Date: Thu, 16 Nov 2017 21:53:21 -0500
From: Chris Gordon <freebsd@theory14.net>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: javocado <javocado@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: IPFW: Why can I add port numbers to established and what does that do ?
Message-ID: <4C321B9B-EFA1-411C-8DDB-2399FBCFF4AC@theory14.net>
In-Reply-To: <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
References: <CAP1HOmQEKgocsejRHOMEfb-Ghzev%2BDuQiZ5OwYcQLktfu0xvDQ@mail.gmail.com> <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
> On Nov 16, 2017, at 3:01 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>
> On 11/16/2017 01:29 PM, javocado wrote:
>>
>
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
>
> If you are running an ssh *client*, you need to first allow access *out*
> via port 22 to get to the remote servers. Thereafter - as you suggest -
> the server and client rendezvous and establish a permanent connection on
> another port (and the server goes back to listening on 22).

No, that is not how this works. There is no renegotiation of ports. A "connection" is identified by:

- Source Address
- Source Port
- Destination Address
- Destination Port
- Protocol

Though source and destination are relative to the client and server, these values don't change over the life of the connection.

Let's assume the following:

- Client is on 192.168.10.2
- Client wants to connect to sshd (so we know this is tcp and on port 22 by default) on Server at 10.1.1.1

The client then sends packets with a source of 192.168.10.2:"ephemeral port"/tcp to a destination of 10.1.1.1:22/tcp. The server replies to the client with a source of 10.1.1.1:22/tcp and a destination of 192.168.10.2:"same ephemeral port that the client used"/tcp. This goes on until the "session" is over and the entire connection gets torn down, typically either from one side initiating a FIN or a RESET.

The "ephemeral port" is some port number, typically high in the range of possible ports, that is randomly chosen for each connection and it stays the same for each connection. It is this tuple of source and destination address and protocols that defines a connection and allows the multiple connections to a server to occur. Take a look at the net.inet.ip.portrange.* sysctl's for the ranges used here.

You can fire up tcpdump (or wireshark or similar tool) and watch the traffic to validate that this is how things work.

When you talk about negotiating different ports, you may be thinking of something like FTP where you initially establish a control connection and then when data is to be transferred an entirely new connection is created, in parallel with the control channel, to transfer the data. This data connection is an entirely new connection and obeys the same rules as above. The tricky and confusing part for FTP is if it's "active" or "passive" meaning which end establishes the data connection. IRC's DCC and certain protocols that use portmapper are similar in that they create additional/new connections following an initial connection. ssh (and http, etc) does NOT do this.

As for the original question about the purpose of "established" in ipfw syntax, I don't use ipfw so I don't know without some further reading of the man pages and handbook.

> So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.

An established session means the ports ARE all known.

Hope this helps some.

Chris
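As an added example (not part of the post above), the tcpdump check Chris suggests, done in Python over a few constructed `tcpdump -n` style lines: packets are grouped by their direction-independent 5-tuple, which shows the client's ephemeral port and the server's port 22 staying fixed in both directions for the whole session. The addresses are the ones from the post; the ephemeral ports 51234 and 51235 are made up.

```python
"""Group tcpdump-style TCP lines by their 5-tuple (added example)."""
import re

# Constructed sample in the format `tcpdump -n` prints for TCP. The addresses
# are the ones from the post; the ephemeral ports 51234/51235 are made up.
SAMPLE = """\
12:00:00.000001 IP 192.168.10.2.51234 > 10.1.1.1.22: Flags [S], seq 1, length 0
12:00:00.000100 IP 10.1.1.1.22 > 192.168.10.2.51234: Flags [S.], seq 2, ack 2, length 0
12:00:00.000200 IP 192.168.10.2.51234 > 10.1.1.1.22: Flags [.], ack 3, length 0
12:00:00.001000 IP 192.168.10.2.51234 > 10.1.1.1.22: Flags [P.], seq 2:23, ack 3, length 21
12:00:00.001100 IP 10.1.1.1.22 > 192.168.10.2.51234: Flags [P.], seq 3:24, ack 23, length 21
12:00:05.000000 IP 192.168.10.2.51235 > 10.1.1.1.22: Flags [S], seq 9, length 0
12:00:09.000000 IP 192.168.10.2.51234 > 10.1.1.1.22: Flags [F.], seq 23, ack 24, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags), or None if not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["flags"]

def connection_key(sip, sport, dip, dport, proto="tcp"):
    """Direction-independent 5-tuple, so both directions map to one connection."""
    return (proto,) + tuple(sorted([(sip, sport), (dip, dport)]))

def track(text):
    """Group packets by connection; client = endpoint that sent the first packet."""
    conns = {}
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue  # non-TCP or unparsable line
        sip, sport, dip, dport, flags = p
        key = connection_key(sip, sport, dip, dport)
        c = conns.setdefault(key, {"client": (sip, sport), "server": (dip, dport),
                                   "packets": 0, "fin_seen": False})
        c["packets"] += 1
        if "F" in flags:  # one side started tearing the connection down
            c["fin_seen"] = True
    return conns
```

Running `track(SAMPLE)` yields two connections, both to 10.1.1.1:22, each tied to one unchanging client port; the FIN on the first one is the teardown the post describes.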