Re: netstat *:* udp sockets

2018-12-17 Thread Ted Unangst
Sebastian Benoit wrote:
> > > or what should it show? Only sockets that are bound
> > > but not connected (local port != 0 but remote addr/port = 0)?
> > 
> > see my other mail for that diff.
> 
> here. Ok for one or the other?

as a non-expert, this matches my expectation of what "listening" would map
onto for udp. ok fwiw.



Re: netstat *:* udp sockets

2018-12-17 Thread Claudio Jeker
On Mon, Dec 17, 2018 at 06:05:00PM +0100, Sebastian Benoit wrote:
> Sebastian Benoit(benoit-li...@fb12.de) on 2018.12.17 17:59:49 +0100:
> > Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.12.17 08:25:07 +0100:
> > > On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > > > Claudio Jeker wrote:
> > > > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > > > Philip Guenther wrote:
> > > > > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > > > > 
> > > > > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > > > > requests.
> > > > > > > "What problem are you trying to solve?"
> > > > > > 
> > > > > > Well, this may be something of a lost cause, but I would prefer that chrome
> > > > > > not listen for stuff I don't understand. It listens on port 5353 as well, for
> > > > > > mDNS, and I can block that easily enough. It's the socket without a port
> > > > > > that's giving me trouble.
> > > > > 
> > > > > But a socket without a port is not listening on anything. It will not get
> > > > > any packets. It does not need to be filtered. This is how UDP works, it is
> > > > > a connectionless protocol.
> > > > 
> > > > ok, thank you, I was confused because they show up in netstat -ln too. I guess
> > > > that's just historic behavior.
> > 
> > nothing historic about it, i added -l last year.
> > 
> > but i wanted to keep it simple, i thought that it's obvious what "listening"
> > sockets mean in this context (i.e. that it only really is a concept in TCP).
> > 
> > > I guess we should change that. Problem is that UDP does not support
> > > listen(2) and so there is no listening state. Should netstat exclude all
> > > of UDP when using -l 
> > 
> > here is a diff for that
> > 
> > > or what should it show? Only sockets that are bound
> > > but not connected (local port != 0 but remote addr/port = 0)?
> > 
> > see my other mail for that diff.
> 
> here. Ok for one or the other?
> 
> (netstat_l_udp_only_otherside_zero.diff)
> 
> diff --git usr.bin/netstat/inet.c usr.bin/netstat/inet.c
> index e8e2a4dcd4f..d378bfe6280 100644
> --- usr.bin/netstat/inet.c
> +++ usr.bin/netstat/inet.c
> @@ -225,6 +225,7 @@ netdomainpr(struct kinfo_file *kf, int proto)
>   int addrlen = 22;
>   int isany = 0;
>   int istcp = 0;
> + int isudp = 0;
>   int isip6 = 0;
>  
>   /* XXX should fix kinfo_file instead but not now */
> @@ -282,6 +283,7 @@ netdomainpr(struct kinfo_file *kf, int proto)
>   case IPPROTO_UDP:
>   name = "udp";
>   name6 = "udp6";
> + isudp = 1;
>   break;
>   case IPPROTO_DIVERT:
>   name = "divert";
> @@ -303,6 +305,9 @@ netdomainpr(struct kinfo_file *kf, int proto)
>   if (!aflag && lflag && istcp &&
>   kf->t_state != TCPS_LISTEN)
>   return;
> + if (!aflag && lflag && isudp &&
> + (kf->inp_lport == 0 || kf->inp_fport != 0))
> + return;
>  
>   if (af != kf->so_family || type != kf->so_type) {
>   af = kf->so_family;
> @@ -310,7 +315,7 @@ netdomainpr(struct kinfo_file *kf, int proto)
>   printf("Active Internet connections");
>   if (aflag)
>   printf(" (including servers)");
> - else if (lflag)
> + else if (lflag && (istcp||isudp))

Needs some spaces   ^^ here

>   printf(" (only servers)");
>   putchar('\n');
>   if (Aflag) {
> 

Apart from that OK claudio@

-- 
:wq Claudio



Re: netstat *:* udp sockets

2018-12-17 Thread Sebastian Benoit
Sebastian Benoit(benoit-li...@fb12.de) on 2018.12.17 17:59:49 +0100:
> Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.12.17 08:25:07 +0100:
> > On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > > Claudio Jeker wrote:
> > > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > > Philip Guenther wrote:
> > > > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > > > 
> > > > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > > > requests.
> > > > > > "What problem are you trying to solve?"
> > > > > 
> > > > > Well, this may be something of a lost cause, but I would prefer that chrome
> > > > > not listen for stuff I don't understand. It listens on port 5353 as well, for
> > > > > mDNS, and I can block that easily enough. It's the socket without a port
> > > > > that's giving me trouble.
> > > > 
> > > > But a socket without a port is not listening on anything. It will not get
> > > > any packets. It does not need to be filtered. This is how UDP works, it is
> > > > a connectionless protocol.
> > > 
> > > ok, thank you, I was confused because they show up in netstat -ln too. I guess
> > > that's just historic behavior.
> 
> nothing historic about it, i added -l last year.
> 
> but i wanted to keep it simple, i thought that it's obvious what "listening"
> sockets mean in this context (i.e. that it only really is a concept in TCP).
> 
> > I guess we should change that. Problem is that UDP does not support
> > listen(2) and so there is no listening state. Should netstat exclude all
> > of UDP when using -l 
> 
> here is a diff for that
> 
> > or what should it show? Only sockets that are bound
> > but not connected (local port != 0 but remote addr/port = 0)?
> 
> see my other mail for that diff.

here. Ok for one or the other?

(netstat_l_udp_only_otherside_zero.diff)

diff --git usr.bin/netstat/inet.c usr.bin/netstat/inet.c
index e8e2a4dcd4f..d378bfe6280 100644
--- usr.bin/netstat/inet.c
+++ usr.bin/netstat/inet.c
@@ -225,6 +225,7 @@ netdomainpr(struct kinfo_file *kf, int proto)
int addrlen = 22;
int isany = 0;
int istcp = 0;
+   int isudp = 0;
int isip6 = 0;
 
/* XXX should fix kinfo_file instead but not now */
@@ -282,6 +283,7 @@ netdomainpr(struct kinfo_file *kf, int proto)
case IPPROTO_UDP:
name = "udp";
name6 = "udp6";
+   isudp = 1;
break;
case IPPROTO_DIVERT:
name = "divert";
@@ -303,6 +305,9 @@ netdomainpr(struct kinfo_file *kf, int proto)
if (!aflag && lflag && istcp &&
kf->t_state != TCPS_LISTEN)
return;
+   if (!aflag && lflag && isudp &&
+   (kf->inp_lport == 0 || kf->inp_fport != 0))
+   return;
 
if (af != kf->so_family || type != kf->so_type) {
af = kf->so_family;
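Review bot: the filter `(kf->inp_lport == 0 || kf->inp_fport != 0)` tests the foreign port only, although the question in the thread was phrased as "remote addr/port = 0"; that is sufficient, because connect(2) on a UDP socket rejects a zero destination port with EADDRNOTAVAIL, so a zero inp_fport means no foreign address was recorded either, but a short comment saying so would spare the next reader the lookup. The `inp_lport == 0` half deserves a comment too: a socket that was never bound gets an ephemeral port at its first sendto(2), so the rows hidden here are exactly the ones that cannot receive anything, which is the behaviour the rest of the thread describes.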
@@ -310,7 +315,7 @@ netdomainpr(struct kinfo_file *kf, int proto)
printf("Active Internet connections");
if (aflag)
printf(" (including servers)");
-   else if (lflag)
+   else if (lflag && (istcp||isudp))
printf(" (only servers)");
putchar('\n');
if (Aflag) {
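Review bot: style(9) wants spaces around the operator in `else if (lflag && (istcp||isudp))`, as claudio@ also points out. Beyond that, the "(only servers)" qualifier now depends on the first socket of each af/type group: with -l and no -a it is dropped for groups where neither istcp nor isudp is set, which is consistent since those groups are not filtered, but netstat(1) still documents -l in TCP terms and should say that it now also applies to UDP and what it selects there (a bound local port and no foreign address).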



Re: netstat *:* udp sockets

2018-12-17 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.12.17 08:25:07 +0100:
> On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > Claudio Jeker wrote:
> > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > Philip Guenther wrote:
> > > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > > 
> > > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > > requests.
> > > > > "What problem are you trying to solve?"
> > > > 
> > > > Well, this may be something of a lost cause, but I would prefer that chrome
> > > > not listen for stuff I don't understand. It listens on port 5353 as well, for
> > > > mDNS, and I can block that easily enough. It's the socket without a port
> > > > that's giving me trouble.
> > > 
> > > But a socket without a port is not listening on anything. It will not get
> > > any packets. It does not need to be filtered. This is how UDP works, it is
> > > a connectionless protocol.
> > 
> > ok, thank you, I was confused because they show up in netstat -ln too. I guess
> > that's just historic behavior.

nothing historic about it, i added -l last year.

but i wanted to keep it simple, i thought that it's obvious what "listening"
sockets mean in this context (i.e. that it only really is a concept in TCP).

> I guess we should change that. Problem is that UDP does not support
> listen(2) and so there is no listening state. Should netstat exclude all
> of UDP when using -l 

here is a diff for that

> or what should it show? Only sockets that are bound
> but not connected (local port != 0 but remote addr/port = 0)?

see my other mail for that diff.

(netstat_l_only_tcp.diff)

diff --git usr.bin/netstat/main.c usr.bin/netstat/main.c
index 17c889768a2..6bf155205ee 100644
--- usr.bin/netstat/main.c
+++ usr.bin/netstat/main.c
@@ -189,6 +189,8 @@ main(int argc, char *argv[])
break;
case 'l':
lflag = 1;
+   tp = knownname("tcp");
+   pflag = 1;
break;
case 'M':
memf = optarg;
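Review bot: `tp = knownname("tcp"); pflag = 1;` makes -l silently override a `-p udp` given earlier on the command line, and it changes `netstat -l -p udp` from printing every UDP socket (what the unpatched filter does, since it only tests istcp) to printing TCP listeners. If -l is meant to imply -p tcp, document that in netstat(1) and usage(), and report an explicit conflicting -p as a usage error rather than dropping it.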
@@ -203,7 +205,8 @@ main(int argc, char *argv[])
nflag = 1;
break;
case 'p':
-   if ((tp = name2protox(optarg)) == NULL) {
+   if (pflag == 0 &&
+   (tp = name2protox(optarg)) == NULL) {
(void)fprintf(stderr,
"%s: %s: unknown protocol\n",
__progname, optarg);
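Review bot: with `pflag == 0 &&` short-circuiting the lookup, `-l -p foo` never calls name2protox(), so an unknown protocol name after -l is accepted silently instead of hitting the "unknown protocol" error, and a valid one is ignored. Keep the lookup unconditional so the name is still validated, and decide separately whether -l or -p wins.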



Re: netstat *:* udp sockets

2018-12-17 Thread Consus
On 08:25 Mon 17 Dec, Claudio Jeker wrote:
> On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > Claudio Jeker wrote:
> > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > Philip Guenther wrote:
> > > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > > 
> > > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > > requests.
> > > > > "What problem are you trying to solve?"
> > > > 
> > > > Well, this may be something of a lost cause, but I would prefer that chrome
> > > > not listen for stuff I don't understand. It listens on port 5353 as well, for
> > > > mDNS, and I can block that easily enough. It's the socket without a port
> > > > that's giving me trouble.
> > > 
> > > But a socket without a port is not listening on anything. It will not get
> > > any packets. It does not need to be filtered. This is how UDP works, it is
> > > a connectionless protocol.
> > 
> > ok, thank you, I was confused because they show up in netstat -ln too. I guess
> > that's just historic behavior.
> 
> I guess we should change that. Problem is that UDP does not support
> listen(2) and so there is no listening state. Should netstat exclude all
> of UDP when using -l or what should it show? Only sockets that are bound
> but not connected (local port != 0 but remote addr/port = 0)?

A listening socket is a socket that can "accept" new "connections" --
it's possible to send data to it from some new host (e.g. via sendto).

So

local_port  != 0
remote_addr == NULL

is perfectly fine IMO.



Re: netstat *:* udp sockets

2018-12-16 Thread Claudio Jeker
On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> Claudio Jeker wrote:
> > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > Philip Guenther wrote:
> > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > 
> > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > requests.
> > > > "What problem are you trying to solve?"
> > > 
> > > Well, this may be something of a lost cause, but I would prefer that chrome
> > > not listen for stuff I don't understand. It listens on port 5353 as well, for
> > > mDNS, and I can block that easily enough. It's the socket without a port
> > > that's giving me trouble.
> > 
> > But a socket without a port is not listening on anything. It will not get
> > any packets. It does not need to be filtered. This is how UDP works, it is
> > a connectionless protocol.
> 
> ok, thank you, I was confused because they show up in netstat -ln too. I guess
> that's just historic behavior.

I guess we should change that. Problem is that UDP does not support
listen(2) and so there is no listening state. Should netstat exclude all
of UDP when using -l or what should it show? Only sockets that are bound
but not connected (local port != 0 but remote addr/port = 0)?

-- 
:wq Claudio



Re: netstat *:* udp sockets

2018-12-16 Thread Ted Unangst
Claudio Jeker wrote:
> On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > Philip Guenther wrote:
> > > > And, perhaps more directly, how would I block this in pf.conf?
> > > 
> > > Excellent choice, blocking dhclient from receiving the leases that it
> > > requests.
> > > "What problem are you trying to solve?"
> > 
> > Well, this may be something of a lost cause, but I would prefer that chrome
> > not listen for stuff I don't understand. It listens on port 5353 as well, for
> > mDNS, and I can block that easily enough. It's the socket without a port
> > that's giving me trouble.
> 
> But a socket without a port is not listening on anything. It will not get
> any packets. It does not need to be filtered. This is how UDP works, it is
> a connectionless protocol.

ok, thank you, I was confused because they show up in netstat -ln too. I guess
that's just historic behavior.



Re: netstat *:* udp sockets

2018-12-16 Thread Claudio Jeker
On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> Philip Guenther wrote:
> > > And, perhaps more directly, how would I block this in pf.conf?
> > 
> > Excellent choice, blocking dhclient from receiving the leases that it
> > requests.
> > "What problem are you trying to solve?"
> 
> Well, this may be something of a lost cause, but I would prefer that chrome
> not listen for stuff I don't understand. It listens on port 5353 as well, for
> mDNS, and I can block that easily enough. It's the socket without a port
> that's giving me trouble.

But a socket without a port is not listening on anything. It will not get
any packets. It does not need to be filtered. This is how UDP works, it is
a connectionless protocol.

-- 
:wq Claudio



Re: netstat *:* udp sockets

2018-12-14 Thread Theo de Raadt
>Ted Unangst wrote:
>> Philip Guenther wrote:
>> > > And, perhaps more directly, how would I block this in pf.conf?
>> > 
>> > Excellent choice, blocking dhclient from receiving the leases that it
>> > requests.
>> > "What problem are you trying to solve?"
>> 
>> Well, this may be something of a lost cause, but I would prefer that chrome
>> not listen for stuff I don't understand. It listens on port 5353 as well, for
>> mDNS, and I can block that easily enough. It's the socket without a port
>> that's giving me trouble.
>
>Oops, followup question. If the situation is that these are simply unbound
>sockets that don't receive traffic, that makes life easier. I wasn't sure if
>they were some catch-all sockets or what.

They will receive responses to traffic they send.
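The two statements above (Claudio: a UDP socket with no local port cannot receive anything; Theo: it does get replies to what it sends) and the `-l` rule in the inet.c diff further up the page can be checked with plain POSIX sockets. What follows is an added example written for this page, not code from the thread, from OpenBSD's netstat or from dhclient. It assumes a working loopback interface; the "server" socket, the `ping` datagram and the helper names (`port_of`, `udp_shown_by_netstat_l`, `unbound_udp_demo`) are constructed for the demonstration, and `udp_shown_by_netstat_l()` restates the diff's `inp_lport != 0 && inp_fport == 0` test with getsockname(2)/getpeername(2) on the process's own descriptor instead of reading kernel state.

```c
/* Added example for this page, not code from the thread, OpenBSD netstat or
 * dhclient: what a "*.*" UDP socket can and cannot do, and which sockets the
 * -l rule in the inet.c diff keeps. Loopback only; all inputs constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct udp_demo_result {
	unsigned short client_port_before, client_port_after; /* 0 = none (*:0) */
	int reply_received;   /* never-bound client got the server's answer */
	int server_shown, client_shown_before, client_shown_after,
	    client_shown_connected;   /* what the -l rule says at each step */
};

/* Local (peer == 0) or foreign (peer == 1) port in host order, 0 if none;
 * getpeername() fails with ENOTCONN on an unconnected UDP socket, so such a
 * socket reports foreign port 0, matching netstat's *.* column. */
static unsigned short port_of(int fd, int peer)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);
	int rv = peer ? getpeername(fd, (struct sockaddr *)&sin, &len) :
	    getsockname(fd, (struct sockaddr *)&sin, &len);
	return rv == -1 ? 0 : ntohs(sin.sin_port);
}

/* Userland restatement of the diff's test: inp_lport != 0 && inp_fport == 0. */
int udp_shown_by_netstat_l(int fd)
{
	return port_of(fd, 0) != 0 && port_of(fd, 1) == 0;
}

/* Runs the exchange over loopback; returns 1 on success and fills in *r. */
int unbound_udp_demo(struct udp_demo_result *r)
{
	int srv = -1, cli = -1, ok = 0;
	struct sockaddr_in srv_addr, from;
	socklen_t len;
	struct timeval tv = { 2, 0 };      /* don't hang if loopback is unusable */
	const char req[] = "ping";         /* constructed sample datagram */
	char buf[64];
	ssize_t n;
	memset(r, 0, sizeof(*r));
	if ((srv = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ||
	    (cli = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		goto out;
	setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
	setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
	/* "Server": bound to 127.0.0.1, kernel-chosen port, never connected. */
	memset(&srv_addr, 0, sizeof(srv_addr));
	srv_addr.sin_family = AF_INET;
	srv_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	len = sizeof(srv_addr);
	if (bind(srv, (struct sockaddr *)&srv_addr, len) == -1 ||
	    getsockname(srv, (struct sockaddr *)&srv_addr, &len) == -1)
		goto out;
	r->server_shown = udp_shown_by_netstat_l(srv);
	/* Client: never bind()ed or connect()ed. Until it sends it has no local
	 * port and nothing can be delivered to it; the first sendto() makes the
	 * kernel assign an ephemeral port, and only then can a reply arrive. */
	r->client_port_before = port_of(cli, 0);
	r->client_shown_before = udp_shown_by_netstat_l(cli);
	if (sendto(cli, req, sizeof(req), 0,
	    (struct sockaddr *)&srv_addr, sizeof(srv_addr)) == -1)
		goto out;
	r->client_port_after = port_of(cli, 0);
	r->client_shown_after = udp_shown_by_netstat_l(cli);
	/* Server replies to the datagram's source; the never-bound client gets it. */
	len = sizeof(from);
	n = recvfrom(srv, buf, sizeof(buf), 0, (struct sockaddr *)&from, &len);
	if (n != (ssize_t)sizeof(req) ||
	    sendto(srv, buf, (size_t)n, 0, (struct sockaddr *)&from, len) == -1)
		goto out;
	n = recv(cli, buf, sizeof(buf), 0);
	r->reply_received = (n == (ssize_t)sizeof(req) && memcmp(buf, req, n) == 0);
	/* connect(2) records a foreign address, so the -l rule hides the socket. */
	if (connect(cli, (struct sockaddr *)&srv_addr, sizeof(srv_addr)) == -1)
		goto out;
	r->client_shown_connected = udp_shown_by_netstat_l(cli);
	ok = r->reply_received;
out:
	if (srv != -1) close(srv);
	if (cli != -1) close(cli);
	return ok;
}

int main(void)
{
	struct udp_demo_result r;
	if (!unbound_udp_demo(&r))
		return 1;
	printf("client port %u -> %u; -l shows server %d, client %d/%d/%d\n",
	    r.client_port_before, r.client_port_after, r.server_shown,
	    r.client_shown_before, r.client_shown_after, r.client_shown_connected);
	return 0;
}
```

Build with `cc -o udpdemo udpdemo.c` (file name assumed) and run it unprivileged. The client reports local port 0 before its first sendto(2) and an ephemeral port afterwards, it still receives the server's reply although it never called bind(2), and the `-l` rule keeps the bound server and the post-sendto client while hiding the client both before it sends (no local port, so nothing can reach it) and after connect(2) (foreign address recorded), which is exactly the row set the inet.c diff selects.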



Re: netstat *:* udp sockets

2018-12-14 Thread Theo de Raadt
>Philip Guenther wrote:
>> > And, perhaps more directly, how would I block this in pf.conf?
>> 
>> Excellent choice, blocking dhclient from receiving the leases that it
>> requests.
>> "What problem are you trying to solve?"
>
>Well, this may be something of a lost cause, but I would prefer that chrome
>not listen for stuff I don't understand. It listens on port 5353 as well, for
>mDNS, and I can block that easily enough. It's the socket without a port
>that's giving me trouble.

So it doesn't bind() and it doesn't connect(), but uses sendto

It is part of POSIX

If you want to block that piece of talking to the mothership you're
going to have to get into the source code.



Re: netstat *:* udp sockets

2018-12-14 Thread Ted Unangst
Ted Unangst wrote:
> Philip Guenther wrote:
> > > And, perhaps more directly, how would I block this in pf.conf?
> > 
> > Excellent choice, blocking dhclient from receiving the leases that it
> > requests.
> > "What problem are you trying to solve?"
> 
> Well, this may be something of a lost cause, but I would prefer that chrome
> not listen for stuff I don't understand. It listens on port 5353 as well, for
> mDNS, and I can block that easily enough. It's the socket without a port
> that's giving me trouble.

Oops, followup question. If the situation is that these are simply unbound
sockets that don't receive traffic, that makes life easier. I wasn't sure if
they were some catch-all sockets or what.



Re: netstat *:* udp sockets

2018-12-14 Thread Ted Unangst
Philip Guenther wrote:
> > And, perhaps more directly, how would I block this in pf.conf?
> 
> Excellent choice, blocking dhclient from receiving the leases that it
> requests.
> "What problem are you trying to solve?"

Well, this may be something of a lost cause, but I would prefer that chrome
not listen for stuff I don't understand. It listens on port 5353 as well, for
mDNS, and I can block that easily enough. It's the socket without a port
that's giving me trouble.



Re: netstat *:* udp sockets

2018-12-14 Thread Stuart Henderson
On 2018-12-14, Sebastian Benoit wrote:
> As for chrome, i have no idea what it is doing... ;)

My first guess would be maybe it's using this to send probes for QUIC /
HTTP/3. I don't see that in chromium here but maybe something in testing
(they run different "field trials" for different people)




Re: netstat *:* udp sockets

2018-12-14 Thread Consus
On 13:38 Thu 13 Dec, Ted Unangst wrote:
> netstat -an tells me I am listening to all the udp.
> 
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.*                    *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.*                    *.*
> udp          0      0  *.5353                 *.*
> udp          0      0  *.*                    *.*
> 
> What are those *.* sockets doing? How can you listen to all the ports?
> 
> According to fstat, two belong to dhclient and one to chrome.
> 
> root     dhclient   55241    3* internet dgram udp *:0
> root     dhclient   55241    5* internet dgram udp *:0
> tedu     chrome     52839  107* internet dgram udp *:0
> 
> Although now they are printed as *:0. How do such sockets work?
> 
> And, perhaps more directly, how would I block this in pf.conf?

Wait, shouldn't

$ netstat -anl

be used to get _listening_ sockets?



Re: netstat *:* udp sockets

2018-12-14 Thread Sebastian Benoit
Ted Unangst(t...@tedunangst.com) on 2018.12.13 13:38:58 -0500:
> netstat -an tells me I am listening to all the udp.
> 
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.*                    *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.*                    *.*
> udp          0      0  *.5353                 *.*
> udp          0      0  *.*                    *.*
> 
> What are those *.* sockets doing? How can you listen to all the ports?

In the case of dhclient, it opens that SOCK_RAW socket to send packets
to a dhcp server:

get_udp_sock() does socket(AF_INET, SOCK_RAW, IPPROTO_UDP). But it does not
bind() or connect(). That's why you have "Local Address" and "Foreign
Address" *.*.

I think the second one might be the one it opens with ioctlfd =
socket(AF_INET, SOCK_DGRAM, 0). It only uses it to do ioctl() on it, see
section INTERFACES in netintro(4).

> According to fstat, two belong to dhclient and one to chrome.
> 
> root     dhclient   55241    3* internet dgram udp *:0
> root     dhclient   55241    5* internet dgram udp *:0
> tedu     chrome     52839  107* internet dgram udp *:0
> 
> Although now they are printed as *:0. How do such sockets work?

The first socket above is used in send_packet() in sendmsg(ifi->ufdesc, msg,
&0) to a specific dhcp server. 
It is not used to receive packets and indeed it cannot receive any on that
socket.
It sends broadcast packets via bpf(4) and receives packets via bpf(4).
 
> And, perhaps more directly, how would I block this in pf.conf?

In the case of dhclient, you can't. Well, you can try, but it will break
things. The problem is that dhclient is special, it needs to send things
while there is no IP configuration on an interface. So it needs to do
things itself that the IP stack would do for normal programs.

If you run dhclient, you trust it not to send bad things, and not to receive
things it should not see (It configures the bpf filter to only get packets
to port 67).

As for chrome, i have no idea what it is doing... ;)



Re: netstat *:* udp sockets

2018-12-14 Thread Janne Johansson
On Fri, 14 Dec 2018 at 03:58, Philip Guenther wrote:
> On Thu, Dec 13, 2018 at 10:40 AM Ted Unangst wrote:
> > netstat -an tells me I am listening to all the udp.
> >
> > Active Internet connections (including servers)
> > Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > udp          0      0  *.*                    *.*
> > udp          0      0  127.0.0.1.53           *.*
> > udp          0      0  *.*                    *.*
> > udp          0      0  *.5353                 *.*
> > udp          0      0  *.*                    *.*
> >
> > What are those *.* sockets doing? How can you listen to all the ports?
>
> Those are just UDP sockets on which connect() hasn't been called and that
> aren't in the middle of a recvfrom()  or recvmsg(), no?

Isn't there something inherently weird in listing a lot of things
which "sort -u" would remove?

The streams at the bottom of netstat output are at least unique in some sense:
0x81e50880 stream      0      0 0x0
0x81e50900 0x0 0x0
..even if they might not tell me much more than udp *.*

-- 
May the most significant bit of your life be positive.



Re: netstat *:* udp sockets

2018-12-13 Thread Philip Guenther
On Thu, Dec 13, 2018 at 10:40 AM Ted Unangst wrote:

> netstat -an tells me I am listening to all the udp.
>
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.*                    *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.*                    *.*
> udp          0      0  *.5353                 *.*
> udp          0      0  *.*                    *.*
>
> What are those *.* sockets doing? How can you listen to all the ports?
>

Those are just UDP sockets on which connect() hasn't been called and that
aren't in the middle of a recvfrom()  or recvmsg(), no?


> And, perhaps more directly, how would I block this in pf.conf?

Excellent choice, blocking dhclient from receiving the leases that it
requests.
"What problem are you trying to solve?"

Philip Guenther