Feature #8547

open

fwknop Port Knocking Package

Added by Stilez y over 3 years ago. Updated 10 months ago.

Status: New
Priority: Normal
Assignee: -
Category: New Package Request
Target version: -
Start date: 06/01/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages - single encrypted packet used for knocking, not vulnerable to replay attacks or DoS, faster, and seems a lot more flexible.

These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.

For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).

Actions #1

Updated by Jim Pingle over 2 years ago

  • Project changed from pfSense to pfSense Packages
  • Subject changed from Can capabilities from fwknop be added to the build? to fwknop Port Knocking Package
  • Category set to New Package Request

If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.

Actions #2

Updated by William Evans about 2 years ago

Just started using pfSense recently and I'm really surprised fwknop is not available. I can install fwknop on OpenWrt and have it set up in minutes! With it I can open a port for SSH or a VPN connection for a specific public IP address for 10 seconds and complete the 3-way handshake. The Android client setup is painless using the camera on your phone with a QR code. Very slick!
Does anyone remember Heartbleed?

Stilez y wrote:

fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages - single encrypted packet used for knocking, not vulnerable to replay attacks or DoS, faster, and seems a lot more flexible.

These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.

For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).
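To make the properties claimed in the description and in the comment above concrete (one authenticated packet per request, replays rejected, the port open only briefly for one source address), here is an added, simplified single-packet-authorization sketch. It is not fwknop's code or wire format: fwknop additionally encrypts the payload, while this sketch only authenticates it with an HMAC; the key, the 30-second validity window and the addresses are constructed sample values.

```python
import hashlib, hmac, json, os, time

KEY = b"constructed-shared-secret"   # constructed sample key, not a real one
WINDOW = 30    # seconds a packet stays valid (assumed value)
OPEN_FOR = 10  # seconds the port stays open (the figure from the comment above)

def build_spa(key, src_ip, port, now=None):
    """Client side: one self-contained packet requesting access.
    A fresh nonce and a timestamp make every packet unique."""
    body = json.dumps({"ip": src_ip, "port": port,
                       "ts": int(now if now is not None else time.time()),
                       "nonce": os.urandom(16).hex()}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class SpaServer:
    """Server side: verify, reject stale and replayed packets, then open
    (ip, port) for a short, fixed time instead of leaving it exposed."""
    def __init__(self, key):
        self.key = key
        self.seen = {}     # packet digest -> time first accepted
        self.allowed = {}  # (ip, port) -> expiry time

    def handle(self, packet, now):
        body, _, tag = packet.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"            # tampered or wrong key
        req = json.loads(body)
        if abs(now - req["ts"]) > WINDOW:
            return "stale"              # outside the validity window
        # Only digests inside the window need remembering: anything older
        # is already refused by the timestamp check above.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= WINDOW}
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "replay"             # identical packet seen before
        self.seen[digest] = now
        self.allowed[(req["ip"], req["port"])] = now + OPEN_FOR
        return "open"

    def is_allowed(self, ip, port, now):
        """What a firewall rule would consult: a time-limited allow entry."""
        expiry = self.allowed.get((ip, port))
        return expiry is not None and now < expiry
```

In a real deployment the `allowed` map corresponds to a firewall table entry with an expiry; the connection established inside that window survives because pf's state table, not the rule, carries it afterwards.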

Actions #3

Updated by Kurt Yoder almost 2 years ago

Jim Pingle wrote:

If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.

I just created an account to upvote this package request, and respond to the above statement by Jim Pingle. The usefulness is in section 1.3 of the FAQ "why are you releasing this?" (https://www.cipherdyne.org/fwknop/docs/faq.html#release)

Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not

Emphasis mine.

Pulse VPN recently had a pretty bad vulnerability, and they're not the only one (https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF). Better for us as VPN users to assume our VPN software is also vulnerable and protect it with an extra layer of security.

Actions #4

Updated by David Yon 10 months ago

Kurt Yoder wrote:

Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not

Emphasis mine.

I would like to upvote this as well, and contribute another reason for why port-knocking is useful. About a year ago I had to shut down a VPN server for one of the networks I operate here. The reason? Once the botnets discovered the VPN, it was bombarded with password-cracking attempts. I have a 300/30 connection and there were times it was flooding the uplink so bad that connectivity ground to a halt. I was essentially being DOS'd by the swarm of break-in attempts.

This problem would instantly go away with port-knocking. Port-knocking would also make me more comfortable with exposing things like SSH, the HTTPS configuration pages, etc. on the WAN port because I'd have a high degree of confidence that malicious actors would not be pummeling them 24/7.

With the VPN, I was fortunate enough that it was so rarely needed that I could just turn it up on demand. Had that not been the case I would have had to resort to source-IP pinholes and the headaches of adjusting them as the users roamed or had their IP change on them.
