The Doorman
- or -
"Silent Running"

Current version: 0.81    Last update:  Sept. 05, 2005

    Version 0.81 of the doorman is mainly a bug-fix release. Version 0.81 of the knocker unchanged from 0.8, but is given a new number to keep it in sync with the doorman.
    The "silent doorman" problem, in which the doorman mysteriously and stubbbornly ignores all knocks, can now be remedied by use of a new "-X" command-line parameter and "link-header-length" configuration parameter. See the "README" file.


This project allows a server to run silently, invisibly, with all TCP ports closed... except to those who know... the secret knock!


The doorman is intended to run on systems which have their firewall rules turned down tightly enough as to be effectively invisible to the outside world.    The doorman adds and removes extra rules in a carefully controlled manner.

Using metaphor 1...
The doorman daemon "guards the door" of a host, admitting only recognized parties.   It allows a server which is not intended for general public access to run with all of its TCP ports closed to the outside world.   A matching "knocker" is provided, with which to persuade the doorman to open the door a crack, just wide enough for a single TCP connection from a single IP address.

And now, switching to metaphor 2... :)
A private server thus rigged for silent running has greatly enhanced security.   Port scans cannot reveal its existence.   Even if its existence is known by other means (or the firewall isn't all that tight), possible bugs in server code cannot be exploited; packets from unknown sources simply never get to the bug.

The current implementation of the doorman, "doormand",  is suitable for protecting only TCP services on Unix-type systems.     The door-knocker, "knock",  can be run under Unix, GNU/Linux, or  Microsoft Windows.

The doorman is based on an original idea of Martin Krzywinski, who proposed watching firewall logs for a sequence of packets directed to closed ports, which method he described in Sysadmin magazine and
You might also visit his pages at

This particular implementation deviates a bit from his original proposal, in that the doorman watches for only a single UDP packet.   To get the doorman to open up, the packet must contain an MD5 hash which correctly hashes a shared secret, salted with a 32-bit random number, the identifying user or group-name, and the requested service port-number.

To explain a bit further, here are HTML versions of the manual pages included in the tarball:

  doormand.8   guestlist.5   knock.1   knockcf.5   KNOCK.HTM (for the Windows version of the knocker)


The doorman & knocker are here     (there is also a pre-compiled Windows knocker.)

Masochistic guinea-pigs may use anonymous cvs to get the bleeding-edge code:

    > cvs login
        (When prompted for a password for anonymous, simply press the Enter key.)
    > cvs -z3 co doorman

This is 'beta' software, and, of this date, has been tested only under SuSE Linux 7.1 - 9.3.
While the doorman daemon should build and function on most linux distributions, as well as FreeBSD, netBSD, OpenBSD, and MacOS X, only 'knock' has been tested on them.

If you have any comments, suggestions, complaints, bug reports, ( even flames! ), please feel free to mail
bward2 at

keywords = "firewall, security, network security, system security, silent running, portknocker, port knocker, portknocking, port knocking, doorman, daemon, doorman daemon"

Hosted by: Logo         Idea by: Banner         HTML by: Vim Logo         Fuelled by: Mooshead Pale Ale gif