From owner-freebsd-questions@freebsd.org Thu Nov 16 19:29:31 2017
From: javocado
Date: Thu, 16 Nov 2017 11:29:29 -0800
Subject: IPFW: Why can I add port numbers to established and what does that do ?
To: freebsd-questions@freebsd.org
List-Id: User questions

Almost every single ipfw ruleset I create has this as the very first rule:

    allow tcp from any to any established

... and I just noticed that ipfw allows me to specify a port on this rule:

    allow tcp from any to any 22 established

If I create a new connection to port 22, I need a rule to allow port 22 traffic out:

    allow tcp from any to any 22

... but once that connection is established, doesn't the client begin talking to the server on an ephemeral port (not 22) that isn't predictable? Why would it ever make sense to specify a port on established?
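As an added example (not part of the original post, and not FreeBSD's own code), the Python model below applies the semantics documented in ipfw(8) to the two rulesets from the question: `established` matches TCP packets that have the RST or ACK flag set, and a port written after the destination address is a destination-port match. It is a deliberate simplification: first-match evaluation, no in/out or interface qualifiers, a default deny when nothing matches, and only the rule-text subset used in the post is parsed. The SSH session from ephemeral port 50000 to port 22 is a constructed sample.

```python
"""Toy model of ipfw rule matching for the `established` keyword.

Added example, not code from the mailing-list post or from FreeBSD.
Assumed semantics (from ipfw(8)): `established` matches TCP packets
with the RST or ACK flag set; a port after the destination address
restricts the destination port. Direction (in/out) is ignored.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    sport: Optional[int] = None  # port after the source address; None = any
    dport: Optional[int] = None  # port after the destination address; None = any
    established: bool = False    # `established` keyword present

    def matches(self, pkt: Packet) -> bool:
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # ipfw(8): established = RST or ACK set, so a bare SYN never matches.
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse '<action> tcp|ip from <src> [port] to <dst> [port] [established]'."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    if proto not in ("tcp", "ip") or tok[2] != "from":
        raise ValueError(f"unsupported rule: {text!r}")
    i = 4  # skip 'from <src>'
    sport = None
    if tok[i].isdigit():
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError(f"unsupported rule: {text!r}")
    i += 2  # skip 'to <dst>'
    dport = None
    if i < len(tok) and tok[i].isdigit():
        dport, i = int(tok[i]), i + 1
    return Rule(action, sport, dport, "established" in tok[i:])


def first_match(ruleset: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule (ipfw is first-match)."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # no match: this model assumes default deny


# Constructed sample: an SSH session from ephemeral port 50000 to server port 22.
SESSION: Dict[str, Packet] = {
    "client SYN":      Packet(50000, 22, frozenset({"SYN"})),
    "server SYN/ACK":  Packet(22, 50000, frozenset({"SYN", "ACK"})),
    "client data ACK": Packet(50000, 22, frozenset({"ACK"})),
    "server data ACK": Packet(22, 50000, frozenset({"ACK"})),
}


def verdicts(rule_texts: List[str]) -> Dict[str, str]:
    """Run every packet of the sample session through a ruleset."""
    ruleset = [parse_rule(t) for t in rule_texts]
    return {name: first_match(ruleset, pkt) for name, pkt in SESSION.items()}


# The two rulesets from the question, each closed by an explicit deny.
UNQUALIFIED = ["allow tcp from any to any established",
               "allow tcp from any to any 22",
               "deny ip from any to any"]
PORT_QUALIFIED = ["allow tcp from any to any 22 established",
                  "allow tcp from any to any 22",
                  "deny ip from any to any"]

if __name__ == "__main__":
    for label, rs in (("unqualified", UNQUALIFIED), ("port-qualified", PORT_QUALIFIED)):
        print(label)
        for name, verdict in verdicts(rs).items():
            print(f"  {name:16} -> {verdict}")
```

Under this model the ephemeral port ends up in the source field of client-to-server packets and in the destination field of the server's replies, so `allow tcp from any to any 22 established` only ever matches the client-to-server half of the session; the server's ACK-bearing replies fall through to the deny. That is the behaviour to check for (for instance with `ipfw show` counters on the deny rule) before narrowing an `established` rule by port.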