[mosh-users] Which ports to open on the client side?

Keith Winstein keithw at MIT.EDU
Thu Aug 30 14:15:35 EDT 2012


Hello Alan,

You're seeing something that happens in both TCP and UDP connections.
When you run a Web server on port 80 (TCP), clients will connect to
the server's port 80, from a random unprivileged TCP port of their own
choosing. So it's typical that you might see a connection from
1.2.3.4:47123 to your server (port 80), and another connection from
3.4.5.6:19156 to your server (still port 80), etc.

When you tell a firewall to "open up port 80," what you mean is that
you want clients to be able to connect to the server's port 80 from
any client port, and that you want the server to be able to reply to
them at the IP address and port they connected from.

Most firewalls do this in the same way for both TCP and UDP
connections. (E.g. in Amazon's EC2 firewall, when you open up UDP
ports 60000-61000, you are allowing clients to send to those server
ports AND allowing the server to reply from ports 60000-61000 to
whatever port the client is using.)

If your firewall is behaving differently, this may be a good place to
focus on. Keep in mind you need to persuade the firewall to allow
"connections" (in both directions) to the server's port 60000-61000,
not just allow incoming datagrams destined to those ports.

I hope this is helpful!

Best regards,
Keith

On Thu, Aug 30, 2012 at 12:46 PM, Alan Schmitt
<alan.schmitt at polytechnique.org> wrote:
> Martin Hannigan <hannigan at gmail.com> writes:
>
>> You should open 60000 through 610000. Unless you have a specific
>> reason to specify a port or your target server is unfiltered entirely,
>> you may not need to specify a port.
>
> My problem is that it's not the server that is filtered, but the client.
> I guess only some ports are allowed for incoming UDP traffic on the
> client side.
>
>> I also found you need to allow ICMP. I found this tcpdump'ing to
>> resolve a similar issue. I don't know if that's a function of the NAT
>> that I am behind or the client and I haven't dug too deeply into the
>> logs of both to confirm it's end to end.
>
> This could also be it. I'll try some experiments when I get back to this
> network.
>
> Thanks,
>
> Alan
> _______________________________________________
> mosh-users mailing list
> mosh-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-users
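The distinction Keith draws above, between a firewall that admits a UDP "connection" in both directions and one that only admits datagrams destined to ports 60000-61000, is easy to see in a toy model. The following Python is an added example written for this archive page; it is not mosh's code and not anything from the mailing list. The addresses, the client port 47123, the server port 60001 and the rule format are constructed for illustration. It shows why a client-side firewall that merely whitelists inbound UDP to 60000-61000 still drops the server's reply: that reply is addressed to the client's own ephemeral port, so only state tracking (or an equivalent rule on the reply's destination) lets it through.

```python
"""Toy stateful vs. stateless UDP firewall, modelled on the mosh port discussion.

Added example, not mosh's code. Addresses, ports and the rule format are
constructed for illustration only.
"""
from dataclasses import dataclass, field

# Server-side port range mosh uses (from the thread); the model is constructed.
MOSH_PORTS = (60000, 61000)


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class UdpFirewall:
    """Admits datagrams matching an explicit rule and, when track_state is on,
    replies to flows it has already admitted (a minimal connection-tracking table).

    rules: list of (direction, (low_port, high_port)); direction is "in" or "out"
    and the range is matched against the datagram's *destination* port.
    """
    rules: list
    track_state: bool = True
    _flows: set = field(default_factory=set)

    def _matches_rule(self, direction: str, dgram: Datagram) -> bool:
        for rule_dir, (lo, hi) in self.rules:
            if rule_dir == direction and lo <= dgram.dst_port <= hi:
                return True
        return False

    def allow(self, direction: str, dgram: Datagram) -> bool:
        # A datagram whose 4-tuple is the reverse of an admitted flow is a reply.
        reverse = (dgram.dst_ip, dgram.dst_port, dgram.src_ip, dgram.src_port)
        if self.track_state and reverse in self._flows:
            return True
        if self._matches_rule(direction, dgram):
            if self.track_state:
                self._flows.add((dgram.src_ip, dgram.src_port,
                                 dgram.dst_ip, dgram.dst_port))
            return True
        return False


def mosh_exchange(client_fw: UdpFirewall) -> tuple:
    """Run the first client datagram and the server's reply through the client's
    firewall. Returns (first_datagram_sent, reply_received)."""
    client_ip, client_port = "192.0.2.10", 47123      # constructed
    server_ip, server_port = "198.51.100.5", 60001    # constructed
    first = Datagram(client_ip, client_port, server_ip, server_port)
    reply = Datagram(server_ip, server_port, client_ip, client_port)
    sent = client_fw.allow("out", first)
    reply_ok = sent and client_fw.allow("in", reply)
    return sent, reply_ok


def stateful_client() -> UdpFirewall:
    # Outbound to 60000-61000 permitted; the reply is admitted via the state table.
    return UdpFirewall(rules=[("out", MOSH_PORTS)], track_state=True)


def stateless_client() -> UdpFirewall:
    # Same outbound rule plus "allow inbound destined to 60000-61000", but no
    # state: the reply is destined to client port 47123, so it is dropped.
    return UdpFirewall(rules=[("out", MOSH_PORTS), ("in", MOSH_PORTS)],
                       track_state=False)


if __name__ == "__main__":
    print("stateful client firewall :", mosh_exchange(stateful_client()))
    print("stateless client firewall:", mosh_exchange(stateless_client()))
```

When checking a real client-side firewall, the question to ask is therefore not "is UDP 60000-61000 open inbound?" but "are replies to flows the client initiated toward 60000-61000 admitted?", which is what a connection-tracking (state) rule provides.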

