fwknop VS pfSense

sounds fun; i see the arch aur has a few options as well. have you tried https://www.cipherdyne.org/fwknop/ ?

Yes that's the basic idea, i tried to use fwknop first but it didn't do what i wanted it to do so i made my own

Port knocking. Or better yet FWKNOP. I'm disappointed I don't hear people talk about it more. The port isn't even open until you give the secret combination of knocks on a large number of ports. There's much more to it. I recommend listening to Episode 865 ofSecurity Now.

> Is this approach used elsewhere?

Yes, or at least in a similar fashion. An alternative variant of port knocking is SPA (Single Packet Authorization). Often SPA protocols use UDP and contain within the body field an encrypted payload containing all the required data to authenticate and authorize a particular request.

There are multiple different implementations of SPA: OpenSPA [1] (full disclosure: I am the author of OpenSPA), fwknop [2] just to name a few.

SDP (Software Defined Perimeter) often builds upon SPA technologies in order to achieve a form of zero trust access.

[1] - https://github.com/greenstatic/openspa

[2] - https://github.com/mrash/fwknop

I am currently re-writting the OpenSPA protocol (version 2) and I plan on playing around with eBPF as well, so thanks eeriedusk for paving the way :)

As an alternative to port knocking, there is: https://github.com/mrash/fwknop

fwknop is nice and simple

Sure, few links for when you dig in: http://iplists.firehol.org/, https://crowdsec.net/, https://www.zeroflux.org/projects/knock/, https://www.cipherdyne.org/fwknop/

An upgrade to port knocking is Single Packet Authorization [1]. It doesn’t suffer from the observability, and other, problems of port knocking.

[1] https://www.cipherdyne.org/fwknop/

Or keep the port closed like I do with my ssh port and use fwknop to open the port only when needed.

One option is Firewalla Gold Plus, or you could buy a mini PC like it and run pfSense/OPNsense yourself.

Download and install pfsense as a virtual machine or partition: https://www.pfsense.org Configure it with the rules you want: https://youtu.be/VAGFGppSt74 Play with it, but be careful because it will block all traffic unless you check everything properly.

Another option is Firewalla, or buy a mini PC like it and run pfSense/OPNsense yourself. Two similar concepts, with the cost being either money or your DIY time. A lot of Firewalla users say that it's much easier for home use than pfSense/OPNsense, so you might find it worthwhile to spend a little more on it upfront and have to tinker less.

If you want firewall, I think you can use https://www.pfsense.org/ or https://opnsense.org/ , maybe running on an old PC or a Raspberry Pi. Not sure.

I've recently started using OPNsense. It's similar to pfSense, but seems to be considered a little more user-friendly.

For most router issues, I recommend people always put them in to dumb bridge mode and put a proper firewall like pfsense or opnsense as your gateway.

I have found that my historical average packet loss is about 0.02%. Something distinctly changed around 4/20 of this year, and now the average packet loss has gone up to 0.05% with spikes even higher, associated with periods of elevated ping times. It rarely did that before. Typically the IPv6 stack has more problems than v4 (especially an incident of packet loss on 4/28), and neither has been trouble-free since I started service in early 2020. My data comes from a pfSense installation.

I have done this using the Pfsense