netfilter-devel Digest, Vol 27, Issue 18

J. Federico Hernandez fede.hernandez at gmail.com
Sat Oct 14 00:01:54 CEST 2006


> On Oct 12, 2006, Alexey Toptygin wrote:
>
> > On Wed, 11 Oct 2006, Luis Floreani wrote:
> >
> > >>If you're interested in port knocking, you might want to read this
> > >>paper:  http://www.acsac.org/2005/abstracts/156.html  It covers security
> > >>issues relating to port knocking in detail, and presents an architecture
> > >>for solving most of them.
> > >>
> > >>Full disclosure:  I wrote that paper.  Feel free to contact me if you
> > >>have questions.
> > >>
> > >>Rennie deGraaf
> > >
> > >In our implementation, for security, we are using the Tumbler protocol, we
> > >found it simple yet powerful, check it out here:
> > >http://tumbler.sourceforge.net/.
> >
> > It seems that Tumbler is not capable of working across NAT, unless the
> > client can somehow obtain its public IP address. Also, it relies on clocks
> > being synchronized, since authentication will fail if the UTC time in
> > minutes is not identical on the client and server. Tumbler is not as
> > stealthy as the techniques in Rennie deGraaf's paper, since it uses an
> > open UDP port.
>
> Why not use fwknop in Single Packet Authorization mode?:

Why not use iptables to implement port knocking?
You won't depend on any daemon.

If you know the iptables syntax, you don't need to learn the daemon
syntax or its configuration.

-- 
Federico
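As an added example (not code from this thread or from Federico), the following script shows what a daemon-less port-knocking ruleset looks like using only iptables and the `recent` match. The port numbers, chain names and timeouts are constructed for the example; by default the script prints the iptables commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Three-port TCP knock
# sequence implemented with iptables' "recent" match; no userspace daemon.
# Port numbers, chain names and timeouts are constructed for the example.
# Set IPT=iptables and run as root to apply; the default only prints rules.

dry_run() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-dry_run}"

KNOCK_PORT1=${KNOCK_PORT1:-7000}
KNOCK_PORT2=${KNOCK_PORT2:-8000}
KNOCK_PORT3=${KNOCK_PORT3:-9000}
KNOCK_SERVICE_PORT=${KNOCK_SERVICE_PORT:-22}
KNOCK_STAGE_TIMEOUT=${KNOCK_STAGE_TIMEOUT:-10}  # seconds allowed between knocks
KNOCK_OPEN_TIMEOUT=${KNOCK_OPEN_TIMEOUT:-30}    # seconds the service stays open

knock_rules() {
    # Only the knock ports and the protected service pass through the gates;
    # other traffic is left to whatever policy the host already has.
    GATED="-p tcp -m multiport --dports $KNOCK_PORT1,$KNOCK_PORT2,$KNOCK_PORT3,$KNOCK_SERVICE_PORT"

    $IPT -N KNOCK_GATE1
    $IPT -N KNOCK_GATE2
    $IPT -N KNOCK_GATE3
    $IPT -N KNOCK_PASSED

    # GATE1: the first knock marks the source as STAGE1; everything else drops.
    $IPT -A KNOCK_GATE1 -p tcp --dport "$KNOCK_PORT1" -m recent --name STAGE1 --set -j DROP
    $IPT -A KNOCK_GATE1 -j DROP

    # GATE2/GATE3: any packet from a marked source consumes the previous mark
    # (the --remove rule has no target, so evaluation continues); only the
    # expected port advances the stage, a wrong port restarts at GATE1.
    $IPT -A KNOCK_GATE2 -m recent --name STAGE1 --remove
    $IPT -A KNOCK_GATE2 -p tcp --dport "$KNOCK_PORT2" -m recent --name STAGE2 --set -j DROP
    $IPT -A KNOCK_GATE2 -j KNOCK_GATE1

    $IPT -A KNOCK_GATE3 -m recent --name STAGE2 --remove
    $IPT -A KNOCK_GATE3 -p tcp --dport "$KNOCK_PORT3" -m recent --name STAGE3 --set -j DROP
    $IPT -A KNOCK_GATE3 -j KNOCK_GATE1

    # PASSED: STAGE3 is consumed on first use, so one new connection is admitted
    # per completed sequence; conntrack keeps that connection alive afterwards.
    $IPT -A KNOCK_PASSED -m recent --name STAGE3 --remove
    $IPT -A KNOCK_PASSED -p tcp --dport "$KNOCK_SERVICE_PORT" -j ACCEPT
    $IPT -A KNOCK_PASSED -j KNOCK_GATE1

    # Dispatch from INPUT, most advanced stage first, each within its timeout.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT $GATED -m recent --name STAGE3 --rcheck --seconds "$KNOCK_OPEN_TIMEOUT" -j KNOCK_PASSED
    $IPT -A INPUT $GATED -m recent --name STAGE2 --rcheck --seconds "$KNOCK_STAGE_TIMEOUT" -j KNOCK_GATE3
    $IPT -A INPUT $GATED -m recent --name STAGE1 --rcheck --seconds "$KNOCK_STAGE_TIMEOUT" -j KNOCK_GATE2
    $IPT -A INPUT $GATED -j KNOCK_GATE1
}

knock_rules
```

The trade-off the rest of the thread discusses still applies: this keeps state in the kernel and needs no daemon or synchronized clocks, but a fixed port sequence carries no cryptographic authentication, so anyone who observes the sequence on the wire can repeat it, which is the gap that single-packet-authorization designs such as fwknop and the paper cited above set out to close.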
