From what I understand, IPFW is the "native" FreeBSD firewall, PF is the OpenBSD firewall ported to FreeBSD and IPFILTER is a cross-platform firewall available on several *BSDs. Is this correct? But even if it is, it doesn't help me to decide ... is there some feature comparison somewhere?
> Nothing is enabled by default.

But why then do I get "connection refused" when trying to connect over TCP to my server? I thought I needed to allow the required ports to enable the connection.
> But why then do I get "connection refused" when trying to connect over TCP to my server?

Connection refused means you received an RST packet in response to a SYN (connection attempt), which means there's nothing listening on that port. If a firewall blocked it you would get a "connection timed out" or similar error message.
> Connection refused means you received an RST packet in response to a SYN (connection attempt), which means there's nothing listening on that port. If a firewall blocked it you would get a "connection timed out" or similar error message.

I wrote a server to listen for TCP connections and tested it on my local machine (Mac), then I moved the server to a remote machine (FreeBSD), and when trying to connect I'm getting an error.
And why do you need to drag up a 7-year-old thread?
> then I moved the server to a remote machine (FreeBSD), and when trying to connect I'm getting an error.

Your service failed to start or isn't started at all. Or it's listening on a different port. As I said, a "connection refused" means you received an RST. You will receive an RST if you try to connect to a closed port. This has nothing to do with a firewall.
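The distinction SirDice draws above can be checked from the client side without any tooling beyond a C compiler. The following is an added example, not code from the thread: it does a non-blocking connect() and maps the outcome to the three cases that matter here: an RST (ECONNREFUSED, "connection refused": the host answered, nothing listens there), no answer at all (the connect times out, which is what a silently dropping firewall produces), and an ICMP unreachable. The self-test in main() opens a listener on 127.0.0.1 on a kernel-chosen port, probes it, closes it and probes again; POSIX sockets only, so it builds on FreeBSD, macOS and Linux.

```c
/* Added example, not code from the thread: classify why a TCP connect() failed.
 * Assumptions: POSIX sockets only; the self-test uses a listener on
 * 127.0.0.1 with a kernel-chosen port. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result {
    PROBE_OPEN,        /* three-way handshake completed */
    PROBE_REFUSED,     /* RST received: closed port, not a firewall drop */
    PROBE_TIMEOUT,     /* no reply at all: typical of a dropping firewall */
    PROBE_UNREACHABLE, /* ICMP host/network unreachable */
    PROBE_ERROR        /* resolver or socket failure */
};

const char *probe_name(enum probe_result r) {
    static const char *names[] = { "open", "refused (RST)", "timed out (dropped?)",
                                   "unreachable", "error" };
    return names[r];
}

enum probe_result probe_tcp(const char *host, const char *port, int timeout_ms) {
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return PROBE_ERROR;

    int s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (s < 0) {
        freeaddrinfo(res);
        return PROBE_ERROR;
    }
    /* non-blocking connect so the timeout is under our control */
    fcntl(s, F_SETFL, fcntl(s, F_GETFL, 0) | O_NONBLOCK);

    int err = 0;
    if (connect(s, res->ai_addr, res->ai_addrlen) != 0)
        err = errno;
    if (err == EINPROGRESS) {
        struct pollfd pfd = { .fd = s, .events = POLLOUT };
        int n = poll(&pfd, 1, timeout_ms);
        if (n == 0) {
            err = ETIMEDOUT;                     /* SYN was never answered */
        } else if (n < 0) {
            err = errno;
        } else {
            socklen_t len = sizeof err;          /* final result of the connect */
            if (getsockopt(s, SOL_SOCKET, SO_ERROR, &err, &len) != 0)
                err = errno;
        }
    }
    close(s);
    freeaddrinfo(res);

    switch (err) {
    case 0:            return PROBE_OPEN;
    case ECONNREFUSED: return PROBE_REFUSED;
    case ETIMEDOUT:    return PROBE_TIMEOUT;
    case EHOSTUNREACH:
    case ENETUNREACH:  return PROBE_UNREACHABLE;
    default:           return PROBE_ERROR;
    }
}

/* Listener on 127.0.0.1 with a kernel-chosen port, for the self-test. */
int listen_on_loopback(unsigned short *port_out) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                            /* 0 = let the kernel pick */
    socklen_t len = sizeof sin;
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) != 0 || listen(s, 5) != 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) != 0) {
        close(s);
        return -1;
    }
    *port_out = ntohs(sin.sin_port);
    return s;
}

int main(void) {
    unsigned short port;
    char portstr[8];
    int lfd = listen_on_loopback(&port);
    if (lfd < 0) return 1;
    snprintf(portstr, sizeof portstr, "%u", (unsigned)port);

    printf("port %s with a listener: %s\n", portstr,
           probe_name(probe_tcp("127.0.0.1", portstr, 2000)));
    close(lfd);                                   /* nothing listens any more: RST */
    printf("port %s after closing it: %s\n", portstr,
           probe_name(probe_tcp("127.0.0.1", portstr, 2000)));
    return 0;
}
```

Run it against the server's address and port from the remote client: a "refused (RST)" result means the packet reached a host that has no listener on that port, so the next thing to check is what the server process is actually bound to, not the firewall.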
> it is relevant to my request.

It's not. There is NO firewall turned on by default. That was the case 7 years ago, and is still the case today.
> Your service failed to start or isn't started at all. Or it's listening on a different port. As I said, a "connection refused" means you received an RST. You will receive an RST if you try to connect to a closed port. This has nothing to do with a firewall.

Hm... ok, it's strange, because on my local machine it works fine but on the remote machine I get an error. By the way, I also can't connect with the VS Code Remote SSH plugin to my FreeBSD server as I did earlier with a Linux machine.
> Hm... ok, it's strange, because on my local machine it works fine but on the remote machine I get an error. By the way, I also can't connect with the VS Code Remote SSH plugin to my FreeBSD server as I did earlier with a Linux machine.

This sounds more like your FreeBSD machine isn't even connected to the network. Or it doesn't have the IP address you think it has; in other words, you're connecting to the wrong IP. That IP might belong to a different system (which doesn't have these services running). Another potential cause could be an IP conflict, two machines on the network having the same IP address.
> If a firewall blocked it you would get a "connection timed out" or similar error message.

This at least should be kind of on-topic in the thread: good firewall software will leave you a choice whether packets are properly rejected (e.g. for TCP using RST) or just dropped.
> This at least should be kind of on-topic in the thread: good firewall software will leave you a choice whether packets are properly rejected (e.g. for TCP using RST) or just dropped.

There's some potential that a firewall returning an RST could result in some information leakage. If you look at the difference in the TTL value of the response between an open and a firewalled port, the firewalled port will have a higher TTL value. Pretty much all firewalls default to a 'drop', not a 'block-return'.
While most default to the latter behavior, I personally prefer proper rejection. First, it leads to more robust networking behavior (no unnecessary timeouts); second, it won't directly reveal to an attacker that some "firewalling" is in place.
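The two policies zirias is comparing map onto one keyword in pf, the firewall the thread's opening question mentions. The fragment below is an added example, not configuration from the thread; the interface name em0 and the ports are assumptions for illustration. Choose one of the two block rules; they are shown together only to put the weak and the preferred setting side by side.

```pf
# Added example pf.conf fragment (not from the thread); em0 and the
# ports are assumptions for illustration.
ext_if = "em0"

# Default for "block" rules that do not say drop or return explicitly.
# The pf default is drop; set it to return to get zirias' behaviour
# everywhere without touching every rule.
set block-policy return

# Variant 1: silently discard. The remote client's SYN is never answered,
# so it sits in its own connect() timeout ("connection timed out"), and the
# silence itself tells a scanner that something is filtering this port.
block drop in on $ext_if proto tcp to port 8080

# Variant 2: answer like a closed port. TCP gets an RST, so the client sees
# "connection refused" at once, indistinguishable from a host with nothing
# listening; UDP gets an ICMP port unreachable.
block return in on $ext_if proto tcp to port 8080

# Whatever should be reachable still needs an explicit pass rule;
# a firewall only ever filters, it never opens a port that has no listener.
pass in on $ext_if proto tcp to port 22
```

Note that in pf the last matching rule wins unless a rule says quick, so with both block lines present the return variant is the effective one. The ipfw equivalents are deny (silent drop), reject (ICMP unreachable) and reset (TCP RST).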
> This sounds more like your FreeBSD machine isn't even connected to the network. Or it doesn't have the IP address you think it has; in other words, you're connecting to the wrong IP. That IP might belong to a different system (which doesn't have these services running). Another potential cause could be an IP conflict, two machines on the network having the same IP address.

I can connect to the FreeBSD machine over SSH to compile the server code, so it is visible and has an IP.
> So, your code is supposed to open a listening socket. You could at least simply verify that with sockstat -l.
>
> And then, maybe we should just have a look at your code. There's a subforum about coding. I agree with SirDice that your problem is (most likely!) in no way related to this thread.

I've tested the server code on my local Mac and it works. If there were any errors during server startup I'd see the error, because I check every return value related to socket creation and listening.
#include <err.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/event.h>
#include <sys/socket.h>
#include <unistd.h>

#define NUM_CLIENTS 10
#define MAX_EVENTS 32
#define MAX_MSG_SIZE 256

extern char *__progname;

/* A slot with fd == 0 is free (fd 0 is stdin, never a client socket). */
struct client_data {
    int fd;
} clients[NUM_CLIENTS];

int get_conn(int fd) {
    for (int i = 0; i < NUM_CLIENTS; i++)
        if (clients[i].fd == fd)
            return i;
    return -1;
}

int conn_add(int fd) {
    if (fd < 1) return -1;
    int i = get_conn(0);           /* first free slot */
    if (i == -1) return -1;        /* client table full */
    clients[i].fd = fd;
    return 0;
}

int conn_del(int fd) {
    if (fd < 1) return -1;
    int i = get_conn(fd);
    if (i == -1) return -1;
    clients[i].fd = 0;
    return close(fd);
}

void recv_msg(int s) {
    char buf[MAX_MSG_SIZE];
    ssize_t bytes_read = recv(s, buf, sizeof(buf) - 1, 0);
    if (bytes_read <= 0)           /* error or EOF: the EV_EOF path cleans up */
        return;
    buf[bytes_read] = '\0';
    printf("\nclient #%d: %s", get_conn(s), buf);
    fflush(stdout);
}

void send_welcome_msg(int s) {
    char msg[80];
    snprintf(msg, sizeof msg, "welcome! you are client #%d!\n", get_conn(s));
    send(s, msg, strlen(msg), 0);
}

void run_event_loop(int kq, int local_s) {
    struct kevent evSet;
    struct kevent evList[MAX_EVENTS];
    struct sockaddr_storage addr;
    socklen_t socklen;

    printf("started to listen\n");
    while (1) {
        int num_events = kevent(kq, NULL, 0, evList, MAX_EVENTS, NULL);
        if (num_events < 0)
            err(1, "kevent");
        for (int i = 0; i < num_events; i++) {
            if (evList[i].ident == (uintptr_t) local_s) {
                /* new connection on the listening socket */
                socklen = sizeof(addr);
                int fd = accept(local_s, (struct sockaddr *) &addr, &socklen);
                if (fd < 0) {
                    warn("accept");
                    continue;
                }
                if (conn_add(fd) == 0) {
                    EV_SET(&evSet, fd, EVFILT_READ, EV_ADD, 0, 0, NULL);
                    if (kevent(kq, &evSet, 1, NULL, 0, NULL) < 0)
                        warn("kevent");
                    send_welcome_msg(fd);
                } else {
                    printf("connection refused.\n");   /* client table full */
                    close(fd);
                }
            } else if (evList[i].filter == EVFILT_READ) {
                int fd = (int) evList[i].ident;
                /* read pending data before acting on EOF, otherwise a message
                 * sent right before the client closes is lost */
                if (evList[i].data > 0)
                    recv_msg(fd);
                if (evList[i].flags & EV_EOF) {
                    /* client disconnected */
                    printf("client #%d disconnected.\n", get_conn(fd));
                    EV_SET(&evSet, fd, EVFILT_READ, EV_DELETE, 0, 0, NULL);
                    kevent(kq, &evSet, 1, NULL, 0, NULL);
                    conn_del(fd);
                }
            }
        }
    }
}

int create_socket_and_listen(void) {
    struct addrinfo *addr;
    struct addrinfo hints;

    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_PASSIVE;
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    /* resolves the loopback address only, so the socket is bound to 127.0.0.1 */
    int gai = getaddrinfo("127.0.0.1", "8080", &hints, &addr);
    if (gai != 0)
        errx(1, "getaddrinfo: %s", gai_strerror(gai));

    int local_s = socket(addr->ai_family, addr->ai_socktype, addr->ai_protocol);
    if (local_s < 0)
        err(1, "socket");
    if (bind(local_s, addr->ai_addr, addr->ai_addrlen) != 0)
        err(1, "bind");
    if (listen(local_s, 5) != 0)
        err(1, "listen");
    freeaddrinfo(addr);
    return local_s;
}

int main(int argc, char *argv[]) {
    (void) argc;
    (void) argv;

    int local_s = create_socket_and_listen();
    int kq = kqueue();
    if (kq < 0)
        err(1, "kqueue");

    struct kevent evSet;
    EV_SET(&evSet, local_s, EVFILT_READ, EV_ADD, 0, 0, NULL);
    if (kevent(kq, &evSet, 1, NULL, 0, NULL) < 0)
        err(1, "kevent");

    run_event_loop(kq, local_s);
    return EXIT_SUCCESS;
}
I think it's not code related, because it works fine on my local machine. I think the problem is related to some FreeBSD settings.
> getaddrinfo("127.0.0.1", "8080", &hints, &addr);

Is this supposed to be some sort of troll? I mean, you hardcode 127.0.0.1, the IPv4 address of the local loopback interface, for binding/listening, and expect to connect to that from some remote machine?

> Is this supposed to be some sort of troll? I mean, you hardcode 127.0.0.1, the IPv4 address of the local loopback interface, for binding/listening, and expect to connect to that from some remote machine?

Millions of tons of excuses ((( I just copy-pasted it from my local machine. Now it works on the remote machine too. Thank you!
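For anyone landing on this thread with the same symptom, the fix the thread arrives at in one self-contained program. This is an added example, not the original poster's code: passing NULL as the host to getaddrinfo() together with AI_PASSIVE yields the wildcard address (0.0.0.0 for IPv4, :: for IPv6), so the listener accepts connections arriving on any interface, whereas "127.0.0.1" binds the loopback interface only. bound_address() reports what a socket is really bound to, the same information sockstat -l shows on FreeBSD. Port "0" in main() is an assumption for illustration (the kernel picks a free port); POSIX sockets only, so it builds on FreeBSD, macOS and Linux.

```c
/* Added example, not the original poster's code: bind to the wildcard
 * address instead of 127.0.0.1 and report the real bound address.
 * Assumptions: POSIX sockets only; port "0" in main() lets the kernel pick. */
#include <err.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a listening TCP socket. host == NULL means "all interfaces". */
int listen_on(int family, const char *host, const char *port) {
    struct addrinfo hints, *res, *ai;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;      /* wildcard address when host is NULL */
    int gai = getaddrinfo(host, port, &hints, &res);
    if (gai != 0) {
        warnx("getaddrinfo: %s", gai_strerror(gai));
        return -1;
    }
    int s = -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0) continue;
        int one = 1;                  /* allow quick restarts after a crash */
        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        if (bind(s, ai->ai_addr, ai->ai_addrlen) == 0 && listen(s, 5) == 0)
            break;                    /* bound and listening */
        close(s);
        s = -1;
    }
    freeaddrinfo(res);
    return s;
}

/* Numeric host and port the socket is actually bound to; 0 on success. */
int bound_address(int s, char *host, socklen_t hlen, char *serv, socklen_t slen) {
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(s, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    return getnameinfo((struct sockaddr *)&ss, len, host, hlen, serv, slen,
                       NI_NUMERICHOST | NI_NUMERICSERV);
}

/* 1 if bound to a wildcard address (reachable from other hosts),
 * 0 if bound to one specific address, -1 on error. */
int bound_to_wildcard(int s) {
    char host[64], serv[16];
    if (bound_address(s, host, sizeof host, serv, sizeof serv) != 0)
        return -1;
    return strcmp(host, "0.0.0.0") == 0 || strcmp(host, "::") == 0;
}

int main(void) {
    const char *hosts[] = { "127.0.0.1", NULL };
    for (int i = 0; i < 2; i++) {
        int s = listen_on(AF_INET, hosts[i], "0");
        if (s < 0)
            err(1, "listen_on");
        char host[64], serv[16];
        bound_address(s, host, sizeof host, serv, sizeof serv);
        printf("host %-9s -> bound to %s:%s (%s)\n", hosts[i] ? hosts[i] : "NULL",
               host, serv, bound_to_wildcard(s) ? "reachable from other hosts"
                                                : "loopback only");
        close(s);
    }
    return 0;
}
```

On the server, sockstat -l lists the same bound address: a line showing 127.0.0.1:8080 means remote clients will get an RST no matter what the firewall does, while *:8080 (or 0.0.0.0:8080 in this program's output) is what a remotely reachable listener looks like.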