Port knocking: a stealthy system for network authentication across closed ports

Firewall Primer

Perl prototype: v0.30

pcaplib support added; daemon no longer requires firewall log file

2004-Nov-14 18:59 | ...more

new Net::Pcap support added to sniff packets directly ...more

This section introduces the idea of communication ports and firewalls at a very introductory level. If you are familiar with TCP/IP and firewalls, you can skip past this section and go straight to the details of the port knocking implementation. This introduction is not a technical document and is targetted at a non-technical audience or novices computer users and administrators.

ports packets services allocation firewalls rationale ip filtering limitations resources

port types

The figures in this introduction depict four different types of ports, each with a different icon.

an open port without an associated application an open port without a listening application. Remote computers are not prevented from attempting to make a connection by a firewall but there is no application listening on this port

an open port with an application listening for connections. Remote hosts can successfully connect to a port and communicate with the listening application (e.g. view a web page).

a closed port without an associated application a closed port without a listening application. A firewall on the server has been configured to prevent remote hosts from attempting a connection to this port.

a closed port with an application listening for connections. Because connections to this port are blocked by the server's firewall, it is not possible to communicate with the listening application.

server

Consider a network server which hosts a number of network services . These services are applications which accept connections from remote computers and allow the users to carry out some tasks: send or check mail, log in, look at a web page, etc. Service applications listen for connections to particular ports, agreed upon by the internet community. The organization IANA (Internet Assigned Numbers Authority) regulates the use of ports 0-1023, assigning to each port a well-known service. For example, web services use port 80. You can imagine that without such a convention it would not be possible to quickly figure out how to connect to a computer serving web pages - it would be like trying to guess the right entrance on a house with 65,356 doors.

The table on the right shows four possible states for any given port. Ports can be either closed or opened as prescribed by the server's firewall configuration, regardless of the presence of any listening applications. Ports can appear open to some computers but not others with the use of firewall-based IP-filtering, described below. The firewall, as in the case of IPCHAINS/IPTABLES on Linux, is mediated by the operating system kernel and controls the flow of communication upstream of any listening applications.

Figure 1 shows a server which is running four services and which has no firwall. All ports are open. Remote computers may attempt to connect to all ports and will successfully connect to four ports: ftp/21, smtp/25, http/80 and pop/110.

Port Knocking (c) 2002-2018 Martin Krzywinski

Figure 1 | A hypothetical internet server running FTP (port 21), mail (SMTP, port 25), web (HTTP, port 80) and POP (port 110) services. POP (Post Office Protocol) is a protocol used by mail clients (e.g., Eudora, pine, Outlook Express, etc). Remote hosts can establish connections to ports that are open (green) and that have listening applications. This server has no firewall and consequently all ports are open. Two of the applications (grey) are not network services and are not listening to ports.

last updated 2004-Apr-05 16:42