> 1. How do we generate a reliable list of which ports to avoid?
> Whether we automatically generate the port number, or advise users
> to "pick a port number", this issue will need to be addressed.

If it must be random, I would consult /etc/services and bind to ports
not listed therein.

> 1a. What cross-platform technique will generate a good list of
> ports that are already in use? Of ports that might be in use

See above.

> security logs as a potential problem. AFAIK, there was no way for
> Joe Average User to know in advance which ports were blocked.

No, but setting up a "test box" and then trying to connect to each
port in sequence would be a good way to figure this out automagically.
Someone needs to volunteer a test box, however. :) This, AFAIK, is how
ICQ, Yahoo Messenger and the AIM client all bypass firewalls.

> 1b2. A while back there was a discussion on Slashdot about
> port scanning. In it, one sysadmin commented that he investigates
> any attempt to use the port '37337', just because at one time that
> was a popular port in certain circles.

It's 31337 and 12345 for Back Orifice (www.bo2k.com) and NetBus
respectively. See www.securityfocus.com or "Packet Storm Security",
the URL of which I disrecall presently, for additional information.

> 2. If this is implemented, we need to ensure that people have
> an easy way to find the right address and current port number
> of nodes they wish to contact. If someone says "you can start
> your Freenet node by connecting to my node at f00bar.net",
> they may not include current information about the port being

There still needs to be some way (eventually) to automatically
communicate this to new nodes. I'm out of ideas on this one - the only
way is to have a central server.. which is what Freenet is trying at
all costs to avoid.

> some sort of registry like inform.php has its own problems.

Hmm. Yes, it breaks. Often. =)

> right port?" when connection attempts fail, along with a warning
> about the hazards of finding it via repeated trial and error.

Yes, but if this is the method we are using, someone is going to
simply hack their client to portscan, as it is more efficient than
guessing ports at random.. effectively a very slow portscan. It might
as well be in the "official" client if that will be the de facto
standard for finding Freenet nodes...

> 3. Will randomizing port usage fix what it is supposed to fix?
> The purpose for switching the port used is to make it harder
> for someone trying to shut down nodes to even find the nodes,
> yes? Is there some other reason?

It is to make it difficult to locate nodes. There are many reasons for
this, including legal reasons, but that is the big one. Whether this
is practical or not remains to be seen.

> Last I heard, we are nowhere near the ability to run nodes
> undetected. The protections were in the form of being able to
> say that there was no proof that a particular node operator
> accessed an 'illegal' file, which seems to be in the same
> spirit of the Napster defense -- their service was for legit
> stuff, and the 'illegal' stuff was the fault of those awful

Napster does not have plausible deniability, as their servers maintain
a plaintext list of who has what. Freenet will not have this ability,
AFAIK. At best, you can search for keys. There are additional
"obscurity options" being discussed to further improve plausible
deniability. Freenet is beginning to face the same challenges as, and
resemble, the DNS system.. a distributed database. Strange, no?

> you can't hide the node, then your best defense is that the node
> is for approved uses. It doesn't look good if you make clumsy
> attempts to hide the existence of your node, then claim after
> you're caught that the node was only for good bits instead of
> bad bits.

Unless of course Freenet per default hides itself. There are good
justifications for this... one of which is that by providing a central
list of servers, you are giving attackers an easy way to trash the
entire network. Hiding/obscuring nodes would help it to resist DoS
attacks - a noble goal.

~ Signal 11

_______________________________________________
Freenet-dev mailing list
Freenet-dev at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/freenet-dev
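The first suggestion in the post above (consult /etc/services and bind to a port not listed there), worked through as an added example. This is not Freenet code and did not appear in the original thread. The services text is a constructed sample in /etc/services format so the block runs offline (when run as a script it reads the real file if present); the 1024-65535 range, the retry count and the loopback address are assumptions. It goes one step beyond the post: a port absent from /etc/services can still be held by a running program, so the example also checks that the chosen port is actually bindable.

```python
"""Pick a listening port that is not registered in /etc/services.

Added example for the '/etc/services' suggestion in the post; not Freenet
code. Port range, attempt count and loopback host are assumptions.
"""
import random
import socket

# Constructed sample in /etc/services format: name, port/proto, aliases, comment.
# The last two entries are made up for the example; they are not in the real file.
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp
http            80/tcp          www www-http   # WorldWideWeb HTTP
https           443/tcp
nfs             2049/udp
bo2k            31337/tcp       # constructed entry
netbus          12345/tcp       # constructed entry
"""


def parse_services(text):
    """Return {port: service name} for every entry in /etc/services-style text.

    Any protocol counts as 'listed'. Comments and blank lines are skipped and
    malformed lines are ignored, since the real file often carries local edits.
    """
    listed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_str, _proto = fields[1].split("/", 1)
        if port_str.isdigit():
            listed[int(port_str)] = fields[0]
    return listed


def choose_unlisted_port(listed, rng=None, low=1024, high=65535):
    """Draw a port uniformly from [low, high] that is not in `listed`.

    Only the assumed non-privileged range is used; a node does not need root.
    """
    rng = rng or random.SystemRandom()
    candidates = [p for p in range(low, high + 1) if p not in listed]
    if not candidates:
        raise RuntimeError("no unlisted port in range %d-%d" % (low, high))
    return rng.choice(candidates)


def port_is_bindable(port, host="127.0.0.1"):
    """True if host:port can be bound right now, i.e. nothing else holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:              # EADDRINUSE, EACCES, ...
            return False
    return True


def pick_listen_port(services_text, rng=None, attempts=20):
    """Combine both checks: absent from /etc/services and currently free."""
    listed = set(parse_services(services_text))
    for _ in range(attempts):
        port = choose_unlisted_port(listed, rng)
        if port_is_bindable(port):
            return port
    raise RuntimeError("no free unlisted port after %d attempts" % attempts)


def occupied_port_is_detected(host="127.0.0.1"):
    """Self-check for the failure mode the list alone misses.

    Hold an OS-assigned loopback port with a live listener and confirm that
    port_is_bindable() reports it as taken.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind((host, 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        return not port_is_bindable(port, host)


if __name__ == "__main__":
    try:
        with open("/etc/services") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_SERVICES
    print(pick_listen_port(text))
```

The bind check is what makes the list useful in practice: /etc/services only says which ports are conventionally assigned, not which are in use on this host, so the list check should be treated as a filter and the bind attempt as the real test. A port chosen this way is still visible to anyone who scans the host, which is the point made later in the post.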