#1 2024-09-06 05:03:13

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 55

Looking for additional documentation to understand output from ss tool

I'm trying to follow step 11.1.1 in the Security page of the Arch wiki. I'm not sure what services need access only to the local system. I am also not sure how to read the output, and the man page for the ss tool does not answer all my questions. I can't help but feel there is more prerequisite knowledge I need to know, but I don't know where to start.

Can someone point me to some helpful resources for a newbie like myself? I'm willing to spend the time and effort needed to learn whatever I need to know.

#2 2024-09-06 13:52:16

mpan
Member
Registered: 2012-08-01
Posts: 1,597

Re: Looking for additional documentation to understand output from ss tool

ThoughtBubble wrote:

I'm not sure what services need access only to the local system.

The services which you don’t want to expose to the network and want to be accessible only from the local system. There is no general rule: it’s you who makes that decision.

If you installed just basic things, you may skip that part now, focus on other things, and return to it later. Most official packages come with configuration, which is in line with typical usage scenarios.⁽¹⁾ Get a working system first, make yourself comfortable with it, then start perfecting it.

If you configured a firewall with the default reject/deny policy, access to these services is already limited as much as it could be.⁽²⁾

ThoughtBubble wrote:

I am also not sure how to read the output and the man page for the ss tool does not answer all my questions. I can't help but feel there is more prerequisite knowledge I need to know, but I don't know where to start.

By asking a specific question. Then we can help you understand the topic.

____
⁽¹⁾ This is upstreams’ doing, not Arch’s.
⁽²⁾ A small exception is services configured to use network sockets despite being able to use Unix domain sockets. In this case there is still room for improvement.


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!

#3 2024-09-06 22:34:23

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 55

Re: Looking for additional documentation to understand output from ss tool

Ok. I'll get to the questions then.

I am not sure what each unique value of netID is supposed to represent. Is there a place where I can look up what a specific netID value is supposed to represent? I have the same question for state.

I notice I am not seeing a number for some entries in the local address column. Are the ports sometimes represented with strings? Why are some port numbers prefixed with '/' instead of ':'? What do negative port numbers mean? What is the string to the left of the colon supposed to represent? If it is the local address, wouldn't it be in the x.x.x.x format?

I notice that peer addresses are either

*

or

* 0

What is this supposed to mean?

Is it normal for UDP to be the only entry showing up when I use the command ss -lpntu? Is it normal for the "Recv-Q" field to have a nonzero value for an unconnected socket?

Last edited by ThoughtBubble (2024-09-06 22:35:04)

#4 2024-09-07 07:46:23

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,808

Re: Looking for additional documentation to understand output from ss tool

I am not sure what each unique value of netID is supposed to represent.

Have you looked at the values? What do you think stuff like "tcp" and "udp" represent?
https://man.archlinux.org/man/core/iproute2/ss.8.en#f
https://man.archlinux.org/man/core/iproute2/ss.8.en#A

Are the ports sometimes represented with strings?

Yes. You can deactivate that w/ "-n"

Is it normal for UDP to be the only entry showing up when I use the command ss -lpntu?

Have you considered maybe possibly consulting https://man.archlinux.org/man/core/iproute2/ss.8.en as you've **obviously** not done that yet?

#5 2024-09-07 12:17:41

mpan
Member
Registered: 2012-08-01
Posts: 1,597

Re: Looking for additional documentation to understand output from ss tool

ThoughtBubble wrote:

I am not sure what each unique value of netID is supposed to represent.

The protocol used by the given socket.

ThoughtBubble wrote:

I have the same question for state

Those are socket states, with names derived from TCP. The details come from sockets API.

ThoughtBubble wrote:

I notice I am not seeing a number for some entries in the local address column.

Give an example.

ThoughtBubble wrote:

Are the ports sometimes represented with strings?

That shouldn’t be the case if you actually executed the command given on the Arch Wiki. The output suggests omission of the -n parameter, in which case known port numbers are replaced with the services they conventionally expose.

ThoughtBubble wrote:

Why are some port numbers prefixed with '/' instead of ':'?

Give an example.

ThoughtBubble wrote:

What do negative port numbers mean?

There is no such output. Please give an example.

ThoughtBubble wrote:

What is the string to the left of the colon supposed to represent? If it is the local address, wouldn't it be in the x.x.x.x format?

That’s the IP address to which the socket is bound. It would be in x.x.x.x format if and only if it’s an IPv4 address.

ThoughtBubble wrote:

I notice that peer addresses are either

*

or

* 0

The former (single asterisk) indicates the socket is bound to all addresses. For the latter: please provide an example.


ThoughtBubble wrote:

Is it normal for UDP to be the only entry showing up when I use the command ss -lpntu?

If there are no TCP sockets listening, yes.

ThoughtBubble wrote:

Is it normal for the "Recv-Q" field to have a nonzero value for an unconnected socket?

Yes. Recv-Q indicates the number of bytes received on that socket, but not read by the process. If it’s non-zero, it means the process didn’t yet read them. Send-Q is the opposite direction.


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!
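To make the distinction discussed above concrete (which listeners are reachable only from the local system versus from the network, and how to read the Netid, State, Recv-Q/Send-Q, Local Address:Port and Peer Address:Port columns), here is an added Python example. It is not from this thread, the Arch Wiki or iproute2; the `ss -lpn` output it parses is constructed, and the `SAMPLE_SS_OUTPUT`, `parse_ss`, `classify` and `network_reachable` names are the example's own. It includes one unix-domain socket line, whose peer column shows the `* 0` (peer path and inode) that ss prints for unix sockets, so that the parser handles both address shapes.

```python
"""Classify `ss -lpn` listeners as local-only or network-reachable."""
from dataclasses import dataclass
import ipaddress

# Constructed sample of `ss -lpn` output (assumption: not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0      4096   /run/user/1000/bus 12345 * 0 users:(("dbus-broker-lau",pid=1000,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=500,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=600,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      511    127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      128    [::]:22 [::]:* users:(("sshd",pid=700,fd=4))
tcp   LISTEN 0      4096   [::1]:5432 [::]:* users:(("postgres",pid=900,fd=5))
"""

# Local addresses that mean "every interface on the machine".
WILDCARDS = {"*", "0.0.0.0", "::"}


@dataclass
class Socket:
    netid: str     # protocol: tcp, udp, u_str (unix stream), ...
    state: str     # socket state, e.g. LISTEN or UNCONN
    recv_q: int    # bytes received but not yet read by the process
    send_q: int    # for listeners: backlog size; otherwise unsent bytes
    local: str     # bound IP address, or the path for a unix socket
    port: str      # port number ("" for unix sockets)
    peer: str      # peer column as printed by ss
    process: str   # owning process, from -p
    scope: str     # "unix", "loopback", "all" or "interface"


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port), dropping IPv6 brackets and %scope."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, port


def classify(addr):
    """Where can this bound address be reached from?"""
    if addr in WILDCARDS:
        return "all"
    try:
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "interface"
    except ValueError:
        # Unparseable address: treat as exposed rather than silently as safe.
        return "interface"


def parse_ss(output):
    """Parse the text of `ss -lpn` into Socket records."""
    sockets = []
    for line in output.splitlines():
        tok = line.split()
        if not tok or tok[0] == "Netid":
            continue
        netid, state, recv_q, send_q = tok[0], tok[1], int(tok[2]), int(tok[3])
        if netid.startswith("u_"):
            # unix socket columns: path inode peer-path peer-inode [process]
            local, port, scope = tok[4], "", "unix"
            peer, proc = f"{tok[6]} {tok[7]}", " ".join(tok[8:])
        else:
            local, port = split_endpoint(tok[4])
            scope, peer, proc = classify(local), tok[5], " ".join(tok[6:])
        sockets.append(Socket(netid, state, recv_q, send_q, local, port, peer, proc, scope))
    return sockets


def network_reachable(sockets):
    """Sockets a remote host could connect to: bound to all or a non-loopback address."""
    return [s for s in sockets if s.scope in ("all", "interface")]


if __name__ == "__main__":
    for s in parse_ss(SAMPLE_SS_OUTPUT):
        flag = "EXPOSED" if s.scope in ("all", "interface") else "local  "
        print(f"{flag} {s.netid:5} {s.state:6} {s.local}:{s.port} {s.process}")
```

Running it prints one line per socket; the ones flagged EXPOSED (here sshd on 0.0.0.0 and [::], avahi on 0.0.0.0:5353) are the candidates for the step 11.1.1 decision, while cupsd on 127.0.0.1, postgres on [::1], the resolver stub on 127.0.0.53 and the unix socket are already reachable only from the local system.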

#6 2024-09-07 12:37:55

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,808

Re: Looking for additional documentation to understand output from ss tool

Are the ports sometimes represented with strings?
Why are some port numbers prefixed with '/' instead of ':'?
What is the string to the left of the colon supposed to represent? If it is the local address, wouldn't it be in the x.x.x.x format?
* 0

and likely also

What do negative port numbers mean?

OP gets confused by the unix sockets in the output.
