
Every reachable public IP address is constantly port scanned by bots and by indexing services such as shodan.io, and anyone can use that information to run brute-force attacks or known exploits against the services found. Port knocking is a cost-effective defence: no service ports are exposed at all, and the firewall merely records connection attempts. If a client makes connection attempts to the correct sequence of ports, it is considered safe and its source address is added to an address list that bypasses the WAN firewall drop rules.


Setup example

We are assuming you have already set up a firewall that drops all connection attempts arriving on the WAN interface, so the rules described here must be placed above that drop rule.
First create a firewall rule that matches a given port and adds the connecting source IP to an address list - this is the first knock.

/ip firewall filter
# First knock: any WAN source hitting TCP/888 is remembered in list "888" for 30 seconds.
add action=add-src-to-address-list address-list=888 address-list-timeout=30s chain=input dst-port=888 in-interface-list=WAN protocol=tcp


Then add a rule that does the same on another port, but only for source IPs that are already in the first list. You can repeat this step as many times as you like, each stage requiring the list populated by the previous one.


Finally, the last knock adds the source IP to a trusted address list, and an accept rule lets any input from that list through.



There is a problem here, however: unless you use a lot of knocks, a simple sequential port scan could accidentally hit the correct ports in the correct order, so it is advisable to add a blacklist as well.

At the very top of your firewall stack add a drop rule for the blacklist.

Then add suspicious IPs to the blacklist, using two kinds of trigger ports:

Bad ports - ports that a trusted user will never connect to, and which therefore carry a long timeout penalty.


Slow-down ports - commonly scanned ports with a short timeout penalty, enough to make a port scan crawl to the point of being pointless, but never locking out a real user for long.
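The complete rule set described above, as an added example that is not part of the original page. The list names, the knock ports 888/999/1234, the penalty ports, the timeouts and the interface list name are assumptions chosen for illustration; only the first-knock rule and the list name 888 come from the page.

```routeros
# Added example, not from the original page. All port numbers, list names
# and timeouts are assumptions; adjust them to your own setup.
/ip firewall filter

# 1. The blacklist drop sits at the very top of the input chain.
add chain=input in-interface-list=WAN src-address-list=blacklist \
    action=drop comment="drop blacklisted sources"

# 2. Sources that completed the whole knock sequence bypass the WAN drop.
add chain=input in-interface-list=WAN src-address-list=trusted \
    action=accept comment="accept fully knocked clients"

# 3. Knock sequence 888 -> 999 -> 1234. add-src-to-address-list is a
#    passthrough action: the packet keeps traversing the chain, so the knock
#    ports must not also appear in the penalty rules below.
add chain=input in-interface-list=WAN protocol=tcp dst-port=888 \
    action=add-src-to-address-list address-list=888 \
    address-list-timeout=30s comment="knock 1"
add chain=input in-interface-list=WAN protocol=tcp dst-port=999 \
    src-address-list=888 \
    action=add-src-to-address-list address-list=knock2 \
    address-list-timeout=30s comment="knock 2: only sources already in 888"
add chain=input in-interface-list=WAN protocol=tcp dst-port=1234 \
    src-address-list=knock2 \
    action=add-src-to-address-list address-list=trusted \
    address-list-timeout=1h comment="knock 3: grant access for one hour"

# 4. Bad ports: no trusted user ever connects here, so a long penalty is safe.
add chain=input in-interface-list=WAN protocol=tcp dst-port=21,23,3389 \
    src-address-list=!trusted \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d comment="bad ports: one day in blacklist"

# 5. Slow-down ports: commonly scanned, short penalty. A real user who
#    connects before knocking waits a minute; a scanner stalls on every probe.
add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=22,25,80,110,143,443,445,8080,8291 \
    src-address-list=!trusted \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1m comment="slow-down ports: one minute in blacklist"

# 6. The pre-existing catch-all: drop everything else arriving from WAN.
add chain=input in-interface-list=WAN action=drop comment="drop all from WAN"
```

Check the result with `/ip firewall address-list print` while knocking from a test client: the source should appear in 888, then knock2, then trusted, and a probe to a penalty port should land it in blacklist instead.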

