
Re: Default DENY with ipchains



Steve Bowman <sbowman@frostwork.net> writes:

> On Mon, Oct 23, 2000 at 12:06:57AM -0400, James Antill wrote:
> > instance run the following /bin/sh script under potato...
> > 
> > #! /bin/sh
> > 
> > while :; do 
> >  telnet localhost 1200; 
> > done

 Trust me, leave this program running in a gnome-terminal for a
while. Hopefully what I'm saying should seem clearer then.

> > ...after a while it will stop saying 
> > "telnet: Unable to connect to remote host: Connection refused" and
> > anything you type will then be repeated back to you when you press
> > return (or after every character if you turn telnet into character
> > mode). This is because the connect() to port 1200 by chance connect'd
> > to the port that had been implicitly bound by the connect() before it
> > happened (connect() is guaranteed to have this behaviour) -- if you
> > follow that.
> 
> If I understand you correctly, you're saying that the incoming connection
> will fail because the outgoing connection already bound 1200 and because
> the outgoing connection binds first....  Something doesn't sound quite
> right with that so maybe I misunderstand.

 No, the connection to localhost:1200 will normally fail because there
is nothing listening on 1200. However, sometimes the implicit bind()
that connect() does when doing an outgoing connection will be to 1200,
and so the connect() will succeed.

> On my box, it will fail because nothing is listening at 1200.  However, if
> something were to be listening at 1200, an attempt to bind it explicitly
> would fail because the port's in use (IIRC).  A connect with a * port
> would simply get a different port.

 You are missing the point: when you call connect(), then unless you've
called bind() explicitly you will try to connect two different IPs and
ports (let's call these local and remote); this is equivalent to...

bind(fd, { <out going hostname interface>, 0 });
connect(fd, { <remote hostname>, <remote port> });

...except the bind() is done implicitly (the 0 in place of a port in
the call to bind means pick a port for me).

 And if I've still managed to explain badly, then probably the best
thing to do is look at openssh-1.2.3/sshconnect.c and understand what
ssh_create_socket() does, and hopefully all will become clear.

-- 
James Antill -- james@and.org
"If we can't keep this sort of thing out of the kernel, we might as well
pack it up and go run Solaris." -- Larry McVoy.
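The bind()/connect() pair James spells out, written as an added C example (not code from this thread or from OpenSSH): connect_loopback() does the implicit bind explicitly, is_self_connected() is the check a client should make after connecting to a local port, since the telnet loop above shows the socket can end up connected to itself, and demo_distinct_ports() exercises both against a listener on a kernel-chosen port. All function names are assumptions for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local port the kernel chose for fd (the implicit bind()), or -1 on error. */
int local_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* 1 if fd's local and remote address:port are identical (the socket connected
 * to itself, as in the telnet loop above); 0 if not; -1 on error. */
int is_self_connected(int fd) {
    struct sockaddr_in l, r; socklen_t ll = sizeof l, rl = sizeof r;
    if (getsockname(fd, (struct sockaddr *)&l, &ll) < 0) return -1;
    if (getpeername(fd, (struct sockaddr *)&r, &rl) < 0) return -1;
    return l.sin_addr.s_addr == r.sin_addr.s_addr && l.sin_port == r.sin_port;
}

/* The two calls spelled out in the mail: bind() to port 0 (kernel picks an
 * ephemeral port), then connect() to 127.0.0.1:port. Returns the fd or -1. */
int connect_loopback(int port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {   /* sin_port is 0: "pick a port for me" */
        sa.sin_port = htons(port);
        if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) return fd;
    }
    close(fd);
    return -1;
}

/* Listen on a kernel-chosen port, connect to it, and confirm the client got a
 * different local port and is not talking to itself. Returns the client's
 * local port, or -1 if anything failed or a self-connect was detected. */
int demo_distinct_ports(void) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) return -1;
    if (bind(ls, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(ls, 1) < 0) { close(ls); return -1; }
    int lport = local_port(ls), cfd = connect_loopback(lport);
    int cport = cfd < 0 ? -1 : local_port(cfd), self = cfd < 0 ? -1 : is_self_connected(cfd);
    if (cfd >= 0) close(cfd);
    close(ls);
    return (cport > 0 && cport != lport && self == 0) ? cport : -1;
}
```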


