Summary: fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Any service that is concealed by SPA naturally cannot be scanned for with Nmap. The fwknop project supports three different firewalls: iptables on Linux systems, pf on OpenBSD, and ipfw on FreeBSD and Mac OS X.