If I understand the question correctly, isn't this what "port knocking" or single packet authorization (e.g. fwknop) is supposed to do? I have used fwknop and SSH in our lab, but only with Linux and iptables. However, I think fwknop is supposed to interface with more than just iptables on the local box (meaning you would not have to use a Linux box to replace your current firewall).
I think you can use fwknop to monitor syslog and parse for specific events and then open the port. In other words, your current firewall reports to your syslog server and fwknop parses the log file for the security event associated with the reception of a SPA packet on your outside interface. Fwknop then sends your firewall (through a script?) whatever command is required to open the port you want and redirect it to the appropriate inside machine (or you could simply enable / disable a preconfigured rule). I am not a scripting guru so I may be WAY off base here and if I am, I apologize for leading you astray. Anyway, you might want to check out the following:
http://cipherdyne.org/fwknop/ --> FireWall KNock Operator home page
http://fwknop.darwinports.com/ --> OS X fwknop client
There is also a Windows UI version that is supposed to create SPA packets without using fwknop / Perl or running under Cygwin, but I have not used that.
Richard
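Richard's syslog-watching idea, as an added example that is not part of the original thread and not fwknop's own code: a Python sketch that picks SPA-port hits out of constructed iptables LOG lines and builds the per-source iptables rules (using the 8888 -> 10.10.1.188:5631 mapping from the question) together with the matching deletes that close the hole again. The log prefix, interface name, SPA port and log line format are assumptions.

```python
import re

# Constructed iptables-style syslog lines (not captured from a real firewall).
# A LOG rule on the outside interface tags packets that hit the SPA port.
SAMPLE_SYSLOG = """\
Apr 29 19:50:01 fw kernel: SPA-KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40001 DPT=62201 LEN=182
Apr 29 19:50:03 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=5555 DPT=8888 LEN=60
Apr 29 19:50:04 fw kernel: SPA-KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=UDP SPT=5556 DPT=62201 LEN=182
"""

LOG_RE = re.compile(
    r"(?P<prefix>\S+) IN=(?P<iface>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_log_line(line):
    """Fields of one iptables LOG line, or None if the line is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def spa_sources(log_text, prefix="SPA-KNOCK", iface="eth0", port=62201, proto="UDP"):
    """Distinct sources whose packet hit the SPA port on the outside interface.

    A log line proves only that a packet arrived; whether its payload was a
    valid (encrypted, authenticated) SPA message is for the SPA verifier to
    decide from the packet itself, so treat these addresses as candidates.
    """
    found = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and (f["prefix"], f["iface"], f["proto"], int(f["dpt"])) == (prefix, iface, proto, port):
            if f["src"] not in found:
                found.append(f["src"])
    return found

def open_rules(src, outside_port, inside_host, inside_port):
    """iptables commands that admit `src` to `outside_port` and DNAT it inward.

    Returns (add_commands, delete_commands): run the adds now and schedule the
    deletes after the access window so the hole closes again.
    """
    tag = f"spa-{src}-{outside_port}"
    nat = (f"PREROUTING -s {src} -p tcp --dport {outside_port} -m comment --comment {tag} "
           f"-j DNAT --to-destination {inside_host}:{inside_port}")
    fwd = (f"FORWARD -s {src} -d {inside_host} -p tcp --dport {inside_port} "
           f"-m comment --comment {tag} -j ACCEPT")
    adds = [f"iptables -t nat -I {nat}", f"iptables -I {fwd}"]
    dels = [f"iptables -t nat -D {nat}", f"iptables -D {fwd}"]
    return adds, dels
```

Feeding `spa_sources(SAMPLE_SYSLOG)` into `open_rules(src, 8888, "10.10.1.188", 5631)` yields the add/delete pairs for each candidate source; the SPA payload check itself still has to happen before the adds are executed.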
On 4/29/08 7:50 PM, "jz@ellingtongeologic.com" <jz@ellingtongeologic.com> wrote:
Good Morning Mike:
I had a question and sent it to the list (it might not have gone through). The question was: is it possible for stunnel to go to the router, for example 10.10.1.1, to scan for a port of interest and see whether there is a request through that port? So the NAT router would not have to forward the port to the stunnel on my local machine, e.g. 10.10.1.188, on which stunnel is listening on port 8888 and will relay it to 5631 of the local program.
Thanks