# Port forwarding fwknop



## drunkenmidget (Jul 16, 2011)

I think I'm posting to the right place, but if not, admins feel free to move the post somewhere else.  Anyway, basically, what I want to know is if it's possible to forward the port fwknop opens with natd.  I have a win server 2008 pdc behind a freebsd NAT router.  Would it be possible to open port 3389 with fwknop and have a latent rule in natd.conf to redirect port 3389 to my internal server 2k8 box?  I've read documentation on fwknop on the internet, but all of it pertains just to opening basically the sshd port on the box that it runs on.  What I want to do is open the port on the local box, and have a natd redirect to redirect that port to my server 2k8 box on my internal lan so I can access it with rdp.  From there, I can use putty to ssh my bsd servers and rdp the computer I use on my LAN. I'm trying to set up a secure entry point into my LAN so I can navigate my whole LAN from externally if I so choose.


----------



## SirDice (Jul 16, 2011)

You don't need portknocking, you don't even need to forward anything.

Just use PuTTY to tunnel port 3389 and run RDP over that.


----------



## drunkenmidget (Jul 16, 2011)

Thanks for the reply, but actually opening the port all the time defeats the purpose of what I'm trying to do.  I don't want the port open all the time in case somebody directly targets my network to try to hack into it.  I could open and redirect port 3389 with ipfw to my internal server 2k8 pdc. Alternatively, I could open some strange port like 5000 and forward it to my internal server 2k8 box's port 3389 to eliminate pass-by exploit scans.  However, that defeats the purpose of using fwknop.  As I understand it, you can use fwknop to knock on some closed ports in sequence, send an SPA key, and then fwknop opens the port on your firewall. Then in a given time interval, it closes it.  What I want to do is open local port 3389 on the NAT firewall, and redirect port 3389 with natd to my server2k8 box.  The whole point is to not have the port open 'all' the time and only opening it when I need it from externally with the fwknop client (morpheus), and have an ipfw rule in my ipfw ruleset that keeps all established traffic through port 3389 on the router box from terminating when fwknop closes the port again. The whole point is to open the port only when needed, for a very short duration (maybe 20 or 30 seconds) and close it off again so that way the port isn't open 'all the time.'  I was just wondering if it's technically possible to port forward the fwknop port with natd to accomplish my goal.  Also I could open up some strange port like port 5000 as in the previous example on the local machine with fwknop and port forward it to port 3389 on my internal server2k8 box to eliminate the 15-30 seconds of the connection being open unless fwknop opens the port only for the public ip I'm using to connect to my network.  In any event, what I want to know is if it's possible to do what I want to do.
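As an added illustration of the layout drunkenmidget describes (the redirect sits permanently in natd.conf, and only the rule that admits a new connection comes and goes), written for this thread rather than taken from it or from the fwknop project. The interface name em0, the address 192.168.0.10 for the Server 2008 box, the rule numbers and the 1000-1999 slot reserved for fwknopd are all assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the fwknop project): the "latent" natd
# redirect plus the ipfw rules around it. Assumed names: em0 is the external
# interface, 192.168.0.10 is the Server 2008 box. fwcmd follows the
# /etc/rc.firewall convention; run with "apply" on the router to load the rules.
fwcmd="${FWCMD:-/sbin/ipfw}"
ext_if="em0"
rdp_host="192.168.0.10"

# Contents of /etc/natd.conf. The redirect is always present but harmless on
# its own: a packet to router:3389 is rewritten to rdp_host:3389 and then
# still has to pass the ipfw rules below.
natd_conf() {
    cat <<EOF
interface ${ext_if}
use_sockets yes
same_ports yes
redirect_port tcp ${rdp_host}:3389 3389
EOF
}

# ipfw rule set. The divert rule comes first so every later rule sees the
# translated (internal) destination address, not the router's public one.
install_rules() {
    ${fwcmd} -q -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 divert natd ip from any to any via ${ext_if}
    # Established-only traffic passes permanently. This is what keeps a running
    # RDP session alive after fwknopd has removed its short-lived rule: packets
    # with ACK or RST set match, a new SYN never does. Caveat: an ACK probe to
    # rdp_host:3389 also passes and is answered with a RST, so it is not invisible.
    ${fwcmd} add 300 allow tcp from any to any established
    # Rules 1000-1999 are left free for the rule fwknopd adds after a valid SPA
    # packet (assumption: check the IPFW_* settings in fwknopd.conf and that the
    # rule it builds matches the translated destination rdp_host, not "me").
    # Any SYN to the RDP box that fwknopd did not open is logged and dropped.
    ${fwcmd} add 2000 deny log tcp from any to ${rdp_host} 3389 setup in via ${ext_if}
    ${fwcmd} add 3000 allow ip from any to any out via ${ext_if}
    # UDP/ICMP return traffic for the rest of the LAN is omitted here.
    ${fwcmd} add 65000 deny log ip from any to any
}

if [ "${1:-}" = "apply" ]; then
    natd_conf > /etc/natd.conf
    install_rules
fi
```

Running it with FWCMD=echo prints the rule set instead of loading it, which is a convenient way to review the ordering before touching the router.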


----------



## SirDice (Jul 18, 2011)

The port won't be open 'all the time'. The port is only available when you use PuTTY and use SSH port forwarding. And even then it's only available to you.

The only port that needs opening is SSH (port 22). That's much safer than opening RDP (port 3389) to the world.

In PuTTY, under SSH -> Forwarding, add port 8839 and point it to the server you need to access. Then connect with PuTTY. Once the connection is established, open Terminal Server Client and connect to localhost:3389. SSH/PuTTY will do the rest.


----------

