IPFW: Why can I add port numbers to established and what does that do ?

Chris Gordon freebsd at theory14.net
Fri Nov 17 02:59:59 UTC 2017


> On Nov 16, 2017, at 3:01 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
> 
> On 11/16/2017 01:29 PM, javocado wrote:
>> 
> 
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
> 
> If you are running an ssh *client*, you need to first allow access *out*
> via port 22 to get to the remote servers.  Thereafter - as you suggest -
> the server and client rendezvous and establish a permanent connection on
> another port (and the server goes back to listening on 22).  

No, that is not how this works.  There is no renegotiation of ports.  A “connection” is identified by:
- Source Address
- Source Port
- Destination Address
- Destination Port
- Protocol

Though source and destination are relative to the client and server, these values don’t change over the life of the connection.

Let’s assume the following:
- Client is on 192.168.10.2
- Client wants to connect to sshd (so we know this is tcp and on port 22 by default) on Server at 10.1.1.1

The client then sends packets with a source of 192.168.10.2:“ephemeral port”/tcp to a destination of 10.1.1.1:22/tcp.  The server replies to the client with a source of 10.1.1.1:22/tcp and a destination of 192.168.10.2:“same ephemeral port that the client used”/tcp.  This goes on until the “session” is over and the entire connection gets torn down, typically either from one side initiating a FIN or a RESET.

The “ephemeral port” is some port number, typically high in the range of possible ports, that is randomly chosen for each connection and it stays the same for each connection.  It is this tuple of source and destination address and protocols that defines a connection and allows the multiple connections to a server to occur.  Take a look at the net.inet.ip.portrange.* sysctls for the ranges used here.

You can fire up tcpdump (or wireshark or similar tool) and watch the traffic to validate that this is how things work.

When you talk about negotiating different ports, you may be thinking of something like FTP where you initially establish a control connection and then when data is to be transferred an entirely new connection is created, in parallel with the control channel, to transfer the data.  This data connection is an entirely new connection and obeys the same rules as above.  The tricky and confusing part for FTP is if it’s “active” or “passive” meaning which end establishes the data connection.  IRC’s DCC and certain protocols that use portmapper are similar in that they create additional/new connections following an initial connection.  ssh (and http, etc) does NOT do this.

As for the original question about the purpose of “established” in ipfw syntax, I don’t use ipfw so I don’t know without some further reading of the man pages and handbook.

> So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.

An established session means the ports ARE all known. 

Hope this helps some.

Chris
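
Added example (not part of the original message): a loopback check of the behaviour described above, showing that every accepted connection keeps the listener's port as its server-side port and that each side's 4-tuple (protocol is TCP throughout) is the mirror of the other's and does not change after data flows. The function name and the kernel-chosen listening port (a stand-in for 22) are assumptions of this example.

```python
import socket

def observe_connections(n_clients=3):
    """Open n_clients simultaneous TCP connections to one loopback listener.

    Returns (listen_port, views); each view is a dict holding the
    (local_addr, local_port, remote_addr, remote_port) tuple seen by the
    client and by the server, plus whether the tuple survived a data exchange.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: kernel picks a free port (stand-in for 22)
    listener.listen(n_clients)
    listen_port = listener.getsockname()[1]
    open_socks, views = [listener], []
    try:
        for _ in range(n_clients):
            client = socket.create_connection(("127.0.0.1", listen_port))
            server_side, _peer = listener.accept()
            open_socks += [client, server_side]
            before = client.getsockname() + client.getpeername()
            # One byte each way: traffic flows on the same tuple, no new port appears.
            client.sendall(b"c")
            server_side.recv(1)
            server_side.sendall(b"s")
            client.recv(1)
            after = client.getsockname() + client.getpeername()
            views.append({
                "client": after,
                "server": server_side.getsockname() + server_side.getpeername(),
                "stable": before == after,
            })
    finally:
        for sock in open_socks:
            sock.close()
    return listen_port, views

if __name__ == "__main__":
    port, views = observe_connections()
    print("listener port:", port)
    for v in views:
        print("client sees", v["client"], "| server sees", v["server"],
              "| unchanged after data:", v["stable"])
```

The same tuples can be watched on the wire with tcpdump, as the message suggests.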

