized users to brute-force the knock-sequence.
I used to run Tor nodes and bridges, and obfs4 comes to mind, here's an excerpt from obfs4-spec.txt:
...
obfs4 offers protection against active attackers attempting to probe for
obfs4 servers. Such machines should not be able to verify the existence
of an obfs4 server without obtaining the server's Node ID and identity
public key.
...
This is the prime feature of obfs4 which I would port for your feature request, however obfs4 can actually do a lot more than that:
https://github.com/Yawning/obfs4/blob/master/doc/obfs4-spec.txt
Just my 2 cents.
I think using public and private keys might be too much, but a shared algorithm (secret) would work! The sequence could change based on some user defined algorithm.
You could make it custom with macros so everyone's is different.
Port 1 = 10234 (First port can be random)
Port 2 = Port 1 - X
Port 3 = (Port 2 % X) * Y + 30
Secret Port Opens
And the ports would just wrap around back to 1 so no overflows. Doesn't seem too hard. The user could make it as secure or as insecure as they like!
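The derived-sequence idea above, worked through as an added example (this is not simplewall code and not part of the thread): the three ports are computed from the user's secret X and Y with wrap-around into 1..65535, and a per-source-IP tracker only opens the secret port for the IP that hits the ports in order within a time window, resetting on any stray port so a scanner walking all ports never completes the knock. X=1000, Y=7 and the documentation-range IPs are constructed values.

```python
PORT_MAX = 65535

def wrap_port(p):
    """Map any integer onto 1..65535 so a derived port never overflows (wraps, as the post says)."""
    return (p - 1) % PORT_MAX + 1

def knock_sequence(first_port, x, y):
    """Derive the 3-port knock from the user's secret parameters X and Y, per the post's macros."""
    p1 = wrap_port(first_port)
    p2 = wrap_port(p1 - x)
    p3 = wrap_port((p2 % x) * y + 30)
    return [p1, p2, p3]

class KnockTracker:
    """Per-source-IP state machine: only the IP that knocks in order, within the window, gets the port."""
    def __init__(self, sequence, window=10.0, open_for=30.0):
        self.sequence = list(sequence)
        self.window = window      # seconds allowed to complete the whole knock
        self.open_for = open_for  # seconds the secret port stays open for that IP
        self.progress = {}        # src_ip -> (index of next expected port, deadline)
        self.opened = {}          # src_ip -> expiry time of the opened port

    def observe(self, src_ip, dst_port, now):
        """Feed one attempted connection to a closed port; return True when the knock completes."""
        idx, deadline = self.progress.get(src_ip, (0, now + self.window))
        if now > deadline:        # too slow: start over
            idx, deadline = 0, now + self.window
        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:
            idx, deadline = 1, now + self.window  # wrong port, but it begins a fresh knock
        else:
            idx = 0  # any other port resets: a scanner walking all ports never completes the knock
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.opened[src_ip] = now + self.open_for
            return True
        self.progress[src_ip] = (idx, deadline)
        return False

    def is_open_for(self, src_ip, now):
        """Would the firewall currently allow src_ip through the secret port?"""
        expiry = self.opened.get(src_ip)
        return expiry is not None and now <= expiry

if __name__ == "__main__":  # constructed demo: X=1000, Y=7, documentation-range IP
    tracker = KnockTracker(knock_sequence(10234, 1000, 7))
    print([tracker.observe("198.51.100.7", p, 0.0) for p in tracker.sequence])  # [False, False, True]
```

The window and reset handle the probing concern raised earlier in the thread, but a static derived sequence is still visible to anyone who can watch the path, which is why a secret that changes per attempt (as suggested above) is the stronger design.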
I think using public and private keys might be too much
Sure, it's just one out of many ways to accomplish the goal. However, Henry seems busy with other things; keep in mind his software is based on funding by people like you and me. I donated $10 a while ago, and so should you (or, perhaps even more 🥇). It really is not that much to ask for in my opinion.
NO PROBLEM
HENRY: I would be happy to send you up to $2100 USD in Bitcoin to add a port knocking feature. That is a state-of-the-art feature which is very hard to find in firewalls, and would definitely increase the value of this software.
I would send half up front and half on completion and also desire that this feature be openly published here for everyone to enjoy!
Ultimately, I would like to see things like dynamic knocking sequences and macroed sequences. For instance, having the knocking pattern change based on the time of day, day of week, year, etc., in addition to static sequences (1011, 1000, 3421) and random static sequences ($anyport$, $port1$ + 100, $port2$ + $dayofmonth$) would allow people to customize a highly unique, changing sequence with unlimited variations that will unlock certain ports, or even better... activate entire RULES or SET of RULES for a selected amount of time. Each RULE/RULESET could have a different activation port knock sequence that supersedes all other rules when configured.
I don't know of any cryptographic method to generate knock sequences, but if there is a way that still allows you to calculate the sequence in your head then that works too.
But I would also be willing to sponsor ANY knocking mechanism even a simple static 3 port knock.
I know it's probably a big feature and lots of work, but I can't think of a more awesome feature to add to a firewall and I am very willing to put up $2100 in btc as motivation - NO STRINGS ATTACHED!
This would be such an amazing feature, even commercial firewalls don't do this!
Henry, if you are reading this please message me if you are interested!
Tagging him like this: @henrypp should get him a notification :-)
I bet he would be happy over the $2100USD but the donation should match the amount of work put in, like the average loan for a software developer for the time he needed. I would estimate around $65-95 👍
If you are rich on the other hand.. donate him the $2100USD.. :-D
Well I just said that was the maximum so he can feel comfortable putting significant time into it and know that he will be compensated appropriately.
@henrypp - I would like to sponsor a port knocking feature. If you are interested, please let me know how much time you would be willing to spend on such a feature and how much you would like! Thanks so much for your fine product.