Resurrect knockd?

Would it be possible to resurrect the knockd package?

The suggested replacement of fwknop lacks an iOS app store client.

Pretty please? If desired I can take a stab at the code and submit a pull request.


You don't need permission. Just go for it.

@krazeh are you a maintainer? I just want to know that the code would get merged prior to doing the work. Thanks.

I'm not a maintainer, but I doubt anyone would be able to tell you what you're wanting to know. Without seeing what the changes are it's unlikely anyone would commit to saying it'd get merged. On the other hand, it's equally unlikely anyone else is going to make the changes. If they were it would've been done already. So you're kinda stuck at do the work and hope it gets merged, or don't do it and nothing will get changed.


Interesting years ago, totally useless today with modern, far more secure methods, e.g. use WireGuard instead.

Just my two cents.


nftables can do it

These days, WireGuard is pretty much always a 'better knockd'. It doesn't respond at all unless the provided key/passphrase are correct; you have full control over what aspects remain accessible via firewall (zone-) rules and split horizon/PBR settings.


There is something super quaint about the concept of port knocking.

  • knock knock
  • silence
  • knock knock knock
  • silence
  • knock knock knock knock
  • Who's there?
  • Mr Port
  • Mr Port who?
  • Mr Port is now open Sir, that's who!

and with WireGuard:

  • portscan
    • silence
  • connection attempt using an incorrect pubkey
    • silence
  • connection attempt using an incorrect PSK
    • silence
  • pubkey and PSK correct
    • encrypted VPN tunnel established
      • welcome to the castle, the firewall zones guard your steps

It behaves just like port knocking in the sense of not being observable from the outside, without access to the credentials - and is actually secure on top.