[stunnel-users] Will fwknop work?

richard.woodman at cox.net richard.woodman at cox.net
Tue Apr 29 17:56:38 CEST 2008


If I understand the question correctly, isn't this what "port knocking" or single packet authorization (e.g. fwknop) is supposed to do?  I have used fwknop and SSH in our lab, but only with Linux and iptables.  However, I think fwknop is supposed to interface with more than just iptables on the local box (meaning you would not have to use a Linux box to replace your current firewall).  

I think you can use fwknop to monitor syslog and parse for specific events and then open the port.  In other words, your current firewall reports to your syslog server and fwknop parses the log file for the security event associated with the reception of a SPA packet on your outside interface.  Fwknop then sends your firewall (through a script?) whatever command is required to open the port you want and redirect it to the appropriate inside machine (or you could simply enable / disable a preconfigured rule).  I am not a scripting guru so I may be WAY off base here and if I am, I apologize for leading you astray.  Anyway, you might want to check out the following:

http://cipherdyne.org/fwknop/ --> FireWall KNock Operator home page
http://fwknop.darwinports.com/ --> OS X fwknop client

There is also a Windows UI version that is supposed to create SPA packets without using fwknop / Perl or running under Cygwin, but I have not used that.

Richard


On 4/29/08 7:50 PM, "jz at ellingtongeologic.com" <jz at ellingtongeologic.com> wrote:

> 
> Good Morning Mike:
> 
> I had a question and sent it to the list (it might not have gone through). The 
> question was: is it possible for stunnel to go to the router, for 
> example, 10.10.1.1, to scan for a port of interest and see whether there is a 
> request through that port, so the NAT router would not have to forward the port 
> to the stunnel on my local machine, e.g. 10.10.1.188, on which stunnel is 
> listening on port 8888 and will relay it to 5631 of the local program?
> 
> Thanks
