Ipfw Firewall rule? (iptables/pf/etc)

I’m loading the client through Firefox on another LAN device, with the server PC having ipfw.

I came up with this (syntax):

ipfw add 9000 forward 127.0.0.1,8888 tcp from 192.168.1.0/24 any to 192.168.1.0/24 8888 in

It works, but I’m looking to make that last any (the source port) something more specific.


I couldn’t figure out the port(s) for SRC_PORT:

  • I figured 80 with the LAN browser doing HTTP, but FF couldn’t load the whole page
  • 8888 iirc didn’t load past some Filesystem thing on main menu loading bar (but iirc loaded the page and applet)
  • 43594 didn’t work, nor did adding all 3 like 80,8888,43594
  • Dev world, no .env

I’m pretty sure if you run the server on localhost, you can just load it up on any computer connected to your local network including your phone.

Yeah that works, but I’m trying to create a firewall rule to explicitly allow it with a default deny-all (ipfw workstation profile), and limited so it’s not accepting all ports from anything on LAN.

Looks like the source port is supposed to be random with HTTP and any is fine! Solved - ipfw rule for web browser on LAN to connect to Node (8888)? | The FreeBSD Forums


Works good!

ipfw add 9000 allow tcp from 192.168.1.0/24 any to 192.168.1.0/24 8888 in


I think this is a misunderstanding about how TCP sockets work. The source port is not usually within your control from the server side. Operating systems on the client side use TCP source ports to keep track of which traffic returning from the server side needs to be routed to which processes (sockets). The source port generally has no correlation to the destination port.

If, for instance, your operating system insisted on keeping these ports the same, then you would only be able to connect one socket at a time on a given destination port. This would have very annoying consequences like only being able to connect to one HTTP server at a time. Because of that, your OS will pick some random port (usually a pretty high number) for each outgoing connection.

All you need to care about on the server firewall side is the destination port, because that is the port that your service is binding to. The source port should be any because you have no practical control over what port the client machine will assign to the socket. The source address is the only worthy security consideration.

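To make the point above concrete, here is an added example (not code from this thread or from ipfw). It opens several TCP connections to a loopback listener so you can see the kernel hand out a distinct, high-numbered source port per connection, then runs those observed source ports through a small model of the address/port matching in an `allow tcp from SRC SP to DST DP in` rule. The LAN addresses 192.168.1.20 and 192.168.1.10 are constructed, and `make_rule`/`rule_matches` are hypothetical helpers that mimic the rule's 4-tuple check, not ipfw itself.

```python
import ipaddress
import socket
import threading


def ephemeral_source_ports(n=5):
    """Open n simultaneous TCP connections to a loopback listener and return
    (destination port, [source port the OS chose for each connection])."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free listening port
    server.listen(n)
    dst_port = server.getsockname()[1]

    accepted = []

    def accept_all():
        for _ in range(n):
            conn, _addr = server.accept()
            accepted.append(conn)

    acceptor = threading.Thread(target=accept_all)
    acceptor.start()

    # The client never asks for a source port; the kernel assigns an ephemeral one.
    clients = [socket.create_connection(("127.0.0.1", dst_port)) for _ in range(n)]
    acceptor.join()

    # getsockname() on the client socket reveals the port the kernel assigned.
    src_ports = [c.getsockname()[1] for c in clients]
    for s in clients + accepted:
        s.close()
    server.close()
    return dst_port, src_ports


def make_rule(src_net, src_port, dst_net, dst_port):
    """Hypothetical model of the address/port part of
    'ipfw add N allow tcp from SRC SP to DST DP in'.
    src_port is an int or the string 'any'."""
    return {
        "src_net": ipaddress.ip_network(src_net),
        "src_port": src_port,
        "dst_net": ipaddress.ip_network(dst_net),
        "dst_port": dst_port,
    }


def rule_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """True if this 4-tuple would be matched by the modelled rule."""
    src_ok = ipaddress.ip_address(src_ip) in rule["src_net"] and (
        rule["src_port"] == "any" or rule["src_port"] == src_port)
    dst_ok = (ipaddress.ip_address(dst_ip) in rule["dst_net"]
              and rule["dst_port"] == dst_port)
    return src_ok and dst_ok


def count_matches(rule, src_ports, src_ip="192.168.1.20",
                  dst_ip="192.168.1.10", dst_port=8888):
    """How many of the observed connections (constructed LAN addresses,
    real kernel-chosen source ports) the rule would let through."""
    return sum(rule_matches(rule, p_src := p, dst_ip, dst_port)
               for p in src_ports) if False else sum(
        rule_matches(rule, src_ip, p, dst_ip, dst_port) for p in src_ports)


if __name__ == "__main__":
    dst, ports = ephemeral_source_ports()
    print("listener port:", dst, "client source ports:", ports)
    allow_any = make_rule("192.168.1.0/24", "any", "192.168.1.0/24", 8888)
    allow_80 = make_rule("192.168.1.0/24", 80, "192.168.1.0/24", 8888)
    print("matched with source port any:", count_matches(allow_any, ports))
    print("matched with source port 80: ", count_matches(allow_80, ports))
```

Running it shows every connection to the same destination port arriving from a different source port above 1023, which is why pinning the source port to 80 (or 8888, or 43594) matched nothing in the original post while `any` matched everything; the source network and destination port are the parts of the rule that actually constrain who can reach the service.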