Date: Thu, 16 Nov 2017 14:01:58 -0600
From: Tim Daneliuk <tundra@tundraware.com>
To: javocado <javocado@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: IPFW: Why can I add port numbers to established and what does that do?
Message-ID: <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
In-Reply-To: <CAP1HOmQEKgocsejRHOMEfb-Ghzev+DuQiZ5OwYcQLktfu0xvDQ@mail.gmail.com>
References: <CAP1HOmQEKgocsejRHOMEfb-Ghzev+DuQiZ5OwYcQLktfu0xvDQ@mail.gmail.com>
On 11/16/2017 01:29 PM, javocado wrote:
> Almost every single ipfw ruleset I create has this as the very first rule:
>
> allow tcp from any to any established
>
> ... and I just noticed that ipfw allows me to specify a port on this rule:
>
> allow tcp from any to any 22 established
>
> If I create a new connection to port 22, I need a rule to allow port 22
> traffic out:
>
> allow tcp from any to any 22
>
> ... but once that connection is established, doesn't the client begin
> talking to the server on an ephemeral port (not 22) that isn't predictable?
>
> Why would it ever make sense to specify a port on established?

If you are running your own sshd *server*, then you need rules that allow
all or some to connect *to* your machine.

If you are running an ssh *client*, you need to first allow access *out*
via port 22 to get to the remote servers. Thereafter - as you suggest -
the server and client rendezvous and establish a permanent connection on
another port (and the server goes back to listening on 22). So, the
firewall has to permit access to the established session w/o knowing
which port will be used ahead of time.

----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
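The questioner's three rules, run against one ssh session, as an added example that is not part of the thread and not ipfw's own code. It is a small Python model of the rule subset used above, with the matching semantics taken from ipfw(8): `established` matches TCP packets that carry ACK or RST, a port written after the destination restricts the destination port (and one after the source restricts the source port), and the first matching rule decides, with a default deny assumed at the end. The client port 51234, the probe port 3306, and the packet sequence are constructed for the demonstration.

```python
"""Toy model of the ipfw rule subset used in the thread.  Added example,
not ipfw code.  Semantics modelled from ipfw(8):
  * `established` matches TCP packets with the ACK or RST flag set.
  * In `from SRC [port] to DST [port]`, a port after DST restricts the
    destination port; a port after SRC restricts the source port.
  * First matching rule decides; a default deny is assumed at the end.
All ports and packets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    flags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_port: Optional[int] = None   # None means "any"
    dst_port: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse `<allow|deny> tcp from any [port] to any [port] [established]`."""
    tok = text.split()
    if len(tok) < 6 or tok[0] not in ("allow", "deny") or tok[1:4] != ["tcp", "from", "any"]:
        raise ValueError(f"unsupported rule: {text!r}")
    i, src_port, dst_port = 4, None, None
    if tok[i].isdigit():                      # optional source port
        src_port, i = int(tok[i]), i + 1
    if tok[i:i + 2] != ["to", "any"]:
        raise ValueError(f"unsupported rule: {text!r}")
    i += 2
    if i < len(tok) and tok[i].isdigit():     # optional destination port
        dst_port, i = int(tok[i]), i + 1
    established = i < len(tok) and tok[i] == "established"
    if established:
        i += 1
    if i != len(tok):
        raise ValueError(f"unsupported rule: {text!r}")
    return Rule(tok[0], src_port, dst_port, established)


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; assumed default deny if nothing matches."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "deny"


# One ssh session from constructed ephemeral client port 51234 to port 22.
# The 4-tuple is fixed for the life of the connection: the server side stays
# on port 22, so every packet of the session has 22 as source or destination.
SSH_SESSION = [
    ("client SYN",     Packet(51234, 22, frozenset({"SYN"}))),
    ("server SYN/ACK", Packet(22, 51234, frozenset({"SYN", "ACK"}))),
    ("client ACK",     Packet(51234, 22, frozenset({"ACK"}))),
    ("server data",    Packet(22, 51234, frozenset({"ACK", "PSH"}))),
    ("client data",    Packet(51234, 22, frozenset({"ACK", "PSH"}))),
]

# A constructed stray ACK with no connection behind it (what an ACK scan
# sends), aimed at an unrelated port.
STRAY_ACK = Packet(40000, 3306, frozenset({"ACK"}))

QUESTIONER = [                       # the port on the established rule, alone
    "allow tcp from any to any 22 established",
    "allow tcp from any to any 22",
]
PORTLESS = [                         # the port-free rule the questioner puts first
    "allow tcp from any to any established",
    "allow tcp from any to any 22",
]
BOTH_DIRECTIONS = [                  # port-qualified established, both directions
    "allow tcp from any to any 22 established",
    "allow tcp from any 22 to any established",
    "allow tcp from any to any 22",
]


def session_verdicts(ruleset: List[str]) -> Dict[str, str]:
    rules = [parse_rule(r) for r in ruleset]
    return {name: verdict(rules, pkt) for name, pkt in SSH_SESSION}


def stray_ack_verdict(ruleset: List[str]) -> str:
    return verdict([parse_rule(r) for r in ruleset], STRAY_ACK)


if __name__ == "__main__":
    for name, rs in (("questioner", QUESTIONER), ("portless", PORTLESS),
                     ("both directions", BOTH_DIRECTIONS)):
        print(name, session_verdicts(rs), "stray ACK:", stray_ack_verdict(rs))
```

Under the model, `allow tcp from any to any 22 established` on its own passes only the client-to-server half of the session, because the port qualifies the destination; the server's replies (source port 22) need a matching `from any 22 to any established` rule. With both, the ruleset passes the whole session while still refusing a stray ACK to an unrelated port, which the bare `allow tcp from any to any established` rule lets through. On current FreeBSD the stateful `keep-state`/`check-state` keywords are the usual way to track the return direction instead of flag-based `established` rules.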
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d80d16dc-c01e-8224-e9a5-df2420390668>