Let yourself in.
Port knocking: a stealthy system for network authentication across closed ports
Port Knocking has not been seen on TV
port knocking > primer > rationale

Firewall Primer

Perl prototype: v0.30

  • pcaplib support added; daemon no longer requires firewall log file

2004-Nov-14 18:59 | ...more

new Net::Pcap support added to sniff packets directly ...more

This section introduces the idea of communication ports and firewalls at a very introductory level. If you are familiar with TCP/IP and firewalls, you can skip past this section and go straight to the details of the port knocking implementation. This introduction is not a technical document and is targetted at a non-technical audience or novices computer users and administrators.


VIRUS A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems look up virus on webopedia.com look up virus on FOLDOC

TROJAN A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer (partial lists). look up trojan on webopedia.com look up trojan on FOLDOC

WORM A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down. look up worm on webopedia.com look up worm on FOLDOC

BACKDOOR An undocumented way of gaining access to a program, online service or an entire computer system. The backdoor is written by the programmer who creates the code for the program. It is often only known by the programmer. look up backdoor on webopedia.com look up backdoor on FOLDOC

DoS Attack Short for denial-of-service attack, a type of attack on a network that is designed to bring down a network by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.

definitions courtesy of Webopedia.

rationale for port knocking

You may be wondering: "What is the purpose of firewalls?". After all, if we don't want people connecting to our server, why not simply turn off the network services? An open port without an associated listening application is like a walled-in door and not a security risk, right? Well, not exactly.

The primary purpose of firewalls is to precisely define and limit the variety of communication possible within a network. System administrators tend to be justifiably paranoid and need to enforce limits to help monitoring and troubleshooting. However, the purpose of firewalls does not primarily rest in deriving a sense of control. Unless you are very familiar with your operating system, you may not be aware of all the services running on your computer.

Some operating systems install with a large number of listening services (e.g. ftp, mail, finger, telnet, time, echo, etc.) and leave their ports open. Instead of you hunting these services down and turning them off, it would be the firewall's role to deny communication to these services' ports. You might make a mistake and accidentally start the telnet service - a bad thing if your firewall doesn't block the telnet port. It might be a bad thing because you are unaware that now you have a listening application on an open port. This is somewhat equivalent to not only leaving a window open in your house while on vacation, but not even knowing that the window is there.

Aside from unwanted, but legitimate services, illegitimate services such as backdoors or trojans may be silently running on your computer. Their spread is made possible, and increasingly so, by the common practise of downloading software from unverified/untrusted sources. If you are not running an updated virus scanner and have download software from the internet (peer-to-peer, personal web sites of friends, of friends of friends, and of strangers, etc) it's likely that you are infected. If you have a firewall which blocks the illegitimate service's port then the infection is merely a nuisance.

Port Knocking (c) 2002-2019 Martin Krzywinski
Figure 5 | A server with IP-filtering enabled in its firwall rule set. Specific remote hosts are allowed to check mail via the POP service running on port 110. Logging of connections to port POP/110 tracks usage. Logging of the closed mysql/3306 port keeps tabs of potentially malicious remote IPs.

Firewalls control which remote computers can connect to given ports. While some ports are typically meant for general public use (e.g. http/80), communications to others might need to be tightly controlled (e.g. telnet/22, pop/110, proprietary applications, etc.). The scenario corresponding to the following rule set is shown in Figure 5.

  1. allow connections from everywhere to ports ftp/21, snmp/25, http/80
  2. allow connections from IP1,IP2,IP3 to ports POP/110 (+log all connection attempts)
  3. disallow connections to port mysql/3306 (+log all connection attempts)
  4. disallow connections to all other ports

In this example, specific remote hosts are allowed to connect to the POP service. Presumably only users at these IP addresses have legitimate reasons to connect to this service. All remote hosts are still allowed to connect to ftp/21, snmp/25 and http/80 services. Firewalls can log traffic and in this particular case logging is turned on for ports pop/110 and mysql/3306. While it's clear why logging might be turned on a port which to which connections are allowed, you may be wondering why logging is turned on for a closed port.

First, logging of closed ports can detect port scans. Port scans describe a process in which a user at a remote computer attempts to connect to all or a subset of ports in order to detect which services are running. If there is no reason for someone to be connecting to your mysql/3306 port, then any attempted connection may be a sign of malevolent intentions. Of course, it may not be a sign of anything - the user at the remote end may be simply be connecting to the wrong IP address. "Hello? ... Oh, sorry, I have the wrong IP address." Well, you get the idea.

last updated 2004-Apr-05 16:55
Port Knocking (c) 2002-2019 Martin Krzywinski