From owner-freebsd-questions@freebsd.org  Fri Nov 17 02:59:59 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DB15FDB8186
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Fri, 17 Nov 2017 02:59:59 +0000 (UTC)
 (envelope-from freebsd@theory14.net)
Received: from bacon.theory14.net (bacon.theory14.net [45.55.200.27])
 by mx1.freebsd.org (Postfix) with ESMTP id 9B3BF76C69
 for <freebsd-questions@freebsd.org>; Fri, 17 Nov 2017 02:59:59 +0000 (UTC)
 (envelope-from freebsd@theory14.net)
Received: from remote.theory14.net (remote.theory14.net [173.79.116.36])
 by bacon.theory14.net (Postfix) with ESMTPSA id E1736125F10;
 Thu, 16 Nov 2017 21:53:21 -0500 (EST)
Received: from anubis.int.theory14.net (anubis.int.theory14.net
 [192.168.10.50])
 by remote.theory14.net (Postfix) with ESMTPS id A5502BAA7;
 Thu, 16 Nov 2017 21:53:21 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Subject: Re: IPFW: Why can I add port numbers to established and what does
 that do ?
From: Chris Gordon <freebsd@theory14.net>
In-Reply-To: <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
Date: Thu, 16 Nov 2017 21:53:21 -0500
Cc: javocado <javocado@gmail.com>,
 freebsd-questions@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4C321B9B-EFA1-411C-8DDB-2399FBCFF4AC@theory14.net>
References: <CAP1HOmQEKgocsejRHOMEfb-Ghzev+DuQiZ5OwYcQLktfu0xvDQ@mail.gmail.com>
 <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
To: Tim Daneliuk <tundra@tundraware.com>
X-Mailer: Apple Mail (2.3124)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 02:59:59 -0000


> On Nov 16, 2017, at 3:01 PM, Tim Daneliuk <tundra@tundraware.com> =
wrote:
>=20
> On 11/16/2017 01:29 PM, javocado wrote:
>>=20
>=20
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
>=20
> If you are running an ssh *client*, you need to first allow access =
*out*
> via port 22 to get to the remote servers.  Thereafter - as you suggest =
-
> the server and client rendezvous and establish a permanent connection =
on
> another port (and the server goes back to listening on 22). =20

No, that is not how this work.  There is no renegotiation of ports.  A =
=E2=80=9Cconnection=E2=80=9D is identified by:
- Source Address
- Source Port
- Destination Address
- Destination Port
- Protocol

Though source and destination are relative to the client and server, =
these values don=E2=80=99t change over the life of the connection.

Let=E2=80=99s assume the following:
- Client is on 192.168.10.2
- Client wants to connect to sshd (so we know this is tcp and on port 22 =
by default) on Server at 10.1.1.1

The client then sends packets with a source of 192.168.10.2:=E2=80=9Dephem=
eral port"/tcp to a destination of 10.1.1.1:22/tcp.  The server replies =
to the client with a source of 10.1.1.1:22/tcp and a destination of =
192.168.10.2:=E2=80=9Dsame ephemeral port that the client used=E2=80=9D/tc=
p.  This goes on until the =E2=80=9Csession=E2=80=9D is over and the =
entire connection gets torn down, typically either from one side =
initiating a FIN or a RESET.

The =E2=80=9Cephemeral port=E2=80=9D is some port number, typically high =
in the range of possible ports, that is randomly chosen for each =
connection and it stays the same for each connection.  It is this tuple =
of source and destination address and protocols that defines a =
connection and allows the multiple connections to a server to occur.  =
Take a look at the net.inet.ip.portrange.* sysctl=E2=80=99s for the =
ranges used here.

You can fire up tcpdump (or wireshark or similar tool) and watch the =
traffic to validate that this is how things work.

When you talk about negotiating different ports, you may be thinking of =
something like FTP where you initially establish a control connection =
and then when data is to be transferred and entirely new connection is =
created, in parallel with the control channel, to transfer the data.  =
This data connection is an entirely new connection and obeys the same =
rules as above.  The tricky and confusing part for FTP is if it=E2=80=99s =
=E2=80=9Cactive=E2=80=9D or =E2=80=9Cpassive=E2=80=9D meaning which end =
establishes the data connection.  IRC=E2=80=99s DCC and certain =
protocols that use portmapper are similar in that they create =
additional/new connections following an initial connection.  ssh (and =
http, etc) does NOT do this.

As for the original question about the purpose of =E2=80=9Cestablished=E2=80=
=9D in ipfw syntax, I don=E2=80=99t use ipfw so I don=E2=80=99t know =
without some further reading of the man pages and handbook.

> So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.

An established session means the ports ARE all known.=20

Hope this helps some.

Chris=