 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / General / January 2006Understanding NAT, Firewalls, TCP/IP
I am asking this for two reasons: 1. I want to know if I am in any danger of BitTorrent like need for firewall configuring if I write a Java app that uses pure sockets talking to a server. The clients always initiate conversations. Do I have to use HTTP to be safe from firewalls blocking outgoing calls? 2. I thought this be interesting to write up for the Java glossary. Is this correct? Lets say I have two computers A and B on a LAN with IP 192.168.0.2 and 192.168.0.3. Lets say I have a router/firewall on the LAN internally addressable as 192.168.0.1 and with a face IP to the world of 4.69.120.20. Lets say I want to talk to a server with IP 65.110.20.44. Lets say that both A and B want to look at web page on the server. They each send a request containing their own IP, a random spare port for the return packets to come to, the IP of the server, and 80 the port of the server, to the router's internal IXP. To the outside world, router looks like a single computer. So it has to fake the two requests from A and B as if they both came from itself. So it sends on request two packets with the routers face IXP, a spare port on the router, the IP of the server and port 80. When the server responds, it has to look up which spare port is associates with spare port on which computer and forward the response.  SignatureCanadian Mind Products, Roedy Green. http://mindprod.com Java custom programming, consulting and coaching. > 1. I want to know if I am in any danger of BitTorrent like need for > firewall configuring if I write a Java app that uses pure sockets > talking to a server. The clients always initiate conversations. Do I > have to use HTTP to be safe from firewalls blocking outgoing calls? There are firewalls that can block outbound ports that aren't approved, though. By the same token, those firewalls could be configured to block on other criteria as well, like destination address, so this is not necessarily something you can prevent. Since your subject includes NAT, note that NAT will not by itself necessitate this. BitTorrent and other protocols where a machine behind NAT acts as a server require configuration because NAT won't otherwise know how to route unsolicited inbound packets. Roedy I don't understand what the question is. Is it simply what port to use? Don't use port 80 unless you're connecting to http servers. Even if you write your own app on port 80, that doesn't mean that Windows firewall won't block your application. A hardware firewall obviously won't know the difference, but most hardware firewalls built into NAT routers don't block outgoing requests anyway... BitTorrent is different because it is a client and server rolled into one. >Roedy I don't understand what the question is. Is it simply what port >to use? Don't use port 80 unless you're connecting to http servers. >Even if you write your own app on port 80, that doesn't mean that >Windows firewall won't block your application. A hardware firewall >obviously won't know the difference, but most hardware firewalls built >into NAT routers don't block outgoing requests anyway. My problem is, I can do this app very easily with permanent sockets exchanging serialised object messages. I then don't need to set up Tomcat or the like, just my own very simple server that won't require any expertise to install. But if I got that route, I thought I might get in trouble with firewalls. My clients won't have a clue what to do. So what I have to do is use Tomcat and Servlets and traditional HTTP messages, though JAWS apps send them instead of browsers. Which brings up another question.. Does http have a way of SENDING unarmoured binary to the server, or only the other way? SignatureCanadian Mind Products, Roedy Green. http://mindprod.com Java custom programming, consulting and coaching. > But if I got that route, I thought I might get in trouble with > firewalls. My clients won't have a clue what to do. Firewalls are usually there for a reason. If your client doesn't know about their own firewalls, well ... As someone else has mentioned, the other thing is NAT. This is not related to firewalls. Even if you run an HTTP server on port 80 behind a NAT device, that device will typically need configuration - in case of course the server should be reachable from the outside. However, if the software behind the NAT initiates the TCP connection, the NAT device need no special configuration. It is not clear from your description who initiates the connection. If you have some client behind a NAT which initiates a connection it shouldn't be a problem. If you have a server behind a NAT device, waiting for incoming requests, it is a problem. Again, in both cases firewalls are a separate issue. Only because typical devices do both (and many other things), doesn't mean you should mix the problems, because the fixes are different. Regarding SOHO NAT devices ("routers"). Many of them are remote/application configurable via UPnP these days. From a security point of view this is a nightmare. But if your client runs such a device, you could use UPnP to discover the device, and then configure it. However, UPnP is not fun. And, it uses