Question about ports & UFW

[MadsRC]

Makes sense, since if port 80 isn't open on the clientside, the client wouldn't be able to use HTTP, since a HTTP connection originates from port 80 on the clientside, and if port 80 is closed, then HTTP wouldn't work.

I guess it boils down to: If you need to SSH to xx.xx.xx.xx:22, does that mean port 22 have to be open as an outbound connection on the client side or open as an incomming connection on the server side?

And I'm really sorry if these are really dumb questions, but I want to be sure I get it

[CharlesA]

It has to be open on the machine you want to ssh to.

[MadsRC]

So, in theory, the client does not have to have port 22 open, only the server?

Btw CharlesA, I think that was your 12.000th posts, grats

[CharlesA]

So, in theory, the client does not have to have port 22 open, only the server?

Btw CharlesA, I think that was your 12.000th posts, grats

Not only in theory, in practice as well.

[bodhi.zazen]

Privileged ports, below 1024, can only be bound (used) by root (not users).

Servers (ssh in this case) listen on a port (22 in this case).

Clinets (ssh client in this case) use a random high port ( > 1024 )to connect to the server.

So your ssh client may well use port 5555 to connect to the server port 22.

You can see this with any packet sniffer (wireshark, tcpdump).

See also http://bodhizazen.net/Tutorials/iptables

At lease the first few sections.

[MadsRC]

I have just tried deleting the "allow out 22/tcp" rule for the client, and it would not connect to the server via SSH. But if I added the "allow out 22/tcp" it would connect again.

This kinda contradicts the theory that the client does not need to have port 22 open to SSH to a server via port 22.

But is it because that the firewall looks at the connection to see what port it is bound for (the server port) and if it sees that the bound port isn't allowed in the outgoing, it will be stopped? But no matter what port the connection tries to exit client from (example 5555 as in bodhi.zazen's example) it will be allowed?

I've read the forum stickies and used your (bodhi.zazen) guide on your website/blog, but to be frank, there's still some basic stuff I'm not really 100% sure of.

EDIT: Must admit, I hadn't seen your Basic Networking Concept on your page bodhi.zazen.

I'll see if they will help me better understand networking.

[CharlesA]

The port is not open on the client. You are only allowing traffic to go out on port 22.

You are correct. The firewall checks to see what the destination port is and if it is on the "allow out" list, it will allow it through the firewall. If the destination port is not on the allow out list, it will block the outbound connection.

[MadsRC]

I guess that was the line I was looking for.

So if the destination port is NOT on the allow out list it will be blocked.

Does that also mean that the allow out list have nothing to do with the default deny/allow out/incomming? Because it wouldn't make much sense that we have to say "allow out 22/tcp" when it is set to default allow outgoing. Does default allow outgoing really mean that it don't care what port the connection exits the client from (in your example it exits from 5555 and is destined to 22 on the server) and the default deny incomming means that it will not let anything through that is destined for any port on the client.?

[bodhi.zazen]

The port is not open on the client. You are only allowing traffic to go out on port 22.

You are correct. The firewall checks to see what the destination port is and if it is on the "allow out" list, it will allow it through the firewall. If the destination port is not on the allow out list, it will block the outbound connection.

As CharlesA is telling you, if you look at the actual rules you will see it has nothing to do with port 22 on the client.

Code:

iptables -A OUTPUT -p tcp -m port --dport 22 -j ALLOW
iptables -A OUTPUT -j DROP

[CharlesA]

I guess that was the line I was looking for.

So if the destination port is NOT on the allow out list it will be blocked.

Does that also mean that the allow out list have nothing to do with the default deny/allow out/incomming? Because it wouldn't make much sense that we have to say "allow out 22/tcp" when it is set to default allow outgoing. Does default allow outgoing really mean that it don't care what port the connection exits the client from (in your example it exits from 5555 and is destined to 22 on the server) and the default deny incomming means that it will not let anything through that is destined for any port on the client.?

This rule tells ufw to drop anything that is not allowed:

Code:

Anywhere                   DENY OUT    Anywhere