Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: Question about ports & UFW

  1. #11
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Makes sense, since if port 80 isn't open on the client side, the client wouldn't be able to use HTTP, since an HTTP connection originates from port 80 on the client side, and if port 80 is closed, then HTTP wouldn't work.

    I guess it boils down to: if you need to SSH to xx.xx.xx.xx:22, does that mean port 22 has to be open as an outbound connection on the client side, or open as an incoming connection on the server side?

    And I'm really sorry if these are really dumb questions, but I want to be sure I get it.

  2. #12
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    It has to be open on the machine you want to ssh to.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #13
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    So, in theory, the client does not have to have port 22 open, only the server?

    Btw CharlesA, I think that was your 12,000th post, grats.

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Quote Originally Posted by MadsRC View Post
    So, in theory, the client does not have to have port 22 open, only the server?

    Btw CharlesA, I think that was your 12,000th post, grats.
    Not only in theory, in practice as well.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #15
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Question about ports & UFW

    Privileged ports, below 1024, can only be bound (used) by root (not users).

    Servers (ssh in this case) listen on a port (22 in this case).

    Clients (ssh client in this case) use a random high port (> 1024) to connect to the server.

    So your ssh client may well use port 5555 to connect to the server port 22.

    You can see this with any packet sniffer (wireshark, tcpdump).

    See also http://bodhizazen.net/Tutorials/iptables

    At least the first few sections.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #16
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    I have just tried deleting the "allow out 22/tcp" rule for the client, and it would not connect to the server via SSH. But if I added the "allow out 22/tcp" it would connect again.

    This kinda contradicts the theory that the client does not need to have port 22 open to SSH to a server via port 22.

    But is it because the firewall looks at the connection to see what port it is bound for (the server port), and if it sees that the bound port isn't allowed in the outgoing rules, it will be stopped? But no matter what port the connection tries to exit the client from (for example 5555, as in bodhi.zazen's example), it will be allowed?

    I've read the forum stickies and used your (bodhi.zazen) guide on your website/blog, but to be frank, there's still some basic stuff I'm not really 100% sure of.

    EDIT: Must admit, I hadn't seen your Basic Networking Concept on your page bodhi.zazen.

    I'll see if they will help me better understand networking.

  7. #17
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    The port is not open on the client. You are only allowing traffic to go out on port 22.

    You are correct. The firewall checks to see what the destination port is and if it is on the "allow out" list, it will allow it through the firewall. If the destination port is not on the allow out list, it will block the outbound connection.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  8. #18
    Join Date
    Jul 2011
    Location
    Off the grid
    Beans
    119
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    I guess that was the line I was looking for.

    So if the destination port is NOT on the allow out list it will be blocked.

    Does that also mean that the allow out list has nothing to do with the default deny/allow out/incoming? Because it wouldn't make much sense that we have to say "allow out 22/tcp" when it is set to default allow outgoing. Does default allow outgoing really mean that it doesn't care what port the connection exits the client from (in your example it exits from 5555 and is destined to 22 on the server), and the default deny incoming means that it will not let anything through that is destined for any port on the client?

  9. #19
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Question about ports & UFW

    Quote Originally Posted by CharlesA View Post
    The port is not open on the client. You are only allowing traffic to go out on port 22.

    You are correct. The firewall checks to see what the destination port is and if it is on the "allow out" list, it will allow it through the firewall. If the destination port is not on the allow out list, it will block the outbound connection.
    As CharlesA is telling you, if you look at the actual rules you will see it has nothing to do with port 22 on the client.


    Code:
    # accept outbound TCP whose destination port is 22; the client's source port is never tested
    iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
    # everything else leaving the machine is dropped
    iptables -A OUTPUT -j DROP
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #20
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Question about ports & UFW

    Quote Originally Posted by MadsRC View Post
    I guess that was the line I was looking for.

    So if the destination port is NOT on the allow out list it will be blocked.

    Does that also mean that the allow out list has nothing to do with the default deny/allow out/incoming? Because it wouldn't make much sense that we have to say "allow out 22/tcp" when it is set to default allow outgoing. Does default allow outgoing really mean that it doesn't care what port the connection exits the client from (in your example it exits from 5555 and is destined to 22 on the server), and the default deny incoming means that it will not let anything through that is destined for any port on the client?
    This rule tells ufw to drop anything that is not allowed:

    Code:
    Anywhere                   DENY OUT    Anywhere
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
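As an added illustration (not code from the thread or from ufw itself): a small Python model of the OUTPUT chain that CharlesA and bodhi.zazen describe, showing that the verdict depends only on the destination port and the default policy, never on the ephemeral source port the client picks. The Connection/Rule types and the build_output_chain mapping from ufw settings to chain rules are assumptions made for this demo.

```python
# Toy model of how an iptables OUTPUT chain (as ufw builds it) decides the
# fate of an outbound connection. First matching rule wins; the catch-all
# DROP at the end plays the role of ufw's "Anywhere DENY OUT Anywhere" line.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    proto: str
    src_port: int  # ephemeral port the client picked, e.g. 5555
    dst_port: int  # port the server listens on, e.g. 22


@dataclass(frozen=True)
class Rule:
    verdict: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # None = any protocol
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, c: Connection) -> bool:
        # src_port is deliberately never consulted: only the destination matters.
        return self.proto in (None, c.proto) and self.dst_port in (None, c.dst_port)


def build_output_chain(default_outgoing: str,
                       allow_out: List[Tuple[int, str]]) -> List[Rule]:
    """Assumed mapping of 'ufw default <allow|deny> outgoing' plus any
    'ufw allow out <port>/<proto>' entries onto an ordered chain: one ACCEPT
    per allow-out entry, then a catch-all DROP only when the default is deny."""
    chain = [Rule("ACCEPT", proto=proto, dst_port=port) for port, proto in allow_out]
    if default_outgoing == "deny":
        chain.append(Rule("DROP"))
    return chain


def evaluate_output(chain: List[Rule], c: Connection) -> str:
    """Walk the chain in order; the first matching rule decides. Falling off
    the end means ACCEPT, which is what 'default allow outgoing' amounts to."""
    for rule in chain:
        if rule.matches(c):
            return rule.verdict
    return "ACCEPT"


if __name__ == "__main__":
    deny_chain = build_output_chain("deny", [(22, "tcp")])
    # Constructed sample connections: same destination, different source ports.
    for src in (5555, 40000):
        print(src, "->", 22, evaluate_output(deny_chain, Connection("tcp", src, 22)))
    print(5555, "->", 80, evaluate_output(deny_chain, Connection("tcp", 5555, 80)))
```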
