# PF: The search for more information



## Understudy (Dec 28, 2011)

Hi,

I'm looking for more information on certain items in regards to the macros that exist in pf.

In regards to the macro tcp_services { ssh, ftp, domain, ntp, web, http, https }, I understand that these can be found in /etc/services. However, due to the lack of true state in udp, I usually see examples of the macro udp_services {domain} or at best {domain, ntp}.

What is a resource that will describe which services actually use udp in such a way that they should be listed in the udp_services macro?



Sincerely,
Brendhan


----------



## SirDice (Dec 29, 2011)

Your question doesn't make much sense. Neither macro is mandatory because it's you that decides what traffic to allow or not. To understand what traffic that is, you'll need to take a look at the protocols involved.

The ports mentioned in /etc/services are the so-called _well-known_ ports. I.e. the ones that are registered at IANA. Anybody can pick any port, tcp or udp, and run a service on it.


----------



## Understudy (Dec 30, 2011)

SirDice said:

> Your question doesn't make much sense. Neither macro is mandatory because it's you that decides what traffic to allow or not. To understand what traffic that is, you'll need to take a look at the protocols involved.
> 
> The ports mentioned in /etc/services are the so-called _well-known_ ports. I.e. the ones that are registered at IANA. Anybody can pick any port, tcp or udp, and run a service on it.



Okay, I don't know how to word the question better, so I will try another way at it. I understand that when you look at /etc/services you will, as an example, see both tcp and udp listed for, let's pick one, port 80, which is the http port.


```
http             80/tcp    www www-http #World Wide Web HTTP
http             80/udp    www www-http #World Wide Web HTTP
```

Now when you do a tcp_services macro in your pf.conf, you will often see the line filled out similar to this.


```
# pf.conf macro syntax: name = "value"; the braces must be inside the quotes
tcp_services = "{ http }"
```

However, I have yet to see a udp_services line in it that has anything other than, at most, this:

```
udp_services = "{ domain, ntp }"
```

and I have been told that ntp doesn't need to be there. My limited understanding is that this is because udp is basically stateless (according to The Book of PF and others). So this configuration is correct:


```
tcp_services = "{ ssh, ftp, domain, ntp, web, http, https }"
udp_services = "{ domain }"
```

and this one is not:


```
tcp_services = "{ ssh, ftp, domain, ntp, web, http, https }"
udp_services = "{ ssh, ftp, domain, ntp, web, http, https }"
```

So, despite /etc/services showing a tcp and udp port for http and most other common services, do you not need to match the udp_services to the tcp_services that you want to let out on the external NIC?

I am not sure if my question is worded any better, but I do want to try and ask the better question. Thank you.

Sincerely,
Brendhan


----------



## DutchDaemon (Dec 30, 2011)

It basically depends on the application whether tcp, udp, or both are used. Looking at /etc/services will not clear that up. 

You will simply have to find out how protocols work. For example, you will never see udp used for ssh, http, https, ftp -- there are no servers and no clients that support udp, though _technically_ they're allowed.

You will never see tcp used for ntp. 

You will see udp *and* tcp used for domain; it depends on the size of a DNS reply (udp can only handle 512-byte replies, so tcp is used when the reply is bigger), or on the action (a zonefile transfer uses tcp, a DNS query uses udp, unless the reply is > 512 bytes; then it retries using tcp). 

Something like OpenVPN can use udp or tcp, depends on how you configure it; both are valid. Same goes for bittorrent.

This is stuff you will have to know or find out.
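The split described in this answer (tcp-only services, udp-only ntp, and domain over both), written out as a pf.conf fragment. This is an added example, not something posted in the thread; the interface name in `ext_if` and the choice of a block-all default are assumptions for illustration.

```pf
# Added example pf.conf fragment (not from the thread).
# ext_if is an assumed interface name; replace it with your external NIC.
ext_if = "em0"

# Services that only ever run over tcp
tcp_services = "{ ssh, http, https }"

# ntp is udp only
udp_services = "{ ntp }"

# DNS is the one that needs both: queries over udp, zone transfers and
# replies larger than 512 bytes over tcp
dns_services = "{ domain }"

# Deny by default so only the listed services are allowed out
block all

# Even though udp has no connection setup, pf creates a state entry for
# the first outgoing datagram and matches the reply against it, so udp
# rules still get "keep state" (it is the default on current pf; written
# out here for clarity).
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass out on $ext_if proto udp to any port $udp_services keep state
pass out on $ext_if proto { tcp, udp } to any port $dns_services keep state
```

Load it with `pfctl -nf /path/to/pf.conf` first; the `-n` flag only parses and reports syntax errors without changing the running ruleset. `pfctl -ss` afterwards shows the udp state entries pf created for the ntp and DNS traffic, which is what lets the replies back in.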


----------



## Understudy (Dec 31, 2011)

DutchDaemon said:

> It basically depends on the application whether tcp, udp, or both are used. Looking at /etc/services will not clear that up.
> 
> You will simply have to find out how protocols work. For example, you will never see udp used for ssh, http, https, ftp -- there are no servers and no clients that support udp, though _technically_ they're allowed.
> 
> ...



First, thank you for making the corrections on my post. My apologies for mucking it up.

And as SirDice mentioned, it is about asking the right question.

Based on the answers received from both of you, the right question would have been: what services actually use just tcp, just udp, and what services use both in the most common uses of those services?

Let's mark this one solved please and I will continue my adventures in learning. 

Thank you both. Happy New Year.

Sincerely,
Brendhan


----------



## DutchDaemon (Dec 31, 2011)

Note: tcpdump(1) is your friend. If you're unsure what protocol is used by an application, run *tcpdump* on the port it's using and see whether it uses udp, tcp, or both. If you prefer graphical stuff, try net/wireshark.


----------

