Date:      Thu, 19 Sep 2002 01:14:10 -0400
From:      dfolkins <dfolkins@comcast.net>
To:        Incoming Mail List <mailist@whoweb.com>, questions@freebsd.org
Subject:   Re: ipfw rulesets
Message-ID:  <001101c25f9b$63452280$0a00a8c0@groovy3xp>
References:  <200209190424.AAA02137@whoweb.com>

> >a return packet is like this "FROM any port 23 TO any
> >host [certain port range]".  notice that this return packet is not going to
> >be let through by the firewall, and therefore you will not be able to get
> >the telnet session going.
>
> I tried this and it worked.  Is there a reason you didn't think it would?
>    allow tcp from any to any 23
>    allow tcp from any 23 to any
>
these two rules should work and allow you to make a tcp connection, just as
you say.  i actually said that this _would_ work.
>
> That led me to replacing the above rules with the following single rule,
> which did not work.  But I don't know why.  Can you explain?
>    allow tcp from any 23 to any 23
>
yes, i can. :)  the reason this doesn't work is that a telnet connection is
not between your host [port 23] and server host [port 23].  it is actually
between your host [random port number between 1024 and 65535] and server
host [port 23].  for example, imagine that for a particular telnet
connection your system chose to use port 4000.  then the packets being
exchanged on that connection would be of two types:

from your host port 4000 TO server port 23
and
from server port 23 TO your host port 4000

there are actually NO packets that go from your host port 23 to server port
23 or vice versa, so the rule "allow tcp from any 23 to any 23" does not
allow any real telnet session packets.  what your two-rule ipfw setup should
actually be saying is:

allow tcp from any 1024-65535 to any 23
allow tcp from any 23 to any 1024-65535

>
> When a remote host attempts to make a telnet connection on my host,
> isn't it classified as coming from port 23 on the remote host?

just to make sure i am getting this across, no.  it is actually coming NOT
from port 23 but from a random port between 1024 and 65535.

i hope this cleared it up for you?  i know it's pretty confusing for someone
who has not dealt with this before, but once you see how it works it's pretty
logical.

--
dfolkins
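To see which of the rulesets discussed in this thread actually match the two packet directions of a telnet session, here is a small rule matcher written for this page (an added example, not code from the original mail or from ipfw itself). It handles only the `allow tcp from any [port] to any [port]` subset used above, ignores host addresses, and assumes a default-deny policy for packets no rule matches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


def _parse_port(tok):
    # "23" -> 23, "1024-65535" -> (1024, 65535)
    if "-" in tok:
        lo, hi = tok.split("-", 1)
        return (int(lo), int(hi))
    return int(tok)


def _port_matches(spec, port):
    if spec is None:                      # rule gives no port: any port matches
        return True
    if isinstance(spec, tuple):           # inclusive range
        return spec[0] <= port <= spec[1]
    return spec == port


def parse_rule(text):
    # Subset of ipfw syntax: ACTION PROTO from HOST [PORT] to HOST [PORT].
    # Hosts are accepted but ignored (the thread only uses "any").
    tok = text.split()
    if len(tok) < 6 or tok[2] != "from":
        raise ValueError(f"unsupported rule: {text!r}")
    if tok[4] == "to":
        src_port, i = None, 4
    elif len(tok) > 5 and tok[5] == "to":
        src_port, i = _parse_port(tok[4]), 5
    else:
        raise ValueError(f"unsupported rule: {text!r}")
    if len(tok) not in (i + 2, i + 3):
        raise ValueError(f"unsupported rule: {text!r}")
    dst_port = _parse_port(tok[i + 2]) if len(tok) == i + 3 else None
    return (tok[0], tok[1], src_port, dst_port)


def verdict(rules, pkt):
    # First matching rule wins; "deny" if nothing matches (assumed default policy).
    for action, proto, sp, dp in rules:
        if proto in ("ip", pkt.proto) and _port_matches(sp, pkt.src_port) \
                and _port_matches(dp, pkt.dst_port):
            return action
    return "deny"


def session_verdicts(rule_texts, client_port=4000):
    # The two packet types of one telnet session: client:4000 <-> server:23.
    rules = [parse_rule(r) for r in rule_texts]
    outbound = Packet("tcp", client_port, 23)   # your host 4000 -> server 23
    inbound = Packet("tcp", 23, client_port)    # server 23 -> your host 4000
    return (verdict(rules, outbound), verdict(rules, inbound))
```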

