Hi. Google for portknocking ! It is a solution for opening ports "at run time" by accessing some, already closed ports, and sending a specific packet type. You can add/delete iptables rules at runtime enabling access to some ports or adding destination NAT to some machine behind firewall ( in LAN ). The only thing is - no one here knows what auth method are you planning to use, but from my experience - netfilter has enough documentation and API to help you achieve your goal. Try being more specific ( if possible ). Regards, E:S -----Original Message----- From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Hal Moroff Sent: Montag, 13. November 2006 07:12 To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: Architecture advice for a newbie I'm fairly experienced with Linux and find myself on a project in an area that is new to me. We have a Debian based firewall. When a client (of our own design/implementation) contacts the firewall I wish to connect it to a device behind the firewall. The hole through the firewall should be closed until the client is explicitly authenticated, and should only remain open for a specific amount of time or until the client disconnects. When the hole is opened WAN traffic between the client and the firewall should be encrypted. I'm thinking that the client should VPN IPSec to the target, and netfilter can manage the hole. There are 2 small wrinkles to add to this: 1 - we have our own authentication scheme we wish to use, above and beyond any preshared keys 2 - the target devices are generally dumb and aren't capable of VPN/encryption (I should add that the internal LAN is trusted, so traffic inside the LAN can be unencrypted) I've just started reading up on VPN's and netfilter docs. It isn't (yet) clear to me how to manipulate netfilter at runtime like this (to open and close the hole). Regarding the "dumb target" in wrinkle #2, I'm thinking that traffic can be routed to another process on the firewall. That process would serve as the "go between" between the LAN dumb target and the rest of the world. Can anyone advise where to start investigating this?
