IPFW: Why can I add port numbers to established and what does that do?

Chris Gordon freebsd at theory14.net
Fri Nov 17 03:36:57 UTC 2017


Tim,

I think we are talking past each other a little bit.

> On Nov 16, 2017, at 10:03 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
> 
> On 11/16/2017 08:53 PM, Chris Gordon wrote:
>> No, that is not how this works.  There is no renegotiation of ports
> 
> You missed my point entirely.  Socket connections to services like
> sshd, sendmail, and so forth only rendezvous on the well known port.
> The server then fork-execs itself with the child going back to listen
> on the well known port

I agree, we’re talking here about the behavior of accept(2), right?  The forked process or new thread or whatever is created to handle the on-going “conversation”.

> and the parent and client connecting at some
> ephemeral point.  This happens ONCE at initial connection time.

I’m not sure I follow this.  I don’t know what you mean by “ephemeral point”.  The tuple defining a connection is established when the client sends the initiating SYN packet.  The addresses, ports and protocol used from then on are set.  Here’s a quick dump of data to show this.  I fired up tcpdump on 192.168.10.50 (client) and then made an ssh connection to 192.168.10.20 (server), ran ls, then terminated the ssh session.  You’ll see the ports don’t change from the initiating SYN to the final ACK.  In this case 64107/tcp is the ephemeral port used throughout the connection.

=== TCPDUMP on client ===

% sudo tcpdump -i en0 -nn host 192.168.10.20 and  port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:17:23.669140 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [S], seq 3284314671, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 657309331 ecr 0,sackOK,eol], length 0
22:17:23.669438 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [S.], seq 598828752, ack 3284314672, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2684756759 ecr 657309331], length 0
22:17:23.669485 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1, win 7828, options [nop,nop,TS val 657309331 ecr 2684756759], length 0
22:17:23.669864 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 1:22, ack 1, win 7828, options [nop,nop,TS val 657309331 ecr 2684756759], length 21
22:17:23.684921 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1:39, ack 22, win 1026, options [nop,nop,TS val 2684756774 ecr 657309331], length 38
22:17:23.684948 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 39, win 7827, options [nop,nop,TS val 657309346 ecr 2684756774], length 0
22:17:23.686071 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 22:1990, ack 39, win 7827, options [nop,nop,TS val 657309347 ecr 2684756774], length 1968
22:17:23.686418 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 1990, win 995, options [nop,nop,TS val 2684756775 ecr 657309347], length 0
22:17:23.686915 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 39:1079, ack 1990, win 995, options [nop,nop,TS val 2684756776 ecr 657309347], length 1040
22:17:23.686934 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1079, win 7794, options [nop,nop,TS val 657309347 ecr 2684756776], length 0
22:17:23.691433 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 1990:2038, ack 1079, win 7812, options [nop,nop,TS val 657309352 ecr 2684756776], length 48
22:17:23.706656 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1079:1359, ack 2038, win 1026, options [nop,nop,TS val 2684756796 ecr 657309352], length 280
22:17:23.706680 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1359, win 7803, options [nop,nop,TS val 657309367 ecr 2684756796], length 0
22:17:23.714353 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2038:2054, ack 1359, win 7812, options [nop,nop,TS val 657309374 ecr 2684756796], length 16
22:17:23.819091 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 2054, win 1026, options [nop,nop,TS val 2684756908 ecr 657309374], length 0
22:17:23.819162 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2054:2098, ack 1359, win 7812, options [nop,nop,TS val 657309478 ecr 2684756908], length 44
22:17:23.819583 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1359:1403, ack 2098, win 1026, options [nop,nop,TS val 2684756908 ecr 657309478], length 44
22:17:23.819617 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1403, win 7811, options [nop,nop,TS val 657309478 ecr 2684756908], length 0
22:17:23.819885 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2098:2166, ack 1403, win 7812, options [nop,nop,TS val 657309478 ecr 2684756908], length 68
22:17:23.823081 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1403:1471, ack 2166, win 1026, options [nop,nop,TS val 2684756912 ecr 657309478], length 68
22:17:23.823105 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1471, win 7810, options [nop,nop,TS val 657309481 ecr 2684756912], length 0
22:17:23.823160 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2166:2530, ack 1471, win 7812, options [nop,nop,TS val 657309481 ecr 2684756912], length 364
22:17:23.826830 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1471:1795, ack 2530, win 1026, options [nop,nop,TS val 2684756916 ecr 657309481], length 324
22:17:23.826913 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1795, win 7802, options [nop,nop,TS val 657309484 ecr 2684756916], length 0
22:17:23.829649 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 2530:3174, ack 1795, win 7812, options [nop,nop,TS val 657309486 ecr 2684756916], length 644
22:17:23.833147 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1795:1823, ack 3174, win 1026, options [nop,nop,TS val 2684756922 ecr 657309486], length 28
22:17:23.833246 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1823, win 7811, options [nop,nop,TS val 657309489 ecr 2684756922], length 0
22:17:23.833476 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3174:3286, ack 1823, win 7812, options [nop,nop,TS val 657309489 ecr 2684756922], length 112
22:17:23.851323 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 1823:2323, ack 3286, win 1026, options [nop,nop,TS val 2684756940 ecr 657309489], length 500
22:17:23.851380 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2323, win 7796, options [nop,nop,TS val 657309507 ecr 2684756940], length 0
22:17:23.851561 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2323:2367, ack 3286, win 1026, options [nop,nop,TS val 2684756941 ecr 657309507], length 44
22:17:23.851584 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2367, win 7811, options [nop,nop,TS val 657309507 ecr 2684756941], length 0
22:17:23.851708 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3286:3730, ack 2367, win 7812, options [nop,nop,TS val 657309507 ecr 2684756941], length 444
22:17:23.855062 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2367:2475, ack 3730, win 1026, options [nop,nop,TS val 2684756944 ecr 657309507], length 108
22:17:23.855124 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2475, win 7809, options [nop,nop,TS val 657309510 ecr 2684756944], length 0
22:17:23.855310 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2475:2583, ack 3730, win 1026, options [nop,nop,TS val 2684756944 ecr 657309510], length 108
22:17:23.855335 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2583, win 7809, options [nop,nop,TS val 657309510 ecr 2684756944], length 0
22:17:23.855565 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2583:2691, ack 3730, win 1026, options [nop,nop,TS val 2684756944 ecr 657309510], length 108
22:17:23.855602 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2691, win 7809, options [nop,nop,TS val 657309510 ecr 2684756944], length 0
22:17:23.918270 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2691:2735, ack 3730, win 1026, options [nop,nop,TS val 2684757007 ecr 657309510], length 44
22:17:23.918297 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2735, win 7811, options [nop,nop,TS val 657309572 ecr 2684757007], length 0
22:17:23.919521 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2735:2899, ack 3730, win 1026, options [nop,nop,TS val 2684757009 ecr 657309572], length 164
22:17:23.919545 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 2899, win 7807, options [nop,nop,TS val 657309573 ecr 2684757009], length 0
22:17:23.942523 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 2899:3055, ack 3730, win 1026, options [nop,nop,TS val 2684757031 ecr 657309573], length 156
22:17:23.942594 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3055, win 7807, options [nop,nop,TS val 657309596 ecr 2684757031], length 0
22:17:30.138663 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3730:3766, ack 3055, win 7812, options [nop,nop,TS val 657315731 ecr 2684757031], length 36
22:17:30.139462 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3055:3091, ack 3766, win 1026, options [nop,nop,TS val 2684763228 ecr 657315731], length 36
22:17:30.139552 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3091, win 7811, options [nop,nop,TS val 657315731 ecr 2684763228], length 0
22:17:30.242029 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3766:3802, ack 3091, win 7812, options [nop,nop,TS val 657315834 ecr 2684763228], length 36
22:17:30.242644 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3091:3135, ack 3802, win 1026, options [nop,nop,TS val 2684763332 ecr 657315834], length 44
22:17:30.242707 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3135, win 7811, options [nop,nop,TS val 657315834 ecr 2684763332], length 0
22:17:30.353697 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3802:3838, ack 3135, win 7812, options [nop,nop,TS val 657315944 ecr 2684763332], length 36
22:17:30.354568 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3135:3187, ack 3838, win 1026, options [nop,nop,TS val 2684763443 ecr 657315944], length 52
22:17:30.354624 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3187, win 7810, options [nop,nop,TS val 657315944 ecr 2684763443], length 0
22:17:30.359559 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3187:3287, ack 3838, win 1026, options [nop,nop,TS val 2684763448 ecr 657315944], length 100
22:17:30.359590 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3287, win 7809, options [nop,nop,TS val 657315949 ecr 2684763448], length 0
22:17:30.360055 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3287:3427, ack 3838, win 1026, options [nop,nop,TS val 2684763449 ecr 657315949], length 140
22:17:30.360057 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3427:3487, ack 3838, win 1026, options [nop,nop,TS val 2684763449 ecr 657315949], length 60
22:17:30.360083 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3427, win 7808, options [nop,nop,TS val 657315949 ecr 2684763449], length 0
22:17:30.360095 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3487, win 7806, options [nop,nop,TS val 657315949 ecr 2684763449], length 0
22:17:30.382790 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3487:3643, ack 3838, win 1026, options [nop,nop,TS val 2684763472 ecr 657315949], length 156
22:17:30.382815 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3643, win 7807, options [nop,nop,TS val 657315972 ecr 2684763472], length 0
22:17:32.162070 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3838:3874, ack 3643, win 7812, options [nop,nop,TS val 657317749 ecr 2684763472], length 36
22:17:32.162540 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3643:3695, ack 3874, win 1026, options [nop,nop,TS val 2684765252 ecr 657317749], length 52
22:17:32.162602 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3695, win 7810, options [nop,nop,TS val 657317749 ecr 2684765252], length 0
22:17:32.164784 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3695:3731, ack 3874, win 1026, options [nop,nop,TS val 2684765254 ecr 657317749], length 36
22:17:32.164810 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3731, win 7811, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.165283 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [P.], seq 3731:3871, ack 3874, win 1026, options [nop,nop,TS val 2684765254 ecr 657317751], length 140
22:17:32.165308 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3871, win 7808, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.165450 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3874:3910, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 36
22:17:32.165480 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 3910:3970, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 60
22:17:32.165524 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [F.], seq 3970, ack 3871, win 7812, options [nop,nop,TS val 657317751 ecr 2684765254], length 0
22:17:32.165795 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 3970, win 1025, options [nop,nop,TS val 2684765255 ecr 657317751], length 0
22:17:32.165796 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 3971, win 1026, options [nop,nop,TS val 2684765255 ecr 657317751], length 0
22:17:32.165826 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [F.], seq 3970, ack 3871, win 7812, options [nop,nop,TS val 657317752 ecr 2684765255], length 0
22:17:32.165838 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3871, win 7812, options [nop,nop,TS val 657317752 ecr 2684765255], length 0
22:17:32.166037 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [.], ack 3971, win 1026, options [nop,nop,TS val 2684765255 ecr 657317751], length 0
22:17:32.166786 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [F.], seq 3871, ack 3971, win 1026, options [nop,nop,TS val 2684765256 ecr 657317752], length 0
22:17:32.166831 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 3872, win 7812, options [nop,nop,TS val 657317752 ecr 2684765256], length 0

Here is the netstat output showing the established connection on the same tuple as used in the initial SYN.

=== netstat output on server ===

netstat -an -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.10.20.22       192.168.10.50.64107    ESTABLISHED


> If it did not work this way, servers would be prevented from listening
> for more requests while they handled a single request ... they would
> effectively be serialized on a request-by-request basis.

The 5-tuple of addresses, ports and protocol allows for multiple connections to be made to the same server port.  The fork-exec, new thread, whatever allows the server software to actually process the data.  Both are used to avoid serialization of connections, but the port numbers are not renegotiated.

Thanks,
Chris
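The point Chris makes above, that one connection keeps a single address/port tuple from the SYN to the final ACK and that several clients hitting the same server port are told apart by that tuple, can be checked mechanically against tcpdump output. The script below is an added example and is not part of the mail thread. It parses tcpdump's default TCP line format, groups packets by the two endpoints of the connection (the 5-tuple with the constant TCP protocol element implied by the format), and records, per connection, the set of ports seen and a per-packet classification into the two TCP state keywords ipfw(8) offers: `setup` (SYN set, ACK clear) and `established` (ACK or RST set). That mapping is this example's reading of the ipfw manual page, not something the thread states. The first five sample lines are taken from the capture above (trimmed of the TCP options); the last three are a constructed second SSH client session from a hypothetical host 192.168.10.51, added to show how the second connection is distinguished by its own tuple.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default TCP output format (options trimmed).
# Lines 1-5: the SSH session from the capture above, client 192.168.10.50:64107
# to server 192.168.10.20:22. Lines 6-8: a hypothetical second SSH client
# (192.168.10.51:50001) added here to show two connections to the same port.
SAMPLE = """\
22:17:23.669140 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [S], seq 3284314671, win 65535, length 0
22:17:23.669438 IP 192.168.10.20.22 > 192.168.10.50.64107: Flags [S.], seq 598828752, ack 3284314672, win 65535, length 0
22:17:23.669485 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [.], ack 1, win 7828, length 0
22:17:23.669864 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [P.], seq 1:22, ack 1, win 7828, length 21
22:17:32.165524 IP 192.168.10.50.64107 > 192.168.10.20.22: Flags [F.], seq 3970, ack 3871, win 7812, length 0
22:17:40.000001 IP 192.168.10.51.50001 > 192.168.10.20.22: Flags [S], seq 1, win 65535, length 0
22:17:40.000002 IP 192.168.10.20.22 > 192.168.10.51.50001: Flags [S.], seq 2, ack 2, win 65535, length 0
22:17:40.000003 IP 192.168.10.51.50001 > 192.168.10.20.22: Flags [.], ack 1, win 7828, length 0
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for one tcpdump TCP line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def connection_key(pkt):
    """Direction-independent connection identity: both (addr, port) endpoints,
    sorted so that client->server and server->client packets share one key."""
    src, sport, dst, dport, _flags = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def classify(flags):
    """Map tcpdump flag letters onto ipfw(8)'s TCP state keywords (this
    example's reading of the manual page, not stated in the thread):
      setup       -> SYN set and ACK clear (the initiating packet only)
      established -> ACK or RST set (every later packet, SYN-ACK included)
    tcpdump prints ACK as '.', SYN as 'S', RST as 'R'."""
    syn, ack, rst = "S" in flags, "." in flags, "R" in flags
    if syn and not ack:
        return "setup"
    if ack or rst:
        return "established"
    return "other"


def summarize(dump):
    """Group packets by connection. For each connection report the packet
    count, the set of ports seen in any packet, and the per-packet class."""
    conns = defaultdict(list)
    for line in dump.splitlines():
        pkt = parse_line(line)
        if pkt:
            conns[connection_key(pkt)].append(pkt)
    result = {}
    for key, pkts in conns.items():
        ports_seen = {p[1] for p in pkts} | {p[3] for p in pkts}
        result[key] = {
            "packets": len(pkts),
            "ports_seen": ports_seen,
            "classes": [classify(p[4]) for p in pkts],
        }
    return result


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info["packets"], "packets, ports", sorted(info["ports_seen"]))
        print("   ", " ".join(info["classes"]))
```

Run against the full capture from the mail, the session from 192.168.10.50 collapses to one key with exactly two ports, 22 and 64107, and only its first packet classifies as `setup`; every packet after that, SYN-ACK included, carries ACK and so is `established`. The constructed second client gets its own key with ports 22 and 50001, which is the 5-tuple doing the work of keeping concurrent connections to port 22 apart.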