SOAP. And once you start using SOAP, you could think about using that for your application, too, instead of raw data. > Which brings up another question.. Does http have a way of SENDING > unarmoured binary to the server, or only the other way? A POST with an application/octet-stream mime type should do. But there is no guarantee that a particular firewall won't find this format objectionable. /Thomas SignatureThe comp.lang.java.gui FAQ: ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/computer-lang/java/gui/faq http://www.uni-giessen.de/faq/archiv/computer-lang.java.gui.faq/ >> But if I got that route, I thought I might get in trouble with >> firewalls. My clients won't have a clue what to do. > > Firewalls are usually there for a reason. If your client doesn't know > about their own firewalls, well ... You mean like every Windows XP SP2 computer that Dell ships? -- LTP :) On Wed, 11 Jan 2006 10:56:18 +0100, Thomas Weidenfeller <nobody@ericsson.invalid> wrote, quoted or indirectly quoted someone who said : >It is not clear from your >description who initiates the connection. If you have some client behind >a NAT which initiates a connection it shouldn't be a problem. My project is a tool for organising the internationalisation of Java code by teams. See http://mindprod.com/projects/internationaliser.html for my latest thinking on how this will work. The client would initiate connections and there is no client to client communication. Just traditional client to server. Some of the clients will be relatively computer naive people working on home computers in remote parts of the globe as language translators. They may have a home router firewall, or some software firewall, which they will not understand. They will have just plugged it in and left it to defaults. I want wondering if there are firewalls that might by default block outgoing tcp/ip connections to anything other than port 80 or FTP ports. SignatureCanadian Mind Products, Roedy Green. http://mindprod.com Java custom programming, consulting and coaching. > I want wondering if there are firewalls that might by default block > outgoing tcp/ip connections to anything other than port 80 or FTP > ports. I've learned, over time, that there's no limit to the stupid stuff that large IT departments will do with firewalls and proxies. You can anticipate some of the problem, but you can't anticipate all. Eventually, somebody is going to have to tell the IT department that they are stifling work and need to lighten up. That said, Sun saw this as a big enough deal to worry about encapsulating RMI over HTTP... so perhaps you may run into this issue with the same frequency they did. > Some of the clients will be relatively computer naive people working > on home computers in remote parts of the globe as language > translators. They may have a home router firewall, or some software > firewall, which they will not understand. They will have just plugged > it in and left it to defaults. I doubt that any home firewall product will block any outgoing ports BY DEFAULT. I wouldn't worry about it at all. It's the "smart" people looking for clever tricks that should scare you. Signaturewww.designacourse.com The Easiest Way To Train Anyone... Anywhere. Chris Smith - Lead Software Developer/Technical Trainer MindIQ Corporation Chris Smith sez: ... > I doubt that any home firewall product will block any outgoing ports BY > DEFAULT. I wouldn't worry about it at all. It's the "smart" people > looking for clever tricks that should scare you. ZoneAlarm by default pops up a message "Program foo wants to access the internet, should I let it?" (which is about the only thing that makes egress filtering useful for a workstation). It'll block until you tell it 'y' or 'n'. Dima SignatureWe're part of that admittedly-too-small group that is trying to save the human race from itself. With any luck, we'll fail abjectly and the cockroaches will win out. -- Mike Andrews > ZoneAlarm by default pops up a message "Program foo wants to access > the internet, should I let it?" (which is about the only thing that > makes egress filtering useful for a workstation). It'll block until > you tell it 'y' or 'n'. I really wish Microsoft had taken an outbound connection blocking approach as well in Windows Firewall, at least made it configurable. It only blocks inbound connections I'm not as concerned about some server on my laptop being vulnerable, I'm more concerned about malware infecting IE and silently phoning home, though it would (in theory) block malware from listening at a port for controller probes. Alan Krueger sez: >> ZoneAlarm by default pops up a message "Program foo wants to access >> the internet, should I let it?" (which is about the only thing that >> makes egress filtering useful for a workstation). ... > I really wish Microsoft had taken an outbound connection blocking > approach as well in Windows Firewall, at least made it configurable. It > only blocks inbound connections I'm not as concerned about some server > on my laptop being vulnerable, I'm more concerned about malware > infecting IE and silently phoning home, though it would (in theory) > block malware from listening at a port for controller probes. Bwahahahaha. The sole reason for having egress