List Receiver
2009-Mar-19 23:56 UTC
Configuring port knocking to allow a subnet rather than an IP
I have an unusual situation where a client uses port knocking to reduce the amount of junk hitting a public service. The service is desired to be accessed on a PDA via T-mobile's US cell network. The trouble is that T-mobile seems to be natting from a pool of public IP addresses. The PDA can perform the knock, but it doesn't usually come from the same public IP as the desired connection. The knock seems to always come from a public IP in the same /24 as the desired connection, though.

I looked in the docs and researched some on Snow-Man's page about how the recent match works, but it's not clear to me how to specify the -s parameter with a /24 to override a /32 designation on the source address when the desired port is opened. We're using Shorewall-perl 4.2.2 in this instance. Is this not possible with the way the recent match works or the way Shorewall uses it? This setup is basically verbatim to the port knocking example on shorewall.net, and it works flawlessly for connections where the public IP is the same for the knock and the data connection.

Sorry for the lack of line wrap...I haven't seen a way to do this in Outlook yet.

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)based development software that enables intelligent coding and step-through debugging. Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
Tom Eastep
2009-Mar-20 00:24 UTC
Re: Configuring port knocking to allow a subnet rather than an IP
List Receiver wrote:
> Is this not possible with the way the recent match works or the way
> Shorewall uses it?

Recent match only records and matches individual addresses -- not networks.

Sorry,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Davide Ferrari
2009-Mar-20 12:01 UTC
Re: Configuring port knocking to allow a subnet rather than an IP
On Friday 20 March 2009 00:56:11 List Receiver wrote:
> The PDA can perform the knock, but it doesn't usually come from the same
> public IP as the desired connection. The knock seems to always come from a
> public IP in the same /24 as the desired connection, though.

Can't you do the knock and the following ssh connection in the same session (in the PDA)?

I understand that you're currently
1) establishing gprs/whatever connection
2) getting a dyn IP
3) knock
4) disconnect 1
5) establishing gprs/whatever connection
6) getting another IP
7) ssh

Can't you eliminate 4, 5, 6?

--
Davide Ferrari
Atrapalo.com System Administrator
List Receiver
2009-Mar-20 14:56 UTC
Re: Configuring port knocking to allow a subnet rather than an IP
> Can't you do the knock and the following ssh connection in the same session
> (in the PDA)?
>
> I understand that you're currently
> 1) establishing gprs/whatever connection
> 2) getting a dyn IP
> 3) knock
> 4) disconnect 1
> 5) establishing gprs/whatever connection
> 6) getting another IP
> 7) ssh
>
> Can't you eliminate 4, 5, 6?

No, there is no 4, 5, 6...this is happening on the same connection. The PDA gets a private IP from the cell provider, and they NAT outbound traffic from a pool of public IPs. I have no control over their NAT, so I can't dictate which of the public IPs in the pool each of my connections comes from.
Davide Ferrari
2009-Mar-20 15:36 UTC
Re: Configuring port knocking to allow a subnet rather than an IP
On Friday 20 March 2009 15:56:43 List Receiver wrote:
> No, there is no 4, 5, 6...this is happening on the same connection. The PDA
> gets a private IP from the cell provider, and they NAT outbound traffic
> from a pool of public IPs. I have no control over their NAT, so I can't
> dictate which of the public IPs in the pool each of my connections comes
> from.

Ok, sorry for misunderstanding. So, given Tom's answer, probably the quickest solution is to accept only ssh connections from that range on a non-standard port, enabling keys as well.

--
Davide Ferrari
Atrapalo.com System Administrator
List Receiver
2009-Mar-20 16:01 UTC
Re: Configuring port knocking to allow a subnet rather than an IP
> On Friday 20 March 2009 15:56:43 List Receiver wrote:
> > No, there is no 4, 5, 6...this is happening on the same connection. The PDA
> > gets a private IP from the cell provider, and they NAT outbound traffic
> > from a pool of public IPs. I have no control over their NAT, so I can't
> > dictate which of the public IPs in the pool each of my connections comes
> > from.
>
> Ok, sorry for misunderstanding. So, given Tom's answer, probably the quickest
> solution is to accept only ssh connections from that range on a non-standard
> port, enabling keys as well.

No problem. Unfortunately, I'm not aware of knowing all of the public IP ranges that T-mobile might shove them into, so that's going to be difficult. I wonder if I could somehow create a custom action that would see/intercept the IP from the recent match, but create a rule with /24 as the subnet rather than the default /32?
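As an added illustration (not code from this thread, from Shorewall, or from the iptables recent match), here is a small user-space model of a "recent" table whose entries are keyed by a network prefix instead of a single /32 address, i.e. the /24 widening the original poster is asking about; it assumes a hypothetical knock daemon that sees source addresses and would push the resulting allow into the firewall itself, and the addresses used are constructed from documentation ranges.

```python
import ipaddress
import time

# A tiny user-space analogue of the iptables "recent" match (--set,
# --remove, --rcheck --seconds N), keyed by a network prefix instead of a
# single /32 address. Added illustration only: the kernel "recent" match
# itself tracks individual addresses, as Tom Eastep notes above.

class RecentTable:
    def __init__(self, prefixlen=32):
        self.prefixlen = prefixlen   # 32 reproduces "recent" behaviour
        self.seen = {}               # network -> timestamp of last --set

    def _key(self, addr):
        # Collapse the source address to its containing prefix, so with
        # prefixlen=24 a knock from 203.0.113.10 covers 203.0.113.0/24.
        return ipaddress.ip_network(f"{addr}/{self.prefixlen}", strict=False)

    def set(self, addr, now=None):
        # --set: record (or refresh) the source.
        self.seen[self._key(addr)] = time.time() if now is None else now

    def remove(self, addr):
        # --remove: forget the source (what the "wrong knock" ports do).
        self.seen.pop(self._key(addr), None)

    def rcheck(self, addr, seconds, now=None):
        # --rcheck --seconds N: true if the source was set within N seconds.
        now = time.time() if now is None else now
        last = self.seen.get(self._key(addr))
        return last is not None and now - last <= seconds

def knock_then_connect(prefixlen, knock_ip, connect_ip, elapsed):
    # Constructed scenario: the knock and the later data connection arrive
    # from different carrier NAT addresses; returns whether the connection
    # would be admitted under a 60-second window (assumed, not Shorewall's).
    table = RecentTable(prefixlen)
    table.set(knock_ip, now=0)
    return table.rcheck(connect_ip, seconds=60, now=elapsed)

if __name__ == "__main__":
    # Sample addresses from RFC 5737 documentation ranges, not a real carrier.
    print(knock_then_connect(32, "203.0.113.10", "203.0.113.77", 5))   # False
    print(knock_then_connect(24, "203.0.113.10", "203.0.113.77", 5))   # True
    print(knock_then_connect(24, "203.0.113.10", "203.0.113.77", 90))  # False
    print(knock_then_connect(24, "203.0.113.10", "198.51.100.5", 5))   # False
```

Note that keying on /24 admits every other customer sharing that slice of the carrier's NAT pool for the whole window, so the knock no longer identifies the PDA; pairing it with key-based ssh authentication, as Davide suggests, is what keeps the access control meaningful.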