Port Knock to change firewall configuration

Hi,
I have installed port knock in vyos 1.3.6 to run a command and open certain port. Configuration of the /etct/knockd.conf as below script:

[options]
       logfile = /var/log/knocd.log
       interface = eth0

[opencloseSSH]
       sequence  = 3423:udp,1238:udp,6548:udp
       seq_timeout = 15
       tcpflags = syn,ack
       start_command = /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall name ROUTER-ETH0-LOCAL rule 110 disable && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper end
       cmd_timeout   = 60
       stop_command = /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set firewall name ROUTER-ETH0-LOCAL rule 110 disable && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper end

restart knockd

Below screenshot is the result after I have run the port knock :

Its failed to run the command using port knock.
The command is correct, I can run the command and firewall is properly edited and committed.

This should help you.

Create a single script with the command(s) you want in it and call that.

https://docs.vyos.io/en/equuleus/automation/command-scripting.html

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
delete firewall name ROUTER-ETH0-LOCAL rule 110 disable
commit
exit

Hi @tjh

I’ve tried your script but still show same error :

image

Script is in knockd.log. Already chmod the script.

Result shows returned non-zero status code as below

image

You can check latest 1.4 or 1.5 images, it includes dynamic address groups, used for port knocking.
Task: ⚓ T4839 Dynamic Firewall groups
Documentation for this command is still missing, but you can see the example in the PR