Understanding NAT, Firewalls, TCP/IP

[Roedy Green]

I am asking this for two reasons:

1. I want to know if I am in any danger of BitTorrent like need for
firewall configuring if I write a Java app that uses pure sockets
talking to a server. The clients always initiate conversations. Do I
have to use HTTP to be safe from firewalls blocking outgoing calls?

2. I thought this be interesting to write up for the Java glossary.

Is this correct?

Lets say I have two computers A and B on a LAN with IP 192.168.0.2 and
192.168.0.3.

Lets say I have a router/firewall on the LAN internally addressable as
192.168.0.1 and with a face IP to the world of 4.69.120.20.

Lets say I want to talk to a server with IP 65.110.20.44.

Lets say that both A and B want to look at web page on the server.
They each send a request containing their own IP, a random spare port
for the return packets to come to, the IP of the server, and 80 the
port of the server, to the router's internal IXP.

To the outside world, router looks like a single computer. So it has
to fake the two requests from A and B as if they both came from
itself. So it sends on request two packets with the routers face IXP,
a spare port on the router, the IP of the server and port 80.

When the server responds, it has to look up which spare port is
associates with spare port on which computer and forward the response.

 

[Alan Krueger]

1. I want to know if I am in any danger of BitTorrent like need for
firewall configuring if I write a Java app that uses pure sockets
talking to a server. The clients always initiate conversations. Do I
have to use HTTP to be safe from firewalls blocking outgoing calls?

There are firewalls that can block outbound ports that aren't approved,
though. By the same token, those firewalls could be configured to block
on other criteria as well, like destination address, so this is not
necessarily something you can prevent.

Since your subject includes NAT, note that NAT will not by itself
necessitate this. BitTorrent and other protocols where a machine behind
NAT acts as a server require configuration because NAT won't otherwise
know how to route unsolicited inbound packets.

 

[Mark H]

Roedy I don't understand what the question is. Is it simply what port
to use? Don't use port 80 unless you're connecting to http servers.
Even if you write your own app on port 80, that doesn't mean that
Windows firewall won't block your application. A hardware firewall
obviously won't know the difference, but most hardware firewalls built
into NAT routers don't block outgoing requests anyway...

BitTorrent is different because it is a client and server rolled into
one.

 

[Roedy Green]

Roedy I don't understand what the question is. Is it simply what port
to use? Don't use port 80 unless you're connecting to http servers.
Even if you write your own app on port 80, that doesn't mean that
Windows firewall won't block your application. A hardware firewall
obviously won't know the difference, but most hardware firewalls built
into NAT routers don't block outgoing requests anyway.

My problem is, I can do this app very easily with permanent sockets
exchanging serialised object messages. I then don't need to set up
Tomcat or the like, just my own very simple server that won't require
any expertise to install.

But if I got that route, I thought I might get in trouble with
firewalls. My clients won't have a clue what to do. So what I have
to do is use Tomcat and Servlets and traditional HTTP messages, though
JAWS apps send them instead of browsers.

Which brings up another question.. Does http have a way of SENDING
unarmoured binary to the server, or only the other way?

 

[Thomas Weidenfeller]

But if I got that route, I thought I might get in trouble with
firewalls. My clients won't have a clue what to do.

Firewalls are usually there for a reason. If your client doesn't know
about their own firewalls, well ...

As someone else has mentioned, the other thing is NAT. This is not
related to firewalls. Even if you run an HTTP server on port 80 behind a
NAT device, that device will typically need configuration - in case of
course the server should be reachable from the outside.

However, if the software behind the NAT initiates the TCP connection,
the NAT device need no special configuration. It is not clear from your
description who initiates the connection. If you have some client behind
a NAT which initiates a connection it shouldn't be a problem. If you
have a server behind a NAT device, waiting for incoming requests, it is
a problem.

Again, in both cases firewalls are a separate issue. Only because
typical devices do both (and many other things), doesn't mean you should
mix the problems, because the fixes are different.

Regarding SOHO NAT devices ("routers"). Many of them are
remote/application configurable via UPnP these days. From a security
point of view this is a nightmare. But if your client runs such a
device, you could use UPnP to discover the device, and then configure
it. However, UPnP is not fun. And, it uses SOAP. And once you start
using SOAP, you could think about using that for your application, too,
instead of raw data.

Which brings up another question.. Does http have a way of SENDING
unarmoured binary to the server, or only the other way?

A POST with an application/octet-stream mime type should do. But there
is no guarantee that a particular firewall won't find this format
objectionable.

/Thomas

 

[Dimitri Maziuk]

Roedy Green sez:

I am asking this for two reasons:

1. I want to know if I am in any danger of BitTorrent like need for
firewall configuring if I write a Java app that uses pure sockets
talking to a server. The clients always initiate conversations. Do I
have to use HTTP to be safe from firewalls blocking outgoing calls?

Some people do egress filtering. They usually allow outgoing
trafic to a few well-known ports, so your server will have to
listen on one of those. Port 80 is the least likely to be
blocked.

