[mosh-users] Which ports to open on the client side?

Alan Schmitt alan.schmitt at polytechnique.org
Fri Aug 31 09:38:17 EDT 2012


Keith Winstein <keithw at mit.edu> writes:

> Hello Alan,
>
> You're seeing something that happens in both TCP and UDP connections.
> When you run a Web server on port 80 (TCP), clients will connect to
> the server's port 80, from a random unprivileged TCP port of their own
> choosing. So it's typical that you might see a connection from
> 1.2.3.4:47123 to your server (port 80), and another connection from
> 3.4.5.6:19156 to your server (still port 80), etc.
>
> When you tell a firewall to "open up port 80," what you mean is that
> you want clients to be able to connect to the server's port 80 from
> any client port, and that you want the server to be able to reply to
> them at the IP address and port they connected from.
>
> Most firewalls do this in the same way for both TCP and UDP
> connections. (E.g. in Amazon's EC2 firewall, when you open up UDP
> ports 60000-61000, you are allowing clients to send to those server
> ports AND allowing the server to reply from ports 60000-61000 to
> whatever port the client is using.)
>
> If your firewall is behaving differently, this may be a good place to
> focus on. Keep in mind you need to persuade the firewall to allow
> "connections" (in both directions) to the server's port 60000-61000,
> not just allow incoming datagrams destined to those ports.

Thanks for clarifying this; it now makes much more sense. I asked the
admins here about it. I guess one issue is that it's the client that is
behind the firewall, not the server. (Another issue may be that the
server is behind a NAT. I redirected the ports so that incoming packets
reach the server, and I hope that the NAT will not modify the source
port of a reply when it mentions a redirected port.)

Alan
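The behaviour Keith describes (a "connection" in UDP is the pair of a datagram to the server's port and the server's reply to whatever ip:port it came from) and the NAT question Alan raises, as an added example that is not part of this thread or of mosh's own code. It does a real UDP round trip on loopback using the 60000-61000 range from the post, then runs the same exchange through two toy models: a filter that is stateful versus one that only admits inbound datagrams, and a port-forwarding NAT. The client addresses 1.2.3.4:47123 and 3.4.5.6:19156 are the ones from the quoted message; the NAT's public address 203.0.113.7 and internal host 10.0.0.5 are constructed, and both models are deliberate simplifications of what EC2 security groups, iptables conntrack or a home router actually do.

```python
"""Added example (not from the mosh project or this mailing-list thread)."""
import socket

MOSH_PORTS = range(60000, 61001)   # default mosh-server range from the post


def udp_round_trip(ports=MOSH_PORTS, payload=b"mosh-client hello"):
    """Bind a server socket on the first free port in the range (as
    mosh-server does), send to it from a client socket on a kernel-chosen
    ephemeral port, and answer to the address recvfrom() reported.
    Returns (server_port, client_port, port_server_saw, reply_src_port, reply).
    Loopback only: an assumption so the example runs offline."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server_port = None
    for port in ports:
        try:
            server.bind(("127.0.0.1", port))
            server_port = port
            break
        except OSError:
            continue
    if server_port is None:
        server.close()
        raise RuntimeError("no free UDP port in range")
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))            # random unprivileged port
    client_port = client.getsockname()[1]
    server.settimeout(2)
    client.settimeout(2)
    try:
        client.sendto(payload, ("127.0.0.1", server_port))
        data, peer = server.recvfrom(2048)
        server.sendto(b"ack:" + data, peer)   # reply to where it came from
        reply, src = client.recvfrom(2048)
    finally:
        server.close()
        client.close()
    return server_port, client_port, peer[1], src[1], reply


class UdpFilter:
    """Toy firewall. stateful=True: an inbound datagram to an allowed
    server port records a flow and the matching reply is let back out
    (what "open UDP 60000-61000" means on EC2). stateful=False: the only
    rule is "allow datagrams to those ports", so replies are dropped."""

    def __init__(self, server_ports, stateful=True):
        self.server_ports = set(server_ports)
        self.stateful = stateful
        self.flows = set()

    def inbound(self, client_ip, client_port, server_port):
        if server_port not in self.server_ports:
            return False
        if self.stateful:
            self.flows.add((client_ip, client_port, server_port))
        return True

    def outbound(self, server_port, client_ip, client_port):
        return self.stateful and (client_ip, client_port, server_port) in self.flows


def firewall_trace():
    """Run the exchange from the post through both filters; True = passed."""
    good = UdpFilter(MOSH_PORTS)
    bad = UdpFilter(MOSH_PORTS, stateful=False)
    return {
        "request 1.2.3.4:47123 -> :60001": good.inbound("1.2.3.4", 47123, 60001),
        "reply :60001 -> 1.2.3.4:47123": good.outbound(60001, "1.2.3.4", 47123),
        "reply to a port the client never used": good.outbound(60001, "1.2.3.4", 47124),
        "unsolicited :60002 -> 3.4.5.6:19156": good.outbound(60002, "3.4.5.6", 19156),
        "request to :61001 (outside range)": good.inbound("1.2.3.4", 47123, 61001),
        "inbound-only rule, request": bad.inbound("1.2.3.4", 47123, 60001),
        "inbound-only rule, reply": bad.outbound(60001, "1.2.3.4", 47123),
    }


class PortForwardNat:
    """Toy DNAT in front of the server: public port -> (internal ip, port).
    A correct NAT rewrites the reply's source back to the public address and
    port, so the client keeps talking to the same peer it first contacted."""

    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = dict(forwards)
        self.reverse = {v: k for k, v in self.forwards.items()}

    def inbound(self, dst_port):
        return self.forwards.get(dst_port)          # None: not forwarded

    def outbound(self, src_ip, src_port):
        public_port = self.reverse.get((src_ip, src_port))
        return None if public_port is None else (self.public_ip, public_port)


if __name__ == "__main__":
    print(udp_round_trip())
    for rule, ok in firewall_trace().items():
        print(f"{'pass' if ok else 'DROP':5} {rule}")
```

The round trip shows that the server never needs to know the client's port in advance; it simply answers `recvfrom()`'s address, which is exactly why the firewall has to admit the reply leg and not just inbound datagrams. For the NAT case the model shows the mapping a router must keep: forwarding public 60001 to internal 60001 makes the reverse translation a no-op on the port number, so the source port the client sees is unchanged.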


More information about the mosh-users mailing list