filtering is because Microsoft software works well only as an infection vector. They haven't done anything to change that in 20 years, what makes you think they're gonna start now? Especially now that they reserve the right to collect any information they like from your computer and quietly send it to their business affiliates as they see fit. You really think they'd give you a tool to stop them? Dima SignatureWe're sysadmins. Sanity happens to other people. -- Chris King >> ZoneAlarm by default pops up a message "Program foo wants to access >> the internet, should I let it?" (which is about the only thing that [quoted text clipped - 7 lines] > infecting IE and silently phoning home, though it would (in theory) > block malware from listening at a port for controller probes. The problem with personal firewalls' outbound blocking is that it makes you feel warm and cosy, whilst providing little in the way of real protection. If your machine has become infected because you are logged in with administrative rights (and how many Windows users don't have admin rights?), then the malware also has administrative rights. Code which executes with administrative rights can tunnel straight through your "firewall" without you even noticing. The "firewall" only warns you about well behaved applications, and you don't really need protecting from these. So, what you end up with is a piece of software which annoys you and interferes with normal operations, whilst providing little real protection. If you really want outbound protection it should be done on a router, where malware on the client can't affect, or control, it (unless you've been lured into enabling UPnP on the router firewall). Inbound protection is the really important thing you need, and the Windows firewall does provide some protect against that. SignatureNigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK E-mail : nmw@ion.le.ac.uk Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555 Nigel Wade sez: >>> ZoneAlarm by default pops up a message "Program foo wants to access >>> the internet, should I let it?" (which is about the only thing that [quoted text clipped - 10 lines] > The problem with personal firewalls' outbound blocking is that it makes you feel > warm and cosy, whilst providing little in the way of real protection. It's a problem with any reactive security scheme. E.g. antivirus program makes you feel warm and cosy while a brand new virus is free to infect your box -- until AV vehdor updates their VDF and you download and install it. Nontheless, it's better than nothing. Dima SignatureOne distinguishing characteristic of BOFHen is attention deficit disorder. Put me in front of something boring and I can find a near-infinite number of really creative ways to bugger off. -- ADB > If your machine has become infected because you are logged in with > administrative rights (and how many Windows users don't have admin rights?), > then the malware also has administrative rights. Code which executes with > administrative rights can tunnel straight through your "firewall" without you > even noticing. The "firewall" only warns you about well behaved applications, > and you don't really need protecting from these. Worse, IIRC, they provide some mechanism for software to automatically add exceptions to blocks on listening sockets anyway, to ensure that "legitimate" software won't inconvenience the users. This would be the first target of something trying to circumvent Windows Firewall, as it could silence all warnings before trying to do anything. > On Wed, 11 Jan 2006 10:56:18 +0100, Thomas Weidenfeller > <nobody@ericsson.invalid> wrote, quoted or indirectly quoted someone > who said : <snipped /> > Some of the clients will be relatively computer naive people working > on home computers in remote parts of the globe as language [quoted text clipped - 5 lines] > outgoing tcp/ip connections to anything other than port 80 or FTP > ports. Well... to give you an example... My firewall usually have these settings (and so do all the firewalls of my computer illiterate friends): # Access via SSH for administration pass in quick on xl1 proto tcp from any to any port = 22 keep state # General statefull connection out pass out quick on xl1 proto tcp/udp from any to any keep state pass out quick on xl1 proto icmp from any to any keep state # webserver inside DMZ pass in quick on xl1 proto tcp from any to any port = 80 flags S keep state keep frags pass in quick on xl1 proto tcp from any to any port = 21 flags S keep state keep frags pass in quick on xl1 proto tcp from any to any port = 8080 flags S keep state keep frags # General denial og incoming connections block in quick on xl1 Which means, except for SSH, FTP and my web-servers, *everything* is blocked! (And no, I'm not worried after posting my settings here :-D ) Bottom line is that all the people with a "friend with knowledge" probably have very strict incoming policy. (The "friend" want to avoid extra work). But connections initiated from them (any port) will be allowed, including subsequent incoming responses to the actual port. SignatureDag. > The client would initiate connections and there is no client to client > communication. Just traditional client to server. Then NAT shouldn't be