eofirewall (0.1-20110621.1) unstable; urgency=low
* New release
* Support port knocking
* Add a test option
* Add save and load of the rules
* Modify states to support last iptables version
* Add logrotate support for the Debian packages
-- Jérôme Schneider <> Tue, 21 Jun 2011 14:27:36 +0200
eofirewall (0.1-20110509.1) unstable; urgency=low
* Using SNAT instead of DNAT

@ -128,17 +128,20 @@ port_knocking()
iptables -N toc2
iptables -A toc2 -m recent --name toc1 --remove
iptables -A toc2 -m recent --name toc2 --set
iptables -N toc3
iptables -A toc3 -m recent --name toc2 --remove
iptables -A toc3 -m recent --name toc3 --set
for port in $(echo $knock_ports | sed 's/,/ /g'); do
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --set --name toc1
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
if [ $i -gt 1 ]; then
iptables -N toc$i
iptables -A toc$i -m recent --name toc$(($i-1)) --remove
iptables -A toc$i -m recent --name toc$i --set
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc3 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
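Review bot: As printed, the `--set --name toc$i` rule inside the kport loop is emitted for every stage, not only the first one, so a single knock on the last configured port would mark `toc$i` and satisfy the final `--rcheck --name toc$i -j ACCEPT` rule without the earlier knocks; if the rendered view dropped an `else`/`fi` that limits this rule to `i == 1`, this is fine, otherwise the rule should be guarded, e.g. `else iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i; fi`. The counter `$i` is neither initialised nor incremented in the visible lines, so the value used by the final ACCEPT rule after the loop depends on where the increment sits; it should equal the index of the last knock port. The config values are expanded unquoted (`$knock_ports`, `$WAN_INT`, `$port`), which is acceptable for operator-set configuration but would be safer as `"$knock_ports"` with `tr ',' ' '` or an IFS-based split. The enclosing port_knocking() function starts before this hunk and its loop terminators fall outside the visible lines.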

@ -24,7 +24,7 @@ ALLOW_INTS=''
# " tcp ssh,imap,imaps,1024:2048,32")
OPEN_PORTS=(" tcp ssh")
## Port knocking
## Port knocking (tcp only)
# "port knock_ports_combinaison"
# example : PORT_KNOCK("22 121,4353,4242,111")
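Review bot: The new example `PORT_KNOCK("22 121,4353,4242,111")` does not match the assignment form used by `OPEN_PORTS=(" tcp ssh")` a few lines above; unless the config is parsed differently for this key, the example should read `# example : PORT_KNOCK=("22 121,4353,4242,111")` so that a user copying it produces a valid array assignment. The preceding comment could also spell out the field order it documents, e.g. `# "listen_port knock_port_combination"`.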