knock(1) Doorman & Knocker knock(1) NAME knock - The port-knock client SYNOPSIS knock [-h] [-v] [-U] [-t s.s] [-p port] \ [-g groupid] [-s secret] host service DESCRIPTION "Knock on the door" of a host running the 'doorman' dae mon. If the conditions outlined below are met, a firewall rule will be created for a short time allowing a TCP con nection on the requested port. If a connection is made within this time, the rule will be left in place until the connection is broken. No reply is made to the knock; success is apparent only when a connection to the requested server has been made. OPTIONS -h 'help'; print a message explaining the options and quit. -v 'version'; print the version number and quit. -p port Override the 'port' value in 'KNOCK.CFG'. Knock on the specified UDP port. -g groupid Override the 'group' value in 'KNOCK.CFG'. -r "program arg1 arg2..." Override the 'run' value in KNOCK.CFG. Run this program after sending the knock packet. The argu ment list given to the program may include the spe cial strings %H% and %P%. '%H%' substitutes for the hostname to which the knock is sent; '%P%' sub stitutes for the portnumber or service name. Example: knock -r"ssh -l myname %H%" abc.what ever.org ssh To avoid running the program specified by the 'run' record, use any of: -r" " , -r' ' , -r0 , -rX , or -rx -s secret Override the 'secret' value in 'KNOCK.CFG'. host the IP address or DNS name of the host to which a TCP connection is desired. service the port number or service name (as defined in /etc/services) of the desired service. CONDITIONS In order for a knock to succeed, the following conditions must be met: 1. the groupid must be in the doorman's 'guestlist' file 2. the secret must match that in the guestlist record for that group 3. the IP address of the client machine's interface must match one of the addresses in the guestlist record 4. the service requested must be in the guestlist record 5. A randomly-chosen number (called a 'tag') is sent in the knock packet; it must not occur in a list of old tags kept by the doorman. It may occasionally happen that a tag is found in the list, and the knock will fail; there is no other remedy for this but to make another attempt. However, since tags are 32 bits in magnitude, such occur- rences should be rare. FILES C:\KNOCK.CFG: the configuration file for 'knock'. SEE ALSO knockcf(5), doormand(8), doormand.cf(5), guestlist(5) ACKNOWLEDGEMENT doormand and knock are an implementation of an original idea by Martin Krzywinski. See his site at http://www.portknocking.org COPYRIGHT Copyright (c) 2003-2004, J.B.Ward <bward2@users.sourceforge.net> Port-knocker, V0.8 July 29, 2004 knock(1)