Pedro Fortuny Ayuso

Assistant Professor (Profesor Ayudante Doctor), Applied Mathematics
Escuela Politécnica de Ingeniería de Gijón.
OpenBSD's PF Single packet acceptance

I have developed a single packet authorization (SPA) client/server pair for the OpenBSD packet filter, pf.

In summary: you have a remote machine (running OpenBSD) on which you need some port open (say 22 or 110), but you want another layer of security in front of it. The single packet authorization idea is to keep that port blocked and open it only after the machine receives a specially formed, RSA-encrypted packet on a fixed port. When such a packet arrives and its RSA decryption and verification succeed, the firewall opens the specified port for a finite time, and only to connections coming from the IP address carried inside the packet. Since the address to admit is read from the packet contents rather than from the packet's source address, the knock can be sent from a different host than the one that will connect.
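To make the exchange concrete, here is an added example in Go. It is not the author's C code and does not reproduce the project's packet format; it models the same idea with the standard library: the client builds a knock naming the address to admit, the port, a timestamp and a random nonce, encrypts it to the server's RSA key (OAEP) and signs the ciphertext with its own key (PSS); the server verifies the signature before decrypting, then checks the port, the timestamp window and the nonce for replay, and returns the pfctl command that would admit the address. The pf side is assumed, not taken from the page: a `table <spa_open> persist` and a `pass in on egress proto tcp from <spa_open> to port 22` rule sitting under a block rule for that port. The 30-byte payload layout, the 30-second window, the table name and all function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// Assumed payload (not the author's format), 30 bytes, big-endian:
// IPv4 to admit | port to open | unix time | 16-byte random nonce.
const payloadLen = 4 + 2 + 8 + 16

// knock is the client side: build the payload, encrypt it to the server key,
// then sign the ciphertext with the client key. Signing the ciphertext lets the
// server verify before it decrypts, so unauthenticated bytes never reach its
// RSA private-key operation.
func knock(ip string, port uint16, now time.Time, client *rsa.PrivateKey, server *rsa.PublicKey) ([]byte, error) {
	ip4 := net.ParseIP(ip).To4()
	if ip4 == nil {
		return nil, errors.New("not an IPv4 address")
	}
	p := make([]byte, payloadLen)
	copy(p, ip4)
	binary.BigEndian.PutUint16(p[4:], port)
	binary.BigEndian.PutUint64(p[6:], uint64(now.Unix()))
	if _, err := rand.Read(p[14:]); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, p, nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, client, crypto.SHA256, d[:], nil)
	return append(ct, sig...), err
}

type Server struct {
	key    *rsa.PrivateKey        // decrypts knocks
	client *rsa.PublicKey         // the only key allowed to knock
	port   uint16                 // the single port this server will open
	window time.Duration          // tolerated clock skew; also the replay horizon
	seen   map[[16]byte]time.Time // nonce -> its timestamp, for knocks still inside the window
}

// Accept checks one knock and returns the pfctl command that admits the
// requested address, or an error saying why the packet was dropped.
func (s *Server) Accept(packet []byte, now time.Time) (string, error) {
	n := s.client.Size()
	if len(packet) <= n {
		return "", errors.New("short packet")
	}
	ct, sig := packet[:len(packet)-n], packet[len(packet)-n:]
	d := sha256.Sum256(ct)
	if rsa.VerifyPSS(s.client, crypto.SHA256, d[:], sig, nil) != nil {
		return "", errors.New("signature check failed")
	}
	p, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, ct, nil)
	if err != nil || len(p) != payloadLen {
		return "", errors.New("decryption failed or bad payload length")
	}
	ip := net.IPv4(p[0], p[1], p[2], p[3])
	if port := binary.BigEndian.Uint16(p[4:]); port != s.port {
		return "", fmt.Errorf("port %d not offered", port)
	}
	when := time.Unix(int64(binary.BigEndian.Uint64(p[6:])), 0)
	if skew := now.Sub(when); skew > s.window || skew < -s.window {
		return "", errors.New("stale or future timestamp")
	}
	// Replay defence: forget nonces whose timestamp has left the window (those
	// packets fail the skew check now anyway), then refuse any nonce seen before.
	var nonce [16]byte
	copy(nonce[:], p[14:])
	if s.seen == nil {
		s.seen = map[[16]byte]time.Time{}
	}
	for k, t := range s.seen {
		if now.Sub(t) > s.window {
			delete(s.seen, k)
		}
	}
	if _, dup := s.seen[nonce]; dup {
		return "", errors.New("replayed nonce")
	}
	s.seen[nonce] = when
	return fmt.Sprintf("pfctl -t spa_open -T add %s", ip), nil
}

func main() {
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := &Server{key: serverKey, client: &clientKey.PublicKey, port: 22, window: 30 * time.Second}
	now := time.Now()
	pkt, _ := knock("203.0.113.7", 22, now, clientKey, &serverKey.PublicKey) // constructed sample knock
	fmt.Println(srv.Accept(pkt, now))                  // pfctl -t spa_open -T add 203.0.113.7 <nil>
	fmt.Println(srv.Accept(pkt, now.Add(time.Second))) // replayed nonce
	fmt.Println(srv.Accept(pkt, now.Add(time.Hour)))   // stale or future timestamp
}
```

Running it shows one accepted knock followed by the same packet being refused twice. The "finite time" is left to pf in this model: a periodic `pfctl -t spa_open -T expire 60` removes addresses added to the table more than 60 seconds ago, so the port closes again without the daemon keeping its own timers. The timestamp window is also the only replay horizon the server has to remember nonces for, which is why the two checks share one duration; it does mean the server and client clocks must agree to within that window.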

You can download the source. It is now more or less documented and most probably outdated, but it used to work and, in some sense, the code is clear, clean and, modestly speaking, readable.

The server needs OpenBSD (with pf running), while the client is known to compile on OpenBSD, OS X (Tiger), NetBSD and Linux. OpenSSL is needed to compile it. An id_rsa key pair is included for your convenience; since it ships with the source, it is pretty much useless for anything but testing, so generate your own before relying on this.