Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 07 Oct 2006 10:27:45 -0700
From:      Noah <>
Subject:   Re: ipfw and temporary port access
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Daniel Bye wrote:
> On Sat, Sep 16, 2006 at 03:06:13PM -0700, Noah wrote:
>> Hi there,
>> I am trying to figure out how to open a port temporarily for a specific 
>> IP who is able to provide a proper username and password on the website 
>> of the box.  After authentication is verified then the IP address is 
>> cached and temporarily allowed to access a specific port on the 
>> server.   This temporary firewall changes would be handled by ipfw.
>> Any clues if a system like this is a already coded and out there somewhere?
> Take a look at security/doorman or security/knock, both of which might
> fit the bill.

Hi there,

I have really specific needs and wondering if somebody has written a 
port knocker out there already that fits the criteria of what I am 
looking for.

Portknocker capabilities:

1) User needs to telnet to specific port and/or log into a website.
2) Learns the IP address that the user is coming from in step 1.
3) Opens ssh port to specifically to the IP address grabbed in step 1 
but also keeps ssh port open to statically defined IPs in /etc/rc.firewall .
4) As soon as the user disconnects from the ssh port the IP address in 
step 1 no longer can access the ssh port unless they log back in like 
the procedure in step 1.

I reviewed two programs doorman and knock (found in FreeBSD 

Doorman Review:
I am unable to figure out how to configure the ability to capture the IP 
address of where the UDP packet was sent.   Therefore this program does 
not completely match what I am looking for, or I do not understanding 
how to configure it.

Knock Review:
This is nice but still requires closing the port as a step when done.  
It would be nice to automatically close the ssh port when the user 
disconnects from the ssh port.  Also I am not clear but I don't think 
there is a way to grab the source IP address, right?

Anybody know of other programs I could check out?



> Dan

Want to link to this message? Use this URL: <>