....

When the server responds, it has to look up which spare port is
associates with spare port on which computer and forward the response.

Good enough, although for Java glossary I'd simply say "NAT
router maintains a table of NATted connections and forwards
replies to the correct host" -- I don't think it matters to
Java coders whether it does so by port, tcp sequence number,
or keeps the entire 5-tuples in the table.

Dima

 

[Luc The Perverse]

Firewalls are usually there for a reason. If your client doesn't know
about their own firewalls, well ...

You mean like every Windows XP SP2 computer that Dell ships?

 

[Roedy Green]

It is not clear from your
description who initiates the connection. If you have some client behind
a NAT which initiates a connection it shouldn't be a problem.

My project is a tool for organising the internationalisation of Java
code by teams. See http://mindprod.com/projects/internationaliser.html
for my latest thinking on how this will work.

The client would initiate connections and there is no client to client
communication. Just traditional client to server.

Some of the clients will be relatively computer naive people working
on home computers in remote parts of the globe as language
translators. They may have a home router firewall, or some software
firewall, which they will not understand. They will have just plugged
it in and left it to defaults.

I want wondering if there are firewalls that might by default block
outgoing tcp/ip connections to anything other than port 80 or FTP
ports.

 

[Roedy Green]

Some people do egress filtering. They usually allow outgoing
trafic to a few well-known ports, so your server will have to
listen on one of those. Port 80 is the least likely to be
blocked.

That's what I was worried about. I think I will have to organise this
around traditinal HTTP.

 

[Roedy Green]

Good enough, although for Java glossary I'd simply say "NAT
router maintains a table of NATted connections and forwards
replies to the correct host" -- I don't think it matters to
Java coders whether it does so by port, tcp sequence number,
or keeps the entire 5-tuples in the table.

Routers bothered me. I could not see how the NAT could simulate
multiple computers with one IP. Then I discovered it doesn't. It
simulates one very busy PC, that might have multiple logons to the
same site, and that's ok.

Some online voting schemes give one vote per IP. This discriminates
against people behind NAT, but to the outside world everyone behind
the NAT looks like one person.

 

[Chris Smith]

I want wondering if there are firewalls that might by default block
outgoing tcp/ip connections to anything other than port 80 or FTP
ports.

I've learned, over time, that there's no limit to the stupid stuff that
large IT departments will do with firewalls and proxies. You can
anticipate some of the problem, but you can't anticipate all.
Eventually, somebody is going to have to tell the IT department that
they are stifling work and need to lighten up.

That said, Sun saw this as a big enough deal to worry about
encapsulating RMI over HTTP... so perhaps you may run into this issue
with the same frequency they did.

Some of the clients will be relatively computer naive people working
on home computers in remote parts of the globe as language
translators. They may have a home router firewall, or some software
firewall, which they will not understand. They will have just plugged
it in and left it to defaults.

I doubt that any home firewall product will block any outgoing ports BY
DEFAULT. I wouldn't worry about it at all. It's the "smart" people
looking for clever tricks that should scare you.

--
www.designacourse.com
The Easiest Way To Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

 

[Dimitri Maziuk]

Roedy Green sez:

Routers bothered me. I could not see how the NAT could simulate
multiple computers with one IP. Then I discovered it doesn't. It
simulates one very busy PC, that might have multiple logons to the
same site, and that's ok.

Some online voting schemes give one vote per IP. This discriminates
against people behind NAT, but to the outside world everyone behind
the NAT looks like one person.

Yep. By the same token, I have two netblocks here: a /25 and a /26
so I can cast 188 votes from distinct IP addresses. Moreover, if I
could fit the vote into spoofed packets I could cast as many votes
as there are ip addresses -- sans the few that already voted. Some
online voting schemes are stupid. In other news, sky was recently
found to be blue.

My point was on the technical side: forwarding by port number
alone doesn't work for icmp and udp, nor for protocols that
use multiple connections (ftp, corba). Forwarding by the full
5-tuple doesn't work the latter, either, simply because tcp/ip
wasn't designed for that sort of use. So depending on how much
you paid for your NAT box, it may include ftp connection tracking
module, ssl proxy for ftps forwarding, corba proxy, etc.

Dima

 

[Dimitri Maziuk]

Chris Smith sez:
....

I doubt that any home firewall product will block any outgoing ports BY
DEFAULT. I wouldn't worry about it at all. It's the "smart" people
looking for clever tricks that should scare you.

ZoneAlarm by default pops up a message "Program foo wants to access
the internet, should I let it?" (which is about the only thing that
makes egress filtering useful for a workstation). It'll block until
you tell it 'y' or 'n'.

Dima

 

[Dag Sunde]

Some of the clients will be relatively computer naive people working
on home computers in remote parts of the globe as language
translators. They may have a home router firewall, or some software
firewall, which they will not understand. They will have just plugged
it in and left it to defaults.

I want wondering if there are firewalls that might by default block
outgoing tcp/ip connections to anything other than port 80 or FTP
ports.

