Alex Gleason (alex@gleasonator.com)'s status on Sunday, 16-Jul-2023 06:21:54 JST:
Realizing I don't know how computers work. "Source port" is a concept dreamed up by the utterly deranged.
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 16-Jul-2023 06:23:46 JST:
@BronzeAgeHogCranker What's the real answer then?
🇧🇷🇴🇳🇿🇪🇦🇬🇪🇭🇴🇬🇨🇷🇦🇳🇰🇪🇷 (bronzeagehogcranker@geofront.rocks)'s status on Sunday, 16-Jul-2023 06:23:47 JST:
seems incorrect but ok
I mean for that to work you would essentially have to have no outbound firewall
feld (feld@bikeshed.party)'s status on Sunday, 16-Jul-2023 08:33:14 JST:
No? That's how the TCP 3-way handshake works.
A stateful firewall watches the packets as they come through to track the source port of the initial outbound packet (with SYN flag) to learn the port it should allow the other side to send their traffic back on.
That's why it's terrible if anyone gets control of a computer inside your network: they can now open bidirectional communications, defeating the firewall.
feld (feld@bikeshed.party)'s status on Sunday, 16-Jul-2023 08:37:21 JST:
A nice trick we used to do was to configure the firewall to disallow the user running the webserver (e.g., apache) from being able to send outbound traffic.
It still works fine as a webserver, as it's not initiating the connection. But if someone finds a vulnerability and hacks the server, their attack can't make any network requests outbound to establish comms with the C&C server, download payloads, etc.
You can still do that today, but web stacks are getting complex and even the webserver may be making network requests to the open internet. Though if it was only to specific APIs you could allow that too...
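The two feld posts above describe the same mechanism from two sides: a stateful firewall remembers the 4-tuple of each connection it saw opened, lets the replies back in, and (as a hardening step) can refuse to let the webserver's own user open new outbound connections while still passing the replies on connections that clients opened to it. The following is an added toy simulation of that logic, not code from the thread or from any real firewall. The packet dicts, the addresses, the webserver uid (33, as for a typical www-data account) and the single "allowed API" endpoint are all constructed for the example; locally generated packets carry the uid of the owning process, the way Linux's owner match sees them, and inbound packets carry none.

```python
"""Toy stateful firewall: connection tracking plus a per-user egress policy.

Constructed example. A Firewall keeps the set of connections it has seen
opened, keyed by the 4-tuple as seen from the inside host:
    (inside_addr, inside_port, remote_addr, remote_port)
Replies are matched against that set; new connections are checked against
the egress policy. All values below are made up for the demonstration.
"""
from dataclasses import dataclass, field

WEB_UID = 33                              # assumed uid of the webserver account (www-data)
ALLOWED_API = {("203.0.113.10", 443)}     # constructed: the only endpoint the web user may call
WEB_PORT = 80                             # the one inbound service this host exposes


@dataclass
class Firewall:
    conntrack: set = field(default_factory=set)

    def handle(self, pkt):
        """Return a verdict string for one packet dict."""
        if pkt["direction"] == "out":
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if key in self.conntrack:
                return "ACCEPT established"      # reply on a tracked connection, any uid
            if not pkt["syn"]:
                return "DROP stray outbound"     # no state and not a connection attempt
            # a new outbound connection: this is where the egress policy applies
            if pkt["uid"] == WEB_UID and (pkt["dst"], pkt["dport"]) not in ALLOWED_API:
                return "REJECT web user egress"
            self.conntrack.add(key)
            return "ACCEPT new outbound"
        # inbound: look the packet up as the reverse of the inside host's view
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.conntrack:
            return "ACCEPT reply"
        if pkt["syn"] and pkt["dport"] == WEB_PORT:
            # a client opening a connection to the webserver: track it so the
            # server's answers (sent by the web uid) pass as "established"
            self.conntrack.add(key)
            return "ACCEPT new inbound"
        return "DROP unsolicited"


def packet(direction, src, sport, dst, dport, syn, uid=None):
    return dict(direction=direction, src=src, sport=sport,
                dst=dst, dport=dport, syn=syn, uid=uid)


INSIDE = "192.0.2.5"        # constructed: the webserver host behind the firewall
CLIENT = "198.51.100.7"     # constructed: a legitimate browser on the internet
REMOTE = "203.0.113.66"     # constructed: some arbitrary external host


def run_scenario():
    """Replay a constructed packet sequence and return the verdict list."""
    fw = Firewall()
    pkts = [
        # 1. a browser opens a connection to our webserver (ephemeral source port 51515)
        packet("in", CLIENT, 51515, INSIDE, WEB_PORT, syn=True),
        # 2. the webserver (running as WEB_UID) answers on that tracked connection
        packet("out", INSIDE, WEB_PORT, CLIENT, 51515, syn=True, uid=WEB_UID),
        # 3. the web user tries to open a brand-new outbound connection: policy says no
        packet("out", INSIDE, 40001, REMOTE, 4444, syn=True, uid=WEB_UID),
        # 4. the remote side's answer finds no state, so it is dropped too
        packet("in", REMOTE, 4444, INSIDE, 40001, syn=True),
        # 5. the web user calling the one allowed API works, and its reply comes back
        packet("out", INSIDE, 40002, "203.0.113.10", 443, syn=True, uid=WEB_UID),
        packet("in", "203.0.113.10", 443, INSIDE, 40002, syn=True),
        # 6. any other local user may open outbound connections, and the reply is let
        #    back in: exactly the bidirectional channel feld warns an inside host gets
        packet("out", INSIDE, 40003, REMOTE, 4444, syn=True, uid=1000),
        packet("in", REMOTE, 4444, INSIDE, 40003, syn=True),
        # 7. an unsolicited inbound connection attempt to a non-web port
        packet("in", REMOTE, 4444, INSIDE, 22, syn=True),
    ]
    return [fw.handle(p) for p in pkts]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Packet 2 is the point of feld's trick: the webserver's replies are accepted because the connection is already in the state table, so the egress rule never has to consider them; only packet 3, a connection the web user itself initiates, hits the policy. In a real iptables setup the same ordering matters: an `ESTABLISHED` conntrack accept has to come before the owner-based reject, or the webserver cannot answer anyone.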
lamp (lamp@berserker.town)'s status on Sunday, 16-Jul-2023 09:16:43 JST:
@alex So the destination port is used to identify the service, as you know: 80 for HTTP, 22 for SSH, etc.
But multiple clients can connect to those servers at the same time, even multiple connections from the same client. So how does it tell those connections apart?
So the client picks a random source port to initiate the connection. From 1.1.1.1:12345 to 2.2.2.2:80 for example.
This mapping is the basis of the TCP connection, so the server at 2.2.2.2:80 knows to send back to 1.1.1.1:12345 for this particular connection.
Alex Gleason likes this.
lamp (lamp@berserker.town)'s status on Sunday, 16-Jul-2023 09:16:44 JST:
@alex TCP is multiplexed, meaning multiple TCP connections can coexist at the same time. In order for this to work there has to be a source and destination port so that the other end of a connection knows where to send the packets back to.
翠星石 likes this.
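Both lamp posts make the same point: the server distinguishes several connections to one port purely by the client's (address, source port) pair, and the client never chose that port on purpose. The script below is an added example, not code from the thread; it runs entirely on 127.0.0.1 and lets the kernel pick both the listening port and the ephemeral source ports, then compares what the client and server sides each see. The function names and the number of connections are this example's own choices.

```python
"""Added example: watch the kernel assign ephemeral source ports.

Several connections go from one process to one server port on 127.0.0.1.
Each side records the connection as the 4-tuple
    (client_addr, client_port, server_addr, server_port)
and the two views must agree; the client ports differ, which is the only
thing that tells the connections apart. Everything here is local and constructed.
"""
import socket
import threading


def serve(listener, seen, n):
    """Accept n connections, record each peer's 4-tuple, send a short reply."""
    for _ in range(n):
        conn, peer = listener.accept()          # peer = (client_addr, client_port)
        local = conn.getsockname()              # local = (server_addr, server_port)
        seen.append((peer[0], peer[1], local[0], local[1]))
        conn.sendall(b"ok")
        conn.close()


def demo(n=2):
    """Open n connections and return both sides' view of them, sorted."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))             # port 0: kernel picks a free listening port
    listener.listen(n)
    server_addr, server_port = listener.getsockname()

    seen = []
    t = threading.Thread(target=serve, args=(listener, seen, n))
    t.start()

    clients, client_view = [], []
    for _ in range(n):
        # no bind() on the client side: the kernel chooses the ephemeral source port
        c = socket.create_connection((server_addr, server_port))
        clients.append(c)                       # keep every socket open so no port is reused
        addr, sport = c.getsockname()
        client_view.append((addr, sport, server_addr, server_port))

    for c in clients:
        if c.recv(2) != b"ok":
            raise RuntimeError("unexpected reply")
        c.close()
    t.join()
    listener.close()

    return {
        "server_port": server_port,
        "server_view": sorted(seen),
        "client_view": sorted(client_view),
    }


if __name__ == "__main__":
    result = demo(3)
    print("server listening on port", result["server_port"])
    for src, sport, dst, dport in result["client_view"]:
        print(f"{src}:{sport} -> {dst}:{dport}")
```

Run it and the three printed lines share the destination but carry three different source ports; that (source address, source port, destination address, destination port) tuple is what lamp calls the "mapping" the connection is based on. Binding the client socket to a fixed port before connecting is how this breaks: the second connect to the same server would fail because the 4-tuple would already be in use.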