Port-knocking
Port-knocking solves the problem elegantly, safely, and without major changes to the firewall rules. The client on the internet successively attempts to open connections to various ports on the firewall. The firewall merely logs these "knocks" and otherwise ignores them. A background program, the knock daemon, analyses the firewall's log file. As soon as it finds a particular pattern of access attempts on various ports, it launches the wakeonlan program, which generates the magic packet on the LAN containing the actual wake-up call. The pattern of knocks carries both the authorisation and the target MAC address, and all this happens without a single packet passing through the firewall. For the firewall to record the knocks in the log file that the knock daemon analyses, a LOG rule needs to be added:
iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 55000:55255 -j LOG
Written in Perl, the daemon needs quite a few additional CPAN modules – the readme file tells you which ones. They can be installed via the CPAN shell, but first make sure the shell itself is up to date:
perl -MCPAN -e shell
cpan> install Bundle::CPAN
cpan> reload cpan
Now the CPAN command install MODULENAME loads and installs the module in question. All of the daemon's settings are given in the file knockdaemon.conf. In file mode (runmode=file), the setting logfile=/var/log/messages tells the daemon where to find the firewall's log. A pattern of knocks should contain the MAC address (FLAG0 to FLAG5) and look as follows:
knock=IP,PORT,FLAG0,FLAG1,FLAG2,FLAG3,FLAG4,FLAG5,CHECKSUM
The IP and PORT fields are basically irrelevant for Wake-on-LAN and are only included here to ensure compatibility with other knocks. An action determines how the daemon is to react to specific patterns of knocks:
<action>
condition = PORT==9 && FLAG0<255
template = wake_on_lan
use = yes
</action>
The wake_on_lan template launches the wakeonlan program, which must be in the same folder as the knock daemon. It generates the actual magic packet:
<template wake_on_lan>
system = "./wakeonlan -i 192.168.1.255 `printf "%02x\n" FLAG0`:`printf "%02x\n" FLAG1`:`printf "%02x\n" FLAG2`:`printf "%02x\n" FLAG3`:`printf "%02x\n" FLAG4`:`printf "%02x\n" FLAG5`"
</template>
The construct with all the printf commands looks complicated, but it merely converts the six decimal FLAGx fields into the colon-separated hexadecimal MAC address that wakeonlan expects.
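The chain described above (iptables LOG lines, a knock pattern of IP,PORT,FLAG0..FLAG5,CHECKSUM per source address, the action condition PORT==9 && FLAG0<255, and finally the magic packet) can be demonstrated end to end in a few dozen lines. The following is an added example written for this article in Python; it is not the Perl knock daemon or knockclient the text describes. Three things it assumes, because the article does not define them: that each knock encodes one byte as destination port 55000 + value (the LOG rule covers exactly 256 ports), that CHECKSUM is the sum of the eight preceding values modulo 256, and that the IP and PORT fields each occupy one knock. The log lines it works on are constructed.

```python
"""Added example: a miniature knock daemon in Python, not the article's Perl
knockdaemon/knockclient.  It follows the chain the article describes:
iptables LOG lines -> knock values -> IP,PORT,FLAG0..5,CHECKSUM pattern ->
action condition -> magic packet.

Assumptions (not spelled out by the article):
  * a knock encodes one byte as destination port BASE_PORT + value
    (the LOG rule covers 55000:55255, i.e. exactly 256 ports);
  * CHECKSUM is the sum of the eight preceding values modulo 256;
  * the IP and PORT fields each occupy one knock.
"""
import re
import socket

BASE_PORT = 55000   # assumed encoding: knock value = dport - BASE_PORT
PATTERN_LEN = 9     # IP, PORT, FLAG0..FLAG5, CHECKSUM (the article's knock= line)

# The pieces of an iptables LOG line the daemon needs: source address and dport.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def encode_knocks(mac, ip_field=0, port_field=9):
    """Client side: the ports to knock on, in order, for a given MAC address."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("malformed MAC address: %r" % mac)
    values = [ip_field, port_field] + octets
    values.append(sum(values) % 256)          # assumed checksum scheme
    return [BASE_PORT + v for v in values]


def parse_log(lines):
    """Daemon side, step 1: pull (source, knock value) pairs out of the log.

    Lines that are not LOG output, or that hit ports outside the knock range,
    are ignored; the firewall logs scans of that range too, so noise is normal.
    """
    knocks = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        dpt = int(m.group("dpt"))
        if BASE_PORT <= dpt <= BASE_PORT + 255:
            knocks.append((m.group("src"), dpt - BASE_PORT))
    return knocks


def find_wake_request(knocks):
    """Daemon side, step 2: look for a complete, checksummed pattern per source
    that satisfies the article's action condition (PORT==9 && FLAG0<255).

    Knocks are grouped by source address so that an unrelated scanner cannot
    splice its packets into someone else's sequence. Returns the MAC or None.
    """
    by_src = {}
    for src, value in knocks:
        by_src.setdefault(src, []).append(value)
    for seq in by_src.values():
        for i in range(len(seq) - PATTERN_LEN + 1):
            cand = seq[i:i + PATTERN_LEN]
            port_field, flags, checksum = cand[1], cand[2:8], cand[8]
            if sum(cand[:8]) % 256 != checksum:
                continue                      # garbled or forged sequence
            if port_field != 9 or flags[0] >= 255:
                continue                      # action condition not met
            return ":".join("%02x" % f for f in flags)
    return None


def magic_packet(mac):
    """Step 3: the WOL magic packet, 6 x 0xFF followed by the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("malformed MAC address: %r" % mac)
    return b"\xff" * 6 + raw * 16


def send_magic_packet(mac, broadcast="192.168.1.255", port=9):
    """What wakeonlan does: UDP-broadcast the magic packet into the LAN."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


# Constructed sample log: a knockclient at 203.0.113.7 encoding the MAC below,
# with an unrelated probe from 198.18.0.9 landing in the middle of the sequence.
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
_KNOCK_LINES = [
    "Mar  3 21:14:0%d fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 "
    "PROTO=TCP SPT=43210 DPT=%d" % (i, p)
    for i, p in enumerate(encode_knocks(SAMPLE_MAC))
]
_PROBE_LINE = ("Mar  3 21:14:03 fw kernel: IN=eth0 OUT= SRC=198.18.0.9 "
               "DST=198.51.100.2 PROTO=TCP SPT=5555 DPT=55007")
SAMPLE_LOG = _KNOCK_LINES[:3] + [_PROBE_LINE] + _KNOCK_LINES[3:]

if __name__ == "__main__":
    mac = find_wake_request(parse_log(SAMPLE_LOG))
    print("wake request for", mac)
    print("magic packet:", magic_packet(mac).hex())
    # send_magic_packet(mac)  # uncomment on a real LAN
```

Two design points carry over to any knock daemon: sequences are tracked per source address, so a scanner walking the 55000:55255 range cannot complete or corrupt someone else's pattern, and the checksum is verified before the action condition is evaluated, so a sequence that is one knock short or one knock wrong never reaches the wakeonlan step.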
Knock, knock...
The knocks themselves are generated by knockclient, which is also written in Perl. It runs on Linux and Windows and has the configuration file knockclient.conf. This file must match the server's configuration file and contain the firewall's address in addition to the knocking pattern. The options for encrypted transmission and the crypto key must exactly match those in knockdaemon.conf.
Port-knocking also allows the wake-up procedure to be authorised via the knock daemon's crypto function. And if that is not enough security for you, you can make the knock rules stricter still and set up a separate pattern for each computer in the LAN. Then not even the MAC address has to pass the firewall: it never travels over the internet at all.