On 04.01.2010 17:41, AJ Weber wrote:
> It wouldn't be granular enough at that, unfortunately. I have a script
> that iterates my directories now, and could insert the port-knock command
> as well...
> However, a port knock typically opens the firewall for a specified
> client IP for a small window of time (typically 30 sec). After that timeout, if
> you haven't established the TCP session, you can't get in unless you
> "knock" again. (Once you have an established connection, the firewall
> rules will continue to allow that connection, just not connect a new
> one.)
> If I'm transferring small incrementals, it would _probably_ work OK,
> because a few scp calls would likely make it within that 30 sec timeout.
> However, if/when I run a full backup, the backup of most of those
> directories would take minutes (some, many minutes) to complete, so
> somewhere during the backup run, the firewall will close up the ssh port,
> and further scp calls will be denied/blocked. Thus the problem with a
> lot of individual ssh/scp connects versus one persistent connection to
> tunnel the files/diffs through.
Then how about wrapping scp in a script that does the port knocking (possibly
even with a timeout below which it would go straight to scp without knocking)
instead of duplicity?
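The wrapper suggested in the reply above, written out as an added example; it is not code from the thread or from duplicity. The backup host, the knock sequence (7000 8000 9000), the 30 second open window and the 5 second safety margin are all assumptions, and the knock is sent with an `nc` that accepts `-z -w` (BSD/OpenBSD netcat), on the assumption that the firewall side runs a knock daemon such as knockd that only needs to see the SYN. The stamp file records when the last knock went out, so repeated scp calls inside the window skip the knock, while a call that would land too close to the end of the window knocks again. Because a stateful firewall keeps an established session after the window closes (as AJ notes), only the TCP connect is time-critical, not the length of the transfer.

```shell
#!/bin/sh
# knock-scp: hypothetical wrapper (added example, not from the thread).
# Knocks only when the previous knock is older than the firewall's open
# window minus a safety margin, then runs scp with the caller's arguments.

KNOCK_HOST="${KNOCK_HOST:-backup.example.org}"   # assumed backup host
KNOCK_PORTS="${KNOCK_PORTS:-7000 8000 9000}"     # assumed knock sequence
KNOCK_WINDOW="${KNOCK_WINDOW:-30}"               # assumed open window, seconds
KNOCK_MARGIN="${KNOCK_MARGIN:-5}"                # re-knock this long before it lapses
KNOCK_STAMP="${KNOCK_STAMP:-${TMPDIR:-/tmp}/knock-$KNOCK_HOST.stamp}"

# need_knock STAMP WINDOW MARGIN NOW
# Exit 0 (true) when a knock is needed: no stamp file, an unreadable or
# non-numeric stamp, or a last knock within MARGIN seconds of the window
# closing (knocking at 29 s of a 30 s window leaves scp 1 s to connect).
need_knock() {
    stamp=$1 window=$2 margin=$3 now=$4
    [ -f "$stamp" ] || return 0
    last=$(cat "$stamp" 2>/dev/null) || return 0
    case "$last" in ''|*[!0-9]*) return 0 ;; esac
    [ $((now - last)) -ge $((window - margin)) ]
}

# send_knock HOST PORT...
# One TCP connect attempt per port, in sequence order. The knock ports are
# closed, so each attempt is refused or times out; the knock daemon only
# needs to have seen the SYN, hence the failures are ignored.
send_knock() {
    host=$1; shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1 || true
    done
}

# knock_scp [scp arguments...]
# Knock if the stamp says the window may have lapsed, then run scp. On an
# scp failure the stamp is discarded so the next call knocks again instead
# of trusting a stamp that may describe a window the firewall already shut.
knock_scp() {
    if need_knock "$KNOCK_STAMP" "$KNOCK_WINDOW" "$KNOCK_MARGIN" "$(date +%s)"; then
        # word-splitting of KNOCK_PORTS into separate arguments is intended
        send_knock "$KNOCK_HOST" $KNOCK_PORTS
        date +%s > "$KNOCK_STAMP"
    fi
    if scp "$@"; then
        return 0
    else
        rc=$?
        rm -f "$KNOCK_STAMP"
        return "$rc"
    fi
}

# Usage: knock-scp [scp options] source... user@host:dest
if [ $# -gt 0 ]; then
    knock_scp "$@"
fi
```

The same stamp check can gate the whole per-directory loop instead of each scp call, which is the "timeout below which it goes straight to scp" the reply mentions; it does not help with a single transfer that outlives the window, but as AJ points out that case is covered by the firewall keeping the established session.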