Re: [SLUG] Re: Doorman - opening firewall ports

From: Robert Snyder (
Date: Mon Jan 02 2006 - 20:44:57 EST

Sick Twist wrote:

>> From: Levi Bard <>
>> Reply-To:
>> To:
>> Subject: [SLUG] Re: Doorman - opening firewall ports
>> Date: Mon, 2 Jan 2006 09:09:57 -0600
>> I'm basically against portknocking as a security layer. It's the kind
>> of security-by-obscurity thing that will give people a false sense of
>> safety while it in fact does little or nothing at all. The only port
>> knocking implementations I've seen that attempt to block replay
>> attacks use onetime pads for the port sequences, but if you're going
>> to use onetime pads, you may as well use them for authentication and
>> cut out the middleman. One of my previous employers ran a onetime pad
>> authenticator on a high port - until you authenticated with that
>> service, everything was closed to you. Once you authenticated, your
>> allowed set of ports was opened to the IP from which you
>> authenticated, as long as you kept the auth connection open and
>> active. Less convoluted than port knocking, and at least as secure.
>> > If your port knocking protocol permits replay attacks, then you really
>> > haven't kept out the most interested folks.
>> Or *any* of the folks who would have been able to realistically
>> compromise the system.
> If you're previous employer ran an authenticator on a high port,
> doesn't that mean that the port was open for the world to see? If so,
> that open port would indicate that there was in fact a host at the
> given IP address.
> If I understand port knocking correctly, the neat thing about it is
> that the server is completely invisible (no open ports at all) unless
> the correct "knock" is sent. It's a neat idea and one that I wasn't
> familiar with until it came up on this list. I agree that other
> safeguards should certainly be in place, but doorman seems like it
> would be quite useful.
> -Jonathon

Now there is a solution that I rather like if you are just looking to
connect to a machine safely for xyz service.

if you go to they have a great zeroconf vpn system that
gives you a virtual ip in a range of ips that been reserved by IANA but
never used (5.x.x.x.) It transverse firewalls and Nat routers but can
not transverse a Proxy if you are behind one.) what is great about this
is it uses standard ipsec security, so you get AES 256 bit encription.
it also easy to use and it works on linux and windows the linux version
now has a gtk gui for it ( gui found in forums for download)

great thing is only the machines that you put in your password protected
virtual network have access so you really dont have to worry about
leaving ports open.
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:58:42 EDT