Port knocking: a stealthy system for network authentication across closed ports

Firewall Primer


This section introduces the idea of communication ports and firewalls at a very introductory level. If you are familiar with TCP/IP and firewalls, you can skip past this section and go straight to the details of the port knocking implementation. This introduction is not a technical document; it is targeted at a non-technical audience of novice computer users and administrators.

firewalls

Firewalls are applications which control network communication. A firewall constrains which computers can connect to the server (IP filtering) and to which ports connections can be made (port filtering). These applications are called firewalls because they serve as a barrier (burning barriers, no less) to unwanted communication attempts.

In Figure 4 the server from Figure 1 is running a firewall. Except for four, all privileged and well-known ports are blocked by the firewall: connection attempts to these ports are denied. Dynamic ports are left open so that client applications running on the server can communicate with remote services.


Figure 4 | A firewall blocking access to all privileged ports except those which provide conduits to running services. The entire range of well-known ports is also blocked.

There are various ways in which firewalls can be configured; that topic is beyond the scope of this introduction. In most cases, however, the rule set is written to define precisely what is allowed and to disallow everything else. Such a rule set would look something like this:

  1. allow connections to ports ftp/21, smtp/25, http/80, pop/110
  2. disallow connections to all other ports

This conservative philosophy is a good approach: if an unauthorized application were started on port 81, nobody could connect to it, because port 81 is denied by the "disallow connections to all other ports" part of the rule set. By having a specific allow policy and a general disallow policy, the firewall minimizes the risk of forgetting specific ports. Forgetting to open a port is less likely to lead to a security vulnerability than forgetting to close a port. This is similar to the "easier to ask for forgiveness than get permission" rule employed by children, teenagers and occasionally repentant adults.
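The following Python model is an added example and is not part of the original primer or the port knocking project. It encodes the two-line rule set above as a first-match packet filter with a default policy, so you can see why port 81 is unreachable under the "allow specific, disallow everything else" approach but reachable when the catch-all disallow is missing and the default is allow. It also shows IP filtering alongside port filtering, a cheap check for rules that are shadowed by an earlier catch-all, and a rendering of the rule set as iptables commands (the primer names no firewall product; that mapping, the `Rule` class, and all client addresses are assumptions constructed for this example).

```python
"""Model of the primer's default-deny rule set (added example).

A firewall rule set is evaluated top to bottom; the first matching rule
decides, and a policy default applies when nothing matches.  The rule set
below is the primer's: allow ftp/21, smtp/25, http/80, pop/110 and
disallow everything else.  All client addresses here are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    action: str
    dst_port: Optional[int] = None  # None matches any port (port filtering)
    src_net: str = "0.0.0.0/0"      # which clients may connect (IP filtering)

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (self.dst_port in (None, dst_port)
                and ip_address(src_ip) in ip_network(self.src_net))


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default: str = DENY) -> str:
    """Verdict for one connection attempt: first match wins, otherwise
    the chain's default policy applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


# The primer's rule set: specific allows, then a general disallow.
PRIMER_RULES = [
    Rule(ALLOW, 21), Rule(ALLOW, 25), Rule(ALLOW, 80), Rule(ALLOW, 110),
    Rule(DENY),  # "disallow connections to all other ports"
]

# The same allows with the catch-all removed; safe only if the default is DENY.
PERMISSIVE_RULES = PRIMER_RULES[:-1]


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every connection they would match (e.g. a catch-all deny placed
    above the allows).  A cheap sanity check on rule order."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            port_covered = earlier.dst_port in (None, later.dst_port)
            net_covered = ip_network(earlier.src_net).supernet_of(
                ip_network(later.src_net))
            if port_covered and net_covered:
                shadowed.append(j)
                break
    return shadowed


def to_iptables(rules: List[Rule], chain: str = "INPUT",
                default: str = DENY) -> List[str]:
    """Render the model as iptables commands for TCP (an assumed mapping;
    the primer itself names no firewall product)."""
    cmds = []
    for r in rules:
        target = "ACCEPT" if r.action == ALLOW else "DROP"
        port = f" --dport {r.dst_port}" if r.dst_port is not None else ""
        cmds.append(f"iptables -A {chain} -p tcp -s {r.src_net}{port} -j {target}")
    cmds.append(f"iptables -P {chain} {'DROP' if default == DENY else 'ACCEPT'}")
    return cmds


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed client address
    for port in (80, 81):
        print(f"port {port}: default-deny -> {evaluate(PRIMER_RULES, client, port)}, "
              f"default-allow without catch-all -> "
              f"{evaluate(PERMISSIVE_RULES, client, port, default=ALLOW)}")
    # Same ports, but ftp restricted to one client network (IP filtering).
    restricted = [Rule(ALLOW, 21, "192.0.2.0/24")] + PRIMER_RULES[1:]
    print("ftp from 192.0.2.5:", evaluate(restricted, "192.0.2.5", 21))
    print("ftp from", client + ":", evaluate(restricted, client, 21))
    print("shadowed when the deny is placed first:",
          shadowed_rules(PRIMER_RULES[::-1]))
    print("\n".join(to_iptables(PRIMER_RULES)))
```

Run it and port 81 comes back `deny` under the primer's rule set and `allow` under the permissive variant, which is the whole argument of the paragraph above in executable form. The `shadowed_rules` check catches the classic ordering mistake of putting the catch-all disallow above the allows, which would silently deny the four services the administrator intended to expose.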

last updated 2004-Apr-05 16:49
Port Knocking (c) 2002-2017 Martin Krzywinski