Velocity Reviews - Computer Hardware Reviews
Understanding NAT, Firewalls, TCP/IP

Roedy Green
      01-11-2006
I am asking this for two reasons:

1. I want to know if I am in any danger of a BitTorrent-like need for
firewall configuring if I write a Java app that uses pure sockets
talking to a server. The clients always initiate conversations. Do I
have to use HTTP to be safe from firewalls blocking outgoing calls?

2. I thought this would be interesting to write up for the Java glossary.

Is this correct?

Let's say I have two computers A and B on a LAN with IPs 192.168.0.2 and
192.168.0.3.

Let's say I have a router/firewall on the LAN internally addressable as
192.168.0.1 and with a face IP to the world of 4.69.120.20.

Let's say I want to talk to a server with IP 65.110.20.44.

Let's say that both A and B want to look at a web page on the server.
They each send a request containing their own IP, a random spare port
for the return packets to come to, the IP of the server, and 80, the
port of the server, to the router's internal IP.

To the outside world, the router looks like a single computer. So it has
to fake the two requests from A and B as if they both came from
itself. So it sends on two request packets with the router's face IP,
a spare port on the router, the IP of the server and port 80.

When the server responds, the router has to look up which spare port on
which computer is associated with the spare port on the router, and
forward the response.

--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.
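Roedy's description above, replayed as a small Python simulation. This is an added example, not code from the post or from mindprod; the NatRouter class, its sequential external-port allocation starting at 40000, the hosts' ephemeral port 51000 and the outside address 203.0.113.9 are assumptions chosen for illustration, while the LAN, router and server addresses are the ones given in the post.

```python
# Added example: a toy NAPT ("port-overloading" NAT) table for the A/B/router scenario.
# Hypothetical code; NatRouter and its port allocation are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the addressing fields NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Rewrites outbound packets to its own address and maps replies back.

    Keys on the full 5-tuple (proto, inside ip, inside port, remote ip, remote port),
    so two inside hosts may even pick the same ephemeral port and still get
    distinct external ports.
    """

    def __init__(self, inside_ip: str, outside_ip: str, first_port: int = 40000):
        self.inside_ip = inside_ip
        self.outside_ip = outside_ip
        self._next_port = first_port  # assumption: allocate external ports sequentially
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> external port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate (or reuse) an external port, rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._out[key] = ext_port
            self._in[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching an existing mapping get through.

        An unsolicited packet (no prior outbound flow) has no table entry and is
        dropped; that is why a listener behind NAT needs a static port forward.
        """
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        inside = self._in.get(key)
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo() -> dict:
    """A and B behind 192.168.0.1 / 4.69.120.20 both fetch a page from 65.110.20.44:80."""
    nat = NatRouter("192.168.0.1", "4.69.120.20")
    server = "65.110.20.44"
    # Constructed input: both hosts happen to choose the same ephemeral port.
    a_out = nat.outbound(Packet("192.168.0.2", 51000, server, 80))
    b_out = nat.outbound(Packet("192.168.0.3", 51000, server, 80))
    a_again = nat.outbound(Packet("192.168.0.2", 51000, server, 80))  # same flow, same mapping
    reply_a = nat.inbound(Packet(server, 80, nat.outside_ip, a_out.src_port))
    reply_b = nat.inbound(Packet(server, 80, nat.outside_ip, b_out.src_port))
    # Unsolicited inbound SYN to a BitTorrent-style listener port: no mapping, dropped.
    unsolicited = nat.inbound(Packet("203.0.113.9", 4444, nat.outside_ip, 6881))
    return {"a_out": a_out, "b_out": b_out, "a_again": a_again,
            "reply_a": reply_a, "reply_b": reply_b, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Keying on the full 5-tuple is what lets A and B both use local port 51000 and still be told apart. The `unsolicited` case is the BitTorrent situation from the question: a SYN arriving at the router's outside address with no matching entry has nowhere to go and is dropped, which is exactly why a program that listens behind NAT needs a forwarding rule while a client that only initiates connections does not.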
 
Alan Krueger
      01-11-2006
Roedy Green wrote:
> 1. I want to know if I am in any danger of BitTorrent like need for
> firewall configuring if I write a Java app that uses pure sockets
> talking to a server. The clients always initiate conversations. Do I
> have to use HTTP to be safe from firewalls blocking outgoing calls?


There are firewalls that can block outbound ports that aren't approved,
though. By the same token, those firewalls could be configured to block
on other criteria as well, like destination address, so this is not
necessarily something you can prevent.

Since your subject includes NAT, note that NAT will not by itself
necessitate this. BitTorrent and other protocols where a machine behind
NAT acts as a server require configuration because NAT won't otherwise
know how to route unsolicited inbound packets.
 
Mark H
      01-11-2006
Roedy I don't understand what the question is. Is it simply what port
to use? Don't use port 80 unless you're connecting to http servers.
Even if you write your own app on port 80, that doesn't mean that
Windows firewall won't block your application. A hardware firewall
obviously won't know the difference, but most hardware firewalls built
into NAT routers don't block outgoing requests anyway...

BitTorrent is different because it is a client and server rolled into
one.

Roedy Green
      01-11-2006
On 10 Jan 2006 22:22:17 -0800, "Mark H" <> wrote,
quoted or indirectly quoted someone who said :

>Roedy I don't understand what the question is. Is it simply what port
>to use? Don't use port 80 unless you're connecting to http servers.
>Even if you write your own app on port 80, that doesn't mean that
>Windows firewall won't block your application. A hardware firewall
>obviously won't know the difference, but most hardware firewalls built
>into NAT routers don't block outgoing requests anyway.


My problem is, I can do this app very easily with permanent sockets
exchanging serialised object messages. I then don't need to set up
Tomcat or the like, just my own very simple server that won't require
any expertise to install.

But if I go that route, I thought I might get in trouble with
firewalls. My clients won't have a clue what to do. So what I have
to do is use Tomcat and Servlets and traditional HTTP messages, though
JAWS apps send them instead of browsers.

Which brings up another question: does HTTP have a way of SENDING
unarmoured binary to the server, or only the other way?

--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.
 
Thomas Weidenfeller
      01-11-2006
Roedy Green wrote:
> But if I got that route, I thought I might get in trouble with
> firewalls. My clients won't have a clue what to do.


Firewalls are usually there for a reason. If your client doesn't know
about their own firewalls, well ...

As someone else has mentioned, the other thing is NAT. This is not
related to firewalls. Even if you run an HTTP server on port 80 behind a
NAT device, that device will typically need configuration, if of course
the server should be reachable from the outside.

However, if the software behind the NAT initiates the TCP connection,
the NAT device needs no special configuration. It is not clear from your
description who initiates the connection. If you have some client behind
a NAT which initiates a connection it shouldn't be a problem. If you
have a server behind a NAT device, waiting for incoming requests, it is
a problem.

Again, in both cases firewalls are a separate issue. Just because
typical devices do both (and many other things) doesn't mean you should
mix the problems, because the fixes are different.

Regarding SOHO NAT devices ("routers"). Many of them are
remote/application configurable via UPnP these days. From a security
point of view this is a nightmare. But if your client runs such a
device, you could use UPnP to discover the device, and then configure
it. However, UPnP is not fun. And, it uses SOAP. And once you start
using SOAP, you could think about using that for your application, too,
instead of raw data.

> Which brings up another question.. Does http have a way of SENDING
> unarmoured binary to the server, or only the other way?


A POST with an application/octet-stream mime type should do. But there
is no guarantee that a particular firewall won't find this format
objectionable.

/Thomas
--
The comp.lang.java.gui FAQ:
ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/...g/java/gui/faq
http://www.uni-giessen.de/faq/archiv....java.gui.faq/
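Thomas's answer to the binary-upload question, shown end to end as an added example. It is Python rather than the Java client Roedy is writing, and it is not code from the thread; the HTTP mechanics are the same on either side. The `/upload` path, the 1 MiB size cap and the 256-byte payload are assumptions and constructed input. The server side also does the checks a practitioner would want before reading a raw body: it refuses a missing Content-Length, an oversize body and a content type other than application/octet-stream.

```python
# Added example: POSTing raw, unencoded bytes as application/octet-stream.
# Hypothetical code (not from the thread); the /upload path and 1 MiB cap are assumptions.
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # assumption: refuse uploads over 1 MiB rather than buffering blindly


class UploadHandler(BaseHTTPRequestHandler):
    """Accepts a binary POST and answers with the SHA-256 of what it received."""

    def do_POST(self) -> None:
        ctype = self.headers.get("Content-Type", "")
        try:
            length = int(self.headers.get("Content-Length", ""))
        except ValueError:
            self._reply(411, b"Content-Length required")
            return
        if length < 0 or length > MAX_BODY:
            self._reply(413, b"body too large")
            return
        if ctype != "application/octet-stream":
            self._reply(415, b"expected application/octet-stream")
            return
        body = self.rfile.read(length)  # raw bytes: no base64, no form encoding
        self.server.received = body     # stash for the caller
        self._reply(200, hashlib.sha256(body).hexdigest().encode("ascii"))

    def _reply(self, status: int, payload: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def post_binary(url: str, payload: bytes) -> bytes:
    """Client side: the body goes on the wire byte-for-byte; urllib sets Content-Length."""
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/octet-stream"},
    )
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    with opener.open(req, timeout=5) as resp:
        return resp.read()


def roundtrip(payload: bytes) -> dict:
    """Start a throwaway server on 127.0.0.1, POST payload to it, return what both sides saw."""
    server = HTTPServer(("127.0.0.1", 0), UploadHandler)
    server.received = None
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        digest = post_binary(f"http://127.0.0.1:{port}/upload", payload)
    finally:
        server.shutdown()
        server.server_close()
    return {"received": server.received,
            "server_digest": digest.decode("ascii"),
            "client_digest": hashlib.sha256(payload).hexdigest()}


if __name__ == "__main__":
    # Constructed input: every byte value once, including NUL, CR and LF.
    result = roundtrip(bytes(range(256)))
    print(result["server_digest"] == result["client_digest"],
          result["received"] == bytes(range(256)))
```

The payload deliberately contains every byte value so the round trip proves nothing was escaped or line-ended along the way. Thomas's caveat still stands: an inspecting proxy or application-layer firewall between client and server may object to an opaque body, and that is a policy on that box rather than anything HTTP itself forbids.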
 
Dimitri Maziuk
      01-11-2006
Roedy Green sez:
> I am asking this for two reasons:
>
> 1. I want to know if I am in any danger of BitTorrent like need for
> firewall configuring if I write a Java app that uses pure sockets
> talking to a server. The clients always initiate conversations. Do I
> have to use HTTP to be safe from firewalls blocking outgoing calls?


Some people do egress filtering. They usually allow outgoing
traffic to a few well-known ports, so your server will have to
listen on one of those. Port 80 is the least likely to be
blocked.

....
> When the server responds, it has to look up which spare port is
> associates with spare port on which computer and forward the response.


Good enough, although for Java glossary I'd simply say "NAT
router maintains a table of NATted connections and forwards
replies to the correct host" -- I don't think it matters to
Java coders whether it does so by port, tcp sequence number,
or keeps the entire 5-tuples in the table.

Dima
--
All whitespace is equivalent except in certain situations
-- ANSI C standard committee
 
Luc The Perverse
      01-11-2006
"Thomas Weidenfeller" <> wrote in message
news:dq2ko3$no4$...
> Roedy Green wrote:
>> But if I got that route, I thought I might get in trouble with
>> firewalls. My clients won't have a clue what to do.

>
> Firewalls are usually there for a reason. If your client doesn't know
> about their own firewalls, well ...


You mean like every Windows XP SP2 computer that Dell ships?

--
LTP

Roedy Green
      01-11-2006
On Wed, 11 Jan 2006 10:56:18 +0100, Thomas Weidenfeller
<> wrote, quoted or indirectly quoted someone
who said :

>It is not clear from your
>description who initiates the connection. If you have some client behind
>a NAT which initiates a connection it shouldn't be a problem.

My project is a tool for organising the internationalisation of Java
code by teams. See http://mindprod.com/projects/internationaliser.html
for my latest thinking on how this will work.

The client would initiate connections and there is no client to client
communication. Just traditional client to server.

Some of the clients will be relatively computer naive people working
on home computers in remote parts of the globe as language
translators. They may have a home router firewall, or some software
firewall, which they will not understand. They will have just plugged
it in and left it to defaults.

I was wondering if there are firewalls that might by default block
outgoing TCP/IP connections to anything other than port 80 or FTP
ports.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.
 
Roedy Green
      01-11-2006
On Wed, 11 Jan 2006 17:11:38 +0000 (UTC), Dimitri Maziuk
<dima@127.0.0.1> wrote, quoted or indirectly quoted someone who said :

>
>Some people do egress filtering. They usually allow outgoing
>trafic to a few well-known ports, so your server will have to
>listen on one of those. Port 80 is the least likely to be
>blocked.


That's what I was worried about. I think I will have to organise this
around traditional HTTP.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.
 
Roedy Green
      01-11-2006
On Wed, 11 Jan 2006 17:11:38 +0000 (UTC), Dimitri Maziuk
<dima@127.0.0.1> wrote, quoted or indirectly quoted someone who said :

>Good enough, although for Java glossary I'd simply say "NAT
>router maintains a table of NATted connections and forwards
>replies to the correct host" -- I don't think it matters to
>Java coders whether it does so by port, tcp sequence number,
>or keeps the entire 5-tuples in the table.


Routers bothered me. I could not see how the NAT could simulate
multiple computers with one IP. Then I discovered it doesn't. It
simulates one very busy PC, that might have multiple logons to the
same site, and that's ok.

Some online voting schemes give one vote per IP. This discriminates
against people behind NAT, but to the outside world everyone behind
the NAT looks like one person.


--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.