
Firewall and Proxy

Started by
19 comments, last by nes8bit 23 years, 6 months ago
Actually, you can not make connections to a computer on an internal network through NAT unless the computer has made an outbound connection first. When a computer on the internal network makes an outbound connection, the firewall will map that connection to a port on the firewall IP-address. So when an external computer responds to the outbound connection by sending data to the port on the firewall, the data is routed on to the internal computer.

Some firewalls will make sure that only data coming from the IP and port that the outbound connection was made to will be routed to the internal computer, effectively making it impossible for external computers to initiate connections to internal computers.

This is a problem that hinders real peer-to-peer applications. If Napster did not have a centralized server that all the connections could connect to, then there would be no way for the various peers to get in touch with eachother (if they are behind firewalls with NAT).

Henry
Interesting. How did AIM do it? My friend and I happened to be on the same network, but behind a firewall and we were able to connect to each other directly? It was quite interesting. I know it was a direct connect since going through the entire network would have been around 100k transfer. We were getting 288k transfer. My laptop almost froze because of how fast it was going. Another reason it had to be direct on the same subnetwork is because the school has 1 gateway. All the computers are that IP as far as the rest of the world knows.

---------------------------
"the only thing I ask, is that if my games get pirated, people must do a good job of it." - Erick
That's correct for dynamic NAT, Henry; with a static NAT you assign an internet IP address on the firewall to an internal machine's IP address. So you can connect to a server that's behind a firewall. It requires the firewall to have an extra internet IP address for each server.

Then everything that hits the firewall on that IP gets forwarded to the other IP address, and the process is reversed on the way back. There are issues involving protocols like FTP that embed the machine's IP address in the packets. Luckily every firewall handles this case... for FTP.

Gnutella implemented a hack to allow a connection to be made between one firewalled PC & a non-firewalled PC. But if both parties are behind a firewall, it doesn't work.
In order for something like this to work, both PCs must first be connected to some central PC (the gnutella server serves this role). When someone wants to connect to a firewalled PC, it sends the "i wanna connect" msg to the server, which sends it down the already established connection to the firewalled PC. The firewalled PC then opens a connection to the non-firewalled PC.

An idea that I have toyed with, but not tried yet, is to have all the clients connect to the main server. Then when a client wants to connect to another, it sends the request via the server, and both the source & destination clients open new UDP ports to the server. The server then sends the port info to the clients, and they talk to each other via the opened come-back ports. This would allow two firewalled (dynamic NAT) PCs to negotiate UDP connections - IF the firewall doesn't check to make sure the IP addresses match... which they may do...
- The trade-off between price and quality does not exist in Japan. Rather, the idea that high quality brings on cost reduction is widely accepted.-- Tajima & Matsubara
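The rendezvous-server idea in the post above, together with Henry's earlier description of how a NAT maps each outbound connection to a port on the firewall, as a small Python model. This is an added example, not code from any poster; the public addresses are constructed, and the "cone" (one external port reused for every destination) versus "symmetric" (fresh port per destination) mapping policies and the address-restricted filtering option are assumptions of the model, used to show exactly when the trick works and when the firewall's "IP addresses must match" check defeats it.

```python
from dataclasses import dataclass, field

SERVER = ("203.0.113.10", 4000)   # constructed address for the rendezvous server

@dataclass
class Nat:
    """Model of one NAT/firewall. Endpoint-independent mapping (a 'cone' NAT) reuses
    one external port for every destination; symmetric mapping allocates a fresh
    port per destination and, as on real symmetric NATs, also filters per destination."""
    public_ip: str
    symmetric: bool = False
    restricted: bool = False          # only forward inbound traffic from endpoints already contacted
    next_port: int = 1024             # comeback ports are handed out from 1024 upwards, as in the thread
    table: dict = field(default_factory=dict)       # mapping key -> external port
    contacted: dict = field(default_factory=dict)   # external port -> set of endpoints sent to

    def __post_init__(self):
        if self.symmetric:
            self.restricted = True

    def outbound(self, src_port, dst):
        """Host sends from src_port to dst; returns the public (ip, port) the peer sees."""
        key = (src_port, dst) if self.symmetric else (src_port,)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        ext = self.table[key]
        self.contacted.setdefault(ext, set()).add(dst)
        return (self.public_ip, ext)

    def inbound(self, ext_port, src):
        """True if a packet from src to our ext_port is forwarded to the internal host."""
        if ext_port not in self.contacted:
            return False                      # no mapping: unsolicited inbound is dropped
        return not self.restricted or src in self.contacted[ext_port]

def hole_punch(nat_a, nat_b):
    """Both clients contact the server, which tells each the other's mapped address;
    then each sends straight to the other. Returns (A->B, B->A, A->B retry)."""
    a_ext = nat_a.outbound(5000, SERVER)
    b_ext = nat_b.outbound(5000, SERVER)
    a_from = nat_a.outbound(5000, b_ext)      # A's packet towards B (new port if symmetric)
    first = nat_b.inbound(b_ext[1], a_from)
    b_from = nat_b.outbound(5000, a_ext)      # B's packet towards A's advertised port
    second = nat_a.inbound(a_ext[1], b_from)
    retry = nat_b.inbound(b_ext[1], a_from)   # A tries again after B has sent to it
    return first, second, retry

print(hole_punch(Nat("198.51.100.1", symmetric=True), Nat("198.51.100.2", symmetric=True)))
```

With two address-restricted cone NATs the first packet is dropped but the retry gets through, which is why such clients must keep sending; with two symmetric NATs the advertised port is never the one used towards the peer, so the scheme fails outright.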
Whoa! You're a genius! That's such a great idea. I'll be doing this in TCP/IP btw. This program requires accuracy in transmission. But still, it should work. Anyway, how should I go about doing this?

---------------------------
"the only thing I ask, is that if my games get pirated, people must do a good job of it." - Erick
*notices this thread*

Hmm... so if I was writing a client for a client/server setup, the person using the client would have to tweak the settings on their firewall if they couldn't connect, and I wouldn't have to do any programming for that...?

Visit my site!
Uhh. Well it isn't client/server Scott. It's for peer-peer connections.

---------------------------
"the only thing I ask, is that if my games get pirated, people must do a good job of it." - Erick
Yeah. But from what I've read here it seems like furby's problem with the talker is in his firewall configuration, not my client, unless I interpreted this wrong...

Visit my site!
Ah yes. I believe some firewalls are anal and block all incoming and outgoing ports except for 25 and 80. Maybe 110.

---------------------------
"the only thing I ask, is that if my games get pirated, people must do a good job of it." - Erick
80 would be the incoming http port, what's 25 for? 110 is ssl or something? 80 & 21 are the most commonly blocked ports, so people on the internet can't get to intranet ftp & http servers. Usually 80 is enabled on a separate nic for a public http server (is 25 smtp? same goes for those)

Anyway, all firewalls must allow outgoing (or comeback) ports in order for any communications to occur. They usually start at 1024 and go up from there...
- The trade-off between price and quality does not exist in Japan. Rather, the idea that high quality brings on cost reduction is widely accepted.-- Tajima & Matsubara
From Winsock.h:

/*
* Constants and structures defined by the internet system,
* Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
*/

/*
* Protocols
*/
#define IPPROTO_IP 0 /* dummy for IP */
#define IPPROTO_ICMP 1 /* control message protocol */
#define IPPROTO_IGMP 2 /* group management protocol */
#define IPPROTO_GGP 3 /* gateway^2 (deprecated) */
#define IPPROTO_TCP 6 /* tcp */
#define IPPROTO_PUP 12 /* pup */
#define IPPROTO_UDP 17 /* user datagram protocol */
#define IPPROTO_IDP 22 /* xns idp */
#define IPPROTO_ND 77 /* UNOFFICIAL net disk proto */

#define IPPROTO_RAW 255 /* raw IP packet */
#define IPPROTO_MAX 256

/*
* Port/socket numbers: network standard functions
*/
#define IPPORT_ECHO 7
#define IPPORT_DISCARD 9
#define IPPORT_SYSTAT 11
#define IPPORT_DAYTIME 13
#define IPPORT_NETSTAT 15
#define IPPORT_FTP 21
#define IPPORT_TELNET 23
#define IPPORT_SMTP 25
#define IPPORT_TIMESERVER 37
#define IPPORT_NAMESERVER 42
#define IPPORT_WHOIS 43
#define IPPORT_MTP 57

/*
* Port/socket numbers: host specific functions
*/
#define IPPORT_TFTP 69
#define IPPORT_RJE 77
#define IPPORT_FINGER 79
#define IPPORT_TTYLINK 87
#define IPPORT_SUPDUP 95

/*
* UNIX TCP sockets
*/
#define IPPORT_EXECSERVER 512
#define IPPORT_LOGINSERVER 513
#define IPPORT_CMDSERVER 514
#define IPPORT_EFSSERVER 520

/*
* UNIX UDP sockets
*/
#define IPPORT_BIFFUDP 512
#define IPPORT_WHOSERVER 513
#define IPPORT_ROUTESERVER 520
/* 520+1 also used */

/*
* Ports < IPPORT_RESERVED are reserved for
* privileged processes (e.g. root).
*/
#define IPPORT_RESERVED 1024

/*
* Link numbers
*/
#define IMPLINK_IP 155
#define IMPLINK_LOWEXPER 156
#define IMPLINK_HIGHEXPER 158

Yeah, it looks like port 25 is smtp

Visit my site!

Edited by - SHilbert on December 24, 2000 2:12:19 PM
