
Firewall port-knocking

Port knocking is a method that enables access to the router only after
receiving a sequence of connection attempts (or packets) with a set of
prespecified parameters (port numbers, packet size).
After receiving the prespecified sequence, the firewall dynamically adds
the client's IP to a “whitelist” address list for a specified timeout.
It removes the client's IP when the timeout is exceeded, to restore security.
It is recommended to organize it in a user-chain.

182
Firewall ICMP-knocking algorithm

We will use two temporary address-lists and a sequence of ICMP packets
with prespecified sizes to place the source IP into the “whitelist”
address-list in the firewall user-chain.

Knock sequence:
1. Packet size=90 bytes
2. Packet size=60 bytes
3. Packet size=70 bytes

Flowchart (got packet):
• Size=90 bytes? Yes: add SRC-IP to “stage1” address-list for 10s. No: next check.
• Size=60 bytes AND SRC-IP in list “stage1”? Yes: add SRC-IP to “stage2” address-list for 10s. No: next check.
• Size=70 bytes AND SRC-IP in list “stage2”? Yes: add SRC-IP to “White” address-list for 10m. No: exit.

184
ICMP-knocking LAB

• Login to the router via MAC winbox, and add the laptop IP to “blacklist”
• Create user-chain “icmpknock” in the firewall
• On the top of the input chain create a firewall rule that
sends incoming ICMP traffic to the “icmpknock” chain
• Implement rules adding the sender IP to the stage
address-lists step by step, according to the received
ICMP packet size and sequence (see the previous algorithm)
• Use timeouts
Note: the Windows “ping” command adds a 28-byte header to the ICMP packet size
defined by the “-l” option
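The three-stage algorithm and the lab's packet-size note, as an added simulation that is not part of the slides: it models the “icmpknock” chain as dynamic address lists with expiry, so the effect of the 10s/10m timeouts and of knocks sent out of order can be checked before building the rules. The IP addresses and the knock helper are constructed for the demo.

```python
# Constructed simulation of the three-stage ICMP-knock algorithm from the slides.
# Address lists and timeouts mirror the flowchart: stage1 (10s) -> stage2 (10s)
# -> whitelist (10m). Times are plain seconds so the expiry logic can be checked.

# (required IP packet size, address-list the source is added to, timeout in s)
STAGES = [
    (90, "stage1", 10),
    (60, "stage2", 10),
    (70, "whitelist", 600),
]

IP_PLUS_ICMP_HEADER = 28  # bytes Windows ping adds on top of the -l payload

def windows_ping_size(payload_len):
    """Total packet size produced by Windows 'ping -l <payload_len>'."""
    return payload_len + IP_PLUS_ICMP_HEADER

class KnockFirewall:
    """Models the 'icmpknock' user-chain: dynamic address lists with expiry."""

    def __init__(self):
        self.entries = {}  # (list_name, src_ip) -> expiry time in seconds

    def in_list(self, name, src_ip, now):
        expiry = self.entries.get((name, src_ip))
        return expiry is not None and expiry > now

    def is_whitelisted(self, src_ip, now):
        return self.in_list("whitelist", src_ip, now)

    def icmp_packet(self, src_ip, size, now):
        """Run one ICMP packet through the chain; return the list it was added to."""
        added = None
        required = None  # list the source must already be in for this stage
        for pkt_size, target, timeout in STAGES:
            if size == pkt_size and (required is None or self.in_list(required, src_ip, now)):
                self.entries[(target, src_ip)] = now + timeout
                added = target
            required = target
        return added  # None: no stage matched, the packet fell through to the chain exit

def knock(fw, src_ip, payload_lens, start=0.0, gap=1.0):
    """Send a Windows-style knock sequence one packet per `gap` seconds; report whitelist status."""
    for i, plen in enumerate(payload_lens):
        fw.icmp_packet(src_ip, windows_ping_size(plen), start + i * gap)
    return fw.is_whitelisted(src_ip, start + len(payload_lens) * gap)

if __name__ == "__main__":
    print(knock(KnockFirewall(), "203.0.113.5", [62, 32, 42]))  # correct order -> True
    print(knock(KnockFirewall(), "203.0.113.6", [32, 62, 42]))  # wrong order -> False
```

The payload lengths 62, 32 and 42 are the `-l` values that produce the 90-, 60- and 70-byte packets once the 28-byte header is added.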

185
ICMP-knocking LAB

186
