Feature #8547
openfwknop Port Knocking Package
Description
fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages: a single encrypted packet is used for knocking, it is not vulnerable to replay attacks or DoS, it is faster, and it seems a lot more flexible.
These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.
For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).
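To make the properties claimed above concrete (one authenticated packet, a freshness window, replay rejection, and a pinhole that closes by itself), here is a small simulation of the server side of single-packet authorization. It is an added illustration, not fwknop's code or wire format: fwknop also encrypts the payload, while this sketch only HMAC-authenticates a JSON body; the key, addresses and the 10-second grant are constructed values.

```python
import base64, hashlib, hmac, json, os

KEY = b"constructed-demo-shared-secret"  # constructed for the example
WINDOW = 30          # accept a packet whose timestamp is within +/- 30 s of now
OPEN_SECONDS = 10    # how long an accepted knock keeps the port open

seen_digests = {}    # digest of accepted packet -> expiry (blocks replays)
granted = {}         # (src_ip, port) -> expiry (simulated firewall pinholes)

def build_packet(src_ip, port, now, key=KEY):
    """Client side: one base64 packet = JSON body || HMAC-SHA256(body)."""
    body = json.dumps({"nonce": os.urandom(8).hex(), "ts": now,
                       "src": src_ip, "port": port}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)

def verify_packet(raw, now, key=KEY):
    """Return (src_ip, port) if authentic, fresh and unseen; else a reason."""
    try:
        data = base64.b64decode(raw, validate=True)
    except ValueError:
        return "malformed"
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # check HMAC before parsing
        return "bad-hmac"
    msg = json.loads(body)
    if abs(now - msg["ts"]) > WINDOW:            # stale or far-future packet
        return "stale"
    for d, exp in list(seen_digests.items()):    # forget digests that can no
        if exp <= now:                           # longer pass the time check
            del seen_digests[d]
    digest = hashlib.sha256(data).hexdigest()
    if digest in seen_digests:                   # same packet sent again
        return "replay"
    seen_digests[digest] = now + 2 * WINDOW
    return msg["src"], msg["port"]

def handle(raw, now):
    """Server side: open a time-limited pinhole for a valid knock."""
    result = verify_packet(raw, now)
    if isinstance(result, str):
        return result
    granted[result] = now + OPEN_SECONDS
    return "granted"

def is_open(src_ip, port, now):
    """Would the firewall pass src_ip -> port at time now?"""
    exp = granted.get((src_ip, port))
    return exp is not None and now < exp
```

A real deployment would replace the `granted` dict with a firewall rule or pf table entry that is removed when the grant expires.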
Updated by Jim Pingle over 3 years ago
- Project changed from pfSense to pfSense Packages
- Subject changed from Can capabilities from fwknop be added to the build? to fwknop Port Knocking Package
- Category set to New Package Request
If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.
Updated by William Evans over 3 years ago
Just started using pfSense recently and I'm really surprised fwknop is not available. I can install fwknop on OpenWrt and have it set up in minutes! With it I can open a port for SSH or a VPN connection for a specific public IP address for 10 seconds and complete the 3-way handshake. The Android client setup is painless using the camera on your phone with a QR code. Very slick!
Does anyone remember Heartbleed?
Stilez y wrote:
fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages - single encrypted packet used for knocking, not vulnerable to replay attacks or DoS, faster, and seems a lot more flexible.
These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.
For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).
Updated by Kurt Yoder about 3 years ago
Jim Pingle wrote:
If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.
I just created an account to upvote this package request, and respond to the above statement by Jim Pingle. The usefulness is in section 1.3 of the FAQ "why are you releasing this?" (https://www.cipherdyne.org/fwknop/docs/faq.html#release)
Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not
Emphasis mine.
Pulse VPN recently had a pretty bad vulnerability, and they're not the only one (https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF). Better for us as VPN users to assume our VPN software is also vulnerable and protect it with an extra layer of security.
Updated by David Yon about 2 years ago
Kurt Yoder wrote:
Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not
Emphasis mine.
I would like to upvote this as well, and contribute another reason for why port-knocking is useful. About a year ago I had to shut down a VPN server for one of the networks I operate here. The reason? Once the botnets discovered the VPN, it was bombarded with password-cracking attempts. I have a 300/30 connection and there were times it was flooding the uplink so bad that connectivity ground to a halt. I was essentially being DOS'd by the swarm of break-in attempts.
This problem would instantly go away with port-knocking. Port-knocking would also make me more comfortable with exposing things like SSH, the HTTPS configuration pages, etc on the WAN port because I'd have a high degree of confidence that malicious actors would not be pummeling them 24/7.
With the VPN, I was fortunate enough that it was so rarely needed that I could just turn it up on demand. Had that not been the case I would have had to resort to source-IP pinholes and the headaches of adjusting them as the users roamed or had their IP change on them.
Updated by Geoff Hilton 7 months ago
I'm adding my vote here as well, I'd like port knocking to be possible within pfSense either natively or as a separate package for the same reasons as those above.
Updated by Kristian Kirilov 5 months ago
I'm adding my vote here as well. The point is that we all know that we should not open any management services to the wide internet, and that is what we do. Although I'm able to access my networks and the router itself only via OpenVPN (configured with 2FA enabled and a static key), I continue to have some concerns about the bugs in the software. You know that wherever there is software, there are bugs in it, which is normal. The software is written by people, and people are error-prone.
I know that security by obscurity is not the best security at all, but if it is possible to hide services from the wide internet behind some security logic, it will be a benefit overall, in my opinion.
That's all from me, wish you all the best, and thanks for the effort you put into developing this great software.
Updated by Liquid Thex 4 days ago
I'd like to add a vote here, too. This would be incredibly useful.
Port knocking is not an alternative to a VPN; it is an additional layer of security.
There are also situations where a VPN connection is not possible, so it provides an additional layer of security for those services as well as the VPN service itself.