OpenBSD's PF Single packet acceptance
I have developed a Single Packet
authorization client/server pair for OpenBSD's
packet filter (aka firewall).
In summary: you have a remote machine (with OpenBSD) on which you need some
port open (say 22 or 110) but you want another layer of security. The single
packet authorization idea is to keep that port blocked but open it if
the machine receives a specifically formed RSA-encrypted packet at a fixed port.
If someone sends such a packet (which is RSA verified, obviously),
the firewall opens up a specified port for a finite time for connections coming
from an IP specified inside the packet.
You can download the source from here. It is now
more or less documented but it works.
The server needs OpenBSD (with pf running), while the client is known to compile
on OpenBSD, OS X (Tiger), NetBSD and Linux. OpenSSL is needed to compile it. The
id_rsa and id_rsa.pub keys are included for your benefit and are pretty much
useless.
Back to Pedro's page