What is the name of this firewall technique?
raindog308
Administrator, Veteran
in General
I seem to recall reading about a way to do the following with iptables.
Using random arbitrary port numbers as examples:
(1) Ports 5577 and 7755 are blocked
(2) If an IP tries to connect to port 5577 first, port 7755 is unblocked for that IP
What is this technique called? I can't seem to google it up, probably because I'm using the wrong terminology.
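The two-step behaviour described in the question, as an added example that is not part of the original post: a single-knock rule set using the iptables `recent` match, where a dropped connection attempt to one port whitelists the source for the second port. The port numbers are the arbitrary ones from the question; the list name `knock`, the 30-second window and the `DRY_RUN`/`IPT` variables are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): single-knock port knocking with the
# iptables "recent" match. A connection attempt to KNOCK_PORT is dropped but
# records the source IP; that IP may then open OPEN_PORT for WINDOW seconds.
# Port numbers are the arbitrary ones from the question; DRY_RUN, IPT and the
# list name "knock" are this example's own choices.
KNOCK_PORT=${KNOCK_PORT:-5577}
OPEN_PORT=${OPEN_PORT:-7755}
WINDOW=${WINDOW:-30}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = apply them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print or apply the four INPUT rules for one knock port / protected port pair.
knock_rules() {
    knock=$1; open=$2; window=$3
    # Sessions already accepted keep working even after the knock expires.
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The knock: a new TCP connection to the knock port puts the source in the
    # "knock" list and is then dropped, so the port looks closed to everyone.
    run "$IPT" -A INPUT -p tcp --dport "$knock" -m conntrack --ctstate NEW \
        -m recent --name knock --set -j DROP
    # The protected port: accept a new connection only if the source knocked
    # within the last $window seconds (--reap purges older list entries).
    run "$IPT" -A INPUT -p tcp --dport "$open" -m conntrack --ctstate NEW \
        -m recent --name knock --rcheck --seconds "$window" --reap -j ACCEPT
    # Anyone else hitting the protected port is dropped, same as the knock port.
    run "$IPT" -A INPUT -p tcp --dport "$open" -j DROP
}

knock_rules "$KNOCK_PORT" "$OPEN_PORT" "$WINDOW"
```

With the default `DRY_RUN=1` the script only prints the rules for review; run it as root with `DRY_RUN=0` to apply them, and check which sources have knocked with `cat /proc/net/xt_recent/knock`.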
Comments
Port knocking
Port knocking
Thanks. Playing with different methods for home access.
Right now, I port-forward SSH to a single landing box at home. This landing box only allows access from a couple different VPSes. Everything is ssh key only, of course.
I did it this way because when I'm traveling, I don't know in advance what my remote IP will be. I'm thinking maybe port knocking could eliminate the need for the VPSes.
Using a Wireguard Road Warrior setup to access your internal network is probably more secure than port knocking.
@raindog308
Here are a few links about port knocking that I saved a while back in 2020. Maybe one or more of them might be helpful or might lead you to something else that's helpful.
https://news.ycombinator.com/item?id=23187662
see Judd Vinet (of Arch fame) and Michael Rash, respectively:
https://zeroflux.org/projects/knock
https://www.cipherdyne.org/author.html
Friendly greetings!
Port knocking
Why not just use tailscale.com?
Put a VPN server in your home router. Use DDNS for home hostname if your home IP changes.
Wireguard. Don't overthink with port knocking, DDNS or tailscale (wtf).
apt install knockd
https://www.tecmint.com/port-knocking-to-secure-ssh/
http://teanazar.com/2016/05/godaddy-ddns-updater/
Another method for home IP acquisition is to have a script [bash] upload [curl] it to your VPS when it changes. No need for DNS or DDNS. The script can also email [msmtp] it to you. On the VPS, a script [bash] updates the BIND 'A' record of the home DNS record and restarts BIND. This way all your branch links are always up and linked, whether the IP from the ISP is fixed or dynamic. And with a TTL of 30 seconds that you set in BIND for the dynamically changing IPs, you get a downtime of no more than 2 minutes [cron @home and @vps] + 30 seconds + latency variation. All your WireGuards are thus always up and accessible.
https://www.baeldung.com/linux/specific-dns-for-specific-domain