knockd is a port-knock server.
Once the server detects a specific sequence of port hits, it runs a command defined in its configuration file. This is useful for opening temporary holes in a firewall when quick access is needed: for example, a strict default-DENY firewall policy in which a service becomes reachable only after a successful knock sequence.
Here is how it works: the client sends four TCP SYN packets to the server on specific ports, in this example 38281, 29374, 4921 and 54918. knockd detects the sequence and runs an iptables command that opens port 22 to the client's address. The client then connects over SSH and performs its task.
After the task is completed, the client sends another sequence of four TCP SYN packets, this time to ports 37281, 8529, 40127 and 10100. knockd detects this sequence too and runs a second iptables command that closes port 22 to the client again. Two caveats a deployment should account for: the knock sequence travels in the clear and knockd acts on the packet's source address without any handshake, so anyone who can observe the sequence can replay it (one-time sequences address this), and the configured command runs with knockd's privileges, normally root, so it should be as narrow as possible.
Recent releases have added several features. The knock client can now set the protocol per port (for example 38281:tcp 29374:udp) instead of switching every port to UDP with the -u option. Memory leaks and potential security issues have been fixed, and a --lookup option performs DNS lookups on the knocking addresses. One-time sequences are supported, and the Interface directive selects the interface knockd listens on. Packet filtering has moved into kernel space via BPF filters, so far fewer packets are copied to user space, and individual TCP flags can now be excluded from a match by prefixing them with an exclamation mark. Finally, the leftover, deprecated layer-2 MAC logic has been removed, which simplifies the code and its attack surface.
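The two sequences described above, together with the newer directives, expressed as a knockd.conf. This is an added example, not the sample configuration shipped with knockd; the interface name, the one-time sequence file path, the 7000,8000,9000 sequence and the "syn,!ack" flag spelling are assumptions made to illustrate the text.

```ini
# /etc/knockd.conf (added example; paths and interface are assumptions)
[options]
	UseSyslog
	# Interface directive: only watch the external interface
	Interface = eth0

# The open sequence from the text: insert an ACCEPT for the knocking host only.
# %IP% is replaced with the source address of the packets that completed the sequence.
[openSSH]
	sequence    = 38281,29374,4921,54918
	seq_timeout = 5
	# bare SYN only: a SYN with ACK set is a handshake reply, not a knock
	# ('!' excludes a flag; filtering is done in-kernel with BPF)
	tcpflags    = syn,!ack
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# The close sequence from the text: delete exactly the rule inserted above.
[closeSSH]
	sequence    = 37281,8529,40127,10100
	seq_timeout = 5
	tcpflags    = syn,!ack
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# Alternative: one sequence that opens the port and closes it again after
# cmd_timeout seconds, so a client that forgets the close knock does not
# leave the hole open. The firewall must already ACCEPT ESTABLISHED traffic
# (e.g. iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT),
# otherwise the SSH session is cut off when the rule is removed.
[opencloseSSH]
	sequence      = 7000,8000,9000
	seq_timeout   = 5
	tcpflags      = syn,!ack
	start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	cmd_timeout   = 10
	stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# One-time sequences: the file holds one sequence per line; after a sequence
# has been used knockd comments out that line, so a captured knock cannot be replayed.
[otpSSH]
	one_time_sequences = /etc/knockd/ssh_sequences
	seq_timeout        = 5
	tcpflags           = syn,!ack
	start_command      = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	cmd_timeout        = 10
	stop_command       = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

On the client side the open sequence is sent with `knock -v server 38281 29374 4921 54918` and the close sequence with `knock -v server 37281 8529 40127 10100`; the per-port protocol form is `knock server 38281:tcp 29374:udp`. When testing a new configuration, run the daemon in the foreground with `knockd -D -v -c /etc/knockd.conf` so every matched stage and executed command is printed, and check with `iptables -L INPUT -n` that the rule inserted by the open knock is removed again by the close knock or by cmd_timeout.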