OpenBSD's PF Single packet acceptance

I have developed a Single Packet authorization client/server pair for OpenBSD's packet filter (aka firewall).
In summary: you have a remote machine (with OpenBSD) on which you need some port open (say 22 or 110) but you want another layer of security. The single packet authorization idea is to keep that port blocked but open it if the machine receives a specifically formed RSA-encrypted packet at a fixed port. If someone sends such a packet (which is RSA verified, obviously), the firewall opens up a specified port for a finite time for connections coming from an IP specified inside the packet.
You can download the source from here. It is now more or less documented but it works.
The server needs OpenBSD (with pf running), while the client is known to compile on OpenBSD, OS X (Tiger), NetBSD and Linux. OpenSSL is needed to compile it. The id_rsa and id_rsa.pub keys are included for your benefit and are pretty much useless.
Back to Pedro's page