Date:      Thu, 16 Nov 2017 16:07:47 -0800
From:      javocado <javocado@gmail.com>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW: Why can I add port numbers to established and what does that do ?
Message-ID:  <CAP1HOmR4a59Z0_NT6g8N8u2r5zoa1f1YPEJCZmGysCtHY=hvdA@mail.gmail.com>
In-Reply-To: <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>
References:  <CAP1HOmQEKgocsejRHOMEfb-Ghzev+DuQiZ5OwYcQLktfu0xvDQ@mail.gmail.com> <d80d16dc-c01e-8224-e9a5-df2420390668@tundraware.com>

I think you misunderstand what I am asking - you have explained why an
"established" rule is needed in the ruleset.  You are correct and it is
something (an established rule) that I always use.

What I am saying is:  I just noticed that you can specify a port number in
the established rule:

allow tcp from any to any 22 established

... which I don't understand.  In fact, I think it is a bug, but I am
asking to make sure.  It doesn't seem like specifying a port in the
established rule makes any sense ...
On Thu, Nov 16, 2017 at 12:01 PM, Tim Daneliuk <tundra@tundraware.com>
wrote:

> On 11/16/2017 01:29 PM, javocado wrote:
> > Almost every single ipfw ruleset I create has this as the very first
> rule:
> >
> > allow tcp from any to any established
> >
> > ... and I just noticed that ipfw allows me to specify a port on this
> rule:
> >
> > allow tcp from any to any 22 established
> >
> > If I create a new connection to port 22, I need a rule to allow port 22
> > traffic out:
> >
> > allow tcp from any to any 22
> >
> > ... but once that connection is established, doesn't the client begin
> > talking to the server on an ephemeral port (not 22) that isn't
> predictable ?
> >
> > Why would it ever make sense to specify a port on established ?
>
> If you are running your own sshd *server*, then you need rules that
> allow all or some to connect *to* your machine.
>
> If you are running an ssh *client*, you need to first allow access *out*
> via port 22 to get to the remote servers.  Thereafter - as you suggest -
> the server and client rendezvous and establish a permanent connection on
> another port (and the server goes back to listening on 22).  So, the
> firewall has to permit access to the established session w/o knowing
> which port will be used ahead of time.
>
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra@tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
>
>
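
The following is an added example, not part of the thread above, to show concretely what a port does on an `established` rule. It is a small model of the rule semantics documented in ipfw(8): `established` matches TCP packets with the RST or ACK bit set, `setup` matches packets with SYN set and ACK clear, and a port written after a `from`/`to` address constrains that side's port. The packets are a constructed SSH session (client ephemeral port 51234 to server port 22), and the rule numbers are arbitrary; nothing here is taken from the poster's ruleset.

```python
"""Model of ipfw(8) matching for `established`, `setup` and port matches.

Added example, not code from the mailing-list thread. Only the behaviour
documented in ipfw(8) is modelled; the packets and rule numbers below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_port: Optional[int] = None   # port after the "from" address
    dst_port: Optional[int] = None   # port after the "to" address
    established: bool = False        # ipfw(8): RST or ACK set
    setup: bool = False              # ipfw(8): SYN set, ACK clear

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        if self.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        return True


def verdict(rules: List[Tuple[int, Rule]], pkt: Packet) -> str:
    """First matching rule wins; otherwise the implicit default (65535) denies."""
    for _num, rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed SSH session: client 51234 -> server 22, in packet order.
CLIENT_SYN = Packet(51234, 22, frozenset({"SYN"}))
SERVER_SYNACK = Packet(22, 51234, frozenset({"SYN", "ACK"}))
CLIENT_ACK = Packet(51234, 22, frozenset({"ACK"}))
SERVER_DATA = Packet(22, 51234, frozenset({"ACK"}))
SESSION = [CLIENT_SYN, SERVER_SYNACK, CLIENT_ACK, SERVER_DATA]

# allow tcp from any to any established
# allow tcp from any to any 22 setup
RULESET_ANY = [
    (100, Rule("allow", established=True)),
    (200, Rule("allow", dst_port=22, setup=True)),
]

# allow tcp from any to any 22 established   (matches only packets *to* port 22)
# allow tcp from any to any 22 setup
RULESET_PORT_ONE_WAY = [
    (100, Rule("allow", dst_port=22, established=True)),
    (200, Rule("allow", dst_port=22, setup=True)),
]

# allow tcp from any to any 22 established
# allow tcp from any 22 to any established   (the server's replies)
# allow tcp from any to any 22 setup
RULESET_PORT_BOTH = [
    (100, Rule("allow", dst_port=22, established=True)),
    (110, Rule("allow", src_port=22, established=True)),
    (200, Rule("allow", dst_port=22, setup=True)),
]


def session_verdicts(rules: List[Tuple[int, Rule]]) -> List[str]:
    """Verdict for each packet of the constructed session, in order."""
    return [verdict(rules, p) for p in SESSION]


if __name__ == "__main__":
    for name, rules in [("any", RULESET_ANY),
                        ("port, one way", RULESET_PORT_ONE_WAY),
                        ("port, both ways", RULESET_PORT_BOTH)]:
        print(f"{name:16s} {session_verdicts(rules)}")
```

The port is not ignored: `to any 22 established` matches only the client-to-server half of the session, so the server's SYN/ACK and data (source port 22, destination 51234) fall through to the default deny unless a second rule with the port on the `from` side covers the reply direction. Whether that one-directional match is what a ruleset wants depends on where the rule sits, but it is well-defined behaviour rather than a bug.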