@nk23x
Forked from daniel-corbett/haproxy-portknock.cfg
Created July 15, 2022 23:15
HAProxy Port Knocking
# Listens on 6000-9000 for a sequence of port knocks.
# Requires an explicit order of port access before opening.
# Currently defined order is 6001, 7001, 8001, 9000.
# A connection to any other port in the 6000-9000 range resets the sequence
# (gpt0 back to 0). A knock port hit out of order is simply ignored, and
# hitting 6001 again while the sequence is incomplete restarts it at step 1.
# Once gpt0 reaches 4 (the 9000 knock itself included), connections from that
# source IP to any of the four knock ports are forwarded to SSH until the
# table entry expires or a non-knock port in the range is touched.
# Note: HAProxy completes the TCP handshake before these rules run, so a SYN
# scan still reports the whole range as open; the secrecy of the sequence is
# the only protection, and the knocks travel in cleartext.
listen portknock
    mode tcp
    bind *:6000-9000
    # one entry per source IP; gpt0 holds the current step of the sequence
    # (conn_cnt is stored but not used by the rules below)
    stick-table type ip size 1m expire 24h store conn_cnt,gpt0
    tcp-request connection track-sc0 src
    # rules are evaluated in order on every new connection; each step requires
    # the previous one, except the first, which can restart an unfinished sequence
    tcp-request connection sc-set-gpt0(0) 1 if { dst_port 6001 } { sc_get_gpt0(0) -m int lt 4 }
    tcp-request connection sc-set-gpt0(0) 2 if { dst_port 7001 } { sc_get_gpt0(0) -m int eq 1 }
    tcp-request connection sc-set-gpt0(0) 3 if { dst_port 8001 } { sc_get_gpt0(0) -m int eq 2 }
    tcp-request connection sc-set-gpt0(0) 4 if { dst_port 9000 } { sc_get_gpt0(0) -m int eq 3 }
    # any other port in the range resets the sequence
    tcp-request connection sc-set-gpt0(0) 0 unless { dst_port 6001 7001 8001 9000 }
    # silent-drop closes without sending a RST, so the client is left with a
    # half-open socket until it times out; the knock is still recorded because
    # the rules above have already run
    tcp-request connection silent-drop unless { sc_get_gpt0(0) 4 }
    server ssh 127.0.0.1:22
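As an added example (not part of the gist or of HAProxy), the Python below models how HAProxy evaluates the `tcp-request connection` rules above for each new connection, one `gpt0` value per source IP, so the edge cases (out-of-order knocks, restarts on 6001, reset by a non-knock port, per-IP isolation) can be checked without a running proxy. It also includes a minimal knock client that replays the sequence with real TCP connects. The class and function names, the host argument, and the sample source addresses from the 203.0.113.0/24 documentation range are assumptions constructed for the example.

```python
"""Model of the gist's HAProxy port-knock rules, plus a matching knock client.

Added example; not code from the gist or from HAProxy.  The state machine
mirrors the tcp-request connection rules: one gpt0 counter per source IP,
rules evaluated in order on every new connection.
"""
import socket
import time

KNOCK_SEQUENCE = (6001, 7001, 8001, 9000)   # order defined in the gist
OPEN_STATE = len(KNOCK_SEQUENCE)            # gpt0 == 4 means "open"


class PortKnockTable:
    """In-memory stand-in for `stick-table type ip ... store gpt0`."""

    def __init__(self, low=6000, high=9000):
        self.low, self.high = low, high      # bind *:6000-9000
        self.gpt0 = {}                       # src ip -> gpt0 (missing entry == 0)

    def connection(self, src, dst_port):
        """Evaluate the rules for one new TCP connection from `src`.

        Returns "ssh" if the connection would be forwarded to 127.0.0.1:22,
        "drop" if it would hit silent-drop, or "closed" if nothing listens.
        """
        if not (self.low <= dst_port <= self.high):
            return "closed"
        state = self.gpt0.get(src, 0)        # track-sc0 src; new entries start at 0

        # sc-set-gpt0(0) 1 if { dst_port 6001 } { sc_get_gpt0(0) -m int lt 4 }
        if dst_port == KNOCK_SEQUENCE[0] and state < OPEN_STATE:
            state = 1
        # steps 2..4 each require exactly the previous step (eq 1, eq 2, eq 3)
        for step, port in enumerate(KNOCK_SEQUENCE[1:], start=2):
            if dst_port == port and state == step - 1:
                state = step
        # sc-set-gpt0(0) 0 unless { dst_port 6001 7001 8001 9000 }
        if dst_port not in KNOCK_SEQUENCE:
            state = 0
        self.gpt0[src] = state

        # silent-drop unless { sc_get_gpt0(0) 4 }
        return "ssh" if state == OPEN_STATE else "drop"


def knock(host, sequence=KNOCK_SEQUENCE, delay=0.2, timeout=1.0):
    """Replay the knock sequence against a real HAProxy (not run in the test).

    The kernel completes the handshake before HAProxy's rules run, so each
    connect() normally succeeds even though the connection is then silently
    dropped; the knock is recorded before the drop.  Afterwards the caller can
    connect to any knock port (e.g. `ssh -p 9000 host`) to reach SSH.
    """
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass                 # a timeout here does not mean the knock was lost
        finally:
            s.close()
        time.sleep(delay)        # give the proxy time to record the step


def walk(table, src, ports):
    """Feed a list of destination ports from one source; return the outcomes."""
    return [table.connection(src, p) for p in ports]


if __name__ == "__main__":
    t = PortKnockTable()
    client = "203.0.113.5"       # constructed sample source address
    print(walk(t, client, [7001, 6001, 8001, 7001, 8001, 9000, 6001, 6500]))
```

Running the block prints `['drop', 'drop', 'drop', 'drop', 'drop', 'ssh', 'ssh', 'drop']`: the early 7001 and the out-of-order 8001 are ignored rather than resetting, 9000 opens access, the following 6001 is forwarded to SSH because the open state is not below 4, and the stray 6500 closes the entry again. Anyone scanning the range from the same NAT address as a legitimate client will therefore reset that client's sequence, which is worth knowing before deploying this behind shared egress.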