
Feature #8547

fwknop Port Knocking Package

Added by Stilez y almost 2 years ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: New Package Request
Target version: -
Start date: 06/01/2018
Due date:
% Done: 0%
Estimated time:

Description

fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages - single encrypted packet used for knocking, not vulnerable to replay attacks or DoS, faster, and seems a lot more flexible.

These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.

For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).

History

#1 Updated by Jim Pingle 8 months ago

  • Project changed from pfSense to pfSense Packages
  • Subject changed from Can capabilities from fwknop be added to the build? to fwknop Port Knocking Package
  • Category set to New Package Request

If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.

#2 Updated by William Evans 7 months ago

Just started using pfSense recently and I'm really surprised fwknop is not available. I can install fwknop on OpenWrt and have it set up in minutes! With it I can open a port for SSH or a VPN connection for a specific public IP address for 10 seconds and complete the 3-way handshake. The Android client setup is painless using the camera on your phone with a QR code. Very slick!
Does anyone remember Heartbleed?

Stilez y wrote:

fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages - single encrypted packet used for knocking, not vulnerable to replay attacks or DoS, faster, and seems a lot more flexible.

These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.

For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).
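The two properties the description and comment #2 lean on, a single authenticated packet that cannot be replayed and an access grant that closes again after a short timeout, can be shown in a small simulation. The code below is an added example written for this page; it is not fwknop's code and does not reproduce fwknop's packet format. It only authenticates the packet with an HMAC from the Python standard library (fwknop additionally encrypts the payload), and the key, the window of 120 seconds, the IP address 203.0.113.7 and all function and class names are constructed for the example. The server side keeps a digest cache of packets it has already accepted, which is what turns a captured packet into a harmless replay, and grants access per (source IP, port) only until the requested timeout expires.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed sample key for the demo only; a real deployment uses a generated key.
HMAC_KEY = b"constructed-demo-key-not-for-real-use"
TIME_WINDOW = 120  # seconds of clock skew tolerated before a packet is "stale" (assumed value)


def build_spa(key, src_ip, port, access_timeout, now=None, nonce=None):
    """Client side: build one authorization packet asking to open `port` for `src_ip`
    for `access_timeout` seconds. Format: base64(JSON) ':' base64(HMAC-SHA256)."""
    fields = {
        "nonce": nonce if nonce is not None else os.urandom(8).hex(),  # makes each packet unique
        "ts": int(now if now is not None else time.time()),
        "src": src_ip,
        "port": port,
        "timeout": access_timeout,
    }
    body = base64.b64encode(json.dumps(fields, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b":" + base64.b64encode(tag)


class SpaServer:
    """Server side: validate packets, reject replays, and keep time-limited access grants."""

    def __init__(self, key, window=TIME_WINDOW):
        self.key = key
        self.window = window
        self.seen = set()   # replay cache: digests of packets already accepted
        self.grants = {}    # (src_ip, port) -> time at which the grant expires

    def handle(self, packet, now):
        # 1. Parse the wire format; anything odd is dropped before any crypto work.
        try:
            body, tag_b64 = packet.split(b":", 1)
            tag = base64.b64decode(tag_b64, validate=True)
        except ValueError:
            return "malformed"
        # 2. Check the HMAC first (constant-time compare) so unauthenticated data is
        #    never parsed; an unauthenticated sender gets no response at all.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_hmac"
        # 3. A packet seen before is a replay, even though its HMAC is valid.
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "replay"
        # 4. Reject packets outside the time window (old captures, badly skewed clocks).
        fields = json.loads(base64.b64decode(body))
        if abs(now - fields["ts"]) > self.window:
            return "stale"
        # 5. Record the packet and open the port for this source only, until timeout.
        self.seen.add(digest)
        self.grants[(fields["src"], fields["port"])] = now + fields["timeout"]
        return "accepted"

    def is_open(self, src_ip, port, now):
        """Would the firewall accept a new connection from src_ip to port at time `now`?"""
        expiry = self.grants.get((src_ip, port))
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    srv = SpaServer(HMAC_KEY)
    t0 = 1_600_000_000
    pkt = build_spa(HMAC_KEY, "203.0.113.7", 22, access_timeout=10, now=t0)
    print(srv.handle(pkt, t0))                          # accepted
    print(srv.is_open("203.0.113.7", 22, t0 + 5))       # True: inside the 10 s grant
    print(srv.is_open("203.0.113.7", 22, t0 + 11))      # False: grant expired
    print(srv.handle(pkt, t0 + 1))                      # replay: same packet again
```

Run as a script it walks through the accept, expiry and replay cases; the same calls can be made from an interactive session with a different `now` to see the window and timeout behave. The order of checks matters: the HMAC is verified before the body is decoded, so a sender without the key can neither trigger parsing nor learn which ports the server would open.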

#3 Updated by Kurt Yoder about 2 months ago

Jim Pingle wrote:

If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.

I just created an account to upvote this package request, and respond to the above statement by Jim Pingle. The usefulness is in section 1.3 of the FAQ "why are you releasing this?" (https://www.cipherdyne.org/fwknop/docs/faq.html#release)

Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not

Emphasis mine.

Pulse VPN recently had a pretty bad vulnerability, and they're not the only one (https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF). Better for us as VPN users to assume our VPN software is also vulnerable and protect it with an extra layer of security.