a problem for setting up the TCP connection. > I want wondering if there are firewalls that might by default block > outgoing tcp/ip connections to anything other than port 80 or FTP > ports. Many, maybe not by default, but configured that way. And particular the software ones take the process into account which tries to set up the connection. If it is not your browser or some other trusted program, they complain. That's their job. You can argue if software firewalls make sense at all, but the fact is, many people now have them. And particularly the people who couldn't handle their computer in the past and couldn't keep it clean, are now the ones who can't handle their firewall(s) ... /Thomas SignatureThe comp.lang.java.gui FAQ: ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/computer-lang/java/gui/faq http://www.uni-giessen.de/faq/archiv/computer-lang.java.gui.faq/ > On Wed, 11 Jan 2006 10:56:18 +0100, Thomas Weidenfeller > <nobody@ericsson.invalid> wrote, quoted or indirectly quoted someone [quoted text clipped - 9 lines] > The client would initiate connections and there is no client to client > communication. Just traditional client to server. Provided there is no server-to-client communication other than on the client-initiated socket, there shouldn't be any problem due to NAT. > Some of the clients will be relatively computer naive people working > on home computers in remote parts of the globe as language > translators. They may have a home router firewall, or some software > firewall, which they will not understand. They will have just plugged > it in and left it to defaults. Most home NAT routers don't even have a firewall. Those which do are generally shipped with the firewall disabled. It's only people who know about them (and possibly how to set them up) who will use them. It's very unlikely they would block outgoing connections on ports other than http/ftp. Personal, software, firewalls are becoming much more common. When the user tried to connect to your server using your client software they ought to get a warning of some sort. You'd need to warn your users of this, so they would be expecting it and not "panic" and block it. > I want wondering if there are firewalls that might by default block > outgoing tcp/ip connections to anything other than port 80 or FTP > ports. If the user is behind a "corporate" firewall there's a good chance that this will be true. Given that, it's also true that the firewall will [probably] be administered by someone competent who can be asked for assistance in enabling connection to your server. It's also true that many network/security admins are not reasonable people... Many real firewalls now do deep packet inspection and look at the contents of the packets, which makes it much more difficult for you to "hijack" the http or ftp port for your own, custom, protocol. SignatureNigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK E-mail : nmw@ion.le.ac.uk Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555 > Most home NAT routers don't even have a firewall. Those which do are > generally shipped with the firewall disabled. Both of the home NATers that I've had have included firewalls. The first (a cheap thing) had only simple firewalling, but it was there and was turned on by default. IIRC it blocked "random" outgoing connections by default (but that was some time ago and I could be wrong). My current NATing router features a decidedly more elaborate firewall, and that certainly shipped in a default configuration disallowing outbound connections on arbitrary ports. Oh, and it doesn't and won't -- as a matter of manufacturer's security policy -- support UPnP. I /could/ allow outgoing connections on any ports I liked, but I see no good reason to do so for any except a very small number of protocols. I /definitely/ wouldn't open up a port in order to take part in a BitTorrent-like distribution scheme. -- chris > Oh, and it doesn't and won't -- as a matter of manufacturer's security > policy -- support UPnP. Sounds good to me. Which vendor would that be? /Thomas SignatureThe comp.lang.java.gui FAQ: ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/computer-lang/java/gui/faq http://www.uni-giessen.de/faq/archiv/computer-lang.java.gui.faq/ > > Oh, and it doesn't and won't -- as a matter of manufacturer's security > > policy -- support UPnP. > > Sounds good to me. Which vendor would that be? I'm sorry but I'd rather not advertise the identity of my firewall on a forum which also includes the IP address that it protects. I'd have replied offline, but you don't supply an email address.... -- chris >> Most home NAT routers don't even have a firewall. Those which do are >> generally shipped with the firewall disabled. [quoted text clipped - 5 lines] > decidedly more elaborate firewall, and that certainly shipped in a default > configuration disallowing outbound connections on arbitrary ports. I was basing the statement on my limited knowledge of home NAT routers. The only ones I've used had the firewall disabled by default. They had very basic input port blocking on 137,139,443 setup by default, but the real firewall was not setup. > Oh, and it doesn't and won't -- as a matter of manufacturer's security > policy -- support UPnP. It's an