Silent, multi-layer security for your organization.
Port knocking: a stealthy system for network authentication across closed ports
Port Knocking has not been seen on TV
port knocking > primer > filtering

Firewall Primer

Perl prototype: v0.30

  • pcaplib support added; daemon no longer requires firewall log file

2004-Nov-14 18:59 | ...more

new Net::Pcap support added to sniff packets directly ...more

This section introduces the idea of communication ports and firewalls at a very introductory level. If you are familiar with TCP/IP and firewalls, you can skip past this section and go straight to the details of the port knocking implementation. This introduction is not a technical document and is targetted at a non-technical audience or novices computer users and administrators.


Filtering incoming traffic by IP address can minimize a server's exposure to connections from untrusted IP ranges or IPs of computers known to originate or mediate hack attempts. IP filtering can be used to

  1. block traffic to and from IP addresses implicated in scans or attack attempts
  2. block traffic from groups of IP addresses or entire networks

Figure 6 illustrates a typical scenario in which IP filtering is useful. If a known network is found to harbour malevolent users (sipping espressos and trying to penetrate and exploit systems - maybe yours!) filtering all incoming traffic from the network will deflect the aggression to other systems. After all, a lot of internet security is about making yourself less of a target than the computer next-IP to you. This method works very well if (a) you know exactly on which network(s) these espresso junkies (no flames please - I love espresso) reside, and (b) they are stationary and do not change IP addresses or break into hosts which your firewall does not filter.

Port Knocking (c) 2002-2017 Martin Krzywinski
Figure 6 | A possible scenario motivating the use of IP filtering. Two remote locations house trusted users, indicated by green hats, and malevolent users, shown by red hats. If you can map the malfeasants to a set of IP addresses, blocking incoming traffic from these IPs will reduce the risk of attack. In this example, the bad guys cannot connect to port 110.
last updated 2004-Apr-05 16:58
Port Knocking (c) 2002-2017 Martin Krzywinski