Date: Thu, 16 Nov 2017 16:07:47 -0800
From: javocado <javocado@gmail.com>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW: Why can I add port numbers to established and what does that do ?
Message-ID: <CAP1HOmR4a59Z0_NT6g8N8u2r5zoa1f1YPEJCZmGysCtHY=hvdA@mail.gmail.com>
In-Reply-To: <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
References: <CAP1HOmQEKgocsejRHOMEfb-Ghzev%2BDuQiZ5OwYcQLktfu0xvDQ@mail.gmail.com> <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
I think you misunderstand what I am asking - you have explained why an
"established" rule is needed in the ruleset. You are correct and it is
something (an established rule) that I always use.

What I am saying is: I just noticed that you can specify a port number in
the established rule:

    allow tcp from any to any 22 established

... which I don't understand. In fact, I think it is a bug, but I am asking
to make sure. It doesn't seem like specifying a port in the established
rule makes any sense ...

On Thu, Nov 16, 2017 at 12:01 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
> On 11/16/2017 01:29 PM, javocado wrote:
> > Almost every single ipfw ruleset I create has this as the very first
> > rule:
> >
> > allow tcp from any to any established
> >
> > ... and I just noticed that ipfw allows me to specify a port on this
> > rule:
> >
> > allow tcp from any to any 22 established
> >
> > If I create a new connection to port 22, I need a rule to allow port 22
> > traffic out:
> >
> > allow tcp from any to any 22
> >
> > ... but once that connection is established, doesn't the client begin
> > talking to the server on an ephemeral port (not 22) that isn't
> > predictable ?
> >
> > Why would it ever make sense to specify a port on established ?
>
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
>
> If you are running an ssh *client*, you need to first allow access *out*
> via port 22 to get to the remote servers. Thereafter - as you suggest -
> the server and client rendezvous and establish a permanent connection on
> another port (and the server goes back to listening on 22). So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.
>
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAP1HOmR4a59Z0_NT6g8N8u2r5zoa1f1YPEJCZmGysCtHY=hvdA>
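The thread's question is what a destination port on an `established` rule actually matches. In ipfw, `established` is a stateless flag check: it matches TCP packets that carry the ACK or RST bit (so anything except the bare SYN that opens a connection), and `to any 22` restricts the match to packets whose *destination* port is 22. The following toy model is an added example, not code from the thread or from ipfw itself; it walks a constructed SSH client handshake through two rulesets and shows that `allow tcp from any to any 22 established` passes only the client-to-server half of the session, while the server's replies to the client's ephemeral port fall through to the default deny. The packet addresses, ports and the simplified first-match evaluation are assumptions made for the example.

```python
"""Toy model of ipfw 'established' with and without a destination port.

Added example (not from the mailing-list thread). It models only the
pieces the thread discusses: first-match rule evaluation, a destination
port constraint, and ipfw's 'established' (TCP packet with ACK or RST
set). Everything else about ipfw is deliberately left out.
"""
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as laid out in the TCP header.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    """One 'allow tcp from any to any [dport] [established]' rule."""
    action: str
    dport: Optional[int] = None   # None models 'any'
    established: bool = False     # ipfw: ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & (ACK | RST)):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; fall through to the default deny
    (assumed to model ipfw's final deny rule)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def trace(rules: List[Rule], flow: List[Packet]) -> List[str]:
    return [evaluate(rules, p) for p in flow]


# Constructed SSH client session: client 10.0.0.5:51234 -> server 203.0.113.7:22.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
SSH_FLOW = [
    Packet(CLIENT, 51234, SERVER, 22, SYN),          # client opens
    Packet(SERVER, 22, CLIENT, 51234, SYN | ACK),    # server answers
    Packet(CLIENT, 51234, SERVER, 22, ACK),          # handshake completes
    Packet(SERVER, 22, CLIENT, 51234, ACK),          # server banner/data
]

# Ruleset from the question: port on the established rule.
PORT_ON_ESTABLISHED = [
    Rule("allow", dport=22, established=True),  # allow tcp from any to any 22 established
    Rule("allow", dport=22),                    # allow tcp from any to any 22
]

# Conventional ruleset: established first, no port.
ESTABLISHED_ANY = [
    Rule("allow", established=True),            # allow tcp from any to any established
    Rule("allow", dport=22),                    # allow tcp from any to any 22
]

if __name__ == "__main__":
    for name, rs in (("port on established", PORT_ON_ESTABLISHED),
                     ("established any", ESTABLISHED_ANY)):
        print(name, trace(rs, SSH_FLOW))
```

With the port on the `established` rule, only the client's packets to port 22 pass; the server's SYN/ACK and data to port 51234 match neither rule and are dropped, which is the ephemeral-port problem the original question raises. Without the port, every non-SYN packet in either direction passes. Note that `established` inspects flags only; it does not check that a SYN was ever seen, which is what `keep-state`/`check-state` rules are for.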