IPFW: Why can I add port numbers to established and what does that do?
Tim Daneliuk
tundra at tundraware.com
Thu Nov 16 20:02:16 UTC 2017
On 11/16/2017 01:29 PM, javocado wrote:
> Almost every single ipfw ruleset I create has this as the very first rule:
>
> allow tcp from any to any established
>
> ... and I just noticed that ipfw allows me to specify a port on this rule:
>
> allow tcp from any to any 22 established
>
> If I create a new connection to port 22, I need a rule to allow port 22
> traffic out:
>
> allow tcp from any to any 22
>
> ... but once that connection is established, doesn't the client begin
> talking to the server on an ephemeral port (not 22) that isn't predictable?
>
> Why would it ever make sense to specify a port on established?
If you are running your own sshd *server*, then you need rules that
allow all or some to connect *to* your machine.
If you are running an ssh *client*, you need to first allow access *out*
via port 22 to get to the remote servers. Thereafter - as you suggest -
the server and client rendezvous and establish a permanent connection on
another port (and the server goes back to listening on 22). So, the
firewall has to permit access to the established session w/o knowing
which port will be used ahead of time.
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
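What a port on an established rule actually buys you is easiest to see by running a few packets through the matching logic, so here is an added example that is not part of the thread and not ipfw code. It is a small Python model of ipfw's stateless TCP matching: in ipfw, "setup" matches packets with SYN set and ACK clear, "established" matches packets with ACK or RST set, and a port list after an address restricts that side of the packet. The TCP 4-tuple does not change after the handshake: the client keeps its ephemeral port and the server side stays on 22 for the life of the session, while sshd's listening socket goes on accepting further connections on 22. The model assumes a host address of 198.51.100.1 (standing in for ipfw's "me"), a client at 203.0.113.5, a constructed SSH handshake, and only the "allow|deny tcp from A [ports] to B [ports] [setup|established]" subset of the rule grammar.

```python
# Added example, not code from the original post or from ipfw itself: a small
# Python model of ipfw's stateless TCP matching, to show what a port on an
# "established" rule does. Assumed: host address 198.51.100.1 (plays "me"),
# client 203.0.113.5, and only the "allow|deny tcp from A [ports] to B [ports]
# [setup|established]" subset of the rule grammar.
from dataclasses import dataclass

LOCAL_ADDRS = {"198.51.100.1"}  # assumed host address, stands in for ipfw's "me"

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})

@dataclass
class Rule:
    action: str        # "allow" or "deny"
    src: str           # "any", "me" or an address
    sports: frozenset  # empty set means any port
    dst: str
    dports: frozenset
    option: str        # "", "setup" or "established"

def _ports(toks, i):
    """Optional port list ("22" or "22,2222") at token i; returns (ports, next i)."""
    if i < len(toks) and toks[i][0].isdigit():
        return frozenset(int(p) for p in toks[i].split(",")), i + 1
    return frozenset(), i

def parse_rule(text):
    t = text.split()
    if len(t) < 6 or t[0] not in ("allow", "deny") or t[1:3] != ["tcp", "from"]:
        raise ValueError("unsupported rule: " + text)
    sports, i = _ports(t, 4)
    if t[i] != "to":
        raise ValueError("unsupported rule: " + text)
    dports, j = _ports(t, i + 2)
    option = t[j] if j < len(t) else ""
    if option not in ("", "setup", "established"):
        raise ValueError("unsupported option: " + option)
    return Rule(t[0], t[3], sports, t[i + 1], dports, option)

def _addr_matches(spec, addr):
    return spec == "any" or (addr in LOCAL_ADDRS if spec == "me" else spec == addr)

def rule_matches(rule, pkt):
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.sports and pkt.sport not in rule.sports:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.option == "setup":        # opening SYN of a handshake: SYN set, ACK clear
        return "SYN" in pkt.flags and "ACK" not in pkt.flags
    if rule.option == "established":  # any packet with ACK or RST set; no state is consulted
        return bool(pkt.flags & {"ACK", "RST"})
    return True

def verdict(rules, pkt):
    """First matching rule wins, as in ipfw; default rule 65535 denies."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return "deny", 65535

BROAD = [parse_rule(r) for r in (
    "allow tcp from any to any established",  # the poster's usual first rule
    "allow tcp from any to me 22 setup",
    "deny tcp from any to any",
)]
NARROW = [parse_rule(r) for r in (
    "allow tcp from any to me 22 established",  # established traffic, but only to our sshd
    "allow tcp from me 22 to any established",  # and sshd's replies back to clients
    "allow tcp from any to me 22 setup",
    "deny tcp from any to any",
)]

CLIENT, SERVER = "203.0.113.5", "198.51.100.1"  # constructed addresses
# Constructed SSH handshake plus one unrelated ACK. The server side of the
# connection stays on port 22 for its whole lifetime; only the client side
# uses an ephemeral port (51234 here).
PACKETS = {
    "syn":     Packet(CLIENT, 51234, SERVER, 22, frozenset({"SYN"})),
    "syn_ack": Packet(SERVER, 22, CLIENT, 51234, frozenset({"SYN", "ACK"})),
    "ack":     Packet(CLIENT, 51234, SERVER, 22, frozenset({"ACK"})),
    "data":    Packet(CLIENT, 51234, SERVER, 22, frozenset({"ACK", "PSH"})),
    "stray":   Packet(CLIENT, 40000, SERVER, 443, frozenset({"ACK"})),  # no such connection
}

def run(rules):
    """Verdict (action, rule number) for every constructed packet."""
    return {name: verdict(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("narrow", NARROW)):
        for name, (action, number) in run(rules).items():
            print(f"{label:6} {name:8} -> {action} (rule {number})")
```

Run it and compare the two rulesets: both pass every packet of the SSH session, because every packet after the SYN carries ACK and has port 22 on the server side, so "to me 22 established" and "from me 22 established" together cover both directions without knowing the client's ephemeral port. The difference shows up on the stray ACK to port 443: the bare "from any to any established" rule lets it through, the port-qualified rules do not. That is the practical reason to put a port on established: it limits the ACK-passes-everything rule to services you actually run. The caveat is that "established" is only a flag check in either form; a forged packet with ACK set matches it whether or not a connection exists, so if you want the firewall to track real sessions, use ipfw's keep-state and check-state instead of relying on established.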