
October 11, 2011

An fwknop SPA web interface

Vasilis Mavroudis has launched WebKnock, a web-based front end to the fwknop (Single Packet Authorization) client. It does not yet seem to support the full suite of fwknop features, but the WebKnock site allows you to send basic authorization packets to your fwknop server in order to open firewall ports. This can definitely come in handy if you need access to a port on your server and don’t have the fwknop client available on the computer, Android or iPhone (coming soon).

Note that although WebKnock uses SSL to protect the HTTP session, you are still required to hand your fwknop passphrase to a third-party service. If it is logged or intercepted, your knock details could be used to open firewall ports or even run commands on your server (depending on how you’ve configured fwknop). While WebKnock may be useful in a bind, from a purely security standpoint I don’t recommend using it regularly because of this risk. If you do use it, you should consider changing your fwknop passphrase afterwards.
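One way to limit what a disclosed passphrase can do is to scope the key on the fwknopd side. The access.conf stanza below is an added example written for this post, not WebKnock’s or the fwknop project’s own configuration; the passphrase is a placeholder, and the directives are the ones I know fwknopd accepts.

```conf
# /etc/fwknop/access.conf (constructed example): a stanza for a key that
# may be typed into a third-party front end such as WebKnock.
# The service still learns the passphrase, so the aim is to limit what a
# logged or intercepted knock can do, not to make the disclosure harmless.

SOURCE                  ANY

# Placeholder; use a passphrase dedicated to this purpose and rotate it
# after each use through the front end.
KEY                     REPLACE_WITH_A_DEDICATED_PASSPHRASE

# Only the port you actually need to reach through the front end. A knock
# that asks for any other port with this key is refused by fwknopd.
OPEN_PORTS              tcp/22

# Refuse knocks whose allow-IP field is 0.0.0.0 ("use packet source"), so
# a reused knock must still name a specific source address.
REQUIRE_SOURCE_ADDRESS  Y

# Never let this key run commands on the server; that is the worst case
# for a leaked key.
ENABLE_CMD_EXEC         N

# Keep the accept rule short-lived (seconds).
FW_ACCESS_TIMEOUT       30
```

A leaked key scoped this way can still open tcp/22 to an address of the attacker’s choosing for 30 seconds, so rotation remains necessary; the stanza only narrows the blast radius.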

I hope that WebKnock is eventually open-sourced, both so that the code can be reviewed and so that people can host their own instance of WebKnock. It would also be nice to see more fwknop features added, including the ability to define a username and to open multiple ports at once (e.g. by entering: tcp/22 udp/53 tcp/80). The ‘Allow IP’ field should also be pre-populated with the visitor’s IP address for convenience.

Source: Cipherdyne

2 Comments
  1. Oct 13 2011

    Hi! Thanks for the reference and the comments!

    Yes, you are right that currently webknock does not fully support the fwknop features. However, I am planning to do so in the future (the multiple ports feature comes first).

    I plan to open-source the project but this won’t reduce the security risk. I am thinking of ways to do so…maybe having a regular review of the source code from a trusted authority can solve the problem.

    Best regards,

  2. Oct 13 2011

    Hi Vasilis,

    Good to hear you’re still developing it. Although open source would be nice, as you said it doesn’t actually bring that much assurance.

    I think the only way to get a relatively adequate level of assurance would be to set up the fwknop server with a one-time pad approach to passwords. But due to the fact that one doesn’t get a response from fwknop servers, this would make it very hard to troubleshoot authentication issues and to keep track of which key to use next.

    I’ll have more of a think about it, but as with all kinds of ‘service-in-the-middle’ services, the user either has to accept some additional risk, or avoid using it.

