--- ./doc/knockd.1.in.orig 2005-06-29 20:45:17.000000000 +0200 +++ ./doc/knockd.1.in 2011-08-17 13:29:55.000000000 +0200 @@ -60,13 +60,13 @@ sequence = 7000,8000,9000 seq_timeout = 10 tcpflags = syn - command = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT + command = /usr/sbin/iptables -A INPUT -s %IP% --dport 22 -j ACCEPT [closeSSH] sequence = 9000,8000,7000 seq_timeout = 10 tcpflags = syn - command = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT + command = /usr/sbin/iptables -D INPUT -s %IP% --dport 22 -j ACCEPT .fi .RE @@ -115,7 +115,7 @@ start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 25 -j ACCEPT cmd_timeout = 5 stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 25 -j ACCEPT - + .fi .RE .SH CONFIGURATION: GLOBAL DIRECTIVES @@ -132,7 +132,7 @@ .TP .B "Interface = " Network interface to listen on. Only its name has to be given, not the path to -the device (eg, "eth0" and not "/dev/eth0"). Default: eth0. +the device (eg, "fxp0" and not "/dev/fxp0"). Default: fxp0. .SH CONFIGURATION: KNOCK/EVENT DIRECTIVES .TP .B "Sequence = [:][,[:] ...]" @@ -158,7 +158,7 @@ \fBNote\fP: Do not edit the file while knockd is running! .TP .B "Seq_Timeout = " -Time to wait for a sequence to complete in seconds. If the time elapses +Time to wait (in seconds) for a sequence to complete in seconds. If the time elapses before the knock is complete, it is discarded. .TP .B "TCPFlags = fin|syn|rst|psh|ack|urg" @@ -183,10 +183,10 @@ directive is optional, only required if \fBStop_Command\fP is used. .TP .B "Stop_Command = " -Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed +Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed since \fBStart_Command\fP has been executed. All instances of \fB%IP%\fP will be replaced with the knocker's IP address. This directive is optional. -.SH SECURITY NOTES +.SH SECURITY NOTES Using the \fB-l\fP or \fB--lookup\fP commandline option to resolve DNS names for log entries may be a security risk! An attacker may find out the first port of a sequence if he can monitor the DNS traffic of the host running knockd.