abomination. After all, what's the point in spending good money on a firewall to protect your network, and then allowing software to poke holes in it? > I /could/ allow outgoing connections on any ports I liked, but I see no good > reason to do so for any except a very small number of protocols. I > /definitely/ wouldn't open up a port in order to take part in a BitTorrent-like > distribution scheme. We are not allowed to, by local networking policy. P2P of any kind is outlawed, including BitTorrent carrying legitimate content. SignatureNigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK E-mail : nmw@ion.le.ac.uk Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555 Roedy Green sez: > I am asking this for two reasons: > > 1. I want to know if I am in any danger of BitTorrent like need for > firewall configuring if I write a Java app that uses pure sockets > talking to a server. The clients always initiate conversations. Do I > have to use HTTP to be safe from firewalls blocking outgoing calls? Some people do egress filtering. They usually allow outgoing trafic to a few well-known ports, so your server will have to listen on one of those. Port 80 is the least likely to be blocked. ... > When the server responds, it has to look up which spare port is > associates with spare port on which computer and forward the response. Good enough, although for Java glossary I'd simply say "NAT router maintains a table of NATted connections and forwards replies to the correct host" -- I don't think it matters to Java coders whether it does so by port, tcp sequence number, or keeps the entire 5-tuples in the table. Dima SignatureAll whitespace is equivalent except in certain situations -- ANSI C standard committee >Some people do egress filtering. They usually allow outgoing >trafic to a few well-known ports, so your server will have to >listen on one of those. Port 80 is the least likely to be >blocked. That's what I was worried about. I think I will have to organise this around traditinal HTTP. SignatureCanadian Mind Products, Roedy Green. http://mindprod.com Java custom programming, consulting and coaching. >> Some people do egress filtering. They usually allow outgoing >> trafic to a few well-known ports, so your server will have to [quoted text clipped - 3 lines] > That's what I was worried about. I think I will have to organise this > around traditinal HTTP. Note that you have the option of running some other home-brew protocol over port 80. This will get you out of many places that do egress filtering by port (protocol) number. But I think that there may be a number of places where outgoing connections to port 80 are blocked because everyone is expected to go through a company-run proxy server that does content filtering. Steve >Good enough, although for Java glossary I'd simply say "NAT >router maintains a table of NATted connections and forwards >replies to the correct host" -- I don't think it matters to >Java coders whether it does so by port, tcp sequence number, >or keeps the entire 5-tuples in the table. Routers bothered me. I could not see how the NAT could simulate multiple computers with one IP. Then I discovered it doesn't. It simulates one very busy PC, that might have multiple logons to the same site, and that's ok. Some online voting schemes give one vote per IP. This discriminates against people behind NAT, but to the outside world everyone behind the NAT looks like one person. SignatureCanadian Mind Products, Roedy Green. http://mindprod.com Java custom programming, consulting and coaching. Roedy Green sez: >>Good enough, although for Java glossary I'd simply say "NAT >>router maintains a table of NATted connections and forwards [quoted text clipped - 10 lines] > against people behind NAT, but to the outside world everyone behind > the NAT looks like one person. Yep. By the same token, I have two netblocks here: a /25 and a /26 so I can cast 188 votes from distinct IP addresses. Moreover, if I could fit the vote into spoofed packets I could cast as many votes as there are ip addresses -- sans the few that already voted. Some online voting schemes are stupid. In other news, sky was recently found to be blue. My point was on the technical side: forwarding by port number alone doesn't work for icmp and udp, nor for protocols that use multiple connections (ftp, corba). Forwarding by the full 5-tuple doesn't work the latter, either, simply because tcp/ip wasn't designed for that sort of use. So depending on how much you paid for your NAT box, it may include ftp connection tracking module, ssl proxy for ftps forwarding, corba proxy, etc. Dima SignatureWe're part of that admittedly-too-small group that is trying to save the human race from itself. With any luck, we'll fail abjectly and the cockroaches will win out. -- Mike Andrews > Some online voting schemes give one vote per IP. This discriminates > against people behind NAT, but to the outside world everyone behind > the NAT looks like one person. This is unfair anyway, since multi-user systems have existed for decades. Not everything is a PC. A Unix server doesn't necessarily have more than one IP address per user, but could serve multiple desktop sessions on terminals. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.