Subject: Re: IPFW: Why can I add port numbers to established and what does that do ?
From: Chris Gordon
Date: Thu, 16 Nov 2017 21:53:21 -0500
To: Tim Daneliuk
Cc: javocado, freebsd-questions@freebsd.org
Message-Id: <4C321B9B-EFA1-411C-8DDB-2399FBCFF4AC@theory14.net>

> On Nov 16, 2017, at 3:01 PM, Tim Daneliuk wrote:
>
> On 11/16/2017 01:29 PM, javocado wrote:
>>
>
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
>
> If you are running an ssh *client*, you need to first allow access *out*
> via port 22 to get to the remote servers. Thereafter - as you suggest -
> the server and client rendezvous and establish a permanent connection on
> another port (and the server goes back to listening on 22).

No, that is not how this works. There is no renegotiation of ports. A "connection" is identified by:

- Source Address
- Source Port
- Destination Address
- Destination Port
- Protocol

Though source and destination are relative to the client and server, these values don't change over the life of the connection.

Let's assume the following:

- Client is on 192.168.10.2
- Client wants to connect to sshd (so we know this is tcp and on port 22 by default) on Server at 10.1.1.1

The client then sends packets with a source of 192.168.10.2:"ephemeral port"/tcp to a destination of 10.1.1.1:22/tcp. The server replies to the client with a source of 10.1.1.1:22/tcp and a destination of 192.168.10.2:"same ephemeral port that the client used"/tcp. This goes on until the "session" is over and the entire connection gets torn down, typically either from one side initiating a FIN or a RESET.

The "ephemeral port" is some port number, typically high in the range of possible ports, that is randomly chosen for each connection and it stays the same for each connection. It is this tuple of source and destination address and protocols that defines a connection and allows the multiple connections to a server to occur. Take a look at the net.inet.ip.portrange.* sysctls for the ranges used here.

You can fire up tcpdump (or wireshark or similar tool) and watch the traffic to validate that this is how things work.

When you talk about negotiating different ports, you may be thinking of something like FTP where you initially establish a control connection and then when data is to be transferred an entirely new connection is created, in parallel with the control channel, to transfer the data. This data connection is an entirely new connection and obeys the same rules as above. The tricky and confusing part for FTP is if it's "active" or "passive" meaning which end establishes the data connection. IRC's DCC and certain protocols that use portmapper are similar in that they create additional/new connections following an initial connection. ssh (and http, etc) does NOT do this.

As for the original question about the purpose of "established" in ipfw syntax, I don't use ipfw so I don't know without some further reading of the man pages and handbook.

> So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.

An established session means the ports ARE all known.

Hope this helps some.

Chris
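As an added illustration (not part of Chris's mail or of anything posted on the list), the Python below groups constructed packets by their 5-tuple the way the mail describes: the whole ssh session collapses to one connection whichever side you look at it from, while active-mode FTP produces a second, separate connection. The addresses are the ones from the mail; the ephemeral ports, the flag strings and the is_established helper, which mirrors the ipfw(8) definition of "established" as a TCP packet with the ACK or RST bit set, are my own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flag letters as tcpdump prints them: S, A, P, F, R

def conn_key(p):
    """Canonical 5-tuple: packets in either direction map to one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def group_connections(packets):
    """Bucket packets by connection; len() of the result is the connection count."""
    conns = defaultdict(list)
    for p in packets:
        conns[conn_key(p)].append(p)
    return dict(conns)

def is_established(p):
    """ipfw(8) 'established': TCP packet with RST or ACK set, i.e. everything but the first SYN."""
    return p.proto == "tcp" and ("A" in p.flags or "R" in p.flags)

# Constructed sample traffic using the addresses from the mail; ports 51234/51235/51300 are made up.
CLIENT, SERVER, EPHEMERAL = "192.168.10.2", "10.1.1.1", 51234

SSH_SESSION = [  # handshake, data both ways, FIN teardown: the same 5-tuple throughout
    Packet(CLIENT, EPHEMERAL, SERVER, 22, "tcp", "S"),
    Packet(SERVER, 22, CLIENT, EPHEMERAL, "tcp", "SA"),
    Packet(CLIENT, EPHEMERAL, SERVER, 22, "tcp", "A"),
    Packet(CLIENT, EPHEMERAL, SERVER, 22, "tcp", "PA"),
    Packet(SERVER, 22, CLIENT, EPHEMERAL, "tcp", "PA"),
    Packet(CLIENT, EPHEMERAL, SERVER, 22, "tcp", "FA"),
    Packet(SERVER, 22, CLIENT, EPHEMERAL, "tcp", "FA"),
]

FTP_ACTIVE = [  # control channel to port 21, then the *server* opens a second connection
    Packet(CLIENT, 51235, SERVER, 21, "tcp", "S"),
    Packet(SERVER, 21, CLIENT, 51235, "tcp", "SA"),
    Packet(CLIENT, 51235, SERVER, 21, "tcp", "A"),
    Packet(SERVER, 20, CLIENT, 51300, "tcp", "S"),   # data connection: new 5-tuple, new SYN
    Packet(CLIENT, 51300, SERVER, 20, "tcp", "SA"),
    Packet(SERVER, 20, CLIENT, 51300, "tcp", "A"),
]
```

Running group_connections over SSH_SESSION yields one connection and over FTP_ACTIVE two; only the two SYN packets fail is_established, which is why a rule carrying "established" together with a port still cannot let a new connection in.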