Rather than adding an address that matches certain IP criteria (port/protocol etc.) to a list,
I would like to remove it from a list once it doesn't match those criteria anymore.
(cleaning up lists once status of connection changes)
Is there a way to do this within the firewall/filter?
I know there is no direct “action”, but maybe some work around?
Have you tried to use a timeout parameter? When the time is exceeded the IP address is removed from the list. Afterward, it should be added again if it matches your configured parameters.
There's a gotcha with dynamic address list members: they don't survive a router reboot.
If the desired timeout is long and a missing address in the address list means a problem, then one still has to maintain a static member list and develop a mechanism to remove unneeded entries … using the comment field might prove an invaluable help here.
Hi Skylark, thanks. Yes, I know about timeouts, which I use heavily already.
But I would like to deterministically add OR remove IP addresses from a list.
This is for Port Knocking, which I use to remotely control some non-essential router functions (adding kid control internet time etc.;
it is not used for accessing the router, only for triggering scripts).
What I would want to do is: after the first port is knocked, if the 2nd knock is wrong, remove the source IP from the address list.
It would just be awesome/simplify life if there were an action like remove-from-address-list…
I also have a multi-stage portknock sequence and I use a timer.
The first port-knock packet hits my router and is placed on a list valid for 30 seconds.
So within that time-frame I expect the second port-knock packet from the same remote public IP (of course!)
And so on for some more stages.
On Android there are some well-working Portknock tools that I use to sequence everything.
After the final knock the remote public IP is allowed for X amount of time (e.g. several hours) for a specific service.
Out of curiosity, how can a 2nd knock be wrong? You don't do that manually, no? Any port-knock tool out there just follows a sequence you saved, so it is quite deterministic.
If you set a timer you could have this IP flushed from your list anyway in 5-10-15 seconds.
Sure, it would be a nice feature request and perhaps there are some use-cases for a remove-src-address-from-list action.
This is also what I do. And I have a port knock tool on my phones.
But I would just like to have it fully secured and not give a chance to random port scanners:
like on credit cards/SIM cards… if you try wrong then you're eliminated…
It would just be a clean solution for this.
I actually time out after 2 seconds at each step, and only the last address list takes a bit longer, so the script to trigger
the action doesn't need to run too often.
Actually a question: do you think it is better to "knock" at a bigger time distance (so it's hard to trace/see that
those knocks are related) or at a shorter distance and leave less "attack surface" as the lists time out faster?
This is not about your own knocks, but about an attacker penetrating your security.
Say you have a knock sequence of three ports in random order. The attacker issues three port scans et voilà… That's why acting on wrong knocks is important.
But the solution is really simple. You have three dynamic address lists "knock1", "knock2" and "knock3" (each with a timeout of just 5 or 10 seconds) that have to be unlocked one after another. Now add a fourth one, "knock-failed" (with a timeout of 15 seconds), and add to it the addresses that made it to "knock1" or "knock2" but sent a wrong address afterwards. Just ignore every knock from "knock-failed".
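As an added example (not code from the thread or from any poster), here is how the three-stage scheme with a "knock-failed" list described in the post above can be written as RouterOS firewall filter rules. The knock ports 1111/2222/3333, the protected service on TCP 8291, the list name "knocked" for the final stage and the interface list "WAN" are assumptions. Rule order is the important part: add-src-to-address-list does not stop rule processing, and a list membership added by one rule is already visible to the rules after it, so the fail rules are placed before the stage rules.

```routeros
# Added example, not from the thread. Three TCP knocks (1111 -> 2222 -> 3333),
# each stage list valid 10s, a 15s "knock-failed" list, service on TCP 8291.
# Ports, list names and the interface list "WAN" are assumptions.
/ip firewall filter

# Keep existing sessions flowing; only new connections are judged below.
add chain=input connection-state=established,related action=accept comment="knock: keep existing sessions"

# Fully knocked sources may open the protected service. This terminating accept
# must precede the fail rules, otherwise the first real connection (sent while
# the source is still in knock1/knock2) would itself count as a wrong knock.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 src-address-list=knocked action=accept comment="knock: service for knocked sources"

# Fail rules come BEFORE the stage rules because add-src-to-address-list does
# not stop processing: evaluated after its own stage rule, a correct knock would
# already be a member of the next list and look like a wrong knock.
# A source in knock2 that sends any port other than its knock ports has failed.
add chain=input in-interface-list=WAN protocol=tcp connection-state=new src-address-list=knock2 dst-port=!2222,3333 action=add-src-to-address-list address-list=knock-failed address-list-timeout=15s comment="knock: wrong 3rd knock"
# A source in knock1 that sends any port other than the knock ports has failed.
# 3333 is excluded too, since the knock1 entry lingers until its timeout.
add chain=input in-interface-list=WAN protocol=tcp connection-state=new src-address-list=knock1 dst-port=!1111,2222,3333 action=add-src-to-address-list address-list=knock-failed address-list-timeout=15s comment="knock: wrong 2nd knock"

# Everything from a failed source is dropped here, so it never reaches the
# stage rules and cannot progress until knock-failed expires.
add chain=input in-interface-list=WAN src-address-list=knock-failed action=drop comment="knock: ignore failed sources"

# Stage rules: each needs the previous list and a different port, so a single
# packet cannot cascade through them.
add chain=input in-interface-list=WAN protocol=tcp dst-port=3333 src-address-list=knock2 action=add-src-to-address-list address-list=knocked address-list-timeout=2h comment="knock: stage 3 -> knocked"
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=10s comment="knock: stage 2"
add chain=input in-interface-list=WAN protocol=tcp dst-port=1111 action=add-src-to-address-list address-list=knock1 address-list-timeout=10s comment="knock: stage 1"

# The knock packets themselves, and everything else from the WAN, are dropped.
add chain=input in-interface-list=WAN action=drop comment="knock: drop the rest"
```

Because a rule takes only one src-address-list matcher, the fail rules exclude every knock port rather than only the next expected one: a knock port sent out of order (3333 while only in knock1) is neither punished nor advanced, and a knock retried within the timeout is not treated as a failure. Watching `/ip firewall address-list print where dynamic=yes` while knocking shows the source moving through knock1, knock2, knocked or landing in knock-failed.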
The chance of that happening is very, very, very small.
There are 64K TCP and 64K UDP port combinations, and the correct sequence must be completed within some seconds.
I do it exactly like you describe above, with several lists that time out in a few seconds.
The chances of breaches by an attacker are close to zero. Really.
And you can even increase to 4-5-6 stages etc.
In my case, when you try too many faulty attempts you are thrown onto a list and remain there for a week…
I now leave ± 500ms between each "knock"; the different packets that make up the knock-sequence are stored in the ACL for 10 seconds or something. So the time window / window of opportunity is quite small.
I think the attack surface is pretty small when having these ACLs time out in the order of "seconds".
I had to experiment a bit with the timers because I also have a rule to add "port-scanners" straight onto an ACL, and they are stuck on there for a week or so.
This port-knocking in essence is also port-scanning, so I added an "exclusion" for those port-scanning rules so that they do not trigger IF you already made it onto some stage in the knocking sequence.
I use the Weight Threshold, Delay Threshold, Low Port Weight and High Port Weight parameters for this. So any public IP that tries certain quantities of probes over a period of several hours is thrown onto the "Port Scanners" list.
It took a bit of tuning to make sure port-knocking was not captured by these rules. Of course using a Portknock APP with a saved sequence normally prevents this, but some intermediate network issue can prevent certain things from coming through the first time, hence I'm not too aggressive on the parameters.
The downside is that these ACLs do not survive reboots. See an example below: I had upgraded my Mikrotik, hence the list got flushed.
But on average about 170-200 IPs are on that port-scanner list and remain there for a week.
Sure, they would get denied anyway by a final "drop any" rule, so my "construction" is more just to make things visible, and for fun actually.
(the graph below is over 1 month)
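As an added example (again not code from the thread or from the poster), the RouterOS psd matcher takes exactly the four parameters named above, in that order: weight threshold, delay threshold, low port weight, high port weight. The values 21,3s,3,1, the list names "Port Scanners" and knock1, the week-long timeout and the interface list "WAN" are assumptions to tune; the exclusion of sources already in a knocking stage is done with a negated src-address-list, and the example also shows a static list entry, which is what survives the reboot mentioned above.

```routeros
# Added example, not from the thread. Port scan detection with psd, a week-long
# "Port Scanners" list, and an exclusion for sources already in knock stage 1.
# Thresholds, list names and the interface list "WAN" are assumptions.
/ip firewall filter

# Known scanners are dropped before anything else from the WAN is looked at.
add chain=input in-interface-list=WAN src-address-list="Port Scanners" action=drop comment="psd: drop listed scanners"

# ... the port-knock stage rules (adding sources to knock1, knock2, ...) sit here,
# ahead of the psd rules, so the very first knock packet has already put its
# source into knock1 by the time the psd rules below are evaluated.

# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# With 21,3s,3,1 a source earns 3 per low port (below 1024) and 1 per high port
# it touches within 3 seconds; reaching 21 marks it as a scanner for a week.
# Sources in knock1 are excluded, which keeps a knock sequence that is sent
# inside knock1's timeout off the list. Spread the knocks further apart than
# that timeout and the exclusion no longer covers them.
add chain=input in-interface-list=WAN protocol=tcp psd=21,3s,3,1 src-address-list=!knock1 action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=1w comment="psd: list TCP scanners"
add chain=input in-interface-list=WAN protocol=udp psd=21,3s,3,1 src-address-list=!knock1 action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=1w comment="psd: list UDP scanners"

# Entries added by the rules above are dynamic and vanish on reboot. An entry
# added by hand is static and stays; the comment records why it is there.
# 203.0.113.10 is a documentation address used here only as a placeholder.
/ip firewall address-list
add list="Port Scanners" address=203.0.113.10 comment="manual: persistent, review monthly"
```

Lowering the weight threshold or raising the low-port weight makes the rule fire sooner and therefore more likely to catch a knock sequence that was retried after a lost packet; the numbers above are the starting point to tune from, not a recommendation.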
I see no reason why that would be.
It is a choice, and it offers you 64K TCP x 64K UDP = 4 million possibilities.
Hell, you could even include ICMP (some port-knock programs allow you to craft certain ICMP packet types), but I remain on the TCP+UDP side.
Maybe I am paranoid, but I was thinking about some infected/compromised internet core routers being able to track/detect connections
going to different ports between the same two IP addresses in a short time, and so detect and extract the port knocking sequence?
In this case, would it be better to "space" the individual knocks to something like 10-20 or even 30 seconds?
But if you never had any issue, then I might be overprotective…?
Although in theory you are correct, you are indeed a bit paranoid.
But remember this is only 1 line of defense. Having succeeded at the port-knock does not really grant you full access to your environment, I hope.
I hope you are still protected by some logins etc. for the different applications you might consume once port-knocking has opened the gate.
In my case only some services are opened up, each of them again password protected.
The alternative then would be a VPN, I guess, but each has its advantages/disadvantages.
Yes, no service is actually opened after knocking …
I use it to enable, for instance, a failover LTE modem easily via mobile phone.
So it's not harmful in case someone would get that one.