I'm fairly experienced with Linux and find myself on a project in an area that is new to me. We have a Debian-based firewall. When a client (of our own design/implementation) contacts the firewall, I wish to connect it to a device behind the firewall. The hole through the firewall should be closed until the client is explicitly authenticated, and should only remain open for a specific amount of time or until the client disconnects. When the hole is opened, WAN traffic between the client and the firewall should be encrypted.

I'm thinking that the client should VPN (IPsec) to the target, and netfilter can manage the hole. There are two small wrinkles to add to this:

1 - We have our own authentication scheme we wish to use, above and beyond any preshared keys.

2 - The target devices are generally dumb and aren't capable of VPN/encryption. (I should add that the internal LAN is trusted, so traffic inside the LAN can be unencrypted.)

I've just started reading up on VPNs and the netfilter docs. It isn't (yet) clear to me how to manipulate netfilter at runtime like this (to open and close the hole). Regarding the "dumb target" in wrinkle #2, I'm thinking that traffic can be routed to another process on the firewall. That process would serve as the "go-between" between the LAN dumb target and the rest of the world.

Can anyone advise where to start investigating this?
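As an added example (not part of the original post, and not anyone's production code), here is one way to do the runtime open/close of the hole on a Debian firewall with ipset and iptables. The idea is that the iptables FORWARD rules are installed once and match against an ipset; the set is empty by default, so the hole is closed, and the authenticating process adds an entry (with a kernel-side timeout) only after the client has passed your own authentication scheme and deletes it again on disconnect. The interface names `eth0`/`eth1`, the set name `client_holes`, a FORWARD policy of DROP, and the `DRY_RUN` switch are assumptions for the illustration; with `DRY_RUN=1` (the default) the functions print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Open/close a per-client
# netfilter "hole" at runtime with ipset + iptables. Assumptions: WAN on
# eth0, LAN on eth1, FORWARD policy DROP, packages ipset and conntrack
# installed. With DRY_RUN=1 (default) commands are printed, not executed;
# run as root with DRY_RUN=0 on the firewall to apply them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SET="client_holes"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup. The set is keyed on (client ip, proto:port, target ip)
# and supports per-entry timeouts ("timeout 0" at create time enables the
# feature with no default expiry). The first FORWARD rule matches WAN->LAN
# packets whose (src ip, dst port, dst ip) is in the set; the second
# matches the LAN->WAN replies with the tuple reversed. With an empty set
# nothing matches and the DROP policy applies, i.e. the hole is closed.
hole_setup() {
    run iptables -P FORWARD DROP
    run ipset -exist create "$SET" hash:ip,port,ip timeout 0
    run iptables -I FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m set --match-set "$SET" src,dst,dst -j ACCEPT
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m set --match-set "$SET" dst,src,src -j ACCEPT
}

# Called by the authenticating process once the client has passed your own
# scheme. The kernel expires the entry after TTL seconds, so no userspace
# timer is needed to enforce the "only open for a specific amount of time"
# requirement; re-adding it with -exist refreshes the timeout.
# Usage: hole_open CLIENT_IP TARGET_IP PROTO PORT TTL_SECONDS
hole_open() {
    run ipset -exist add "$SET" "$1,$3:$4,$2" timeout "$5"
}

# Called on client disconnect (or early revocation). Deleting the entry
# stops new packets immediately. The conntrack delete additionally tears
# down any flow already in progress, which matters if a generic
# "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule sits above
# the set rules: without it, an established session would outlive the hole.
# Usage: hole_close CLIENT_IP TARGET_IP PROTO PORT
hole_close() {
    run ipset -exist del "$SET" "$1,$3:$4,$2"
    run conntrack -D -s "$1" -d "$2" || :
}
```

Usage from the authenticating daemon would be `hole_setup` at boot, then `hole_open 203.0.113.5 10.0.0.7 tcp 22 1800` after a successful authentication and `hole_close 203.0.113.5 10.0.0.7 tcp 22` on disconnect (addresses are constructed examples). For the "go-between" variant in wrinkle #2, where a process on the firewall terminates the client's connection and talks to the dumb target itself, the same set can gate the INPUT chain (`-i "$WAN_IF" -m set --match-set "$SET" src,dst,dst`) instead of FORWARD, and the LAN-side leg from that process to the target needs no hole because it originates on the firewall.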