Port Knock to change firewall configuration

I have installed port knock in vyos 1.3.6 to run a command and open certain port. Configuration of the /etct/knockd.conf as below script:

       logfile = /var/log/knocd.log
       interface = eth0

       sequence  = 3423:udp,1238:udp,6548:udp
       seq_timeout = 15
       tcpflags = syn,ack
       start_command = /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall name ROUTER-ETH0-LOCAL rule 110 disable && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper end
       cmd_timeout   = 60
       stop_command = /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set firewall name ROUTER-ETH0-LOCAL rule 110 disable && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit && /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper end

restart knockd

Below screenshot is the result after I have run the port knock :

Its failed to run the command using port knock.
The command is correct, I can run the command and firewall is properly edited and committed.

This should help you.

Create a single script with the command(s) you want in it and call that.


source /opt/vyatta/etc/functions/script-template
delete firewall name ROUTER-ETH0-LOCAL rule 110 disable

Hi @tjh

I’ve tried your script but still show same error :


Script is in knockd.log. Already chmod the script.

Result shows returned non-zero status code as below


You can check latest 1.4 or 1.5 images, it includes dynamic address groups, used for port knocking.
Task: ⚓ T4839 Dynamic Firewall groups
Documentation for this command is still missing, but you can see the example in the PR

I have found the solution. I need to run iptables command to open ssh port. So I don’t need to change anything in firewall rules (by default to drop any packet). Below is the example

logfile = /var/log/knockd.log
interface = eth0

sequence = 7000,8000,9000
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -m comment --comment "Temporary whitelist %IP% " -p tcp --dport 22 -j ACCEPT
cmd_timeout = 5
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -m comment --comment "Temporary whitelist %IP% " -j ACCEPT

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.