how do i use port knock.exe

hi, all
how do I use port knocking?
I use the command below in the winbox terminal
/ip firewall filter
Knock.exe 192.168.0.2 1337:tcp 7331:tcp
it does not work for me, how do I make it correct?

what is “Knock.exe” and where did you get this command??? I suggest you read the manual on the command line interface:

http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

I got the command from
http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router#Port_Knocking

hi, does http://wiki.mikrotik.com mean anyone can change the information there, so it may not be correct?

It is correct, but that command is not for RouterOS - it is for WINDOWS!!!

Add firewall rules:

/ ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=temp address-list-timeout=15s

add chain=input protocol=tcp dst-port=7331 src-address-list=temp action=add-src-to-address-list address-list=safe address-list-timeout=15m

Now you can download knock.exe from http://www.zeroflux.org/proj/knock/files/knock-cygwin.zip
and execute Knock.exe 192.168.0.2 1337:tcp 7331:tcp from the Windows terminal (you will be able to access the router for 15 minutes).

shouldn’t you add some more rules to complete this setup? like rules that block people who are not in the safe list :slight_smile:

yes, right, but I just wanted to point out the configuration rules for port knocking.

so the complete rule list would be:

/ ip firewall filter
add chain=input src-address-list=safe action=accept

add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=temp address-list-timeout=15s

add chain=input protocol=tcp dst-port=7331 src-address-list=temp action=add-src-to-address-list address-list=safe address-list-timeout=15m

add chain=input action=drop

another question, how do I add people to the safe list?

why do you need to add people to the safe list?
those who know how to knock will be able to access the router.

but anyway, you can do this by adding static entries to the list:

/ip firewall address-list
add list=safe address=xx.xx.xx.xx
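To make the behaviour of the four-rule chain and the static safe entry above concrete, here is a small Python model of it. This is an added example, not code from the thread or from MikroTik: it only simulates how RouterOS evaluates that chain top-down, with the ports and timeouts taken from the rules above, and the client address, packet times and the 8291 (winbox) destination port are constructed for the demonstration.

```python
# Added example: a Python model of the RouterOS input chain posted above.
# It is not RouterOS code; it reproduces the rule order and the dynamic
# address-list timeouts so the knock timing can be stepped through offline.
from dataclasses import dataclass, field
from math import inf

KNOCK1, KNOCK2 = 1337, 7331   # dst-port of the two knock rules
TEMP_TIMEOUT = 15             # address-list-timeout=15s
SAFE_TIMEOUT = 15 * 60        # address-list-timeout=15m


@dataclass
class InputChain:
    """Address lists: list name -> {src address: expiry time in seconds}."""
    lists: dict = field(default_factory=lambda: {"temp": {}, "safe": {}})

    def add_static_safe(self, src):
        # Equivalent of: /ip firewall address-list add list=safe address=<src>
        # A static entry never times out.
        self.lists["safe"][src] = inf

    def _listed(self, name, src, now):
        expiry = self.lists[name].get(src)
        if expiry is None:
            return False
        if expiry <= now:            # dynamic entry has timed out
            del self.lists[name][src]
            return False
        return True

    def _add_dynamic(self, name, src, now, timeout):
        self.lists[name][src] = now + timeout

    def filter(self, src, dst_port, now):
        """Evaluate the chain top-down for one TCP packet and return the verdict."""
        # 1. add chain=input src-address-list=safe action=accept
        if self._listed("safe", src, now):
            return "accept"
        # 2. dst-port=1337 -> temp for 15s. add-src-to-address-list is not a
        #    terminating action, so the packet continues down the chain.
        if dst_port == KNOCK1:
            self._add_dynamic("temp", src, now, TEMP_TIMEOUT)
        # 3. dst-port=7331 from an address already in temp -> safe for 15m
        if dst_port == KNOCK2 and self._listed("temp", src, now):
            self._add_dynamic("safe", src, now, SAFE_TIMEOUT)
        # 4. add chain=input action=drop (the knock packets themselves end here)
        return "drop"


def run(packets, static_safe=()):
    """packets: iterable of (time, src, dst_port); returns one verdict per packet."""
    chain = InputChain()
    for src in static_safe:
        chain.add_static_safe(src)
    return [chain.filter(src, port, t) for (t, src, port) in packets]


if __name__ == "__main__":
    host = "192.168.0.10"   # constructed client address
    # Correct sequence: 1337 then 7331 within 15s, then the real connection (8291 = winbox)
    print(run([(0, host, KNOCK1), (1, host, KNOCK2), (2, host, 8291)]))
    # Wrong order: 7331 arrives before the address is in temp, so safe is never filled
    print(run([(0, host, KNOCK2), (1, host, KNOCK1), (2, host, 8291)]))
    # Too slow: the temp entry has expired before the second knock
    print(run([(0, host, KNOCK1), (20, host, KNOCK2), (21, host, 8291)]))
    # The safe entry expires after 15 minutes
    print(run([(0, host, KNOCK1), (1, host, KNOCK2), (900, host, 8291), (901, host, 8291)]))
    # Static safe entry: accepted without any knocking at all
    print(run([(0, host, 8291)], static_safe=[host]))
```

Two things the model makes visible that the rule listing alone does not: the knock packets themselves are always dropped (add-src-to-address-list does not stop rule processing, so they fall through to the final drop, which is why the knock client does not need a reply), and a static entry in the safe list short-circuits the whole chain at rule 1, which is the trade-off the later posts argue about.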

:open_mouth:
Good luck finding the port combination (is it just two?), and then the router password after that!

I would agree with the idea that the router needs a safe list - where you know that only you will be trying to connect to your router, or you can control who tries to connect.

so create an address list for safe IPs that can connect without knocking
and accept them before port knocking kicks in

what’s the point of knocking then, if you create a safe list? anyone could spoof your IP if they knew it was in the safe list. knocking is not so easy to guess, so it is safer.

I would not agree with that completely.

but I will add that security is good as long as the cost of security is not more than the value of the system it protects. so, see how valuable your system is and introduce measures that you find appropriate.

(like, why use a 32-symbol password if a 12 - 15 symbol password will suffice)

OP wanted portknock :slight_smile:

does port knocking only work for public addresses?
because I use a local PC, and I don’t add any safe address list, and I can still access the router
thanks!

why, when I execute knock.exe, does it close automatically? I have no chance to type the command.
any advice?

You have to type the command line all at once, it’s not interactive, it won’t prompt you for variables.

I use this batch file for my system:

knock 172.125.3.203 45:tcp
pause
knock 172.125.3.203 46:tcp

that way I have to hit the enter key; that helps me know that the command has run correctly.

I have no chance to type; when I double click knock.exe, it closes immediately

as mentioned before, knock.exe is a command line utility.
http://en.wikipedia.org/wiki/Command_line_interface

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true

read carefully and only then ask dumb questions.