FWbuilder config of port-knocking access?

  • Anonymous - 2011-07-12

    I've been asked to provide & protect occasional roaming access to SSH listener ports at a bunch of geo-distributed boxes.

    fwbuilder is really handy for managing all the various boxes' firewall rulesets!

    I do NOT want to keep SSH ports always open to the net-at-large, so I'm looking at a port-knocking setup.

    Can fwbuilder set up port-knocking detection using iptables' "recent" module?

    Basically, I want to have SSH listening on a closed, random port, say #12345.  Then a telnet to ports #11111, #22222, and #33333 in order within 30 seconds from a given IP would open port #12345 for SSH access *just* for that IP.

    Here's a simple example of what'd need to be done:


    I'm just not sure if, and HOW, that'd be done with fwbuilder.
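    The rule set the question describes, written as plain iptables commands with the "recent" module. This is an added example, not part of the original post and not fwbuilder-generated output. It assumes SSH already listens on TCP 12345, that the conntrack match is available, and that the chain names (KNOCKING, GATE1, GATE2, GATE3, PASSED) and recent list names (AUTH1, AUTH2, AUTH3) are arbitrary choices of this example. By default it only prints the commands (IPT defaults to "echo iptables"); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Three-stage port knock with iptables' recent module (added example, not fwbuilder output).
# Knock 11111 -> 22222 -> 33333 from one source IP; each knock must follow the previous
# one within WINDOW seconds, then a single new TCP connection to SSH_PORT is accepted
# from that IP only. Any out-of-order packet drops the source back to stage one.

KNOCK1=11111
KNOCK2=22222
KNOCK3=33333
SSH_PORT=12345      # assumption: sshd listens here (closed to everyone until knocked)
WINDOW=30           # max seconds between consecutive knocks and before the SSH connect

# Dry-run by default: prints the commands instead of applying them. IPT=iptables to apply.
: "${IPT:=echo iptables}"

knock_rules() {
  $IPT -N KNOCKING
  $IPT -N GATE1
  $IPT -N GATE2
  $IPT -N GATE3
  $IPT -N PASSED

  # GATE1: only the first knock is interesting; record the source and DROP the knock
  # packet itself so the knocker's telnet/nc never sees a reply.
  $IPT -A GATE1 -p tcp --dport "$KNOCK1" -m recent --name AUTH1 --set -j DROP
  $IPT -A GATE1 -j DROP

  # GATE2: source knocked stage one recently. Clear that mark, then either advance on
  # the second knock or fall back to GATE1 (any other port restarts the sequence).
  $IPT -A GATE2 -m recent --name AUTH1 --remove
  $IPT -A GATE2 -p tcp --dport "$KNOCK2" -m recent --name AUTH2 --set -j DROP
  $IPT -A GATE2 -j GATE1

  # GATE3: same pattern for the third knock.
  $IPT -A GATE3 -m recent --name AUTH2 --remove
  $IPT -A GATE3 -p tcp --dport "$KNOCK3" -m recent --name AUTH3 --set -j DROP
  $IPT -A GATE3 -j GATE1

  # PASSED: the sequence completed. The --remove makes the opening one-shot: one new
  # SSH connection per completed knock; the conntrack rule in INPUT keeps it alive.
  $IPT -A PASSED -m recent --name AUTH3 --remove
  $IPT -A PASSED -p tcp --dport "$SSH_PORT" -j ACCEPT
  $IPT -A PASSED -j GATE1

  # Dispatcher: check the most advanced stage first. --rcheck with --seconds means an
  # entry older than WINDOW is ignored and the source silently restarts at GATE1.
  $IPT -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH3 -j PASSED
  $IPT -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH2 -j GATE3
  $IPT -A KNOCKING -m recent --rcheck --seconds "$WINDOW" --name AUTH1 -j GATE2
  $IPT -A KNOCKING -j GATE1

  # INPUT: loopback and existing connections first, then every new TCP connection
  # attempt goes through the knock state machine. Anything the machine does not
  # ACCEPT ends in DROP, so SSH_PORT is closed to the net at large.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j KNOCKING
}

knock_rules
```

Two caveats worth knowing before relying on this. First, the knock packets are DROPped, so a client-side `telnet host 11111` (or `nc -z -w 1 host 11111`) hangs until its own timeout; that is expected and a single SYN per port is enough, since the match is on new connections rather than completed handshakes. Second, WINDOW bounds the gap between consecutive steps, not the total time for the whole sequence, and the recent module keeps a bounded per-list table (the xt_recent ip_list_tot parameter), so a busy host that is being scanned can have entries evicted. None of this replaces key-based authentication on the SSH daemon itself; the knock only hides the port.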

  • Anonymous - 2011-07-13

    Thanks, I think that should do it.

    One thing I noticed is that when I create a CustomService object, the code string appears to be concatenated with the iptables command.

    So if I enter,

    "--dport 10000 -m recent --name SSH --set"

    when I hover over the new object, the display shows:

    "iptables--dport 10000 -m recent --name SSH --set"

    See? "iptables--dport" - no space.

    But if I enter,

    " --dport 10000 -m recent --name SSH --set"

    with a leading space I get

    "iptables --dport 10000 -m recent --name SSH --set"

    I don't know if that's a real problem, or just one with display.

  • Mike Horn - 2011-07-13

    The "iptables" you see at the beginning when you hover over it just shows the type of custom service object this is, so this won't affect your generated rules.
