Architecture advice for a newbie

Seferovic Edvin edvin.seferovic at
Mon Nov 13 07:30:33 CET 2006


Google for port knocking! It is a solution for opening ports "at run time"
by accessing some already-closed ports and sending a specific packet type.

You can add/delete iptables rules at runtime, enabling access to some ports
or adding destination NAT to some machine behind the firewall (in the LAN). The
only thing is, no one here knows what auth method you are planning to use,
but from my experience netfilter has enough documentation and API to help
you achieve your goal.

Try being more specific (if possible).

-----Original Message-----
From: netfilter-bounces at
[mailto:netfilter-bounces at] On Behalf Of Hal Moroff
Sent: Monday, 13 November 2006 07:12
To: netfilter at
Subject: Architecture advice for a newbie

I'm fairly experienced with Linux and find myself on a project in an
area that is new to me.

We have a Debian based firewall. When a client (of our own
contacts the firewall I wish to connect it to a device behind the
firewall. The hole through the firewall should be closed until the client
is explicitly authenticated, and should only remain open for a specific
amount of time or until the client disconnects. When the hole is opened
WAN traffic between the client and the firewall should be

I'm thinking that the client should VPN IPSec to the target, and
netfilter can manage the hole.

There are 2 small wrinkles to add to this:
  1 - we have our own authentication scheme we wish to use, above and beyond
    any preshared keys

  2 - the target devices are generally dumb and aren't capable of
    (I should add that the internal LAN is trusted, so traffic inside
    the LAN can be

I've just started reading up on VPNs and netfilter docs. It isn't
(yet) clear to me how to manipulate netfilter at runtime like this
(to open and close the hole).

Regarding the "dumb target" in wrinkle #2, I'm thinking that traffic
can be routed to another process on the firewall. That process would
serve as the "go between" the LAN dumb target and the rest of the world.

Can anyone advise where to start investigating this?

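The runtime iptables manipulation Edvin suggests, as an added example that is not part of the thread: a small POSIX shell script that opens a DNAT hole through the firewall for one authenticated client address, and closes it again after a fixed lifetime or on an explicit close call. The interface name, the LAN target address and ports, the rule layout, and the idea that the authentication step (whatever Hal's own scheme turns out to be) calls `open_hole` with the client's source address are all assumptions; port knocking would simply be one way of triggering that call.

```shell
#!/bin/sh
# Added example (not from the thread): open a DNAT "hole" through a netfilter
# firewall for one authenticated client at runtime, and close it again after
# a fixed lifetime. Every value below is an assumption made for illustration.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface
TARGET="${TARGET:-192.168.1.10}"   # assumed dumb device on the trusted LAN
TARGET_PORT="${TARGET_PORT:-23}"   # assumed service port on that device
PUBLIC_PORT="${PUBLIC_PORT:-2323}" # assumed port the client connects to on the WAN side

# Accept only a dotted-quad IPv4 address. The client address comes from the
# authentication step and ends up on an iptables command line, so it must be
# validated before it is interpolated anywhere.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules that make up the hole for one client: a DNAT in the nat
# table and a FORWARD accept for the new connection. $2 is the iptables action
# (-A to open, -D to close), so one function both opens and closes the hole.
hole_rules() {
    client="$1"; action="$2"
    printf '%s\n' \
        "-t nat $action PREROUTING -i $WAN_IF -s $client -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT" \
        "$action FORWARD -i $WAN_IF -s $client -d $TARGET -p tcp --dport $TARGET_PORT -m state --state NEW -j ACCEPT"
}

# Run one iptables call per rule for client $1 with action $2.
apply_rules() {
    hole_rules "$1" "$2" | while IFS= read -r rule; do
        # the rule is built only from validated or fixed fields, so word splitting is safe
        $IPTABLES $rule
    done
}

# open_hole CLIENT_IP LIFETIME_SECONDS: open now, close after the lifetime.
open_hole() {
    valid_ipv4 "$1" || { echo "refusing to open hole: bad client address '$1'" >&2; return 1; }
    apply_rules "$1" -A
    # Deleting the NEW rule stops fresh connections; an in-flight session survives
    # only if FORWARD already accepts ESTABLISHED,RELATED (assumed here).
    ( sleep "$2"; apply_rules "$1" -D ) &
}

# close_hole CLIENT_IP: close early, e.g. when the client disconnects.
close_hole() {
    valid_ipv4 "$1" || return 1
    apply_rules "$1" -D
}

case "${1:-}" in
    open)  open_hole "$2" "${3:-300}" ;;
    close) close_hole "$2" ;;
esac
```

Run as `IPTABLES=echo sh hole.sh open 203.0.113.5 60` to see the rules that would be added and, a minute later, deleted. Two caveats a practitioner would want: the hole is keyed on the client's source address, so several clients behind one NAT gateway would all pass once one of them authenticates; and a hole that is also reachable on the WAN side should still be confined with `-s` as shown, otherwise a DNAT rule without a source match opens the device to everyone for the lifetime.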