>>> If you are running servers (including SSHD), your rules are not good at
>>> all since they categorize traffic only by DEST PORT. Responses from
>>> servers need to be categorized by SOURCE PORT.
>>
>> I've been trying to get my mind around this but I can't seem to.
>> Responses from my servers will have a DEST PORT too right? That won't
>> work for classification?
>
> It's disheartening to have to explain the very basic principles of
> sockets to people but here goes.
>
> For the purposes of this discussion, the world is separated into clients
> and servers. Servers provide services to clients.
>
> When a server starts, it creates a socket and *binds* the socket to an
> *address*. For AF_INET (IPv4) and AF_INET6 (IPv6) sockets, that address
> is an ordered triple consisting of an IPv4 or IPv6 address, a protocol,
> and possibly a port number. Port numbers are only used when the protocol
> is TCP, UDP, SCTP or SCCP. The protocol and port number used by a server
> are typically well-known so that clients will be able to connect to it.
> So SSH servers bind to TCP port 22, SMTP servers bind to TCP port 25,
> etc. We will call this port the SERVER PORT.
>
> When a client wants to use the service provided by a server, it also
> creates a socket. Like the server's socket, the client's socket must
> also be bound to an address. But in the case of the client, the socket
> is usually given an automatic address binding. For AF_INET and AF_INET6
> sockets, the IP address is the IP address of the client system (loose
> generalization) and the port number is selected from a *local port
> range*. On Linux systems, the local port ranges can be seen by 'cat
> /proc/sys/net/ipv4/ip_local_port_range'. So it is not possible in
> advance to determine what port the client will be using. Whatever it is,
> we'll call it the CLIENT PORT.
>
> Now:
>
> Packets sent from the client to the server will have:
>
> SOURCE PORT = CLIENT PORT
> DEST PORT = SERVER PORT
>
> Packets sent from the server to the client will have:
>
> SOURCE PORT = SERVER PORT
> DEST PORT = CLIENT PORT
>
> Since the SERVER PORT is generally the only port known ahead of time, we
> therefore categorize traffic from the server to the client using the
> SOURCE PORT.
Thank you very much for that. I think I understand now. I thought the
SOURCE and DEST ports involved in a connection always matched.
Illuminating....

- Grant

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
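As an added illustration of the point settled in the thread (this is not code from the thread or from Shorewall): a Python classifier that applies the DEST-PORT-only rule beside one that also matches the SOURCE PORT, run over constructed SSH packets, plus a loopback connection that shows the SERVER PORT / CLIENT PORT assignment described above. The SERVER_PORTS table and the packet port values are assumptions.

```python
"""Classify TCP packets on a server host so that its replies are recognised.

Constructed example. A packet is reduced to its (src_port, dst_port) pair;
SERVER_PORTS is an assumed table of the well-known ports this host serves.
"""
import socket

SERVER_PORTS = {22: "ssh", 25: "smtp"}  # assumed: services running on this host


def classify_dest_only(src_port: int, dst_port: int) -> str:
    """The flawed rule from the thread: look only at DEST PORT.
    Requests arriving at the server match; the server's replies do not."""
    return SERVER_PORTS.get(dst_port, "default")


def classify(src_port: int, dst_port: int) -> str:
    """Correct rule: a client->server packet carries the SERVER PORT as its
    DEST PORT, a server->client reply carries it as its SOURCE PORT."""
    if dst_port in SERVER_PORTS:      # request coming in to our server
        return SERVER_PORTS[dst_port]
    if src_port in SERVER_PORTS:      # reply going out from our server
        return SERVER_PORTS[src_port]
    return "default"


def observe_ports():
    """Open a real loopback TCP connection to watch the port assignment the
    thread describes: the server port is fixed, the client port is automatic.
    Returns (server_port, client_port, reply_src_port, reply_dst_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0: let the kernel pick a free SERVER PORT
    srv.listen(1)
    server_port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", server_port))  # automatic bind from ip_local_port_range
    conn, _ = srv.accept()
    client_port = cli.getsockname()[1]
    # A reply leaves through `conn`: its local port is the source, peer port the dest.
    reply_src, reply_dst = conn.getsockname()[1], conn.getpeername()[1]
    for s in (conn, cli, srv):
        s.close()
    return server_port, client_port, reply_src, reply_dst


if __name__ == "__main__":
    server_port, client_port, reply_src, reply_dst = observe_ports()
    print(f"SERVER PORT = {server_port}, CLIENT PORT = {client_port}")
    print(f"reply: SOURCE PORT = {reply_src}, DEST PORT = {reply_dst}")
    # Constructed SSH session: request (51234 -> 22) and reply (22 -> 51234).
    print(classify_dest_only(51234, 22), classify_dest_only(22, 51234))  # ssh default
    print(classify(51234, 22), classify(22, 51234))                      # ssh ssh
```

The dest-only classifier drops every server reply into the default class, which is exactly the shaping mistake the first quoted message warns about.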
