Projects / fwknop


fwknop implements an authorization scheme called Single Packet Authorization that requires only a single encrypted packet to communicate various pieces of information, including desired access through an iptables, ipfw, or pf firewall policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap. Also supported is a robust port knocking implementation based around iptables log messages.

Operating Systems

Recent releases

  •  29 Apr 2014 02:30

    Release Notes: A double free bug in the libfko SPA parser discovered with a new Python SPA payload fuzzer was fixed.

    •  14 Apr 2014 01:23

      Release Notes: When SPA packets are built with GnuPG, the fwknopd daemon now requires a valid GnuPG signature by default, and a new variable GPG_DISABLE_SIG was added for backwards compatibility (but using this is not a recommended configuration). A bug was fixed in fwknopd for a memory in SPA packet decryption when GnuPG is used. A new code coverage mode was added to the test suite to interface with the 'lcov' tool. Several other minor bugs were fixed.

      •  13 Jan 2014 04:49

        Release Notes: This release adds HMAC support to the Android client, adds an AppArmor policy for the fwknop daemon, adds support for building on Mac OS X "Mavericks", and adds a new Valgrind test mode via the CPAN Test::Valgrind module. A few bugs were fixed with dealing with GnuPG encryption modes in the fwknopd daemon, and the fwknop project has a Coverity defect score of zero.

        •  27 Jul 2013 17:48

          Release Notes: A bugfix in the fwknop client to reset terminal settings to orignal values after entering keys via stdin. A bugfix in the fwknopd daemon to not print a PID file existence warning. A test suite bugfix to not run an iptables Rijndael HMAC test on non-Linux systems.

          •  20 Jul 2013 02:07

            Release Notes: This release added support for HMAC SHA-256 authenticated encryption in the encrypt-then-authenticate model. Many bugs discovered by the Coverity static analyzer were fixed. OpenSSL compatibility tests were added to the test suite. Client stanza saving ability was added for the ~/.fwknoprc file, simplifying fwknop client usage. The ability to automatically generate both Rijndael and HMAC keys with --key-gen was added.

            Recent comments

            19 Nov 2007 17:50 michaelrash

            Re: Extra external IP source

            > You can use as IP source also the

            > following Webpage:





            Thanks, yes that page works great as an additional auto-resolution URL with the --URL option to the fwknop client.

            19 Nov 2007 09:39 aamoruso

            Extra external IP source
            You can use as IP source also the following Webpage:



            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.