States and ports.. why…
-
This is a quick one..
Why for example… 10.1.1.101:61515 -> 157.240.20.15:443 (States page)
… the ports part, how can it go from 61515 to 443... and all states are like that.. I would expect something like.. 443 to 443..
It's not that I think something is wrong, I can see it only goes to the common ports I specified... but the weirdness.. tell me the logic?.
-
Introducing the concept of "source port":
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
-
@kpa:
Introducing the concept of "source port":
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
Ok, thanks :)…. But.. why… whhyyy… hehe ;D ::).. To me computer should just say: "Hey, I am 10.1.1.101.. and i want to go to x.x.x.x IP on port 22!", Pfsense replies: "Ok, that is noted, let me check if you can pass.. ok, I made state, you called 22 and got 22 to go out".
I am guessing they are "Dynamic ports" ?… because this rings bell with me "Dynamic/private ports do not contain any meaning outside of any particular TCP connection."
... I will continue reading wikis :), just fishing for more simple short answer.
-
10.1.1.101:61515 -> 157.240.20.15:443
"61515" is known as a "client port". Your example of just connecting from port 443 to 443 would mean you could only have ONE connection. It would become ambiguous as to which connection you were talking about if there were not unique client ports. Client ports are higher ports as not to consume the service ports. This is more to make it easier to manage security. If all services are in the lower ports, then you can trivially block outside access to internal services by blocking all lower ports.
-
10.1.1.101:61515 -> 157.240.20.15:443
"61515" is known as a "client port". Your example of just connecting from port 443 to 443 would mean you could only have ONE connection. It would become ambiguous as to which connection you were talking about if there were not unique client ports. Client ports are higher ports as not to consume the service ports. This is more to make it easier to manage security. If all services are in the lower ports, then you can trivially block outside access to internal services by blocking all lower ports.
Ahaa :), that actually makes some sense. Yes, just read about the categories of ports. … so it would also be why some programs need a substantial amount of ports in a range opened maybe.
-
you need to understand what a source port is..
Here this might help
http://www.firewall.cx/networking-topics/protocols/tcp/133-tcp-source-destination-ports.html -
you need to understand what a source port is..
Here this might help
http://www.firewall.cx/networking-topics/protocols/tcp/133-tcp-source-destination-ports.htmlThanks for link.
So, there is no need to really think too much about this source port, is there?. It's a port that is just agreed upon.
When i enter page, … i say, hey.. calling you on 80.. i select 80.. call me back on... XXXX port, i am listening. Plus more. -
With TCP the operating system of the client selects the source port automatically and at random from the set of currently unused ports. The destination of the connection (the server) will know this source port because it's included in every packet of the connection it receives and it will send the return traffic back to this source port. This is all automated by TCP and the client software doesn't have to worry about the details, all it gets and cares about is a reliable data stream between it and the server that is can use to send and receive data.
With UDP the source port can be the same as the destination port because UDP is stateless and connectionless, for example all NTP traffic between a client and a server is transmitted from UDP source port 123 to UDP destination port 123 on the server. However, source port randomization is used on UDP as well in some applications for additional security because UDP based protocols are more vulnerable to spoofing attacks than TCP based, DNS is the probably the best example.
-
Another analogy for IP+Port would be Address+Name. If you sent mail to a frat house and you want it to get to a certain person, you need to include their name along with their address because many people live at the same address.
-
^ very true and the source port would be the name of the person to contact on the return address of the envelope ;) While the address would be the source IP.
Keep in mind with NAPT (network address port translation… The device doing the napt will often change the source port as well..
So for example your machine at 192.168.1.100 wants to talk to fourms.pfsense.org on port 80.. So it sends this traffic to pfsense its gateway with the destination IP and Port.. Like so..
192.168.1.100:12345 ---> IPof-forum.pfsense.org:80
The napt device (pfsense) will change that when it sends it that traffic on using your wan IP and some other source port.. So you end up with
publicIP:45678 ---> IPof-forum.pfsense.org:80
So when forum.pfsense.org answers back from 80 to 45678, pfsense via its state table knows which client to send that back too..
IPof-forum.pfsense.org:80 ---> publicIP:45678 ---> 192.168.1.100:12345
This also allows for multiple clients behind your public IP to all be talking to the same forum.pfsense.org:80 from your publicIP all at the same time. If pfsense didn't change the source port you could have problems were multiple machines were picking the same source port.. Which would be a problem..
This is why you see states in your state table showing the 3 parts of the conversation.. the clients IP:sourceport, pfsense:sourceport --> destIP:port.
-
Thanks all 8), I understand the most part of it now, or atleast what I feel I need to know for now.
-
Has anyone talked to you yet about Source Ports?
;D ;D ;D ;D ;D ;D ;D ;D
-
@KOM:
Has anyone talked to you yet about Source Ports?
And once finished with that, we can have another talk about some more entertaining topics, such as