Why does OpenModelica allow to connect an input-type connection port to another input-type connection port? - openmodelica

If I understood it correctly, only connections between an input and an output port/variable should be allowed...
Is there a way to restrict possible connections to input-to-output connections only (so that input-input (or output-output) connections will not be allowed anymore)?

Related

(socket.io) How to make a server only accept one connection from a device?

I want to make my server only accept one connection from a device (that means people cannot open several browsers to connect to my server), and I use the client IP to identify connections. The question is: if two devices are on the same Ethernet, their IP address will be the same (so they cannot connect to my server at the same time).
I tried to use socket.request.connection.remotePort to get the client port, but it is different for every connection, even in the same browser.

Maintaining more than 65535 connections on single IP

Reading the following article: 10M concurrent websockets
So, there are 1000 websocket servers listening on ports 10000-11000. When a connection is made to one of these servers, I assume they continue communication from a random established TCP connection with random ports. So, as one IP is used, and there are 64K ports, how can one maintain 10M connections? Are connections identified by IP-Port pairs? Can two different connections from different IPs to same port be established? How does this work under the hood?
When a connection is made to one of these servers, I assume they continue communication from a random established TCP connection with random ports.
Wrong assumption. They communicate with the clients using the same local port number they are listening on.
So, as one IP is used, and there are 64K ports, how can one maintain 10M connections?
Not a problem.
Are connections identified by IP-Port pairs?
Yes.
Can two different connections from different IPs to same port be established?
Yes.
How does this work under the hood?
See above. IP:port pairs. You answered your own question.
Sorry for totally changing my answer.
Linux can easily support millions of open sockets if the machine has enough memory and processing power. The TCP/IP stack allows this because the socket the OS targets for a given TCP packet is determined by the source and destination IP and port tuple.
The server implementing the websocket protocol need only listen to a single TCP socket, often defined by the HTTP or HTTPS port number, but not in this example. As part of standard TCP handshaking, the server OS and application open a unique socket for the TCP connection to the new client when the HTTP request which is a websocket request is received. The websocket package takes care of upgrading the protocol used on this new socket from standard HTTP to websocket.
In the example, a goroutine is started for each websocket socket.
The client side, the side initiating the TCP connections, is limited by the number of ephemeral ports its OS can open for a given destination host and port. Honestly, I don't know if this is a limitation of the client OS or the TCP/IP specification itself.
I think the part you are missing is a TCP connection is actually two pairs of IP:PORT.
One for the server, one for the client.
The listening side of a tcp socket is generally always the same IP/Port pair.
Example: net.Listen("tcp", ":8080") is listening on port 8080 (on all interfaces in this case)
The connecting (client) side usually uses a single outgoing IP along with a random port.
Example: net.Dial("tcp", "server:8080") selects a random available ephemeral port and then attempts to connect to server:8080.
So, in the above example, that connection is: client.ip:32768 -> server.ip:8080 (where 32768 is the ephemeral port selected)
The two pairs combined make a unique connection.
The server side can take as many connections from a single client as there are available (client side) ports. It can also take as many clients as there are IP addresses.
Think of it as, for one listening socket, you can theoretically have 2^16(ports) * 2^32(ipv4 addrs) connections.
In reality, there are reserved IPs, ports, memory limitations, etc so the number is far smaller.
For example, the ephemeral port range on Linux is 32768 - 61000. Which means I'll start getting errors if I net.Dial("tcp", "server:8080") more than 28232 times as I will have exhausted my ephemeral port range for the given server address. But if the server is listening on 2 separate ports, I can do 28232 to the first port, and another 28232 to the second port.
When you see people do the 10MM connection tests, they have to use multiple client IPs or multiple server IPs/Ports to achieve this (or a combo of both to get 10MM unique client:ip/server:ip pairs)
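The four-tuple behaviour described in the answers above, as an added example that is not part of the original posts: a Go program that listens on a loopback port picked by the OS, dials it several times, and records the address pairs of each accepted connection. The names `Tuple` and `CollectTuples` and the use of 127.0.0.1 are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net"
)

// Tuple is the four-part identity of one TCP connection, seen from the server.
type Tuple struct {
	ServerIP, ClientIP     string
	ServerPort, ClientPort int
}

// CollectTuples listens on a loopback port picked by the OS, dials it n times,
// and returns the listening port plus the tuple of every accepted connection.
func CollectTuples(n int) (int, []Tuple, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, nil, err
	}
	defer ln.Close()
	var tuples []Tuple
	for i := 0; i < n; i++ {
		c, err := net.Dial("tcp", ln.Addr().String()) // client gets an ephemeral port
		if err != nil {
			return 0, nil, err
		}
		defer c.Close() // keep every connection open until the function returns
		s, err := ln.Accept()
		if err != nil {
			return 0, nil, err
		}
		defer s.Close()
		local := s.LocalAddr().(*net.TCPAddr)   // what getsockname(2) reports
		remote := s.RemoteAddr().(*net.TCPAddr) // what getpeername(2) reports
		tuples = append(tuples, Tuple{local.IP.String(), remote.IP.String(), local.Port, remote.Port})
	}
	return ln.Addr().(*net.TCPAddr).Port, tuples, nil
}

func main() {
	port, tuples, err := CollectTuples(5)
	if err != nil {
		panic(err)
	}
	for _, t := range tuples {
		fmt.Printf("listener :%d  %s:%d <- %s:%d\n", port, t.ServerIP, t.ServerPort, t.ClientIP, t.ClientPort)
	}
}
```

Every accepted socket reports the listener's port as its local port; only the client port differs, which is why connection logs need both endpoints to tell sessions apart.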

A client connected to two servers with the same port

According to the TCP/IP specification I consider it impossible to ESTABLISH two connections with the same port from the client side. BUT IT DID!
The machine 172.22.3.137 acts as client and the left ones are servers. So does this mean it is possible for a client to connect to multiple servers with an identical port?
Any ideas?
According to the TCP specification, a connection is identified by four numbers: client port, client address, server port, server address.
It is entirely possible for client ports to be reused, otherwise you could have only 64k connections from any machine.
What is not possible, is to connect from the same client port to the same server (address and port), this would make the two connections indistinguishable.
Have you checked that when the second connection was set up the first one still existed?
Check; I am sure the first one must have terminated, as if not then your machine will not send any ACK and the three-way handshake will not complete.

TCP/IP basics: Destination port relevance

OK, this is kind of embarrassing but I just have a rather "noob" question.
In client-server TCP communications, where my system is a client accessing a remote server at, say, port XX, isn't the client opening a random port YY in its system to talk to remote port XX?
So when we code we do specify the destination port XX, right?
For the client, the port YY itself is chosen when the socket is created, isn't it?
Is there any way I could monitor/restrict/control any client talking to a particular server? (Like, say, clients talking to servers at specific serving ports?)
Is there any iptables rule or some firewall rule restricting the client?
Can this be done at all?
Are destination ports saved in the socket structures? If so where??
Thanks!
First, the server side creates a listening socket, with the chain of socket(2), bind(2), and listen(2) calls, then waits for incoming client connection requests with the accept(2) call. Once a client connects (socket(2) and then connect(2) on the client side) and the TCP/IP stacks of the client and the server machines complete the three-way handshake, accept(2) returns a new socket descriptor - that's the server's end of the connected socket. Both bind(2) on the server side and connect(2) on the client side take the server's address and port.
Now, the full TCP connection is described by four numbers - server address, server port, client address, and client port. The first two must obviously be known to the client prior to the connection attempt (otherwise, where do we go?). The client address and port, while they could be specified explicitly with bind(2), are usually assigned dynamically - the address is the IP address of the outgoing network interface, as determined by the routing table, and the port is selected out of the range of ephemeral ports.
The netstat(8) command shows you established connections. Adding the -a flag lets you see listening sockets; the -n flag disables DNS and service resolution, so you just see numeric addresses and ports.
Linux iptables(8) allows you to restrict where clients are allowed to connect to. You can restrict based on source and destination ports, addresses, and more.
You can get socket local binding with getsockname(2) call, remote binding is given by getpeername(2).
Hope this makes it a bit more clear.
Yes you can create a firewall rule to prevent outbound TCP connections to port XX. For example, some organizations prevent outbound TCP port 25, to prevent spam being sent from network PCs to remote SMTP servers.

ports on computer and firewall and its purpose - 101 question [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 13 years ago.
Ok, computers have ports for applications to transfer data from the outside world into a firewall and then into a computer.
Then how does firefox and internet explorer use the same port on the same computer?
And why can't we use port 80 to pass all traffic from all places into the computer.
So why do we need specific ports?
It's not the ports on local that are important generally. It's the remote ports.
So when you open a browser and go to a site, you are establishing a connection from a (somewhat) random port on your end, to port 80 on the server end. The server responds back to you on the same connection. Web servers use TCP/IP, so this is what is called an established connection. If you were to go look at netstat -an on the server you connected to during web traffic, that is exactly what you would see:
tcp 0 0 ::ffff:192.168.1.223:22 ::ffff:192.168.1.230:2369 ESTABLISHED
That line says that my local machine has established a connection to my remote machine on port 22. My local machine picked a random outgoing port of 2369 to make this connection.
In this case, this is an ssh connection to my webserver in the basement.
Ports that servers should use for a particular service are listed here, but if you are going to control both ends of the connection, there is nothing stopping you from running a webserver on port 8383 if you wanted to. Just don't expect anyone else to get to it without you telling them about it. (or it being found in a port scan).
If you were running a webserver on your computer, it would open port 80 and listen for connections. Only one service can be LISTENing per IP address, so you couldn't run two web servers at once. Same thing if you then connected to your local webserver. You'd open a random local port and connect to your local port 80 on the same IP.
The opening the random local port is what allows you to have multiple local connections to a known remote port like 80.
There are 65536 ports available so it's unlikely you will ever run out, but many have 'well known' usages and are therefore avoided for your end of the connection. Generally everything above 1023 is fair game though. (All services which require any kind of privilege run on ports below 1023.)
This is a TCP/IP connection. TCP/IP has internal language to ensure the reliable delivery of information and does a handshake at the open of every connection to ensure the data can be transmitted.
Another common type of connection would be UDP. UDP does not establish a connection and is therefore a bit faster and has lower latency, but the programs that use it must be able to lose information and still work. It's basically a send-off-the-data-and-pray protocol. Many online games work this way.
Each connection has a source and destination port. This is what allows you to have multiple connections from your machine to (say) a web server running on port 80. Connections are uniquely identified by SourceIP:SourcePort and DestIP:DestPort.
So in your example, Firefox and IE will be using the same port on the remote web server (port 80), but will have different ports on your machine to tell them apart.
Try running netstat in a command prompt to see current connections.
Ports can be used for anything, but there are conventions of the protocols to expect on certain ports.
And you can use 80 for other functions; some people do that as a simple way of bypassing firewalls...
However, only 1 application can be listening on a port.
Some netstat output can show you what's going on:
C:\Temp> netstat -an
TCP 192.168.XXX.150:1493 74.125.45.100:80 ESTABLISHED
TCP 192.168.XXX.150:1504 69.59.196.213:80 ESTABLISHED
TCP 192.168.XXX.150:1507 74.125.91.138:80 ESTABLISHED
TCP 192.168.XXX.150:1510 65.55.11.162:80 ESTABLISHED
TCP 192.168.XXX.150:1518 69.59.196.211:80 ESTABLISHED
TCP 192.168.XXX.150:1519 69.59.196.216:80 ESTABLISHED
TCP 192.168.XXX.150:3711 64.208.186.96:80 CLOSE_WAIT
Note that the 192.168.XXX.150 address is my computer's address on my home network. The 4 digit numbers following the IP address are the local port my computer is using to communicate with port 80 on a bunch of different servers.
