Re: [nftables] Deleting element from set from packet path

Hi rypervenche,

I have a working port-knocking nft firewall with this setup:
http://yalis.fr/public/knock_nftables.conf

In this example, the ports to knock are 123 234 345 456.
I hope this helps. Cheers,

Yves.

On Thu, 26 Apr 2018, rypervenche wrote:
Hello,

I'm looking to set up something of a port knocker in nftables. While I
can do this with sets with timeouts, I also would like the flexibility
to be able to remove an IP from one of said sets if the next packet that
gets sent from the source address is not the port in the specific order
I have chosen. This way port scanners would not be able to bruteforce all
of the ports within the timeout that I have chosen.

Would it be possible to request the addition of a "delete" operation to
the following feature? https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path

If this is not possible, would it be possible to use the "update"
operation to set the timeout to "0s" and thus have it immediately delete
the element in question? Currently trying to update the element with the
timeout 0s does not update the timeout, however non-zero timeouts do
work.

While my syntax is likely not correct here, this is essentially the idea
in mind:

table inet filter {
   set knock1 { type ipv4_addr; timeout 5s; }
   set knock2 { type ipv4_addr; timeout 5s; }
   set knock3 { type ipv4_addr; timeout 5s; }
   chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ... cut for space ...
        meta nfproto ipv4 counter packets 0 bytes 0 jump knock
        meta l4proto tcp counter packets 0 bytes 0 reject with tcp reset
        meta nfproto ipv4 counter packets 0 bytes 0 reject with icmp type prot-unreachable
        counter packets 0 bytes 0 reject
   }
   chain knock {
        tcp dport 1111 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock1 reject
        tcp dport != 2222 ip saddr @knock1 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock1
        tcp dport 2222 ip saddr @knock1 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock2 reject
        tcp dport != 3333 ip saddr @knock2 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock2
        tcp dport 3333 ip saddr @knock2 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock3 reject
        tcp dport != 4444 ip saddr @knock3 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock3
        tcp dport 4444 ip saddr @knock3 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 accept
   }
}

Any and all help with this would be greatly appreciated.

Thank you,

rypervenche
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

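As an added example (neither Yves's linked config nor rypervenche's draft), here is one way to get the "wrong next knock resets the client's progress" behaviour asked for above without relying on a zero timeout. It assumes an nft and kernel recent enough to support the `delete` dynamic set statement and the `add @set { expr }` syntax (both newer than this 2018 thread), and uses constructed knock ports 1111, 2222, 3333 with 4444 as the protected service.

```nft
# Added example, not from the thread. Assumes nft/kernel support for
# "delete @set { ... }" from the packet path. Knock sequence (constructed):
# SYN to 1111 -> 2222 -> 3333 within 5s of each other, then 4444 is accepted.
table inet knock {
    set knock1 { type ipv4_addr; flags dynamic; timeout 5s; }
    set knock2 { type ipv4_addr; flags dynamic; timeout 5s; }
    set knock3 { type ipv4_addr; flags dynamic; timeout 5s; }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only fresh IPv4 TCP SYNs drive the knock state machine.
        meta nfproto ipv4 ct state new tcp flags & (syn|rst|ack|fin) == syn jump knock
        # Everything else, including unfinished knocks, looks like a closed port.
        meta l4proto tcp reject with tcp reset
        reject
    }

    chain knock {
        # Final stage: the protected port opens only for hosts that completed
        # the whole sequence; the knock3 entry expires on its own after 5s.
        tcp dport 4444 ip saddr @knock3 accept

        # Wrong next knock: forget the host's progress immediately instead of
        # letting a scanner probe every port inside the timeout window.
        ip saddr @knock3 tcp dport != 4444 delete @knock3 { ip saddr } reject with tcp reset
        ip saddr @knock2 tcp dport != 3333 delete @knock2 { ip saddr } reject with tcp reset
        ip saddr @knock1 tcp dport != 2222 delete @knock1 { ip saddr } reject with tcp reset

        # Correct knock: advance one stage and leave the previous one, so a
        # host is in at most one set and the rules above stay unambiguous.
        ip saddr @knock2 tcp dport 3333 add @knock3 { ip saddr } delete @knock2 { ip saddr } reject with tcp reset
        ip saddr @knock1 tcp dport 2222 add @knock2 { ip saddr } delete @knock1 { ip saddr } reject with tcp reset
        tcp dport 1111 add @knock1 { ip saddr } reject with tcp reset
        # Anything else returns to chain input and is rejected there.
    }
}
```

Because the knock ports answer with the same TCP reset as any closed port, a scanner cannot tell them apart from the rest of the rejected range, and a single out-of-order SYN forces it to restart from the first knock.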