Problematic ports #25
Comments
Are you running a service on port 80 as well and have TCP flags configured as part of the sequence?

Yes. I did. When I removed port 80 the issue was resolved.

What was your configuration out of interest (particularly interested in the tcpflags setting)? Am relatively new to the codebase so might be wrong, but I have spotted something interesting that might cause this. In the sniff function, there's a check to see if the TCP flags match on the first port and, if they don't, skip over them:

```c
if(!flags_match(door, ip, tcp)) {
	continue;
}
```

My guess is if you happen to be using the service at the same time as the knock with different TCP flags, it would invalidate the knock sequence at that time. I see a way of mitigating this would be to send known encoded information in the IP packet using something like IND-CCA possibly so knockd can determine between a knock request and other usage of the service running on the knock port.

In this case all the port requests were made using tcp.

Have added this to the TODO file and have slated it for a 0.9 release.

Question: I'm not sure what the problem exactly is, but when I used port 80 as part of the knock sequence it would often fail. I switched to another port and it seemed to work correctly. Is this expected?