knock(1)                Doorman & Knocker                knock(1)



NAME
       knock - The port-knock client

SYNOPSIS
       knock [-h] [-v] [-U] [-t s.s] [-p port] \
             [-g groupid] [-s secret]  host  service


DESCRIPTION
       "Knock  on  the door"  of a host running the 'doorman' dae
       mon.  If the conditions outlined below are met, a firewall
       rule  will be created for a  short time allowing a TCP con
       nection on the requested port.  If a  connection  is  made
       within this time, the rule will be left in place until the
       connection is broken.
       No reply is made to the knock; success  is  apparent  only
       when a connection to the requested server has been made.


OPTIONS
       -h     'help'; print a message explaining the options and
              quit.

       -v     'version'; print the version number and quit.

       -p port
              Override the 'port' value in 'KNOCK.CFG'.  Knock on
              the specified UDP port.

       -g groupid
              Override the 'group' value in 'KNOCK.CFG'.

       -r "program arg1 arg2..."
              Override  the  'run'  value in KNOCK.CFG.  Run this
              program after sending the knock packet.  The  argu­
              ment list given to the program may include the spe­
              cial strings %H% and %P%.   '%H%'  substitutes  for
              the hostname to which the knock is sent; '%P%' sub­
              stitutes for the portnumber or service name.

              Example:   knock -r"ssh -l  myname  %H%"  abc.what­
              ever.org ssh

              To avoid running the program specified by the 'run'
              record, use any of:
              -r" " , -r' ' , -r0 , -rX , or -rx

       -s secret
              Override the 'secret' value in 'KNOCK.CFG'.

        host  the  IP  address or DNS name of the host to which a
              TCP connection is desired.

        service
              the port number or  service  name  (as  defined  in
              /etc/services) of the desired service.


CONDITIONS
       In  order for a knock to succeed, the following conditions
       must be met:

       1. the groupid must be in the doorman's 'guestlist' file

       2. the secret must match that in the guestlist record  for
       that group

       3. the IP address of the  client machine's interface  must
       match  one  of  the  addresses  in  the  guestlist  record

       4. the service requested must be in the guestlist record

       5. A  randomly-chosen  number (called a 'tag') is sent in
       the knock packet; it must not occur in a list of old  tags
       kept  by  the  doorman.  It may occasionally happen that a
       tag is found in the list, and the knock will  fail;  there
       is  no  other remedy for this but to make another attempt.
       However, since tags are 32 bits in magnitude, such  occur-
       rences should be rare.


FILES
       C:\KNOCK.CFG: the configuration file for 'knock'.


SEE ALSO
       knockcf(5), doormand(8), doormand.cf(5), guestlist(5)


ACKNOWLEDGEMENT
       doormand and knock are an implementation  of  an  original
       idea    by   Martin   Krzywinski.    See   his   site   at
       http://www.portknocking.org


COPYRIGHT
       Copyright (c) 2003-2005, J.B.Ward
       <bward2@users.sourceforge.net>




Port-knocker, V0.81        Sept 03, 2005                  knock(1)