diff --git a/debian/changelog b/debian/changelog
index 638ac87..c1c4c31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+eofirewall (0.1+git20130723-1) wheezy; urgency=low
+
+ * Add new whitelist management
+ * Improve portknocking management
+
+ -- Jérôme Schneider Tue, 23 Jul 2013 10:07:19 +0200
+
 eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
 * Use lsb init messages
diff --git a/firewall b/firewall
index 517b6fe..f24503d 100755
--- a/firewall
+++ b/firewall
@@ -138,7 +138,7 @@ port_knocking()
 return
 fi
- local port=$1
+ local ports=$1
 local knock_ports=$2
 local knock_number=$3
 local i=0
@@ -155,8 +155,10 @@ port_knocking()
 iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
 fi
 done
- log_action_msg "Port knocking for $port with combinaison $knock_ports on $WAN_INT"
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
+ log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
+ for port in $(echo $ports | sed 's/,/ /g'); do
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
+ done
 }
 start()
@@ -257,11 +259,18 @@ start()
 port_redirection $args
 done
- ## Whitelist
+ ## Old: Whitelist
 for arg in "${WHITELIST_SSH[@]}"; do
+ log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
 open_port $arg tcp ssh
 done
+ for ip in "${WHITELIST[@]}"; do
+ for args in "${WHITELIST_OPEN_PORTS[@]}"; do
+ open_port $ip $args
+ done
+ done
+
 ## NAT
 if [ $NAT == 1 ]; then
 log_action_msg "Activate nat"
diff --git a/firewall.conf b/firewall.conf
index f58fffa..92284d7 100644
--- a/firewall.conf
+++ b/firewall.conf
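Review bot: The new loop `for port in $(echo $ports | sed 's/,/ /g'); do` spawns two processes for a substitution bash does natively and leaves `$ports` unquoted in the echo; `for port in ${ports//,/ }; do` yields the same word list without the pipeline. Each token is then handed straight to `--dport`, so a typo in a PORT_KNOCK entry makes iptables reject that ACCEPT rule while the knock-port `--set` rules above it have already been installed; unless the script runs under set -e (not visible here) start() just carries on with the combination half-built. If numeric ports are the only form intended, as the conf example suggests, a guard such as `[[ $port =~ ^[0-9]+$ ]] || { log_warning_msg "port_knocking: ignoring invalid port '$port'"; continue; }` before the iptables call keeps the misconfiguration visible. The rest of port_knocking, including where tock_number is assigned, lies outside the hunk.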
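Review bot: The `log_warning_msg "WHITELIST_SSH is obsolete: ..."` line is placed inside the `for arg in "${WHITELIST_SSH[@]}"` loop, so the deprecation warning is printed once per whitelisted address rather than once; testing `${#WHITELIST_SSH[@]}` before the loop emits it a single time. The new nested loop is a silent no-op when WHITELIST_OPEN_PORTS is empty or unset, and the firewall.conf hunk in this commit only shows that variable as a commented example with no default, so an operator who moves addresses from WHITELIST_SSH to WHITELIST without adding WHITELIST_OPEN_PORTS gets no whitelist rule and no message; a warning for that combination would surface the mistake at start. Whether `open_port` accepts the comma-separated port list the conf example uses (`tcp ssh,8006`) cannot be verified from this hunk. start() begins and ends outside the hunk.
```shell
    ## Old: Whitelist
    if [ ${#WHITELIST_SSH[@]} -gt 0 ]; then
        log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
    fi
    # … unchanged: for arg in "${WHITELIST_SSH[@]}" loop, without the warning inside it …

    if [ ${#WHITELIST[@]} -gt 0 ] && [ ${#WHITELIST_OPEN_PORTS[@]} -eq 0 ]; then
        log_warning_msg "WHITELIST is set but WHITELIST_OPEN_PORTS is empty: no whitelist rule added"
    fi
    # … unchanged: nested WHITELIST / WHITELIST_OPEN_PORTS loops …
```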
@@ -25,8 +25,8 @@ ALLOW_INTS=''
 OPEN_PORTS=("0.0.0.0/0 tcp ssh")
 ## Port knocking (tcp only)
-# "port knock_ports_combinaison"
-# example : PORT_KNOCK("22 121,4353,4242,111")
+# "port[,port] knock_ports_combinaison"
+# example : PORT_KNOCK("22,4242 121,4353,4242,111")
 PORT_KNOCK=()
 ## Port forwarding
@@ -39,12 +39,15 @@ TRAFFICS=()
 # example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
 REDIRECTIONS=()
-## Whitelist ssh
+## Whitelist
 # example with an external file
 # source /etc/firewall/whitelist_ssh
-# WHITELIST_SSH=(${WHITELIST_SSH[@]})
-# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
-#WHITELIST_SSH=()
+# WHITELIST=(${WHITELIST[@])
+# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
+#WHITELIST=()
+
+ ## Whitelist port and protocol
+ # exmaple : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
 # Hook point to write your own iptables rules
 ipt_hook()
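Review bot: The new example line `# WHITELIST=(${WHITELIST[@])` drops the closing brace of the parameter expansion; it should read `# WHITELIST=(${WHITELIST[@]})`, otherwise an operator who uncomments it as the comment invites gets a bash parse error at the moment the conf is sourced, i.e. when the firewall is being brought up. The last added line misspells the word in `# exmaple :`, and the comment above it still points at `source /etc/firewall/whitelist_ssh` although the variable was renamed. Nothing in this hunk gives WHITELIST_OPEN_PORTS a default the way `#WHITELIST=()` does for the address list; a `#WHITELIST_OPEN_PORTS=()` line after the example would mirror the other settings and make it obvious that both arrays must be filled for the whitelist to take effect.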