[oneru]

<shameless_plug> Check out fwknop, https://www.cipherdyne.org/fwknop/ It's one solution to this problem. Instead of answering with garbage, it allows for keeping the firewall closed/default drop stance. It's port knocking, but with real cryptography instead of just relying on hitting port numbers, and does it with just a single packet. </shameless_plug> Full disclosure: I'm one of the Fwknop devs.