knock(1) Doorman & Knocker knock(1)
NAME
knock - The port-knock client
SYNOPSIS
knock [-h] [-v] [-g groupid] [-p port] [-s secret] \
[-r program arg1 arg2 ... ] host service
DESCRIPTION
"Knock on the door" of a host running the 'doorman' daemon. If the
conditions outlined below are met, a firewall rule will be created for
a short time allowing a TCP connection on the requested port. If a
connection is made within this time, the rule will be left in place
until the connection is broken.
No reply is made to the knock; success is apparent only when a connection
to the requested server has been made.
OPTIONS
-h 'help'; print a message explaining the options and quit.
-v 'version'; print the version number and quit.
-p port
Override the 'port' value in .knockcf. Knock on the specified
UDP port.
-g groupid
Override the 'group' value in .knockcf
-r "program arg1 arg2..."
Override the 'run' value in .knockcf. Run this program after
sending the knock packet. The argument list given to the program
may include the special strings %H% and %P%. '%H%' substitutes
for the hostname to which the knock is sent; '%P%' substitutes
for the port number or service name.
Example: knock -r"ssh -l myname %H%" abc.whatever.org ssh
To avoid running the program specified by the 'run' record, use
any of:
-r" " , -r' ' , -r0 , -rX , or -rx
-s secret
Override the 'secret' value in .knockcf
host the IP address or DNS name of the host to which a TCP connection
is desired.
service
the port number or service name (as defined in /etc/services) of
the desired service.
CONDITIONS
In order for a knock to succeed, the following conditions must be met:
1. the groupid must be in the doorman's 'guestlist' file
2. the secret must match that in the guestlist record for that group
3. the IP address of the client machine's interface must match one of
the addresses in the guestlist record.
4. the service requested must be in the guestlist record
5. A randomly-chosen number (called a 'tag') is sent in the knock
packet; it must not occur in a list of old tags kept by the doorman.
It may occasionally happen that a tag is found in the list, and the
knock will fail; there is no other remedy for this but to make another
attempt. However, since tags are 32 bits in magnitude, such occurrences
should be rare.
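The five conditions above, modelled from the doorman's side as an added example (this is not code from the Doorman project): guestlist records and knock fields are plain dicts, the field names, the sample guestlist and the bounded old-tag list are assumptions, and the real guestlist(5) syntax and knock wire format are not reproduced.

```python
import hmac
from collections import deque

# Constructed guestlist: one record per group id (assumed layout).
GUESTLIST = {
    "friends": {
        "secret": "s3cret-example",
        "addresses": {"192.0.2.10", "192.0.2.11"},
        "services": {"ssh", "smtp"},
    },
}


class Doorman:
    def __init__(self, guestlist, old_tag_limit=1000):
        self.guestlist = guestlist
        # Bounded memory of recently seen tags (condition 5): a knock
        # whose tag was already seen is refused, so a captured knock
        # packet cannot simply be resent to reopen the port.
        self.old_tags = deque(maxlen=old_tag_limit)

    def check_knock(self, knock, source_ip):
        """Return (ok, reason). The client never sees the reason:
        doorman sends no reply, so a failed knock just times out."""
        rec = self.guestlist.get(knock["group"])
        if rec is None:
            return False, "unknown group"                 # condition 1
        # Constant-time comparison (an assumption, not doorman's code).
        if not hmac.compare_digest(knock["secret"], rec["secret"]):
            return False, "bad secret"                    # condition 2
        if source_ip not in rec["addresses"]:
            return False, "address not in guestlist"      # condition 3
        if knock["service"] not in rec["services"]:
            return False, "service not permitted"         # condition 4
        tag = knock["tag"]
        if not 0 <= tag < 2 ** 32:                        # tags are 32 bits
            return False, "tag out of range"
        if tag in self.old_tags:
            return False, "tag already used"              # condition 5
        self.old_tags.append(tag)
        return True, "open %s for %s" % (knock["service"], source_ip)
```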
FILES
~/.knockcf: the configuration file for 'knock'.
'.knockcf' must be readable and writable only by the owner.
SEE ALSO
knockcf(5), doormand(8), doormand.cf(5), guestlist(5)
ACKNOWLEDGEMENT
doormand and knock are an implementation of an original idea by Martin
Krzywinski. See his site at http://www.portknocking.org
COPYRIGHT
Copyright (c) 2003-2005, J.B.Ward
<bward2@users.sourceforge.net>
Port-knocker, V0.81 Aug 14 2005 knock(1)