IPFW: Why can I add port numbers to established and what does that do ?

javocado javocado at gmail.com
Fri Nov 17 00:07:49 UTC 2017


I think you misunderstand what I am asking - you have explained why a
"established" rule is needed in the ruleset.  You are correct and it is
something (an established rule) that I always use.

What I am saying is:  I just noticed that you can specify a port number in
the established rule:


allow tcp from any to any 22 established


... which I don't understand.  In fact, I think it is a bug, but I am
asking to make sure.  It doesn't seem like specifying a port in the
established rule makes any sense ...



On Thu, Nov 16, 2017 at 12:01 PM, Tim Daneliuk <tundra at tundraware.com>
wrote:

> On 11/16/2017 01:29 PM, javocado wrote:
> > Almost every single ipfw ruleset I create has this as the very first rule:
> >
> > allow tcp from any to any established
> >
> > ... and I just noticed that ipfw allows me to specify a port on this rule:
> >
> > allow tcp from any to any 22 established
> >
> > If I create a new connection to port 22, I need a rule to allow port 22
> > traffic out:
> >
> > allow tcp from any to any 22
> >
> > ... but once that connection is established, doesn't the client begin
> > talking to the server on an ephemeral port (not 22) that isn't predictable?
> >
> > Why would it ever make sense to specify a port on established?
>
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
>
> If you are running an ssh *client*, you need to first allow access *out*
> via port 22 to get to the remote servers.  Thereafter - as you suggest -
> the server and client rendezvous and establish a permanent connection on
> another port (and the server goes back to listening on 22).  So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.
>
>
>
>
>
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
>
>
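To see concretely what a port list does on an "established" rule, here is an added toy model of ipfw's rule matching, written for this page; it is not ipfw's own code and it only handles the rule forms quoted in the thread. It assumes ipfw's first-match evaluation and a default-deny last rule (the kernel's rule 65535 denies everything unless built with IPFIREWALL_DEFAULT_TO_ACCEPT), and it models one ssh session as an ordinary TCP connection, where the server side keeps port 22 for the whole connection and the client uses one ephemeral port. The addresses and port numbers are constructed.

```python
"""Toy model of ipfw matching for 'established' rules with and without a port.

Constructed for illustration, not ipfw's code. Assumes first-match evaluation
and a default-deny final rule. Only 'tcp from <addr> [port] to <addr> [port]
[established]' is parsed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """A TCP segment reduced to the fields these rules inspect."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # "any" or a literal address
    sport: Optional[int]   # source port, if the rule names one
    dst: str
    dport: Optional[int]   # destination port, if the rule names one
    established: bool      # ipfw(8): matches segments with ACK or RST set


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'allow tcp from any to any 22 established'."""
    toks = text.split()
    if toks[1] != "tcp" or toks[2] != "from":
        raise ValueError("only 'tcp from ... to ...' rules are modelled")
    i = 3
    src = toks[i]
    i += 1
    sport = None
    if toks[i] != "to":            # a port list after the source address
        sport = int(toks[i])
        i += 1
    if toks[i] != "to":
        raise ValueError("expected 'to'")
    i += 1
    dst = toks[i]
    i += 1
    dport = None
    if i < len(toks) and toks[i].isdigit():   # port list after the destination
        dport = int(toks[i])
        i += 1
    return Rule(toks[0], src, sport, dst, dport, "established" in toks[i:])


def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every clause must hold. The port list and 'established' are independent
    tests, which is why ipfw accepts both on one rule."""
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(ruleset: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; otherwise the default rule applies."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed segments of one ssh session: client 10.0.0.5:51234 <-> server 10.0.0.9:22.
SESSION = {
    "client SYN":        Packet("10.0.0.5", 51234, "10.0.0.9", 22, syn=True),
    "server SYN/ACK":    Packet("10.0.0.9", 22, "10.0.0.5", 51234, syn=True, ack=True),
    "client data (ACK)": Packet("10.0.0.5", 51234, "10.0.0.9", 22, ack=True),
    "server data (ACK)": Packet("10.0.0.9", 22, "10.0.0.5", 51234, ack=True),
}

# The rulesets from the thread: 'established' narrowed to port 22, and unqualified.
NARROW = [parse_rule("allow tcp from any to any 22 established"),
          parse_rule("allow tcp from any to any 22")]
BROAD = [parse_rule("allow tcp from any to any established"),
         parse_rule("allow tcp from any to any 22")]


def verdicts(ruleset: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(ruleset, pkt) for name, pkt in SESSION.items()}


if __name__ == "__main__":
    for label, rs in (("port-qualified", NARROW), ("unqualified", BROAD)):
        print(label)
        for name, verdict in verdicts(rs).items():
            print(f"  {name:18} -> {verdict}")
```

Run as-is, the port-qualified ruleset allows the client's segments to port 22 but denies the server's replies, because those carry the client's ephemeral port as destination and so fail the "22" clause; the unqualified ruleset allows all four. So the port list narrows the established rule to one direction rather than being meaningless. Two caveats the model makes visible: ipfw's "established" is only a flag test (ACK or RST set), not connection tracking, which is what keep-state/check-state provide; and real ipfw port lists accept ranges and comma-separated lists that this toy does not parse.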

