Quote:
Originally Posted by ryanoa
Will I need to open up the ports in the knock sequence on the router?
Possibly. I personally have EVERY packet forwarded from my router to a "real" firewall and have knockd run on that. Knocks are basically "port probes" and if your router blocks them it won't work. Many routers do, because they don't form a complete connection.
Quote:
Originally Posted by ryanoa
If so, is this a security risk? Could someone potentially scan the routers open ports and come up with my knock sequence?
No. If you are forwarding those ports to the knockd server, the ports do NOT have to show as open on the knockd server. Knockd works BEHIND a firewall, just listening out for packets. It does NOT need an open connection, or even an open port. It can work with closed/stealth ports. For those in the know, knockd uses packet capture libraries rather than "real" TCP/UDP connections.
But I have to echo the thoughts of the previous poster. Knockd is a defense that has certain advantages (prevents log spam, prevents "random" attacks, etc.) but it will not secure your computer for you. Do that FIRST.
Knockd is a "convenience" that *improves* security of existing good setups. It does not *create* security for your computers.
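To illustrate the "just listening for packets" point made above, here is an added example (not knockd's own code, nor the poster's) of the per-source sequence tracking a capture-based knock daemon performs. The knock sequence, the timeout and the packet tuples are all constructed for the example; the tuples stand in for what a packet-capture library would hand the daemon, and none of the ports involved need to be open.

```python
"""
Minimal model of how a port-knock daemon tracks knock sequences.
Added example, not knockd's own code: instead of a packet-capture
library it consumes constructed (timestamp, src_ip, dst_port) tuples,
which is all a capture-based knocker needs; the destination ports
never have to be open, since no connection is ever completed.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # hypothetical sequence for the example
SEQ_TIMEOUT = 5.0                     # seconds allowed to finish the sequence


@dataclass
class KnockState:
    stage: int = 0          # how many ports of the sequence matched so far
    started: float = 0.0    # timestamp of the first matching knock


def process_packets(packets, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return a list of (timestamp, src_ip) for every completed sequence."""
    states = {}
    completed = []
    for ts, src, port in packets:
        st = states.setdefault(src, KnockState())
        # A partial sequence that took too long is discarded
        if st.stage and ts - st.started > timeout:
            st.stage = 0
        if port == sequence[st.stage]:
            if st.stage == 0:
                st.started = ts
            st.stage += 1
            if st.stage == len(sequence):
                completed.append((ts, src))
                states.pop(src)
        else:
            # Any out-of-sequence probe from that source resets its progress
            st.stage = 0
    return completed


# Constructed sample: one valid knock, one too slow, one out of order.
SAMPLE = [
    (0.0, "10.0.0.5", 7000), (0.5, "10.0.0.5", 8000), (1.0, "10.0.0.5", 9000),
    (0.0, "10.0.0.6", 7000), (0.5, "10.0.0.6", 8000), (7.0, "10.0.0.6", 9000),
    (0.0, "10.0.0.7", 7000), (0.5, "10.0.0.7", 9000), (1.0, "10.0.0.7", 8000),
]

if __name__ == "__main__":
    print(process_packets(SAMPLE))   # only 10.0.0.5 completes the sequence
```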