Enabling/disabling port forward through CLI for knockd

I have a port forward set up to access an internal system from the Internet. Nothing new there. However I thought leaving the port forward disabled by default, then enabling it with knockd would be an easy way to configure this. Are there any problems with doing this?

I'm not good with iptables so I'm trying to take the easy/safe way out. If I enable the port forward with the command I got from "Unsaved changes" which is:

uci set firewall.cfg133837.enabled='1'

followed by

/etc/init.d/firewall reload

will this do the job? Will this disrupt current open connections?


Yes.

No.

But it should be more reliable and safe to open only a VPN port permanently.


I agree. I've considered this and I do have OpenVPN set up on the router. The issue is sometimes I need to access this from a computer on which I'm not able to install the OpenVPN client.


Specify the source IP if knockd provides it.
It should help to limit the scope of the firewall rule/redirect.

If you mean the IP of the connecting client, that changes and isn't predictable. Or do you mean something else?

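The two ideas in this thread (toggle the forward with `uci set ... enabled` plus `firewall reload`, and narrow the rule to the knocker's address) can be combined, because knockd substitutes the knocking client's address for `%IP%` in the configured command. The script below is an added example, not the poster's setup or anything shipped with OpenWrt or knockd: the section name `firewall.cfg133837` is taken from the thread, while the script path `/usr/local/bin/fwd-toggle.sh`, the knock sequence, the timeout and the helper names are assumptions. It sets the redirect's `src_ip` option to the knocker's address before enabling it, and disables the rule again when knockd's `cmd_timeout` expires. It also checks that `%IP%` really is a dotted-quad before passing it to `uci`, since whatever knockd substitutes ends up on a shell command line.

```shell
#!/bin/sh
# Added example (not from the thread): toggle the OpenWrt port forward
# firewall.cfg133837 from knockd, limited to the knocking client's IP.
# Section name is from the thread; script path, sequence, timeout and
# function names are assumptions.
#
# Matching knockd.conf section (assumed, not the poster's config):
#   [fwd]
#       sequence      = 7000,8000,9000
#       seq_timeout   = 15
#       tcpflags      = syn
#       start_command = /usr/local/bin/fwd-toggle.sh enable %IP%
#       cmd_timeout   = 1800
#       stop_command  = /usr/local/bin/fwd-toggle.sh disable %IP%

SECTION="firewall.cfg133837"

# Accept only a plain IPv4 dotted-quad, so a malformed %IP% never reaches uci.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|"") return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Print the uci commands for an action. Kept separate from applying them so
# the generated commands can be reviewed (or tested) without a router.
fwd_uci_cmds() {
  action="$1"; ip="$2"
  valid_ipv4 "$ip" || { echo "rejected source address: $ip" >&2; return 1; }
  case "$action" in
    enable)
      printf '%s\n' \
        "uci set $SECTION.src_ip='$ip'" \
        "uci set $SECTION.enabled='1'"
      ;;
    disable)
      printf '%s\n' \
        "uci set $SECTION.enabled='0'" \
        "uci delete $SECTION.src_ip"
      ;;
    *)
      echo "usage: $0 enable|disable IP" >&2
      return 1
      ;;
  esac
}

# Apply the commands and reload (not restart) the firewall, as in the thread.
# The change is left uncommitted on purpose: it lives in /tmp and is gone after
# a reboot, so the forward comes back disabled. Add 'uci commit firewall' if
# the state should survive a reboot. Prints a dry run when uci is not present.
fwd_apply() {
  cmds=$(fwd_uci_cmds "$1" "$2") || return 1
  if command -v uci >/dev/null 2>&1; then
    printf '%s\n' "$cmds" | sh -e && /etc/init.d/firewall reload
  else
    printf 'DRY RUN:\n%s\n/etc/init.d/firewall reload\n' "$cmds"
  fi
}

# Act only when invoked with arguments, so the file can also be sourced.
[ $# -ge 2 ] && fwd_apply "$1" "$2"
```

Usage: install it as the `start_command`/`stop_command` target shown in the comment header and run `fwd-toggle.sh enable 203.0.113.7` by hand once to see the dry-run output. The `src_ip` option on a redirect section restricts the DNAT rule to that one source, so after a knock the forward is reachable only from the address that knocked; other hosts scanning the port still see it closed. A `firewall reload` only re-applies the ruleset, so, as the answer above says, it does not disrupt connections that are already open.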