From: dfolkins <dfolkins@comcast.net>
Date: Thu, 19 Sep 2002 01:14:10 -0400
Subject: Re: ipfw rulesets
To: Incoming Mail List , questions@freebsd.org
Message-id: <001101c25f9b$63452280$0a00a8c0@groovy3xp>
References: <200209190424.AAA02137@whoweb.com>

> > a return packet is like this "FROM any port 23 TO any
> > host [certain port range]". notice that this return packet is not going to
> > be let through by the firewall, and therefore you will not be able to get
> > the telnet session going.
>
> I tried this and it worked. Is there a reason you didn't think it would?
>
>     allow tcp from any to any 23
>     allow tcp from any 23 to any

These two rules should work and allow you to make a TCP connection, just as you say. I actually said that this _would_ work.

> That led me to replacing the above rules with the following single rule,
> which did not work. But I don't know why. Can you explain?
>
>     allow tcp from any 23 to any 23

Yes, I can. :) The reason this doesn't work is that a telnet connection is not between your host [port 23] and the server host [port 23]. It is actually between your host [random port number between 1024 and 65535] and the server host [port 23].

For example, imagine that for a particular telnet connection your system chose to use port 4000. Then the packets being exchanged on that connection would be of two types:

    from your host port 4000 TO server port 23
    from server port 23 TO your host port 4000

There are actually NO packets that go from your host port 23 to server port 23 or vice versa, so the rule "allow tcp from any 23 to any 23" does not allow any real telnet session packets.

What your two-rule ipfw setup should actually be saying is:

    allow tcp from any 1024-65535 to any 23
    allow tcp from any 23 to any 1024-65535

> When a remote host attempts to make a telnet connection on my host,
> isn't it classified as coming from port 23 on the remote host?

Just to make sure I am getting this across: no. It is actually coming NOT from port 23 but from a random port between 1024 and 65535.

I hope this cleared it up for you? I know it's pretty confusing for someone who has not dealt with this before, but once you see how it works it's pretty logical.

--
dfolkins
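As an added example (not part of the thread), the following Python simulator applies first-match, default-deny matching to the ipfw-style rules quoted in the message and shows which packets of a telnet session each ruleset actually lets through. The rule grammar subset, the sample addresses and the ephemeral port 4000 are assumptions of the example, not ipfw itself.

```python
import re

# Supported rule shape (assumed subset): allow tcp from <host> [<port>] to <host> [<port>]
RULE_RE = re.compile(r"^allow tcp from (\S+)(?: (\S+))? to (\S+)(?: (\S+))?$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule shape: %r" % text)
    src, sport, dst, dport = m.groups()
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def _host_matches(spec, addr):
    return spec == "any" or spec == addr

def _port_matches(spec, port):
    """spec is None (port omitted = any port), 'N', or 'LO-HI' as in ipfw syntax."""
    if spec is None:
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

def allowed(rules, pkt):
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for r in rules:
        if (_host_matches(r["src"], pkt["src"]) and _port_matches(r["sport"], pkt["sport"])
                and _host_matches(r["dst"], pkt["dst"]) and _port_matches(r["dport"], pkt["dport"])):
            return True
    return False

def telnet_session_packets(client="10.0.0.5", server="10.0.0.9", client_port=4000):
    """Both directions of one telnet session (constructed sample addresses): only the
    server side uses port 23; the client side uses an ephemeral port, 4000 by default."""
    return [
        {"src": client, "sport": client_port, "dst": server, "dport": 23},
        {"src": server, "sport": 23, "dst": client, "dport": client_port},
    ]

def session_passes(ruleset_text, **session):
    """True only if every packet of the session is allowed by the ruleset."""
    rules = [parse_rule(line) for line in ruleset_text.strip().splitlines()]
    return all(allowed(rules, p) for p in telnet_session_packets(**session))

SINGLE_RULE = "allow tcp from any 23 to any 23"  # matches no real telnet packet
TWO_RULES = """allow tcp from any 1024-65535 to any 23
allow tcp from any 23 to any 1024-65535"""
```

Calling `session_passes(TWO_RULES, client_port=80)` also shows the cost of the explicit 1024-65535 range: a client that picked a source port below 1024 would be blocked by these rules.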