Subject: Re: IPFW: Why can I add port numbers to established and what does that do ?
From: Chris Gordon
Date: Thu, 16 Nov 2017 22:36:55 -0500
To: Tim Daneliuk
Cc: javocado, freebsd-questions@freebsd.org

Tim,

I think we are talking past each other a little bit.

> On Nov 16, 2017, at 10:03 PM, Tim Daneliuk wrote:
>
> On 11/16/2017 08:53 PM, Chris Gordon wrote:
>> No, that is not how this works. There is no renegotiation of ports
>
> You missed my point entirely. Socket connections to services like
> sshd, sendmail, and so forth only rendezvous on the well known port.
> The server then fork-execs itself with the child going back to listen
> on the well known port

I agree, we're talking here about the behavior of accept(2), right? The forked process or new thread or whatever is created to handle the on-going "conversation".

> and the parent and client connecting at some
> ephemeral point. This happens ONCE at initial connection time.

I'm not sure I follow this. I don't know what you mean by "ephemeral point". The tuple defining a connection is established when the client sends the initiating SYN packet. The addresses, ports and protocol used from then on are set. Here's a quick dump of data to show this. I fired up tcpdump on 192.168.10.50 (client) and then made an ssh connection to 192.168.10.20 (server), ran ls, then terminated the ssh session. You'll see the ports don't change from the initiating SYN to the final ACK. In this case 64107/tcp is the ephemeral port used throughout the connection.

=== TCPDUMP on client ===
% sudo tcpdump -i en0 -nn host 192.168.10.20 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:17:23.669140 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [S], seq 3284314671, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 657309331 ecr 0,sackOK,eol], length 0
22:17:23.669438 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [S.], seq 598828752, ack 3284314672, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2684756759 ecr 657309331], length 0
22:17:23.669485 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1, win 7828, options [nop,nop,TS val 657309331 ecr 2684756759], length 0
22:17:23.669864 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 1:22, ack 1, win 7828, options [nop,nop,TS val 657309331 ecr 2684756759], length 21
22:17:23.684921 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1:39, ack 22, win 1026, options [nop,nop,TS val 2684756774 ecr 657309331], length 38
22:17:23.684948 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 39, win 7827, options [nop,nop,TS val 657309346 ecr 2684756774], length 0
22:17:23.686071 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 22:1990, ack 39, win 7827, options [nop,nop,TS val 657309347 ecr 2684756774], length 1968
22:17:23.686418 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 1990, win 995, options [nop,nop,TS val 2684756775 ecr 657309347], length 0
22:17:23.686915 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 39:1079, ack 1990, win 995, options [nop,nop,TS val 2684756776 ecr 657309347], length 1040
22:17:23.686934 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1079, win 7794, options [nop,nop,TS val 657309347 ecr 2684756776], length 0
22:17:23.691433 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 1990:2038, ack 1079, win 7812, options [nop,nop,TS val 657309352 ecr 2684756776], length 48
22:17:23.706656 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1079:1359, ack 2038, win 1026, options [nop,nop,TS val 2684756796 ecr 657309352], length 280
22:17:23.706680 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1359, win 7803, options [nop,nop,TS val 657309367 ecr 2684756796], length 0
22:17:23.714353 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2038:2054, ack 1359, win 7812, options [nop,nop,TS val 657309374 ecr 2684756796], length 16
22:17:23.819091 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 2054, win 1026, options [nop,nop,TS val 2684756908 ecr 657309374], length 0
22:17:23.819162 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2054:2098, ack 1359, win 7812, options [nop,nop,TS val 657309478 ecr 2684756908], length 44
22:17:23.819583 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1359:1403, ack 2098, win 1026, options [nop,nop,TS val 2684756908 ecr 657309478], length 44
22:17:23.819617 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1403, win 7811, options [nop,nop,TS val 657309478 ecr 2684756908], length 0
22:17:23.819885 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2098:2166, ack 1403, win 7812, options [nop,nop,TS val 657309478 ecr 2684756908], length 68
22:17:23.823081 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1403:1471, ack 2166, win 1026, options [nop,nop,TS val 2684756912 ecr 657309478], length 68
22:17:23.823105 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1471, win 7810, options [nop,nop,TS val 657309481 ecr 2684756912], length 0
22:17:23.823160 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2166:2530, ack 1471, win 7812, options [nop,nop,TS val 657309481 ecr 2684756912], length 364
22:17:23.826830 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1471:1795, ack 2530, win 1026, options [nop,nop,TS val 2684756916 ecr 657309481], length 324
22:17:23.826913 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1795, win 7802, options [nop,nop,TS val 657309484 ecr 2684756916], length 0
22:17:23.829649 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2530:3174, ack 1795, win 7812, options [nop,nop,TS val 657309486 ecr 2684756916], length 644
22:17:23.833147 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1795:1823, ack 3174, win 1026, options [nop,nop,TS val 2684756922 ecr 657309486], length 28
22:17:23.833246 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1823, win 7811, options [nop,nop,TS val 657309489 ecr 2684756922], length 0
22:17:23.833476 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3174:3286, ack 1823, win 7812, options [nop,nop,TS val 657309489 ecr 2684756922], length 112
22:17:23.851323 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1823:2323, ack 3286, win 1026, options [nop,nop,TS val 2684756940 ecr 657309489], length 500
22:17:23.851380 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2323, win 7796, options [nop,nop,TS val 657309507 ecr 2684756940], length 0
22:17:23.851561 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2323:2367, ack 3286, win 1026, options [nop,nop,TS val 2684756941 ecr 657309507], length 44
22:17:23.851584 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2367, win 7811, options [nop,nop,TS val 657309507 ecr 2684756941], length 0
22:17:23.851708 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3286:3730, ack 2367, win 7812, options [nop,nop,TS val 657309507 ecr 2684756941], length 444
22:17:23.855062 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2367:2475, ack 3730, win 1026, options [nop,nop,TS val 2684756944 ecr 657309507], length 108
22:17:23.855124 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2475, win 7809, options [nop,nop,TS val 657309510 ecr 2684756944], length 0
22:17:23.855310 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2475:2583, ack 3730, win 1026, options [nop,nop,TS val 2684756944 ecr 657309510], length 108
22:17:23.855335 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2583, win 7809, options [nop,nop,TS val 657309510 ecr 2684756944], length 0
22:17:23.855565 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2583:2691, ack 3730, win 1026, options [nop,nop,TS val 2684756944 ecr 657309510], length 108
22:17:23.855602 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2691, win 7809, options [nop,nop,TS val 657309510 ecr 2684756944], length 0
22:17:23.918270 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2691:2735, ack 3730, win 1026, options [nop,nop,TS val 2684757007 ecr 657309510], length 44
22:17:23.918297 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2735, win 7811, options [nop,nop,TS val 657309572 ecr 2684757007], length 0
22:17:23.919521 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2735:2899, ack 3730, win 1026, options [nop,nop,TS val 2684757009 ecr 657309572], length 164
22:17:23.919545 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2899, win 7807, options [nop,nop,TS val 657309573 ecr 2684757009], length 0
22:17:23.942523 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2899:3055, ack 3730, win 1026, options [nop,nop,TS val 2684757031 ecr 657309573], length 156
22:17:23.942594 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3055, win 7807, options [nop,nop,TS val 657309596 ecr 2684757031], length 0
22:17:30.138663 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3730:3766, ack 3055, win 7812, options [nop,nop,TS val 657315731 ecr 2684757031], length 36
22:17:30.139462 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3055:3091, ack 3766, win 1026, options [nop,nop,TS val 2684763228 ecr 657315731], length 36
22:17:30.139552 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3091, win 7811, options [nop,nop,TS val 657315731 ecr 2684763228], length 0
22:17:30.242029 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3766:3802, ack 3091, win 7812, options [nop,nop,TS val 657315834 ecr 2684763228], length 36
22:17:30.242644 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3091:3135, ack 3802, win 1026, options [nop,nop,TS val 2684763332 ecr 657315834], length 44
22:17:30.242707 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3135, win 7811, options [nop,nop,TS val 657315834 ecr 2684763332], length 0
22:17:30.353697 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3802:3838, ack 3135, win 7812, options [nop,nop,TS val 657315944 ecr 2684763332], length 36
22:17:30.354568 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3135:3187, ack 3838, win 1026, options [nop,nop,TS val 2684763443 ecr 657315944], length 52
22:17:30.354624 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3187, win 7810, options [nop,nop,TS val 657315944 ecr 2684763443], length 0
22:17:30.359559 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3187:3287, ack 3838, win 1026, options [nop,nop,TS val 2684763448 ecr 657315944], length 100
22:17:30.359590 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3287, win 7809, options [nop,nop,TS val 657315949 ecr 2684763448], length 0
22:17:30.360055 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3287:3427, ack 3838, win 1026, options [nop,nop,TS val 2684763449 ecr 657315949], length 140
22:17:30.360057 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3427:3487, ack 3838, win 1026, options [nop,nop,TS val 2684763449 ecr 657315949], length 60
22:17:30.360083 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3427, win 7808, options [nop,nop,TS val 657315949 ecr 2684763449], length 0
22:17:30.360095 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3487, win 7806, options [nop,nop,TS val 657315949 ecr 2684763449], length 0
22:17:30.382790 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3487:3643, ack 3838, win 1026, options [nop,nop,TS val 2684763472 ecr 657315949], length 156
22:17:30.382815 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3643, win 7807, options [nop,nop,TS val 657315972 ecr 2684763472], length 0
22:17:32.162070 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3838:3874, ack 3643, win 7812, options [nop,nop,TS val 657317749 ecr 2684763472], length 36
22:17:32.162540 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3643:3695, ack 3874, win 1026, options [nop,nop,TS val 2684765252 ecr 657317749], length 52
22:17:32.162602 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3695, win 7810, options [nop,nop,TS val 657317749 ecr 2684765252], length 0
22:17:32.164784 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3695:3731, ack 3874, win 1026, options [nop,nop,TS val 2684765254 ecr 657317749], length 36
22:17:32.164810 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3731, win 7811, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.165283 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3731:3871, ack 3874, win 1026, options [nop,nop,TS val 2684765254 ecr 657317751], length 140
22:17:32.165308 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3871, win 7808, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.165450 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3874:3910, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 36
22:17:32.165480 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3910:3970, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 60
22:17:32.165524 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [F.], seq 3970, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.165795 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 3970, win 1025, options [nop,nop,TS val 2684765255 ecr 657317751], length 0
22:17:32.165796 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 3971, win 1026, options [nop,nop,TS val 2684765255 ecr 657317751], length 0
22:17:32.165826 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [F.], seq 3970, ack 3871, win 7812, options [nop,nop,TS val 657317752 ecr 2684765255], length 0
22:17:32.165838 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3871, win 7812, options [nop,nop,TS val 657317752 ecr 2684765255], length 0
22:17:32.166037 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 3971, win 1026, options [nop,nop,TS val 2684765255 ecr 657317751], length 0
22:17:32.166786 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [F.], seq 3871, ack 3971, win 1026, options [nop,nop,TS val 2684765256 ecr 657317752], length 0
22:17:32.166831 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3872, win 7812, options [nop,nop,TS val 657317752 ecr 2684765256], length 0

Here is the netstat output showing the established connection on the same tuple as used in the initial SYN.

=== netstat output on server ===
netstat -an -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.10.20.22       192.168.10.50.64107    ESTABLISHED

> If it did not work this way, servers would be prevented from listening
> for more requests while they handled a single request ... they would
> effectively be serialized on a request-by-request basis.

The 5-tuple of address, ports and protocols allows for multiple connections to be made to the same server port. The fork-exec, new thread, whatever allows the server software to actually process the data. Both are used to avoid serialization of connections, but the port numbers are not renegotiated.

Thanks,
Chris
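A quick check of the point made in the message above, added here as an example and not taken from the thread: it parses a handful of the tcpdump lines from the trace (copied into the script), confirms every packet belongs to one unchanging 5-tuple, and then applies a stateless, port-qualified match in the spirit of a hypothetical rule `allow tcp from any to me 22 established` (ipfw's `established` keyword matches TCP packets with the ACK or RST bit set) to show which packets of that flow such a rule passes and that the bare SYN is not among them.

```python
import re
from collections import Counter

# Constructed sample: the SYN, SYN/ACK, one data packet each way and the
# FIN exchange, copied from the tcpdump trace quoted in the message above.
SAMPLE = """\
22:17:23.669140 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [S], seq 3284314671, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 657309331 ecr 0,sackOK,eol], length 0
22:17:23.669438 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [S.], seq 598828752, ack 3284314672, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2684756759 ecr 657309331], length 0
22:17:23.669485 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1, win 7828, options [nop,nop,TS val 657309331 ecr 2684756759], length 0
22:17:23.669864 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 1:22, ack 1, win 7828, options [nop,nop,TS val 657309331 ecr 2684756759], length 21
22:17:23.684921 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1:39, ack 22, win 1026, options [nop,nop,TS val 2684756774 ecr 657309331], length 38
22:17:32.165524 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [F.], seq 3970, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.166786 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [F.], seq 3871, ack 3971, win 1026, options [nop,nop,TS val 2684765256 ecr 657317752], length 0
22:17:32.166831 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3872, win 7812, options [nop,nop,TS val 657317752 ecr 2684765256], length 0
"""

# tcpdump -nn prints "IP src.sport > dst.dport: Flags [..]" for TCP.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(text):
    """Yield (src, sport, dst, dport, flags) for each tcpdump line."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            s, sp, d, dp, fl = m.groups()
            yield s, int(sp), d, int(dp), fl

def flow_key(pkt):
    """Direction-independent 5-tuple; protocol is TCP for every line here."""
    s, sp, d, dp, _ = pkt
    return ("tcp",) + tuple(sorted([(s, sp), (d, dp)]))

def flows(text):
    """Packets per bidirectional flow: one key means the tuple never changed."""
    return Counter(flow_key(p) for p in parse(text))

def matches_established(pkt, port):
    """Stateless match for the hypothetical rule
    'allow tcp from any to me PORT established': destination port is PORT
    and ACK or RST is set ('.' in tcpdump's Flags field is ACK)."""
    _, _, _, dp, fl = pkt
    return dp == port and ("." in fl or "R" in fl)

def established_to_port(text, port):
    """All packets of the trace that the port-qualified rule would pass."""
    return [p for p in parse(text) if matches_established(p, port)]
```

The bare SYN toward port 22 is the one packet the rule does not pass, which is exactly why such a rule is normally paired with a separate, tighter rule deciding which new connections may be opened.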