IPFW Why can I add port numbers to established and what does that do ?

[absduser]

Almost every single ipfw ruleset I create has this as the very first rule:

allow tcp from any to any established

... and I just noticed that ipfw allows me to specify a port on this rule:

allow tcp from any to any 22 established

If I create a new connection to port 22, I need a rule to allow port 22 traffic out:

allow tcp from any to any 22

... but once that connection is established, doesn't the client begin talking to the server on an ephemeral port (not 22) that isn't predictable ?

Why would it ever make sense to specify a port on established ?

 

[absduser]

Is it possible for a moderator to change these to the general "networking" forum where perhaps more people could see them ?

I was not aware I was asking such a difficult question so perhaps it would be useful to have an answer for future searchers/readers ?

 

[chrbr]

I am by far no expert, but since there is no reply for some time I will try to answer somehow.

but once that connection is established, doesn't the client begin talking to the server on an ephemeral port (not 22) that isn't predictable ?

May be you think about ftp(1) which usually works at port 21? For better behaving protocols this is no issue.

allow tcp from any to any established

In the section basic packet filtering ipfw(8) informs as below.

     A first and efficient way to limit access (not using dynamic rules) is
     the use of the following rules:

           ipfw add allow tcp from any to any established
           ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup
           ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup
           ...
           ipfw add deny tcp from any to any

     The first rule will be a quick match for normal TCP packets, but it will
     not match the initial SYN packet, which will be matched by the setup
     rules only for selected source/destination pairs.  All other SYN packets
     will be rejected by the final deny rule.

I have no idea in which situations it would make sense to add a port number. But in the section dynamic rules ipfw(8) says

     In order to protect a site from flood attacks involving fake TCP packets,
     it is safer to use dynamic rules:

           ipfw add check-state
           ipfw add deny tcp from any to any established
           ipfw add allow tcp from my-net to any setup keep-state

     This will let the firewall install dynamic rules only for those
     connection which start with a regular SYN packet coming from the inside
     of our network.  Dynamic rules are checked when encountering the first
     occurrence of a check-state, keep-state or limit rule.  A check-state
     rule should usually be placed near the beginning of the ruleset to
     minimize the amount of work scanning the ruleset.  Your mileage may vary.

May be this explains why there has been no reply. I guess the non-dynamic rules are rarely used.
I hope this helps somehow at least a little bit .

 

[absduser]

I am by far no expert, but since there is no reply for some time I will try to answer somehow.

May be you think about ftp(1) which usually works at port 21? For better behaving protocols this is no issue.

No, I'm talking about any TCP connection ....

You connect to a well known port (22, 25, 80, 110, whatever) but after you establish the connection, the OS moves the established connection to an ephemeral port (somewhere up in the 1025-65535 range) for the rest of the connections lifetime.

Otherwise you wouldn't ever need a rule for "established". If a connection to sshd (for instance) stayed on port 22 forever, you would just allow port 22 open and not bother with "established".

So my question is, if "established" is allowing some unknown, unpredictable port to move the connection to, what possible use would it be to allow specifying a port number on the established rule ?

Is it just a bug and it means nothing ?

 

[chrbr]

So my question is, if "established" is allowing some unknown, unpredictable port to move the connection to, what possible use would it be to allow specifying a port number on the established rule ?

Established matches TCP packets that have the RST or ACK bits set. There is no relation to a port number.

You connect to a well known port (22, 25, 80, 110, whatever) but after you establish the connection, the OS moves the established connection to an ephemeral port (somewhere up in the 1025-65535 range) for the rest of the connections lifetime.

Then the number in the rule set can not be the port number chosen by the OS because this is unknown in advance. Since we have created some traffic I hope that people with more knowlegde than myself will notice the thread and chime in...

 

[absduser]

Established matches TCP packets that have the RST or ACK bits set. There is no relation to a port number.

Right That's my point. I don't understand why ipfw allows me to set a rule like that.

I, too, hope someone else will chime in ... I suspect it's just a bug ...

 

[ShelLuser]

You connect to a well known port (22, 25, 80, 110, whatever) but after you establish the connection, the OS moves the established connection to an ephemeral port (somewhere up in the 1025-65535 range) for the rest of the connections lifetime.

Otherwise you wouldn't ever need a rule for "established". If a connection to sshd (for instance) stayed on port 22 forever, you would just allow port 22 open and not bother with "established".

You can do just that if you want to. Connections don't just magically move upwards, it will still be using the main port, depending of course on the service you're using.

But when you run, say, a mail server then it would easily work to just open port 25 and be done with it. The established part and connection tracking becomes important when you also filter outgoing traffic. Or if you have a firewall which filters incoming traffic and you generate some traffic of your own. That's when you need connection tracking; to ensure that the firewall realizes that some traffic needs to be passed (edit): So: passed despite any blocking rules.