Talk:Port knocking

From ArchWiki
Revision as of 19:30, 11 August 2013 by Indigo (Talk | contribs) (merge tag to iptables?)


For me the supplied script did not work. Instead of

nmap -P0 --host_timeout 201 -p $2 $1 &> /dev/null

nmap -P0 --host_timeout 201 -p $3 $1 &> /dev/null

I use

nmap -PN --host_timeout 201 --max-retries 0 -p $2 $1 &> /dev/null

nmap -PN --host_timeout 201 --max-retries 0 -p $3 $1 &> /dev/null

The flag -P0 seems to have been renamed to -PN in a more recent nmap version. But the important part is --max-retries. If it is not set to 0, nmap sends several TCP SYN packets to the target host. This then causes several knocks on port 1 and 2 instead of just one - thus knocking 'out of order'.

Please edit if you agree - I'm not an 'expert' by any means, these are just my thoughts after examining iptables logs. I'll edit the page in a few days if there is no response - I just wanted to have feedback before I do.
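The following is an added example, not part of the post above or of the wiki article: a minimal knock client that disables nmap retransmits, plus a check that reads iptables LOG lines and flags the symptom the post describes (the same port hit twice in a row because a SYN was retransmitted). It assumes an nmap that accepts -PN and --max-retries, and an iptables LOG rule with the prefix "KNOCK: " (hypothetical prefix) producing the usual "SRC=... DPT=..." fields; the log lines in the script are constructed samples.

```shell
#!/bin/sh
# Added example (not the wiki page's script). Assumes nmap with -PN and
# --max-retries, and iptables LOG lines carrying SRC= and DPT= fields.

# knock HOST PORT...: one probe per port, in the given order. --max-retries 0
# keeps nmap from resending the SYN, so each knock port sees exactly one packet.
knock() {
  host=$1
  shift
  for port in "$@"; do
    nmap -PN --host_timeout 201 --max-retries 0 -p "$port" "$host" >/dev/null 2>&1
  done
}

# Constructed iptables LOG sample (not real logs): port 7000 was hit twice,
# which is what a retransmitted SYN looks like from the firewall's side.
SAMPLE_LOG='Aug 11 19:30:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=7000 SYN
Aug 11 19:30:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=7000 SYN
Aug 11 19:30:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=8000 SYN
Aug 11 19:30:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=9000 SYN'

# knock_sequence LOG SRC_IP: prints the destination ports one source knocked,
# space-separated, in log order.
knock_sequence() {
  printf '%s\n' "$1" | awk -v src="SRC=$2" '
    index($0, "KNOCK: ") && index($0, src) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); printf "%s%s", sep, $i; sep = " " }
    }
    END { print "" }'
}

# duplicate_knocks LOG SRC_IP: prints every port that was hit twice in a row
# by that source, i.e. the retransmit signature that breaks the knock order.
duplicate_knocks() {
  knock_sequence "$1" "$2" | awk '{ for (i = 2; i <= NF; i++) if ($i == $(i - 1)) print $i }'
}

# Usage: knock 203.0.113.5 7000 8000 9000
#        duplicate_knocks "$(journalctl -k --no-pager)" 198.51.100.7
```

If duplicate_knocks prints anything for a client that ran knock, the retransmit is still happening and the daemon will see the sequence as out of order; with --max-retries 0 the output should be empty.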

Merge tag with iptables

Hi, I would not merge this to iptables. Three reasons: (1) Iptables is a massive topic. Its basics are hard enough to cover on one page. (2) This here is pretty specialised and only few users will ever have contact with the concept of port knocking. It's likely out-of-bounds on the main page. (3) More adequate imo would be a merge to the stateful-firewall page (port knocking with iptables is great, but boils down to advanced state handling). But that is too large itself and has a small section regarding knockd (maybe that bit could be merged here?). I think it would be enough to link the pages together a bit more. Thoughts? --Indigo (talk) 19:30, 11 August 2013 (UTC)