Well... to give you an example... My firewall usually have these
settings (and so do all the firewalls of my computer
illiterate friends):

# Access via SSH for administration
pass in quick on xl1 proto tcp from any to any port = 22 keep state

# General statefull connection out
pass out quick on xl1 proto tcp/udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state

# webserver inside DMZ
pass in quick on xl1 proto tcp from any to any port = 80 flags S keep
state keep frags
pass in quick on xl1 proto tcp from any to any port = 21 flags S keep
state keep frags
pass in quick on xl1 proto tcp from any to any port = 8080 flags S keep
state keep frags

# General denial og incoming connections
block in quick on xl1

Which means, except for SSH, FTP and my web-servers, *everything* is
blocked!

(And no, I'm not worried after posting my settings here :-D )

Bottom line is that all the people with a "friend with knowledge" probably
have very strict incoming policy. (The "friend" want to avoid extra work).

But connections initiated from them (any port) will be allowed, including
subsequent incoming responses to the actual port.

 

[Thomas Weidenfeller]

The client would initiate connections and there is no client to client
communication. Just traditional client to server.

Then NAT shouldn't be a problem for setting up the TCP connection.

I want wondering if there are firewalls that might by default block
outgoing tcp/ip connections to anything other than port 80 or FTP
ports.

Many, maybe not by default, but configured that way. And particular the
software ones take the process into account which tries to set up the
connection. If it is not your browser or some other trusted program,
they complain. That's their job.

You can argue if software firewalls make sense at all, but the fact is,
many people now have them. And particularly the people who couldn't
handle their computer in the past and couldn't keep it clean, are now
the ones who can't handle their firewall(s) ...


/Thomas

 

[Nigel Wade]

My project is a tool for organising the internationalisation of Java
code by teams. See http://mindprod.com/projects/internationaliser.html
for my latest thinking on how this will work.

The client would initiate connections and there is no client to client
communication. Just traditional client to server.

Provided there is no server-to-client communication other than on the
client-initiated socket, there shouldn't be any problem due to NAT.

Some of the clients will be relatively computer naive people working
on home computers in remote parts of the globe as language
translators. They may have a home router firewall, or some software
firewall, which they will not understand. They will have just plugged
it in and left it to defaults.

Most home NAT routers don't even have a firewall. Those which do are generally
shipped with the firewall disabled. It's only people who know about them (and
possibly how to set them up) who will use them. It's very unlikely they would
block outgoing connections on ports other than http/ftp.

Personal, software, firewalls are becoming much more common. When the user tried
to connect to your server using your client software they ought to get a
warning of some sort. You'd need to warn your users of this, so they would be
expecting it and not "panic" and block it.

I want wondering if there are firewalls that might by default block
outgoing tcp/ip connections to anything other than port 80 or FTP
ports.

If the user is behind a "corporate" firewall there's a good chance that this
will be true. Given that, it's also true that the firewall will [probably] be
administered by someone competent who can be asked for assistance in enabling
connection to your server. It's also true that many network/security admins are
not reasonable people...

Many real firewalls now do deep packet inspection and look at the contents of
the packets, which makes it much more difficult for you to "hijack" the http or
ftp port for your own, custom, protocol.

 

[Chris Uppal]

Most home NAT routers don't even have a firewall. Those which do are
generally shipped with the firewall disabled.

Both of the home NATers that I've had have included firewalls. The first (a
cheap thing) had only simple firewalling, but it was there and was turned on by
default. IIRC it blocked "random" outgoing connections by default (but that
was some time ago and I could be wrong). My current NATing router features a
decidedly more elaborate firewall, and that certainly shipped in a default
configuration disallowing outbound connections on arbitrary ports.

Oh, and it doesn't and won't -- as a matter of manufacturer's security
policy -- support UPnP.

I /could/ allow outgoing connections on any ports I liked, but I see no good
reason to do so for any except a very small number of protocols. I
/definitely/ wouldn't open up a port in order to take part in a BitTorrent-like
distribution scheme.

-- chris

 

[Thomas Weidenfeller]

Oh, and it doesn't and won't -- as a matter of manufacturer's security
policy -- support UPnP.

Sounds good to me. Which vendor would that be?

/Thomas

 

[Chris Uppal]

Sounds good to me. Which vendor would that be?

I'm sorry but I'd rather not advertise the identity of my firewall on a forum
which also includes the IP address that it protects. I'd have replied
offline, but you don't supply an email address....

-- chris

 

[Alan Krueger]

ZoneAlarm by default pops up a message "Program foo wants to access
the internet, should I let it?" (which is about the only thing that
makes egress filtering useful for a workstation). It'll block until
you tell it 'y' or 'n'.

I really wish Microsoft had taken an outbound connection blocking
approach as well in Windows Firewall, at least made it configurable. It
only blocks inbound connections I'm not as concerned about some server
on my laptop being vulnerable, I'm more concerned about malware
infecting IE and silently phoning home, though it would (in theory)
block malware from listening at a port for controller probes.