ipfw and temporary port access

[Noah]

Daniel Bye wrote:
> On Sat, Sep 16, 2006 at 03:06:13PM -0700, Noah wrote:
>   
>> Hi there,
>>
>> I am trying to figure out how to open a port temporarily for a specific 
>> IP who is able to provide a proper username and password on the website 
>> of the box.  After authentication is verified then the IP address is 
>> cached and temporarily allowed to access a specific port on the 
>> server.   This temporary firewall changes would be handled by ipfw.
>>
>> Any clues if a system like this is a already coded and out there somewhere?
>>     
>
> Take a look at security/doorman or security/knock, both of which might
> fit the bill.
>
>   


Hi there,

I have really specific needs and wondering if somebody has written a 
port knocker out there already that fits the criteria of what I am 
looking for.

Portknocker capabilities:

1) User needs to telnet to specific port and/or log into a website.
2) Learns the IP address that the user is coming from in step 1.
3) Opens ssh port to specifically to the IP address grabbed in step 1 
but also keeps ssh port open to statically defined IPs in /etc/rc.firewall .
4) As soon as the user disconnects from the ssh port the IP address in 
step 1 no longer can access the ssh port unless they log back in like 
the procedure in step 1.

I reviewed two programs doorman and knock (found in FreeBSD 
/usr/ports/security)

Doorman Review:
I am unable to figure out how to configure the ability to capture the IP 
address of where the UDP packet was sent.   Therefore this program does 
not completely match what I am looking for, or I do not understanding 
how to configure it.

Knock Review:
This is nice but still requires closing the port as a step when done.  
It would be nice to automatically close the ssh port when the user 
disconnects from the ssh port.  Also I am not clear but I don't think 
there is a way to grab the source IP address, right?

Anybody know of other programs I could check out?

Cheers,

Noah





> Dan
>
>