Benjamin Smith wrote:
> On Friday 16 March 2007, MrKiwi wrote:
>> mitigate a situation
>> where you have no control over an intermediate firewall that
>> only passes port 80
>
> Yes, that's EXACTLY what I'm trying to do... but I don't see how this exactly
> relates to port knocking.
>
> Port knocking seems to be that you log connection attempts to various ports
> that are otherwise closed, EG:
>
> iptables -I INPUT -p tcp -j DROP
> iptables -I INPUT -p tcp -j LOG
>
> and then watch the log file for a specific, exact sequence of connections from
> a common source IP. How would that help me here?

Yes - you're right, it would not be a simple drop-in solution. In the other scenario I suggested (reducing your visibility) port knocking would have been perfect.

You could still use a modified port knocking system I think - just using a URL hit to do the triggering instead of a port knock sequence. That way the port knock config takes care of removing the iptables line after x seconds.

See Michael Rash's PDF http://www.usenix.org/publications/login/2006-02/pdfs/rash.pdf

His implementation is rock solid, and easy to config. Also anyone with some grep and script skills should be able to hack the port-knock -> httpd-log-watcher part you need.

MrKiwi
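One way to build the URL-triggered log watcher MrKiwi describes, as an added example that is not part of the original thread and is not Michael Rash's code. It assumes an Apache/nginx combined-format access log, a hypothetical secret path `/knock/3f8c1d2e`, a DROP rule already in place for the protected port (so the inserted ACCEPT is the only way in), IPv4 clients, and root privileges when the iptables commands actually run. The sample log lines are constructed.

```python
"""URL-hit variant of port knocking: watch an httpd access log for a secret
path and open a short-lived firewall hole for the requesting IP.
Added example (not from the thread, not fwknop/Rash's code).
Assumptions: combined log format, pre-existing DROP rule on PROTECTED_PORT,
IPv4 only (ip6tables would be needed for v6), root when iptables runs."""
import hmac
import ipaddress
import re
import subprocess
import time

TRIGGER_PATH = "/knock/3f8c1d2e"   # hypothetical secret path; choose your own
PROTECTED_PORT = 22                 # assumed: the service hidden behind the DROP rule
OPEN_SECONDS = 30                   # the "remove the iptables line after x seconds"

# Combined log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def knock_source(line, trigger_path=TRIGGER_PATH):
    """Return the client IP if this access-log line is a knock, else None.

    The path is compared in constant time so the matcher itself leaks no
    timing signal, and the IP is validated before it can reach iptables.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    if not hmac.compare_digest(m.group("path").encode(), trigger_path.encode()):
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:          # garbage in the ip field: never pass it to iptables
        return None
    if addr.version != 4:       # this example only drives iptables, not ip6tables
        return None
    return str(addr)


def rule_args(ip, port=PROTECTED_PORT):
    """(open, close) iptables argument lists for one source IP.
    -I puts ACCEPT above the existing DROP; -D removes exactly that rule."""
    match = ["INPUT", "-p", "tcp", "-s", ip, "--dport", str(port), "-j", "ACCEPT"]
    return ["iptables", "-I"] + match, ["iptables", "-D"] + match


class KnockState:
    """Tracks open holes and their expiry, like the timeout in a knock daemon."""

    def __init__(self, open_seconds=OPEN_SECONDS):
        self.open_seconds = open_seconds
        self.expires = {}   # ip -> unix time at which the ACCEPT rule must go

    def handle(self, line, now):
        """Process one log line; return iptables commands to run right now."""
        cmds = []
        ip = knock_source(line)
        if ip is not None:
            if ip not in self.expires:          # already open: no duplicate rule
                cmds.append(rule_args(ip)[0])
            self.expires[ip] = now + self.open_seconds   # repeat knock extends window
        return cmds + self.expire(now)

    def expire(self, now):
        """Return the delete commands for holes whose window has passed."""
        cmds = []
        for ip in [i for i, t in self.expires.items() if t <= now]:
            cmds.append(rule_args(ip)[1])
            del self.expires[ip]
        return cmds


def follow(path, poll=0.5):
    """tail -f: yield appended lines, and None when idle so holes still expire."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)
                yield None


# Constructed sample lines (not a real log).
SAMPLE = [
    '203.0.113.7 - - [16/Mar/2007:10:00:00 +1300] "GET / HTTP/1.1" 200 1234 "-" "Mozilla"',
    '203.0.113.7 - - [16/Mar/2007:10:00:05 +1300] "GET /knock/3f8c1d2e HTTP/1.1" 404 209 "-" "curl"',
    'not-an-ip - - [16/Mar/2007:10:00:06 +1300] "GET /knock/3f8c1d2e HTTP/1.1" 404 209 "-" "curl"',
]

if __name__ == "__main__":
    state = KnockState()
    for line in follow("/var/log/apache2/access.log"):   # assumed log path
        cmds = state.expire(time.time())
        if line is not None:
            cmds += state.handle(line, time.time())
        for cmd in cmds:
            subprocess.run(cmd, check=False)
```

The knock URL need not exist on the server; a 404 in the log is enough to trigger. It crosses the wire in cleartext, so anyone who can observe it can replay it, the same weakness a plain knock sequence has; serving it over HTTPS or using a one-time token narrows that, which is the direction Rash's paper takes.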