pfSense » pfSense Packages

Just started using pfSense recently and I'm really surprised fwknop is not available. I can install fwknop on OpenWrt and have it setup in minutes! With it I can open a port for ssh or a VPN connection for specific public IP address for 10 seconds and complete the 3 way hand shake. The android client setup is painless using the camera on your phone with a QR code. Very slick !
Does anyone remember Heart Bleed ?

Stilez y wrote:

fwknop is a quite well established "next generation" advance on simple port knocking, to conceal and safeguard external-facing services and open (or semi-open) ports, and avoid known limitations/issues of port knocking. Main advantages - single encrypted packet used for knocking, not vulnerable to replay attacks or DoS, faster, and seems a lot more flexible.

These capabilities would be useful firewall enhancements. fwknop is compatible with pf on OpenBSD and can run on FreeBSD, but it would be necessary to confirm if it's also compatible with pf on FreeBSD - I've opened an issue on their tracker to that effect (#269). So it's probably a "for future" request.

For crossref purposes, note that there's an old request for a pfSense tie-in on the fwknop issues tracker (issue #130).

Jim Pingle wrote:

If you want secure remote access, use a VPN. If someone wants to make a package for this, we could review a PR for it, but I don't see it being generally useful.

I just created an account to upvote this package request, and respond to the above statement by Jim Pingle. The usefulness is in section 1.3 of the FAQ "why are you releasing this?" (https://www.cipherdyne.org/fwknop/docs/faq.html#release)

Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not

Emphasis mine.

Pulse VPN recently had a pretty bad vulnerability, and they're not the only one (https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF). Better for us as VPN users to assume our VPN software is also vulnerable and protect it with an extra layer of security.

Kurt Yoder wrote:

Because security bugs are frequently discovered in all sorts of software, including security software such as VPN and encrypted shell services, and so providing an additional layer of security can mean the difference between being compromised or not

Emphasis mine.

I would like to upvote this as well, and contribute another reason for why port-knocking is useful. About a year ago I had to shut down a VPN server for one of the networks I operate here. The reason? Once the botnets discovered the VPN, it was bombarded with password-cracking attempts. I have a 300/30 connection and there were times it was flooding the uplink so bad that connectivity ground to a halt. I was essentially being DOS'd by the swarm of break-in attempts.

This problem would instantly go away with port-knocking. Port-knocking would also make me more comfortable with exposing things like SSH, the HTTPS configuration pages, etc on the WAN port because I'd have a high degree of confidence that malicious actors would not be pummeling them 24/7.

With the VPN, I was fortunate enough that is was so rarely needed that I could just turn it up on demand. Had that not been the case I would have had to resort to source-IP pinholes and the headaches of adjusting them as the users roamed or had their IP change on them.

I'm adding my vote here as well, I'd like port knocking to be possible within pfSense either natively or as a separate package for the same reasons as those above.

I'm adding my vote here as well. The point is that we all know that we should not open any management services to the wide internet and that is what we do. Although I'm able to access my networks and the router itself only via OpenVPN (configured with 2FA enabled and static key) I continue to have some concerns about the bugs in the software. You know that, wherever have software, anywhere have bugs in it, which is normal. The software is written by people, and people are error prone.

I know that security with obscurity is not the best security at all, but if possible to hide services from the wide internet, behind a security logic it will benefit at all in my opinion.
That's all by me, wish you all the best, and thanks for the effort you do to develop this great software.

I'd like to add a vote here, too. This would be incredibly useful.

Port knocking is not an alternative to a VPN it is an additional layer of security.

There are also situations where a VPN connection is not possible, so it provides an additional layer of security for those services as well as the VPN service itself.

I really want to see this as well. I'll explain why people want fwknop or at the minimum knockd support...

Fwknop and knockd are tools to mitigate zero-day vulnerabilities. In other words, if the attacker doesn't know that a service port is available (like a vpn server port), there isn't anything to attack. Currently I have an OpenWRT router sitting at the edge of my network running fwknop. That's pretty much all it does. When I'm traveling, I can't pre-program a nat/firewall rule to allow my source ip address because I won't know what it is. First I send a special spa packet to the edge appliance, it enables a nat/firewall rule for 60 seconds (just enough time to get my vpn established). Next I connect to my vpn. After 60 seconds have passed the config is removed, while keeping the vpn session alive.

I'm really surprised this package isn't supported in pfSense yet.

I'm willing to chip in, help code this myself or hire someone to develop this. Either way I'd like to see this package supported. What's the procedure to get this rolling along?

Jim Pingle wrote in #note-1:

If you want secure remote access, use a VPN.

I understand that censorship circumvention is not the point of pfSense, but my usecase partially falls into that. One of my pfSense boxes is located at my mother's house in Russia (so it's a completely non-commercial installation), and the government is more and more hostile to VPNs each day.
Outgoing VPN handshakes from Russia to outside internet are already virtually impossible, even to private addresses, and I am concerned incoming might also be blocked in the future, rendering it impossible for me to administer her network. Because of this I decided to setup port-knocking in advance, but was surprised pfSense does not support it.

VPN might be a very convenient and effective way to have secure remote access in more lucky parts of the world, but it's not universal, even ignoring everything stated above about potential vulnerabilities (and it shouldn't be ignored).

There are vpn technologies now using crypto based port knocking for just this reason. In my view it’s a reasonable feature request..too many vpn technologies being compromised these days..

Also upvote.

Because bruteforcing by thousands of IoT devices (fridges, smart bulbs, smart locks, smart tvs, Alexa-based devices, home automation systems,…) and cheap home routers become more and more easy way for obtaining access for hackers nowadays.